Push Notification Spam
The mass delivery of unsolicited browser or app push notifications to trick users into clicking malicious links or approving fraudulent actions.
Also known as: browser push spam, notification spam, MFA push spam
Last reviewed: 1 June 2026
Push notification spam has two distinct fraud contexts. In social engineering, it refers to the MFA fatigue technique of bombarding a target with authentication push prompts to coerce approval. In the broader consumer fraud context, it refers to malicious or deceptive websites that request browser push notification permissions and, once granted, continually send alarming or enticing notifications designed to drive clicks to scam pages, fake virus warnings, or phishing sites.
Deceptive sites obtain notification permission through dark patterns — such as labelling the permission prompt 'Click Allow to confirm you are not a robot' or 'Click Allow to continue.' Once permission is granted, the browser will continue displaying notifications even when the user is not on the malicious site, making it appear as if warnings are coming from the operating system or a trusted application.
Users who have inadvertently subscribed to malicious push notifications should revoke site notification permissions in their browser settings. Organisations should educate users to decline notification requests from unfamiliar sites and to recognise push prompts as a potential social engineering vector.
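To support the revocation step above, this added example (not part of the original entry) lists the sites that hold an "allow" notification permission in a Chromium-style profile, so they can be reviewed and revoked. The Preferences layout and setting codes are assumptions to check against your browser version, and the sample data and the `trusted` allowlist are constructed for illustration.

```python
import json
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

# Constructed sample of a Chromium "Preferences" fragment (not real data).
# Assumed layout: profile.content_settings.exceptions.notifications maps
# "<origin>,*" to {"setting": 1 (allow) or 2 (block), "last_modified": "..."}.
SAMPLE_PREFS = json.dumps({"profile": {"content_settings": {"exceptions": {
    "notifications": {
        "https://stream.example.invalid:443,*":
            {"setting": 1, "last_modified": "13350000000000000"},
        "https://mail.example.com:443,*":
            {"setting": 1, "last_modified": "13340000000000000"},
        "https://ads.example.net:443,*":
            {"setting": 2, "last_modified": "13345000000000000"},
    }}}}})

ALLOW = 1
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def webkit_to_datetime(value):
    """Convert microseconds since 1601-01-01 UTC; None if missing or malformed."""
    try:
        return WEBKIT_EPOCH + timedelta(microseconds=int(value))
    except (TypeError, ValueError, OverflowError):
        return None

def allowed_notification_origins(prefs_text, trusted=()):
    """Return sorted (origin, granted_at) pairs for allowed, non-trusted hosts."""
    prefs = json.loads(prefs_text)
    entries = (prefs.get("profile", {}).get("content_settings", {})
                    .get("exceptions", {}).get("notifications", {}))
    findings = []
    for pattern, meta in entries.items():
        if not isinstance(meta, dict) or meta.get("setting") != ALLOW:
            continue  # blocked, "ask", or unexpected entries are not a concern
        origin = pattern.split(",", 1)[0]
        if urlsplit(origin).hostname in trusted:
            continue  # hypothetical allowlist of sites the user really wants
        findings.append((origin, webkit_to_datetime(meta.get("last_modified"))))
    return sorted(findings, key=lambda f: f[0])

if __name__ == "__main__":
    for origin, granted in allowed_notification_origins(
            SAMPLE_PREFS, trusted={"mail.example.com"}):
        print(f"review and revoke: {origin} (granted {granted})")
```

Run it against a copy of the profile's Preferences file rather than the live file while the browser is open.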
Examples
- A user visits a pirated streaming site that asks them to 'Allow' notifications to watch content; for months afterwards, their browser displays alarming pop-ups claiming their device is infected.