Here’s a scenario that should keep you up at night: your business does everything right. Firewalls? Check. Staff training? Done. Strong passwords and MFA? Absolutely. Then you get breached anyway, because your accounting software vendor got hacked.

Welcome to the world of supply chain cyber attacks. And if you think this only happens to massive corporations, we need to talk.

In 2024 and 2025, a Chinese state-sponsored hacking group called Salt Typhoon infiltrated some of the biggest telecommunications companies on the planet — AT&T, Verizon, T-Mobile, and at least nine others. These aren’t small businesses with outdated firewalls. These are multi-billion-pound enterprises with dedicated security teams numbering in the thousands. And they still got compromised.

The attackers didn’t kick down the front door. They slipped in through the supply chain — exploiting trusted connections between vendors, software providers, and network infrastructure. If that can happen to the world’s largest telcos, what does it mean for your manufacturing firm in Birmingham, your construction company in Leeds, or your engineering outfit in Manchester?

It means supply chain security isn’t optional anymore. It’s survival.

Why This Matters Right Now

Supply chain attacks have exploded. According to the European Union Agency for Cybersecurity (ENISA), supply chain attacks tripled between 2021 and 2024. The UK’s National Cyber Security Centre (NCSC) has issued repeated warnings specifically targeting SMBs about third-party risks.

Why the surge? Because attackers figured out something clever: why hack 1,000 companies individually when you can hack one vendor that serves all 1,000?

For UK SMBs in manufacturing, construction, and engineering, this is especially dangerous. These industries rely heavily on specialist software, subcontractors, and interconnected systems. Your CAD software provider, your project management platform, your payroll company — each one is a potential entry point. If you’re not already thinking about this, check out our managed cybersecurity services to see how we approach this.

What Exactly Is a Supply Chain Cyber Attack?

A supply chain attack happens when hackers compromise your business by targeting a third party you trust — a vendor, supplier, software provider, or service partner. Instead of attacking you directly, they attack someone in your supply chain and use that trusted relationship to reach you.

Think of it like this: you’ve locked your front door, barred the windows, and installed an alarm. But you gave your cleaner a key. If someone breaks into the cleaner’s house and steals that key, they walk straight into yours.

Supply chain attacks come in several flavours:

• Software supply chain attacks: Hackers inject malicious code into a legitimate software update. You install the update trusting the vendor, and boom — malware is inside your network.
• Credential-based attacks: Attackers steal login credentials from a vendor who has access to your systems (think your IT provider, your cloud host, or your managed print service).
• Hardware supply chain attacks: Compromised hardware components are embedded with backdoors before they even reach you. Rarer, but devastating.
• Service provider attacks: Your managed service provider, cloud platform, or outsourced IT team gets breached, giving attackers a direct tunnel into your environment.

The common thread? You didn’t do anything wrong. Your vendor did. But you pay the price.

Real-World Wake-Up Calls

Salt Typhoon (2024-2026)

This one’s still unfolding as you read this. Salt Typhoon is a Chinese state-sponsored hacking group that infiltrated major US telecoms, including AT&T, Verizon, and T-Mobile. The attackers gained access to call records, text messages, and even wiretap systems used by law enforcement.

How? By exploiting vulnerabilities in network infrastructure equipment — the routers, switches, and systems made by trusted vendors that these telcos relied on. The hackers didn’t need to breach the telcos directly. They went after the technology supply chain.

The FBI described it as the “largest telecommunications hack in US history.” And many of the affected companies didn’t even know they’d been compromised for months.

SolarWinds (2020)

The attack that put “supply chain” into the mainstream security conversation. Russian hackers compromised SolarWinds’ Orion software — a network monitoring tool used by around 18,000 organisations, including US government agencies and Fortune 500 companies.

The attackers injected malicious code into a routine software update. Every organisation that installed the update unknowingly opened a backdoor into their own network. It was brilliant, terrifying, and a masterclass in why you can’t just trust your vendors blindly.

MOVEit (2023)

The Clop ransomware gang exploited a vulnerability in MOVEit Transfer, a popular file transfer tool. Over 2,500 organisations were affected, including the BBC, British Airways, and Boots. Again, these companies weren’t directly hacked. Their file transfer vendor was.

See the pattern? The biggest breaches of the last five years weren’t caused by weak passwords or phishing emails (though those are still problems). They were caused by trusted vendors getting compromised.

Why UK SMBs Are Sitting Ducks

“But we’re not AT&T,” you might be thinking. “Why would hackers target us?”

That thinking is exactly why you’re a target. Here’s the reality:

• You’re the path of least resistance. Attackers know that SMBs typically have weaker security than enterprises. If you’re in the supply chain of a larger company, you’re the easy way in. Manufacturing and engineering firms often supply components to defence, aerospace, or critical infrastructure — making you a high-value stepping stone.
• You rely on lots of third parties. Construction firms alone might use dozens of subcontractors, specialist software tools, and cloud platforms. Each one is a potential entry point. How many of those vendors have you actually vetted for security?
• You probably don’t audit your vendors. Be honest — when was the last time you asked a supplier about their cybersecurity posture? Most SMBs never do. You check if they can deliver on time and on budget, but you don’t check if they’ll accidentally let hackers into your network.
• Ransomware gangs love SMBs. You’re big enough to pay a ransom but small enough that you probably don’t have a dedicated security team. The sweet spot for cybercriminals. The UK government’s Cyber Security Breaches Survey 2024 found that 50% of businesses experienced some form of cyber attack in the previous 12 months.
• Regulations are tightening. If you work with larger clients or in regulated industries, you’ll increasingly be asked to demonstrate your cybersecurity credentials. Companies that can’t prove supply chain security will lose contracts. Simple as that.

