Fake Antivirus Scams
Bogus 'your device is infected' warnings pushing paid 'security' software or support fees.
Last reviewed: 1 June 2026
What this scam is
Fake antivirus scams — also called scareware — display alarming pop-up warnings claiming your device is infected with viruses, spyware, or malware. The goal is to panic you into taking an action that benefits the scammer: buying useless or outright malicious 'security' software, calling a fake support line, or granting remote access to your device.
These warnings mimic the look of legitimate operating-system alerts, complete with realistic-looking progress bars, scan animations, inflated threat counts, and official-sounding product names. Some go further, locking the browser window so that normal ways of closing it appear to be disabled. The scam can arrive through malicious online advertisements, free software bundled with hidden extras, or by visiting a compromised website.
The software being sold — if you pay for it — either does nothing at all or is itself malware. A variant skips the software purchase entirely: instead you're directed to call a phone number where a 'technician' will helpfully walk you through allowing them remote control of your device to 'remove' infections that never existed.
Scareware has been a persistent threat for many years precisely because urgency and fear are powerful motivators. When something looks like an official warning from your own computer, the instinct to act immediately is hard to override. Understanding that no website has the ability to scan your device is the single most important fact to remember when encountering these warnings.
How it works
The scam typically begins when you encounter a malicious advertisement or visit a website that has been compromised. A pop-up fills or blocks your screen, often accompanied by alarm sounds and an automated voice reading out a warning. A fake 'scan' animation runs and reports finding multiple threats, creating a sense that the danger is real and immediate. A countdown timer may appear, suggesting you have only seconds to act before your data is permanently lost.
At this point you are presented with one or more options: buy a security product with a credit card, call a phone number to speak with 'support', or download a 'removal tool'. Each path serves the scammer in a different way.
If you purchase the software, you may receive something that installs but does nothing, a product that makes your device worse, or simply lose your money with nothing delivered at all. Your card details are also now in the scammer's hands.
If you call the number, you reach someone claiming to be a technician. They will ask you to install remote-access software so they can 'fix' the problem. Once connected, they can read your saved passwords, access online banking, install genuine malware, or demand payment to 'remove' the infections they claim to have found.
If you download the tool, you are installing malware directly. This may operate silently in the background, harvesting credentials and financial data over time.
Some scareware variants use browser full-screen mode to simulate a system-level lockout, making it feel as though your computer — not just a browser window — has been compromised.
Why this scam works
Scareware exploits two powerful psychological forces: fear and urgency. An unexpected warning that your device is compromised triggers an immediate threat response — you want to fix the problem before it gets worse. The countdown timer and alarm sounds amplify this by creating artificial time pressure that discourages calm, rational evaluation.
The design of the warning borrows legitimacy from the visual language of genuine operating-system notifications, making it difficult for someone who doesn't know what a real alert looks like to identify the fake. Many people also hold an implicit assumption that 'my computer told me this, so it must be true' — scareware is designed to impersonate the computer itself.
Finally, the call-to-action is presented as a solution rather than a threat. You're being offered help, and the cost of inaction (losing your data, being hacked) appears much worse than the cost of compliance (paying for software or calling a number).
A typical pattern
A person browsing a free streaming or download site encounters a pop-up that fills the screen with a warning claiming multiple viruses have been detected. The page plays an alarm sound and shows a 'scan' animation. A timer counts down from 60 seconds. The person, alarmed, calls the phone number displayed. A caller posing as a technician asks them to install a remote-access tool. Once connected, the caller navigates to a command prompt and shows the person normal-looking system logs, claiming these are proof of infection. The caller requests payment for a 'clean-up service'. After payment, the caller disconnects. The person later discovers their banking app was accessed during the session.
Common red flags
- Sudden pop-up warning claiming your device is infected
- Fake scan animation with an inflated virus count
- A phone number to call for 'support'
- Pressure to buy security software immediately
- Countdown timer threatening data loss
- Warning that plays alarm sounds or a voice message
- Pop-up or page you cannot easily close
- Download button offering a 'free removal tool'
- Warning that mimics official Windows or macOS design
- Requests for card payment before you can proceed
Sanitized example messages
Illustrative, sanitized examples. Personal details are replaced with placeholders such as [phone number] and [fake link].
WARNING: 5 viruses detected! Call [phone number] now or your data will be permanently lost.
Your PC is infected with spyware. Purchase [software name] immediately to protect your files — EXPIRES IN 2:00.
MICROSOFT ALERT: Unusual activity detected on your device. Do not restart. Call [phone number] for support.
