How do I spot a fake computer virus warning email?
Fake virus warning emails claim malware was detected on your device and offer a one-click removal link — real antivirus software never notifies you by email asking you to click an external link to clean your device.
Last reviewed: 10 June 2026
Explanation
Email-based virus warning phishing uses fear of malware to prompt hasty action. The email claims to be from your antivirus provider, Microsoft Defender, or 'your internet service provider' and states that a virus, spyware, or hacker access was detected on your device. You are directed to click a link to run a scan, remove the threat, or call a support number.
The link leads to one of two outcomes: a credential-harvesting page disguised as a security scan, or a malicious download that installs the actual malware the email claimed to be warning you about. The support number routes to a tech-support scam operation.
Real antivirus software like Windows Defender, Malwarebytes, Norton, or Bitdefender alerts you through its own application interface — a notification in the system tray or an in-app alert when you open the software. It does not send you an email asking you to click a link to remove a detected threat.
Your internet service provider does not monitor your device for viruses and does not send you detection alerts. If your ISP has reason to contact you (e.g. your IP address is sending spam from a botnet), they contact you through your account portal, not by an email with a one-click fix link.
Common red flags
- Email claims malware was detected and offers a one-click removal link
- Sender purports to be an antivirus brand but the email address domain does not match
- Link goes to a site unrelated to the named antivirus provider
- Support phone number provided in the email
- Claims your ISP detected suspicious activity on your device
- Urgent language about immediate data loss or account compromise
What to do now
- Do not click any link in the email
- Open your antivirus software directly from your system tray to run a real scan
- Report the phishing email to the brand being impersonated and to your email provider
- Delete the email
- If you clicked the link, run a full antivirus scan and check for newly installed programmes
Frequently asked questions
Can opening the email itself infect my device?
Reading a plain text or HTML email is not enough to install malware. The risk comes from clicking links or downloading attachments.
My real antivirus found a threat — how does it actually notify me?
Genuine antivirus notifications appear as a pop-up or system tray alert from the installed application, or as a banner within the antivirus app when you open it. They do not arrive by email.
What if my ISP sends a legitimate security notice?
Your ISP may send genuine emails about your account, but they will direct you to your account portal using a link matching their official domain — not to a third-party scan tool or phone number.