7 Practical Steps to Protect Your Business

Enough doom and gloom. Here’s what you can actually do about it. These aren’t enterprise-level recommendations that require a six-figure budget. These are practical, SMB-friendly steps you can start implementing this week.

1. Know Your Supply Chain

You can’t protect what you can’t see. Map out every third party that has access to your systems, data, or network. This includes:

• Software vendors (ERP, CRM, CAD, accounting, project management)
• Cloud service providers
• IT support and managed service providers
• Subcontractors with network access
• Payment processors and financial tools

Create a simple spreadsheet. List the vendor, what access they have, and when that access was last reviewed. You’ll be shocked at how many third parties are plugged into your business.

2. Vet Your Vendors’ Security

Before onboarding any new vendor (and when reviewing existing ones), ask basic security questions:

• Do you hold Cyber Essentials or Cyber Essentials Plus certification?
• How do you handle software updates and patches?
• Do you use multi-factor authentication?
• What’s your incident response plan?
• Do you carry cyber insurance?

If a vendor can’t answer these questions, that’s a red flag. You wouldn’t hire a builder without checking their references. Don’t hire a software vendor without checking their security.

3. Implement Least-Privilege Access

Every vendor should have only the minimum access they need to do their job. No more. Your HVAC maintenance company doesn’t need access to your file server. Your accounting software doesn’t need admin rights to your entire network.

Review access rights quarterly. Remove access immediately when a vendor relationship ends. This alone would have prevented several high-profile breaches.

4. Monitor Your Network for Anomalies

You can’t prevent every attack, but you can catch them fast. Network monitoring tools can flag unusual behaviour — like a vendor account suddenly accessing files it’s never touched before, or data being sent to unfamiliar locations. This is where having the right IT support partner makes a massive difference.

At Magnetar, we combine software development expertise with IT support — which means we don’t just monitor your network, we understand how your applications and integrations work at a code level. That’s rare among MSPs, and it gives us a serious edge when detecting supply chain compromises that hide in legitimate software behaviour.

5. Enforce MFA Everywhere

Multi-factor authentication should be non-negotiable — for your team and for any vendor accessing your systems. If a vendor’s credentials get stolen (which is exactly what happens in supply chain attacks), MFA adds another barrier that attackers need to bypass.

It’s not foolproof — Salt Typhoon demonstrated that sophisticated attackers can sometimes work around it — but it stops the vast majority of opportunistic attacks. And most supply chain attacks against SMBs are opportunistic, not state-sponsored.

6. Have an Incident Response Plan

If one of your vendors gets breached tomorrow, do you know what to do? Who do you call? How do you isolate the affected systems? How do you communicate with your customers?

An incident response plan doesn’t need to be a 50-page document. It needs to answer:

• Who is responsible for what?
• How do we contain the breach?
• Who do we notify (ICO, customers, partners)?
• How do we recover and get back to business?

With 89% of issues resolved within the first hour, our team is built for rapid response. When a supply chain incident hits, speed is everything — and that’s something we take seriously.

7. Include Security Requirements in Contracts

Your vendor contracts should include security clauses. This isn’t being difficult — it’s being professional. Include requirements like:

• Mandatory notification within 24-72 hours if they experience a breach
• Minimum security standards (Cyber Essentials, encryption, patching schedules)
• Right to audit their security practices
• Data handling and deletion requirements

If a vendor pushes back on reasonable security requirements, that tells you everything you need to know about how seriously they take this.

The Bigger Picture: Security Is a Team Sport

Here’s the uncomfortable truth: in 2026, your security is only as strong as the weakest link in your supply chain. You can have the best internal security in the world, but if your payroll provider gets hacked and your employees’ data gets leaked, that’s your problem. Your customers don’t care whose fault it was — they care that their data was exposed.

Salt Typhoon proved that even nation-state-level attackers prefer the supply chain route. SolarWinds proved that a single compromised update can cascade to thousands of organisations. MOVEit proved that even well-known, widely-used software can be the entry point.

The good news? You don’t need to figure this out alone. At Magnetar IT, we work with SMBs across the UK to build layered security that accounts for supply chain risk. Our unique combination of software development and IT support means we understand both the technology and the business impact — and with a 98% customer satisfaction rate, we deliver results our clients can feel. Explore our news and insights for more practical cyber security advice.

Don’t Wait for the Wake-Up Call

Supply chain attacks aren’t going away. They’re getting more sophisticated, more frequent, and they’re moving down-market towards SMBs. The companies that take this seriously now will be the ones still standing when the next big breach hits.

The companies that ignore it? They’ll be the cautionary tales in next year’s blog posts.