Security scan complete: 3 critical threats found. Download the removal tool at [fake link] to clean your device.
Your subscription to virus protection has expired. Renew now at [fake link] or your device will remain unprotected.
Action required: Your device is sending error reports to our servers. Call [phone number] to stop the attack.
Common variations
- Software purchase scareware — fake security product sold directly through the pop-up
- Phone-based tech support variant — pop-up pushes a call to a fake helpline
- Bundled installer scareware — arrives hidden in free software downloads
- Mobile scareware — fake 'your phone is infected' alerts on Android
- Subscription renewal scam — claims your existing antivirus has lapsed and payment is needed
- Browser-lock variant — full-screen page simulates a system-level lockout
How to verify before you act
The most reliable test is to remember that no website or advertisement can scan your computer. A pop-up claiming to have found viruses is always false — this is technically impossible from within a browser window.
If you are uncertain whether a security warning is real, close your browser entirely (using the taskbar or force-quit) rather than interacting with the pop-up. A real operating-system warning will remain; a scareware page will disappear.
To check your device's actual security status, open the security software you chose and installed yourself — not anything prompted by the warning. On Windows, you can use Windows Security (built in); on Mac, the system has its own malware protection.
If you want to verify whether a security product is legitimate, look it up on a reputable tech publication or consumer advice site before buying or installing it. Legitimate products do not distribute themselves through alarming pop-ups.
Payment methods used
- Credit or debit card
- Remote-access-enabled bank transfer
- Gift cards
Who is usually targeted
- General computer users
- Older adults
- Users on older or unfamiliar devices
What to do immediately
- Do not call the phone number or pay anything
- Close the browser — use force-quit if the window won't close normally
- Restart your computer; a genuine OS warning will reappear, a scam page will not
- Run a scan using security software you installed yourself, not anything the pop-up suggested
- If you already called a number and gave access, disconnect from the internet immediately
- If you paid, contact your bank or card issuer to dispute the charge
- If you installed anything from the pop-up, disconnect, run a security scan, and seek trusted help
How to prevent it
- Remember: no website can scan your device — any pop-up claiming otherwise is false
- Use a reputable ad blocker to reduce exposure to malicious advertisements
- Install software only from official sources; avoid bundled 'free' downloads
- Keep your browser and operating system updated so known vulnerabilities are patched
- Use the security tools built into your operating system or a product you chose yourself
- Practise closing alarming pop-ups without interacting with them
- Talk to family members — particularly older adults — about this scam before they encounter it
Evidence to preserve
- Screenshots of the pop-up warning
- Any phone number displayed
- Name of any software named or installed
- Payment confirmation and card statement
- Name of any remote-access tool you were asked to install
- Record of what the 'technician' did or said during any call
Where to report it
- Action Fraud (UK) — UK national fraud & cybercrime reporting centre
- FTC ReportFraud (US) — US Federal Trade Commission fraud reports
- FBI IC3 (US) — US Internet Crime Complaint Center
- Scamwatch (Australia) — Australian competition & consumer reporting
- Your bank's fraud line — Use the number on the back of your card or in your banking app — never a number the caller gives you
Always verify reporting routes and emergency contacts on the official government or agency website for your country.
Frequently asked questions
Can a website really detect viruses on my device?
No. A web page cannot scan your device. 'Infection' pop-ups with phone numbers and urgency are scareware designed to sell useless software or connect you to scammers.
I closed the pop-up — is my computer still at risk?
Closing the pop-up itself is safe. If you did not download anything or call the number, your device is very likely fine. Run a scan with your own security software for peace of mind.
I paid for the software — what should I do?
Contact your bank or card issuer immediately to dispute the payment. Uninstall anything that was installed. Change any passwords you entered while the pop-up was active or during any support call.
I called the number and let someone onto my computer — what now?
Disconnect from the internet straight away, contact your bank to check for unauthorised activity, uninstall the remote-access software, and change all important passwords from a separate, clean device.
Why does the pop-up look so much like a real Windows alert?
Scammers copy the visual design of legitimate security warnings to appear credible. The key difference is that a real OS alert does not appear inside a web browser window and does not include a phone number to call.
How do I stop these pop-ups from appearing?
Use a reputable ad blocker, avoid unofficial download sites, and keep your browser updated. If pop-ups keep appearing even when you're not browsing dodgy sites, run a security scan to check for adware.
Are these scams only on Windows?
No — scareware appears on Mac, Android, and iOS too, though the format varies. On mobile you may see fake 'your phone is infected' notifications from apps or browser pages. The advice is the same: close without interacting and do not call any number displayed.