That 'Windows update' pop-up might be a trap: the ClickFix scam explained

One of 2026's fastest-growing scams doesn't exploit a software bug — it exploits you. It's called ClickFix, and if you know the one move it relies on, you'll never fall for it.

Here's how it works. A hacked or malicious web page throws up a convincing full-screen "Windows Update" (or a fake CAPTCHA, or a "fix this error" box) with realistic progress bars. Then it asks you to do something a real update would never ask: open the Run box (Win+R), paste what's on your clipboard, and press Enter. That pasted text is a command that silently downloads malware — typically an infostealer that grabs your saved passwords, browser cookies and crypto wallets. 2026 campaigns have hidden the payload inside ordinary-looking images and hijacked thousands of websites to spread it.

The rule that keeps you safe: no legitimate update, error, or CAPTCHA ever asks you to paste a command into Run, PowerShell, or a terminal. If a web page tells you to, close the tab.

The deeper fix is to never go hunting for "update" buttons on the web at all. Tendvane gives you one trusted place to update your apps and drivers — pulled from Windows' own package manager (winget) and the Microsoft Update Catalog — so the only update prompts you ever act on are the ones inside the app.