Ready to get your supply chain security sorted? Check out our managed cybersecurity services or get in touch for a no-pressure chat about where your business stands. We’ll help you figure out what’s at risk and what to do about it — before someone else figures it out for you.

The post Your Biggest Cyber Threat Might Not Even Be in Your Building first appeared on Magnetar IT.

This month, Amazon revealed that a single Russian-speaking hacker, working alone, used generative AI tools to breach over 600 Fortinet firewalls across 55 countries in just five weeks. Not a well-funded nation state group. Not a team of elite hackers. One person, armed with AI.

That story should be a wake-up call for every business in the UK, especially small and mid-sized ones that assume they are too small to be targeted.

What Actually Happened

The attacker exploited known vulnerabilities in FortiGate firewall appliances. What made this campaign different was the scale and speed. By using generative AI to automate reconnaissance, write exploit code, and adapt attack techniques on the fly, one individual achieved what previously would have required a coordinated team working for months.

FortiGate firewalls are widely used by businesses of all sizes across the UK. If your company uses one and it has not been patched recently, you could have been in the firing line.

The key detail here is “known vulnerabilities.” These were not mysterious zero-day exploits. They were security holes that Fortinet had already released patches for. The businesses that got breached simply had not applied them in time.

Why AI Changes the Game for SMBs

For years, small businesses have relied on a comforting assumption: “Why would anyone bother with us when there are bigger fish to fry?” That logic made some sense when attacks required manual effort. A hacker spending weeks targeting a single company would naturally aim for a large enterprise with deep pockets.

AI dismantles that logic entirely.

When an attacker can use AI to scan thousands of targets, identify vulnerable systems, and launch customised attacks automatically, the cost of targeting a 20-person construction firm is basically the same as targeting a multinational. You are no longer too small to attack. You are just small enough to be easy.

The numbers back this up

Recent data paints a stark picture:

• Ransomware victim numbers rose 30% in 2025 compared to the previous year, according to Searchlight Cyber
• Industrial control system vulnerabilities hit a record 508 advisories in 2025, a particular concern for manufacturing and engineering firms
• DDoS attacks have escalated to what Radware describes as “alarming levels” in both frequency and power
• A new phishing toolkit called Starkiller can now bypass multi-factor authentication, something that was considered a strong defence just two years ago

These are not theoretical risks. They are documented trends from the past few weeks alone.

The Industries Most at Risk

If you work in manufacturing, construction, engineering, or entertainment, pay extra attention. These sectors share common traits that make them attractive targets.

Manufacturing and Engineering

Manufacturers increasingly rely on operational technology (OT) and industrial control systems that were never designed with cybersecurity in mind. With ICS vulnerabilities at record levels, attackers have more entry points than ever. A ransomware attack on a production line does not just mean lost data. It means halted operations, missed deadlines, and broken contracts.

Many manufacturing firms in the Midlands still run legacy systems alongside modern IT infrastructure. That gap between old and new is exactly where attackers love to operate.

Construction

Construction companies handle valuable data: project plans, financial information, client details, supply chain contracts. They also tend to have distributed workforces across multiple sites, making consistent security harder to maintain.

The industry’s reliance on email for document sharing and approvals makes it particularly vulnerable to AI-enhanced phishing. When an AI can craft a perfect imitation of your project manager’s writing style, that dodgy email becomes much harder to spot.

Entertainment and Creative Industries

Entertainment businesses often work with freelancers, contractors, and temporary staff who need quick access to systems and files. That constant turnover of access credentials is a security headache. Add in valuable intellectual property and tight deadlines that pressure people into cutting corners, and you have a recipe for trouble.

What AI-Powered Attacks Actually Look Like

Forget the Hollywood version of hacking. Modern AI-assisted attacks are practical and mundane, which is precisely what makes them dangerous.

Smarter phishing emails

AI can analyse your company’s website, social media, and public documents to craft emails that reference real projects, use the right terminology, and mimic the tone of colleagues. Traditional “Nigerian prince” phishing relied on volume over quality. AI-powered phishing combines both.

Automated vulnerability scanning

Instead of manually probing your systems, attackers use AI to scan and identify weaknesses across thousands of businesses simultaneously. Your unpatched firewall, outdated WordPress plugin, or misconfigured cloud storage gets flagged and exploited before you even know there is a problem.

Adaptive attack techniques

When an AI-assisted attack hits a security measure, it can automatically adjust its approach. Blocked by one method? The AI tries another. This cat-and-mouse game happens at machine speed, far faster than any human security team can respond manually.

Deepfake social engineering

AI-generated voice clones and video deepfakes are becoming increasingly convincing. There have already been cases of employees transferring large sums after receiving phone calls from someone who sounded exactly like their CEO. As these tools get cheaper and better, expect this attack vector to hit smaller businesses.

Practical Steps to Protect Your Business

The good news is that defending against AI-powered threats does not require an AI-sized budget. Most successful attacks still exploit basic security gaps. Here is what to prioritise.

1. Patch everything, promptly

The Fortinet breach happened because patches were not applied. Make patching a weekly discipline, not a quarterly afterthought. If you do not have someone responsible for this, that is your first problem to solve.

