Norton UK Blog

« Back to Norton Blog

What Is Clickjacking?

by brian cody

You’ve heard of carjacking, and may recall Nicolas Cage’s performance in Con Air—an action-packed thriller about dangerous prisoners hijacking a plane. Now it’s time to familiarize yourself with Clickjacking, an Internet scam that’s out to steal your clicks.


Clickjacking occurs when a scammer crates a layered web interface and steals clicks on the fake site to use on a real one. Users stumble upon these illegitimate layers, assuming that when they fill out a field, click on a link, or type in their passwords they’re gaining access to what they see in front of them.

Instead, the scammer has deceived you. Your click has been ‘jacked’ and used to confirm another action on a different site; your keystroke has also been ‘jacked’ to obtain your password and login to accounts without your knowledge. The applications for this type of fraudulent activity are endless.

Most of the time, these stolen clicks or keystrokes are routed to pages owned by another application or domain. The ruse is right in front of you, and you have no idea it’s even happening.


How Do I Spot a Clickjacking Scam?

In order for the scheme to work, the spammer usually has to incentivize the user to take action. To engage the user, spammers will often make outrageous offers on popular electronics, free gift cards, and so on. If it seems too good to be true, it probably is, and you should avoid any interaction with that site.

In many cases, the HTTP that’s in front of a URL will be missing from a scam site. HTTP headers or Strict Transport Security (HSTS) help lock down communications between an organization’s website and the user. If you don’t see either of these on a websites header, you may want to exit the site.

Remember, a fake website can look almost identical to the real thing; most of the logos, colors, fonts, and images a scammer would need to recreate a convincing website are readily available on the web. Just because it looks authentic, doesn’t mean it’s the real deal. When in doubt, shut it out.


How to Avoid Clickjacking Scams

The best way to stay safe from Clickjacking scams is to avoid them altogether. Keep you web browsers updated with the newest versions available. Newer versions will warn you of suspicious websites.

Also, keep your home computer security updated with reliable software to ensure your personal data doesn’t become compromised.

Always log out of websites you commonly use like email, financial institutions, Facebook, and Amazon. Scammers know that most people don’t regularly log out of these websites and use this to their advantage when building scams. If you leave these accounts open, scammers can Like things on your Facebook page and even make online purchases in your name.

Businesses should also take steps to protect themselves, and their users from Clickjacking scams. The easiest way to do this is to use X-Frame-Options—the HTTP header that decides if a browser has permission to render a page in a <frame>, <iframe>, or <object>. This ensures that the organization’s content is not embedded into a scammer’s fake site.

All users should be vigilant about their online safety and avoid any situation online that doesn’t look or feel authentic. The more everyone practices safe online behaviors, the more secure everyone will become in an online community.

Finally, if you see something that looks suspicious, reach out to the organization and tell someone where and what you saw. You can help protect other online users by reporting Clickjacking to the appropriate authorities.

This entry was posted on Wed May 11, 2016 filed under online safety , online security and online threats

Stealing your identity can be easy. Good thing calling us is too.

Help with identity theft starts here. Trusted by millions of customers around the globe. Get Antivirus, Online Privacy, and in case of identity theft, Identity restoration support.

Get our award winning Norton protection

PC Mag:

A trademark of Ziff Davis, LLC. Used under license. Reprinted with permission. © 2022 Ziff Davis, LLC. All Rights Reserved

No one can prevent all cybercrime or identity theft.

The Norton brand is part of NortonLifeLock Inc.

Copyright © 2023 NortonLifeLock Inc. All rights reserved. NortonLifeLock, the NortonLifeLock Logo, the Checkmark Logo, Norton, LifeLock, and the LockMan Logo are trademarks or registered trademarks of NortonLifeLock Inc. or its affiliates in the United States and other countries. Firefox is a trademark of Mozilla Foundation. Android, Google Chrome, Google Play and the Google Play logo are trademarks of Google, LLC. Mac, iPhone, iPad, Apple and the Apple logo are trademarks of Apple Inc., registered in the U.S. and other countries. App Store is a service mark of Apple Inc. Alexa and all related logos are trademarks of, Inc. or its affiliates. Microsoft and the Window logo are trademarks of Microsoft Corporation in the U.S. and other countries. The Android robot is reproduced or modified from work created and shared by Google and used according to terms described in the Creative Commons 3.0 Attribution License. Other names may be trademarks of their respective owners.


Follow us for all the latest news, tips and updates.