The invisible intruder: Anatomy of a modern ClickFix attack

29 Mar 2026 • 12:06 AM MYT
The Manila Times

A FRIEND runs an online retail business and knows her way around a laptop — or so she thought. She called me recently to walk me through what happened when she clicked a Calendly link to set up a StreamYard broadcast. It was not what she expected.

The page stalled. A prompt appeared claiming her browser needed an installer to continue. It looked like something she had seen before — a routine system requirement. She followed the steps, downloaded the file, entered her Mac password, and pasted a command into Terminal. Only later did she understand what she had actually done.

This is a ClickFix attack: fake error messages that nudge users into running malicious commands on their own devices. Proofpoint observed the method as early as March 2024. Sekoia later described a version of it called Phantom Meet, built around fake Google Meet pages. What makes it effective is not technical novelty. It works because it looks familiar. The dialog box looked official, the steps felt routine, and by the time the code ran in her Terminal, her system may already have been exposed.

How the attack moves

Sekoia’s research describes ClickFix as a deliberate shift away from infected email attachments toward something harder to filter: the user doing the work. Copy this code, paste it into Terminal on a Mac or Command Prompt on Windows, then press Enter. Because the action comes from the user, browser-based protections may not catch it in time.

The lure, as Gemini later identified, was a lookalike StreamYard domain: streamyard.com.co. One extra “.co” attached to a familiar name, and the page looked real enough at a glance. When you are scrambling to get a live broadcast running, checking the full URL is rarely the first thing on your mind. Busy people click so they can move on. That gap is what the attacker counts on.

Once a script like that runs, the goal is usually credential theft. Malware used in these attacks can go after saved passwords, browser sessions, and other account data. On a Mac, that can include attempts to access stored credentials. Often, nothing obvious appears on screen — no alert, no visible sign that anything has changed.

The first hour matters most

She knew something was off when the broadcast still would not load after the install. So she asked Gemini: Why can’t I install StreamYard? She pasted the meeting link along with the question. Gemini flagged it immediately. StreamYard does not require a download installer, and the link itself triggered a warning: “STOP IMMEDIATELY: This is a Scam/Phishing Link... Do not run that installer.”

She already had. But she moved quickly. Her MacBook password went first, since that was the credential she had handed over during the install process. Then came her primary email, social media accounts, and anything tied to her store’s payment setup. Credentials changed before they are used are far less useful to whoever stole them.

Her BPI account was not touched, partly because BPI has rolled out device-binding and trusted-device controls that require approval from a registered physical device even when the correct password is entered. That does not mean complacency is safe. Never enter a bank OTP, or one-time password, on any page opened from an unexpected prompt, even if the page looks legitimate.

The power of reporting

She also reported the link to Calendly’s security team. By the time I checked later, the suspicious link was no longer accessible. That report did not just help her. It may also have cut off the same lure before it caught someone else.

After changing her passwords, she audited her system’s Launch Agents — the hidden files that tell a Mac what to run at startup. Malware often tries to leave something behind there so it survives a reboot. Unknown entries, especially those with random-looking names, deserve a closer look. Gemini helped her work through which entries looked normal and what to examine more closely, without waiting for a technician.
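The Launch Agents audit described above, written out as an added example rather than anything from the article or from a vendor tool. It reads the plist files macOS uses for startup jobs and flags the signs a reviewer looks for: labels that are not reverse-DNS or look random, programs in temporary or hidden paths, shell-wrapper or download fragments in the arguments, and jobs set to relaunch themselves. The path prefixes, argument fragments and the "12 characters with digits" rule are assumed heuristics, not an official list; the two plists at the bottom are constructed samples.

```python
import plistlib
import re
from pathlib import Path
# Directories macOS consults for per-user and system-wide startup jobs.
LAUNCH_DIRS = [Path.home() / "Library/LaunchAgents",
               Path("/Library/LaunchAgents"), Path("/Library/LaunchDaemons")]
# Legitimate labels are reverse-DNS style (com.vendor.product); assumed heuristic.
LABEL_RE = re.compile(r"^[a-z][a-z0-9-]*(\.[a-z0-9-]+)+$", re.I)
# Paths and command fragments a startup job rarely needs; assumed heuristics.
ODD_PATH_PREFIXES = ("/tmp/", "/private/tmp/", "/var/folders/", "/Users/Shared/")
ODD_ARG_FRAGMENTS = ("curl ", "base64", "bash -c", "sh -c", "osascript -e")

def label_looks_random(label: str) -> bool:
    # Not reverse-DNS, or a long letter+digit token such as xk9q2v7l3m1z.
    if not LABEL_RE.match(label):
        return True
    return any(len(p) >= 12 and re.search(r"\d", p) for p in label.split("."))

def audit_plist(data: bytes, source: str = "<constructed>") -> list:
    """Return reasons this job deserves a closer look; [] means it looks normal."""
    try:
        job = plistlib.loads(data)          # handles XML and binary plists
    except Exception as exc:                # an unreadable plist is itself notable
        return [f"{source}: could not parse plist ({exc})"]
    label = str(job.get("Label", ""))
    args = [str(a) for a in job.get("ProgramArguments") or []]
    program = str(job.get("Program") or (args[0] if args else ""))
    reasons = []
    if not label or label_looks_random(label):
        reasons.append(f"label looks random or malformed: {label!r}")
    for path in [program] + args:
        if path.startswith(ODD_PATH_PREFIXES) or "/." in path:
            reasons.append(f"unusual or hidden path: {path}")
    for frag in ODD_ARG_FRAGMENTS:
        if frag in " ".join(args):
            reasons.append(f"arguments contain {frag.strip()!r}")
    if job.get("RunAtLoad") and job.get("KeepAlive"):
        reasons.append("RunAtLoad + KeepAlive: relaunches itself if killed")
    return [f"{source}: {r}" for r in reasons]

def audit_launch_dirs() -> list:
    # Audit every .plist in the LAUNCH_DIRS that exist on this machine.
    return [line for d in LAUNCH_DIRS if d.is_dir()
            for f in sorted(d.glob("*.plist")) for line in audit_plist(f.read_bytes(), str(f))]

# Constructed samples: one entry of the kind the article warns about, one ordinary updater.
SUSPECT = plistlib.dumps({"Label": "com.xk9q2v7l3m1z.agent", "RunAtLoad": True, "KeepAlive": True,
                          "ProgramArguments": ["/bin/sh", "-c", "/Users/Shared/.cache/upd --quiet"]})
BENIGN = plistlib.dumps({"Label": "com.example.updater", "RunAtLoad": True,
                         "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/Example"]})
```

On a Mac, `print("\n".join(audit_launch_dirs()))` lists every flagged entry with the reason; the constructed `SUSPECT` plist trips all four checks while `BENIGN` produces nothing.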

Verify before you click

Most people do not pause. A five-second check of the URL and sender address — not just the display name in the email — is often enough to catch something like this. Scammers count on notification fatigue, the habit of clicking through prompts to get back to work. For anyone running an online store, the risk is higher. Emails from couriers, payment platforms, suppliers, and logistics providers come in constantly, and careful reading can feel like a luxury.
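The five-second URL check, and the lookalike streamyard.com.co domain from the earlier paragraph, as an added example that is not part of the article. It extracts the host a browser will actually contact and accepts a link only when that host is the expected domain or one of its subdomains, which is what a quick visual check is trying to approximate; the sample links are constructed, and evil.example and streamyard-com.example are placeholders.

```python
from urllib.parse import urlsplit

def registered_host(url: str) -> str:
    """Host the browser will actually contact, with user-info and port stripped."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return ""                      # mailto:, data: and similar are not web pages
    return (parts.hostname or "").lower().rstrip(".")

def is_expected_site(url: str, expected_domain: str) -> bool:
    """True only if the host is expected_domain itself or one of its subdomains."""
    host, expected = registered_host(url), expected_domain.lower()
    return host == expected or host.endswith("." + expected)

def explain(url: str, expected_domain: str) -> str:
    """One-line verdict a user could act on."""
    host = registered_host(url)
    brand = expected_domain.split(".")[0]
    if is_expected_site(url, expected_domain):
        return f"OK: {host} belongs to {expected_domain}"
    if brand in host:
        return f"LOOKALIKE: {host} contains '{brand}' but is not {expected_domain}"
    return f"UNRELATED: {host or 'no web host'} is not {expected_domain}"

# Constructed links: the article's lookalike, the genuine form, and two placeholders
# showing why the host must be parsed rather than eyeballed.
SAMPLES = [
    "https://streamyard.com.co/join/abc",      # extra .co, as in the article
    "https://app.streamyard.com/join/abc",     # genuine subdomain
    "https://streamyard.com@evil.example/",    # brand before '@' is user-info, not the host
    "https://streamyard-com.example/",         # brand glued on with a hyphen
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(explain(link, "streamyard.com"))
```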

For accounts where a breach would do real damage, security teams at Google and Cloudflare have pushed physical hardware keys like the YubiKey for years. It plugs into a computer and acts as a second authentication factor. Without the physical device, a stolen password gets a thief nowhere.

My friend kept her accounts and her finances intact. She told me she felt embarrassed about falling for it. She should not. These pages are built to catch busy, capable people at the wrong moment. The most useful thing she did was talk about it.