2. Enable multi-factor authentication everywhere

Yes, new tools like Starkiller can bypass some MFA implementations. But MFA still blocks the vast majority of automated attacks. Use app-based authenticators rather than SMS codes, and consider hardware security keys for admin accounts.

3. Train your people (properly)

Annual security awareness training is not enough when AI is generating new phishing techniques weekly. Run regular simulated phishing tests. Make it easy and blame-free for staff to report suspicious emails. The goal is a culture where questioning unexpected requests is normal, not awkward.

4. Segment your network

If an attacker gets into one system, can they reach everything else? Network segmentation limits the blast radius of a breach. Keep your operational technology separate from your corporate IT. Put IoT devices on their own network. The principle is simple: do not let one compromised device become a skeleton key.

5. Back up properly (and test your backups)

Follow the 3-2-1 rule: three copies of your data, on two different types of storage, with one copy offsite. More importantly, test your restore process regularly. A backup you have never tested is just a hope, not a plan.

6. Monitor your systems actively

You cannot defend against what you cannot see. Implement logging and monitoring across your network. Even basic tools that alert you to unusual login patterns or unexpected data transfers can catch an attack in its early stages when damage can still be contained.

7. Have an incident response plan

When (not if) something happens, who does what? Having a documented, rehearsed plan means the difference between a contained incident and a full-blown crisis. Include contact details for your IT provider, your insurance company, and the ICO (you have 72 hours to report certain breaches under UK GDPR).

The Role of Your IT Partner

This is where having the right IT support becomes critical. A reactive IT provider who only shows up when things break is not going to protect you from AI-powered threats. You need a partner who is proactively monitoring, patching, and testing your defences.

At Magnetar IT, we combine IT support with software development expertise, which means we understand both the infrastructure side and the application side of your security posture. When 89% of support issues are resolved within an hour, your team spends less time exposed to workarounds and shadow IT that create security gaps.

Whether you are a manufacturing firm in Birmingham worried about OT security, a construction company in Coventry managing multi-site access, or an engineering business in Leamington with legacy systems to protect, having an IT partner who understands your industry makes a real difference.

The Bottom Line

AI has not invented new types of cyber attacks. It has made existing attacks faster, cheaper, and more effective. The businesses that will weather this shift are the ones that treat cybersecurity as an ongoing practice rather than a one-off project.

You do not need to outrun the bear. You just need to outrun the business next door that still has not patched their firewall.

If you are not sure where your business stands, get in touch with Magnetar IT (https://magnetarit.co.uk/contact/) for a no-obligation chat about your security posture. We will give you an honest assessment and practical next steps, no jargon, no scare tactics, just straight answers.

The post AI-Powered Cyber Attacks – What UK Businesses Need to Know first appeared on Magnetar IT.

But here is the problem nobody warned you about: those same AI tools are now being used against you.

In the past week alone, two major incidents showed just how dangerous AI productivity tools can be when attackers get creative. And these are not theoretical risks. They are happening right now, to real businesses.

A Zero-Click Bug That Turns Excel Into a Spy

Microsoft’s March 2026 Patch Tuesday included a vulnerability that should make every business owner sit up and pay attention.

CVE-2026-26144 is a critical flaw in Microsoft Excel that weaponises Copilot Agent mode to silently steal your data. No clicking required. No malicious links to spot. Just opening (or even previewing) a compromised spreadsheet is enough.

Here is how it works: an attacker crafts an Excel file with hidden cross-site scripting code. When Copilot Agent processes the file, it triggers unintended network requests that send your data to an external server. The user sees nothing unusual. No pop-ups, no warnings, no suspicious behaviour.

“Information disclosure vulnerabilities are especially dangerous in corporate environments where Excel files often contain financial data, intellectual property, or operational records. If exploited, attackers could silently extract confidential information from internal systems without triggering obvious alerts.” — Alex Vovk, CEO, Action1

Think about what lives in your Excel files. Client pricing. Staff salaries. Project costings. Tender submissions. Financial forecasts. All of it potentially exfiltrated without anyone noticing.

This is not a bug in some obscure tool. This is Microsoft Excel with Copilot, the exact combination that millions of UK businesses are actively rolling out right now.

An AI Chatbot Hacked in Two Hours Flat

The second incident is arguably even more alarming.

Security researchers at CodeWall pointed an autonomous AI agent at McKinsey’s internal AI platform, Lilli. This is a chatbot used by over 40,000 McKinsey employees, processing more than 500,000 prompts every month.

Within two hours, the AI agent had achieved full read and write access to the entire production database. That included:

• 46.5 million chat messages about strategy, mergers, and client engagements, all in plaintext
• 728,000 files containing confidential client data
• 57,000 user accounts
• 95 system prompts controlling the AI’s behaviour, all writable

Let that sink in. An attacker could not only read everything the chatbot knew, they could change how it responds. Every consultant asking Lilli for advice could have been fed manipulated, poisoned information without knowing it.

The attack was fully autonomous. The AI agent researched the target, found exposed API documentation, identified 22 endpoints that required no authentication, discovered a SQL injection vulnerability, and exploited it. No human hacker sitting at a keyboard. Just one AI attacking another.

McKinsey patched the issues within hours of disclosure. But the lesson is clear: if one of the world’s most prestigious consultancies can get caught out, your business is not immune.

