Auto dealerships are increasingly becoming targets of a dangerous new cyberattack method called ClickFix—and it’s spreading fast. Reports show that ClickFix attacks grew more than 500% in the first half of 2025, and dealerships across the U.S. are already getting hit.

So what is ClickFix—and why should dealers care?

What is a ClickFix Attack?

ClickFix is a trick, not a hack. Instead of breaking into your systems directly, attackers fool your employees into doing the work for them.

Here’s how it typically happens:

1. The Lure – An employee lands on a dealership website, social media post, or ad that looks legitimate but has been compromised.
2. The Fake Prompt – A pop-up appears: a fake CAPTCHA test, browser error, or “security check” that looks normal.
3. The Trap – When the employee clicks the prompt, malicious code is secretly copied into their clipboard.
4. The Instructions – The page then tells them to press Windows + R, paste the code, and hit Enter.
5. The Compromise – By following those steps, the employee unknowingly installs malware, such as a Remote Access Trojan (RAT), giving hackers full control of their computer.

In short: attackers trick users into installing malware themselves, bypassing traditional security tools.

Why Dealerships Should Be Concerned

In March 2025, a dealership employee fell victim to a ClickFix campaign that attempted to install SectopRAT—a type of malware that lets attackers steal sensitive information, hijack browsers, and even conduct wire fraud.

Worse, researchers discovered that more than 100 dealership websites were unintentionally serving ClickFix attacks. The problem started when a third-party vendor, LES Automotive (a provider of dealership video content), was compromised. That meant dealerships using their video service were unknowingly putting customers and employees at risk.

This wasn’t an isolated case. Federal agencies and security experts have warned that cybercriminals—and even state-sponsored hacking groups—are increasingly adopting ClickFix because it works.

Why ClickFix Works

• It looks like a normal part of the internet (CAPTCHAs, error messages, updates).
• It relies on human behavior—getting someone to follow simple instructions.
• It bypasses antivirus and firewalls because the user executes the malicious command themselves.

That combination makes ClickFix particularly dangerous for busy dealership staff who are just trying to get their work done quickly.

What Can Dealerships Do?

Dealerships don’t have to be sitting ducks. Here are practical steps to reduce risk:

• Employee Awareness – Train staff to be skeptical of unexpected pop-ups, especially those asking to copy/paste code or open the Windows Run dialog.
• Vendor Risk Management – Ask vendors how they protect their code and services from being hijacked in supply chain attacks.
• Managed Endpoint Detection & Response – Basic antivirus won’t stop this. You need 24/7 monitoring that can detect and investigate suspicious behavior.
• Incident Response Plan – Assume someone will eventually click. Have a plan- and the resources – in place to quickly contain and remediate the attack.

The Bottom Line

ClickFix attacks are exploding in popularity because they’re cheap, effective, and exploit trust. Dealerships that don’t adapt are putting sensitive data, finances, and their reputation at risk.

If your current strategy is just “we have antivirus” or “our vendor says we’re covered,” it’s time to take a harder look. Attackers are innovating—dealerships must too.