Researchers have engineered a new version of the ClickFix social engineering technique using prompt injection to trick agentic AI into performing a range of malicious actions.
Guardio dubbed this “PromptFix” – a variation on the ClickFix attacks that usea fake error or verification message to manipulate victims into copying and pasting a malicious script and then running it.
It uses prompt injection techniques to present attacker instructions to the AI agent inside an invisible text box.
“Why would the AI treat these as commands? In prompt injections, the attacker relies on the model’s inability to fully distinguish between instructions and regular content within the same prompt, hoping to slip malicious commands past sanitation checks,” Guardio explained.
“WithPromptFix, the approach is different. We don’t try to glitch the model into obedience. Instead, we mislead it using techniques borrowed from the human social engineering playbook – appealing directly to its core design goal: to help its human quickly, completely, and without hesitation.”
Read more on ClickFix: ClickFix Attacks Surge 517% in 2025
In a test scenario, the research team posed as a scammer that sends a fake message to a victim from their ‘doctor,’ with a link to ‘recent blood test results.’ The AI browses to the link, encounters a CAPTCHA and uncovers the hidden prompt injection instructions which engineer it to cause a drive-by download attack.
“The injected narrative tells the AI Agent this is a special ‘AI-friendly’ captcha it can solve on behalf of its human. All it needs to do is click the button. And so, it clicks,” Guardio explained.
“In our controlled demo, the button downloaded a harmless file. Still, it could just as easily have been a malicious payload, triggering a classicdrive-by downloadand planting malware on the human’s machine without their knowledge.”
The security vendor warned that similar techniques could be used to send emails containing personal details, grant file-sharing permissions to cloud storage accountsor execute other potentially malicious actions.
“In effect, the attacker is now in control of your AI, and by extension, of you,” it said.
Agentic AI Is Too Easily Tricked
Guardio also tried other scenarios using Perplexity’s AI-powered browser Comet, to see if it could trick the AI agent into performing malicious tasks.
Unfortunately, the research team was successful in getting it to buy an item from a scam e-commerce site they set upand clicking on a link to a genuine phishing site in an email they sent.
These attacks exploit AI’s tendency to act without full context, trust too easilyand follow instructions without applying human skepticism, Guardio said.
“The scam no longer needs to trick you. It only needs to trick your AI. When that happens, you’re still the one who pays the price,” it added.
“This is Scamlexity: a complex new era of scams, where AI convenience collides with a new, invisible scam surface and humans become the collateral damage.”
Lionel Litty, chief security architect at Menlo Security, agreed that AI agents are both gullible and servile.
“In an adversarial setting, where an AI agent may be exposed to untrusted input, this is an explosive combination,” he added.
“Unfortunately, the web in 2025 is very much an adversarial setting.”
Imagecredit: gguy / Shutterstock.com