Why This Matters for UK SMBs

You might be thinking: “We are not McKinsey. We do not have a custom AI platform.” Fair point. But the underlying risk applies to every business adopting AI tools.

You are probably already exposed

If your business uses any of the following, you have AI-related attack surface to think about:

• Microsoft 365 Copilot in Word, Excel, Outlook, or Teams
• AI chatbots for customer service or internal knowledge bases
• AI-powered CRM tools that summarise client interactions
• Code assistants like GitHub Copilot for your development team
• AI features in accounting software like Xero or QuickBooks

Each of these tools processes your sensitive data. Each one introduces new ways that data can be accessed, manipulated, or stolen.

The attack surface is growing faster than your defences

Traditional cybersecurity focuses on firewalls, antivirus, email filtering, and access controls. These are still essential. But AI tools create entirely new categories of risk:

• Prompt injection: Attackers hide malicious instructions inside documents, emails, or web pages that your AI tools process.
• Data exfiltration via AI agents: As the Excel bug showed, AI assistants can be tricked into sending your data to external servers.
• Shadow AI: Staff using free AI tools to process company data without IT’s knowledge or approval.
• Supply chain AI risk: Third-party software you rely on is embedding AI features. Each one is a potential entry point.

The sectors most at risk

Manufacturing, construction, and engineering firms often handle sensitive project data, tender documents, and intellectual property. Entertainment and media businesses deal with contracts, financial negotiations, and pre-release content. These are exactly the types of data that attackers target, and exactly the types of data your new AI tools are processing.

What You Can Do Right Now

The good news: you do not need to ban AI tools or go back to doing everything manually. You just need to be smart about how you adopt them.

1. Patch immediately, every time

The Excel Copilot bug was fixed in Microsoft’s March 2026 Patch Tuesday release. If you have not applied it yet, do it today. Not next week. Today. Set up a patching schedule that prioritises security updates. If you cannot patch immediately, restrict outbound network traffic from Office applications and monitor for unusual network requests from Excel processes.

2. Audit your AI tool usage

Do you actually know every AI tool your team is using? Conduct a quick audit: Which AI tools are officially approved? Which AI features are enabled in your existing software? Are staff using personal AI tools for work tasks? What data is each tool processing? You cannot secure what you do not know about.

3. Implement an AI acceptable use policy

Your team needs clear guidelines on which AI tools are approved, what types of data can and cannot be processed by AI tools, how to report suspicious AI behaviour, and rules around using personal AI accounts for company data. This does not need to be a 50-page document. A single clear page that everyone reads and signs is enough.

4. Apply the principle of least privilege to AI tools

Not every employee needs every AI feature. Consider disabling Copilot Agent mode for users who do not need it, restricting AI chatbot access to only the data each team requires, reviewing API permissions for any AI integrations, and segmenting sensitive data away from AI-accessible systems.

5. Monitor AI tool behaviour

Set up monitoring for unusual activity from AI-enabled applications: unexpected outbound network connections from Office apps, large data transfers from AI chatbot platforms, changes to AI system prompts or configurations, and unusual API call patterns.

6. Train your team

Your staff are your first line of defence. Make sure they understand that AI tools can be manipulated through the documents and emails they process, not to open unexpected Excel files from unknown sources, how to spot unusual AI behaviour and who to report it to, and why using unapproved AI tools puts the company at risk.

The Bigger Picture

AI adoption is not slowing down. UK businesses that embrace these tools will be more competitive, more efficient, and better positioned for growth. That is not in question.

But adopting AI without updating your security posture is like fitting a new front door while leaving the back windows wide open. The technology is powerful, and that power cuts both ways.

The businesses that will thrive are the ones that adopt AI tools thoughtfully, with proper security controls, clear policies, and ongoing monitoring. Not the ones that rush to enable every new feature without understanding the risks.

Need Help Securing Your AI Tools?

This is exactly the kind of challenge where having the right IT partner makes all the difference. At Magnetar IT, we help businesses across the Midlands adopt new technology securely, without slowing them down.

Whether you need help auditing your current AI tool usage, implementing security policies, or setting up monitoring, we have got you covered. With over 10 years of experience and a 98% client satisfaction rate, we do not just fix problems. We prevent them.

Get in touch today for a free consultation on securing your AI tools. Or call us to chat about your specific setup. No jargon, no pressure, just practical advice from people who understand both the technology and the business.

The post Your AI Tools Are Now a Cybersecurity Risk first appeared on Magnetar IT.

If your team uses the internet (so, everyone), this one’s worth paying attention to.

What Is a ClickFix Attack?

ClickFix is a social engineering technique that’s been gaining traction since late 2025, and in March 2026, Microsoft and multiple security researchers have linked it to active ransomware campaigns targeting businesses.

Here’s how it works in practice:

1. An employee visits a website, either through a phishing email, a malicious advert, or even a compromised legitimate site
2. A pop-up appears that looks like a CAPTCHA verification, a browser error, or a software update prompt
3. The pop-up instructs the user to “verify they’re human” or “fix an error” by pressing a specific key combination and pasting text
4. What they’re actually pasting is a hidden command that downloads and runs malware on their machine

The clever part? The malicious command is copied to the clipboard automatically. The employee just has to follow the on-screen instructions and paste it. They think they’re completing a routine verification. In reality, they’ve just handed their machine over to an attacker.

Why This Attack Is So Effective

Traditional phishing relies on getting someone to click a dodgy link or open a suspicious attachment. Most employees have been trained to watch for those red flags. ClickFix sidesteps all of that.

It exploits trust in familiar interfaces. Everyone has clicked through a CAPTCHA before. Everyone has seen a “your browser needs updating” message. These prompts feel normal, which is exactly what makes them dangerous.

It bypasses technical defences. Because the user is manually executing the command, your email security gateway never sees it. Your antivirus does not flag it at the point of entry.

It does not require a sophisticated attacker. The ClickFix technique has been packaged and shared across criminal forums. Ransomware affiliates are adopting it because it works and because it is simple to deploy at scale.

Real Attacks Happening Right Now

This is not theoretical. In the first week of March 2026, security firm MalBeacon published research showing that a ransomware group called Velvet Tempest used ClickFix as their primary method of gaining access to a large organisation. They have been behind attacks using Ryuk, REvil, Conti, BlackCat, and LockBit. Now they are using ClickFix with fake CAPTCHA pages to deploy the Termite ransomware.

The attack played out over 12 days: Day 1, an employee encounters a malicious advert leading to a ClickFix page and pastes a command that downloads malware. Days 2 to 5, attackers quietly explore the network, map Active Directory, and harvest saved passwords from Chrome. Days 6 to 12, additional malware is deployed including the CastleRAT backdoor for persistent remote access.

Why UK SMBs Should Care

You might be thinking, “We are a 30-person construction firm in Birmingham, not a Fortune 500 company.” That is exactly why you should pay attention. Ransomware groups increasingly target small and medium-sized businesses because SMBs are less likely to have dedicated security teams, ransom amounts are calibrated to what the business can afford (often 10,000 to 50,000 pounds), SMBs often have weaker backup strategies, and supply chain access matters.

For manufacturing, construction, and engineering firms in the Midlands, the operational impact goes beyond data loss. If your project management systems, CAD files, invoicing, or site communications go down, work stops. Every day of downtime costs real money.

How to Protect Your Business

Train Your Team (But Make It Specific)

Generic “don’t click suspicious links” training is not enough anymore. Your employees need to know:

• Legitimate websites will never ask you to open the Run dialog (Windows key + R) or a terminal
• No real CAPTCHA requires you to paste anything into your computer
• If a website asks you to run a command to “verify” or “fix” something, close the tab immediately
• Browser updates happen automatically. Any pop-up telling you to manually update is almost certainly fake

Restrict PowerShell and Command Line Access

Most office workers never need PowerShell or the command prompt. Consider restricting PowerShell execution policies, blocking cmd.exe and PowerShell for standard users, using application whitelisting, and disabling the Windows Run dialog for non-admin users via Group Policy.

Implement DNS Filtering

ClickFix attacks rely on redirecting victims to malicious domains. DNS filtering services can block known malicious domains before the connection is even made, catching a significant portion of ClickFix infrastructure before the fake CAPTCHA page ever loads.

Keep Endpoint Detection Updated

Modern EDR tools can identify the suspicious command chains that ClickFix attacks use. If you are still relying solely on traditional antivirus, it is time to upgrade. EDR solutions provide the behavioural analysis needed to catch attacks that signature-based tools miss.

Lock Down Browser Extensions and Ads

Many ClickFix attacks begin with malicious advertisements. Use an ad blocker across company devices, restrict browser extension installation to approved extensions only, and configure browsers to block pop-ups from unknown sites.

Implement Proper Backup and Recovery

Even with all the right defences, no security is 100% effective. Follow the 3-2-1 rule (three copies of data, two different media types, one stored offsite). Test your backups regularly. Keep at least one backup offline or air-gapped. Know your recovery time.

The Bigger Picture: Social Engineering Is Evolving

ClickFix is part of a broader trend. Attackers are moving away from purely technical exploits and towards social engineering methods that trick humans into doing the technical work for them. Microsoft’s latest threat intelligence report (6 March 2026) highlighted that threat actors are now using AI to generate more convincing phishing lures and scale their social engineering campaigns.

The takeaway? Technical defences matter, but human awareness is your most important security layer. Firewalls do not help when an employee willingly pastes a command into their own machine.

What to Do This Week

1. Brief your team on ClickFix attacks. Even a two-minute explanation helps
2. Check your PowerShell policies. Are standard users restricted from running scripts?
3. Review your DNS filtering. If you do not have any, get it set up
4. Verify your backups. When was the last test restore?
5. Talk to your IT provider about endpoint detection capabilities

Need Help Locking This Down?

At Magnetar IT, we help businesses across the Midlands, from manufacturing firms in Coventry to construction companies in Birmingham, build IT environments that can withstand modern threats. With over 10 years of experience and a 98% client satisfaction rate, we combine proactive security with responsive support (89% of issues resolved within one hour).

Whether you need a full security review, endpoint protection upgrades, or just want to know where you stand, get in touch for a no-obligation chat.

The post ClickFix Attacks – The Fake CAPTCHA Trick Installing Ransomware first appeared on Magnetar IT.

It sounds like a spy thriller, but it is happening right now, to real businesses, across 40 countries. And if you are a UK SMB hiring remote IT contractors, you need to pay attention.

What Is Actually Going On?

This month, researchers from IBM X-Force and Flare Research published a report that maps out, in detail, how North Korea operates an army of approximately 100,000 fake IT workers. These are not hackers trying to break into your systems from outside. They are people who apply for legitimate IT jobs, get hired, and then quietly siphon data and money back to Pyongyang.

The numbers are staggering. According to the US Government, these workers can earn over $300,000 per year each, generating roughly $500 million annually for the North Korean regime. They are spread across 40 countries, working as remote developers, system administrators, and IT support staff.

That is not a niche problem. That is an industrial-scale operation.

How the Scam Works

The operation is surprisingly well-organised, with clear roles and a structured hierarchy that mirrors a legitimate recruitment business.

The Recruitment Pipeline

• Recruiters screen potential IT workers and record interviews, much like a normal hiring process
• Facilitators review candidates and decide who gets placed, acting as hiring managers
• IT Workers are the operatives, typically skilled in full-stack web development, .NET, and WordPress
• Western Collaborators provide their real identities for the workers to use, sometimes knowingly, sometimes not

Many candidates may not even realise who they are really working for. Recruiters tell them they are joining an “early-stage stealth startup” with no public information. They are given a US or UK-based identity to use, complete with fabricated credentials and work history.

How They Get Hired

The fake workers target freelancing platforms like Upwork, LinkedIn, and Freelancer. Researchers found timesheets detailing how many “bids” workers made on freelancing sites each day and how many messages they sent on professional platforms.

They use counterfeit accounts or verified profiles linked to real people. Their applications look legitimate because they are crafted using professional templates and translated through Google Translate.

Once hired in a full-time role, these workers are often highly productive. Why? Because multiple people may be collaborating behind the scenes to do the work. The goal is to perform well, earn promotions, and gradually gain more privileged access to company IT systems.

Why UK SMBs Should Care

You might think this only affects large enterprises or American tech companies. It does not.

UK SMBs are increasingly turning to remote contractors for IT work. It makes sense: you get specialist skills without the overhead of a full-time hire. But this trend also makes smaller businesses a prime target.

Here is why SMBs are particularly vulnerable:

• Smaller HR teams with less capacity for thorough background checks
• Tighter budgets that make affordable remote contractors attractive
• Less sophisticated identity verification processes
• IT contractors often get broad access to systems, networks, and sensitive data
• Manufacturing, construction, and engineering firms may not consider themselves cybersecurity targets, making them less vigilant

If you run a manufacturing company in the Midlands and you hire a remote developer to build an internal tool, that person could potentially access your production systems, customer data, financial records, and intellectual property.

The Real-World Damage

This is not just about money being funnelled to North Korea. A fraudulent IT worker inside your business can:

• Steal customer data and intellectual property
• Install backdoors for future attacks
• Exfiltrate financial information
• Deploy ransomware (North Korea’s Lazarus Group is already targeting UK organisations with Medusa ransomware)
• Use their access to pivot into more sensitive systems over time

The Stryker cyberattack this month, where Iran-linked attackers used Microsoft Intune to remotely wipe employee devices, shows what happens when hostile actors get inside your management tools. A fake IT worker with admin access could do the same thing.

How to Spot a Fake IT Worker

The IBM/Flare report identifies several red flags that businesses should watch for during the hiring process.

During Video Interviews

• Fake or blurred backgrounds that seem inconsistent with where they claim to live
• Signs of AI face-changing or deepfake technology (unnatural facial movements, lighting inconsistencies)
• AI voice changers (slight robotic quality, delays between question and answer)
• Reluctance to turn on the camera or meet in person
• Discrepancies between their CV and what they say in conversation, especially around location and language skills

During the Hiring Process

• Employment history that does not quite check out when you contact references
• Portfolio work that seems inconsistent in quality (suggesting multiple people contributed)
• Unusually low rates for highly skilled work
• Profiles on freelancing platforms with very recent creation dates but extensive claimed experience
• Multiple accounts or profiles that share similar photos or details

After Hiring

• Unusual working hours that do not match their claimed timezone
• Use of VPN connections from unexpected locations
• Requests for unnecessary access to systems or data
• Reluctance to participate in team video calls or company events
• Performance that varies dramatically (because different people may be doing the work at different times)

7 Steps to Protect Your Business

You do not need to stop hiring remote workers. But you do need to be smarter about it. Here are practical steps every UK SMB should take.

1. Verify Identity Properly

Do not rely on a CV and a video call. Use identity verification services that check government-issued ID. For UK-based contractors, verify their right to work. For international hires, use platforms that include identity verification as part of the process.

2. Conduct Thorough Video Interviews

Insist on camera-on interviews. Ask candidates to show their physical workspace. Ask spontaneous questions that require real-time thinking rather than scripted answers. Watch for signs of deepfake technology or AI voice manipulation.

3. Check References Independently

Do not just call the number on the CV. Look up the company independently and call their main line. Verify that the reference person actually works there. Cross-reference LinkedIn profiles with company websites.

4. Apply the Principle of Least Privilege

Give every contractor the minimum access they need to do their job, and nothing more. This limits the damage if someone turns out to be fraudulent. Review access permissions regularly and revoke anything that is no longer needed.

5. Monitor Access and Behaviour

Use endpoint management tools to monitor what devices are connecting to your network. Log access to sensitive systems. Set up alerts for unusual activity, like data downloads outside normal hours or connections from unexpected locations.

6. Use Managed IT Support

One of the best ways to reduce risk is to work with a trusted, local IT support provider rather than hiring unknown remote contractors. A managed service provider gives you vetted professionals, proper security controls, and accountability. You know exactly who has access to your systems.

7. Train Your Team

Make sure anyone involved in hiring IT staff, whether that is HR, department managers, or directors, knows about this threat. The warning signs are not obvious unless you know what to look for.

The Bigger Picture

This is not just a North Korea problem. The techniques being used, fake identities, AI deepfakes, stolen credentials, will inevitably be adopted by other threat actors. Criminal groups, corporate espionage operations, and other state-sponsored programmes are all watching how this plays out.

The shift to remote work has created enormous opportunities for businesses. But it has also created new attack surfaces that did not exist five years ago. Your hiring process is now part of your cybersecurity strategy, whether you like it or not.

What to Do Next

If you are hiring remote IT contractors, review your vetting process this week. If you are not sure whether your current setup is secure, that is exactly the kind of thing a good IT partner can help with.

At Magnetar IT, we help businesses across the Midlands build secure IT operations without the guesswork. From endpoint management and access controls to vetting and monitoring, we handle the security so you can focus on running your business.

89% of our support tickets are resolved within an hour, and we have over 10 years of experience keeping SMBs safe.

Get in touch for a free consultation and let us make sure your hiring process is not your weakest link.

The post Fake IT Workers: The Cyber Threat Hiding in Your Hiring Process first appeared on Magnetar IT.

That might make for good television, but it rarely leads to good business outcomes.

In our experience working with organisations on their IT systems, infrastructure, and technology strategy, negotiation is something quite different. It is not about squeezing suppliers. It is about finding the right solution to the problem in front of us.

And that process requires careful listening, clear thinking, and sometimes a little creativity.

IT Projects Are Rarely Simple Purchases

Very few IT decisions are straightforward.

A business might need to modernise its infrastructure, strengthen cybersecurity, migrate systems to the cloud, or replace ageing hardware. But every organisation operates differently, and every environment comes with its own constraints.

When we support our clients, we often find that the discussion involves balancing several factors at once:

• Budget and investment priorities

• Security and compliance requirements

• Operational impact on staff and customers

• Scalability for future growth

• Risk management

These are not decisions that can be solved by simply comparing price lists.

They require discussion, exploration and — importantly — good negotiation between all parties involved.

Listening Comes Before Our Solutions

One of the most important parts of our work happens before any solution is proposed.

We listen.

Understanding what a client actually needs, what challenges they are facing, and what their long-term goals look like is essential. Without that understanding, any technical solution is likely to miss the mark.

Often the first problem presented is only part of the story.

Through discussion and questioning, we can help uncover the real issues and identify options that may not have been obvious at the outset.

That process is, in many ways, negotiation in its most constructive form.

Negotiating With Suppliers on Behalf of Our Clients

Another key part of our role is working with technology vendors, software providers and service partners.

Our clients rely on us to navigate these discussions and secure outcomes that support their business objectives.

That means negotiating not just on price, but on:

• service levels

• implementation timelines

• licensing structures

• support arrangements

• flexibility for future changes

By understanding both the technical landscape and our clients’ priorities, we are able to negotiate solutions that work in practice, not just on paper.

Better Conversations Lead to Better Technology Decisions

Technology investments often last for years.

A poorly aligned decision today can create operational problems long into the future. That is why constructive negotiation is such an important part of our work.

It allows everyone involved — the client, the technology providers and our own team — to explore the options properly and arrive at a solution that genuinely supports the business.

This collaborative approach almost always leads to stronger results than a simple price-driven conversation.

Why Negotiation Is a Skill Worth Developing

Negotiation is not something that only happens in procurement departments.

It happens whenever businesses make important decisions with partners, suppliers, or customers.

The organisations that tend to achieve the best outcomes are those that invest in developing these skills across their teams.

That is one of the reasons we take an interest in initiatives that promote negotiation as a problem-solving skill rather than a bargaining tactic.

For example, organisations such as The Negotiation Club focus on helping professionals develop negotiation capability through practice and real-world exercises rather than theory alone.

You can learn more about their approach here:

• https://www.thenegotiationclubs.com/

Supporting Our Clients Through Better Negotiation

At the end of the day, our role is to help our clients make the right technology decisions.

That often means asking the right questions, exploring the right options, and negotiating with the right partners to ensure the final outcome genuinely supports the business.

If you are considering changes to your IT infrastructure, cloud strategy, or technology environment, we would be very happy to discuss your situation and explore the options available.

A good conversation is often the first step towards a better solution.

The post Why Negotiation Skills Matter in IT… And Why They Matter to Our Clients first appeared on Magnetar IT.