Fake Software Update Scams
Bogus 'update required' prompts that install malware instead of genuine updates.
Last reviewed: 1 June 2026
What this scam is
Fake software update scams present malware as a necessary update for your browser, operating system, media player, security software, or other commonly used applications. The goal is to get you to download and run a file that installs malicious software — by framing the download as a helpful, even essential, action.
These scams are effective because software updates are genuinely important, and many users are accustomed to seeing update prompts and acting on them promptly. The fake prompt exploits this conditioned behaviour.
The fake update may deliver several types of malicious software: a keylogger that records your passwords, a remote-access trojan that allows the scammer to connect to your device, adware that injects advertising into websites you visit, ransomware that encrypts your files, or credential-stealing malware targeting banking and email accounts.
The malware is often distributed through malicious advertising networks that place these prompts on otherwise legitimate websites, making the context feel less suspicious.
How it works
The prompt appears while you are browsing, typically displayed as a pop-up or a banner that overlays the website you are visiting. It is styled to resemble the genuine update dialogue of the software it claims to update — using the right colours, icons, and language for Chrome, Firefox, Windows, or a media player.
The message creates urgency: your software is critically out of date, you are at risk of attack, or you will be unable to continue using the service without updating. A button labelled 'Update Now', 'Download', or 'Install' is prominently displayed.
Clicking the button initiates a file download — an executable (.exe on Windows, .dmg or .pkg on Mac) or a script. The filename looks plausible, such as 'ChromeSetup.exe' or 'FlashPlayerInstaller.pkg'. Running the file installs malware rather than any legitimate software.
In some cases the fake update prompt leads to a zip file containing a script that, when run, installs a remote-access trojan or downloads further malware in the background. The installation may even show a realistic-looking progress screen to complete the illusion.
Email-delivered variants attach a file described as a critical security update, or link to a download page.
Why this scam works
Software updates are a genuine cybersecurity best practice — users are repeatedly told to keep software current. A fake update prompt fits into this trained behaviour, making it feel like responsible rather than risky action.
The visual mimicry of legitimate update dialogues removes the visual cues that might otherwise signal danger. If the prompt looks exactly like the real Chrome update window, many users will not pause to wonder whether the website serving the prompt is authorised to do so.
The download-and-run action also feels familiar and low-stakes — most users have run installers many times without incident. The association between running a file and something going wrong is not as strong as the association between clicking a link and phishing.
A typical pattern
A person visits a free streaming site and sees a banner saying their media player is out of date and they must update to continue. The prompt uses familiar design elements. They click 'Update Now' and a file downloads. They run the file, which shows a short progress animation, then disappears. Over the following days, they notice their saved passwords being used to access accounts they had not logged into, and advertising pop-ups appearing on every website they visit. A security scan reveals a keylogger and adware installed via the file they ran.
Common red flags
- Update prompt appearing on a website rather than within the software itself
- Urgency and security scare language in the prompt
- Download button for an .exe, .dmg, .pkg, or .zip file from an unfamiliar domain
- Browser or software branding on a page that is not the official website
- Update prompt that appears even though your software was recently updated
- File named to resemble a genuine installer but downloaded from an unknown site
- Email attaching a file described as a critical update
Sanitized example messages
Illustrative, sanitized examples. Personal details are replaced with placeholders such as [phone number] and [fake link].
Your media player is outdated. Download the critical update now to keep watching: [fake link].
Critical Chrome update required. Your browser is at risk. Update now: [fake link].
Your Windows Defender needs an urgent update to protect against a new threat. Download here: [fake link].
Flash Player is out of date. Update required to continue playing media: [fake link].
Your antivirus has expired. Download the free update to restore protection: [fake link].
Security patch required. Install the attached update to protect your account.
Common variations
- Fake browser update — most commonly impersonates Chrome or Firefox
- Fake media player update — historically used Flash Player; now uses other players
- Fake Windows/macOS update — mimics operating system update prompts
- Fake antivirus update — impersonates the user's security software
- Email-delivered update — attachment or link presented as a critical patch
- Fake app update notification — mobile push notification directing to a sideloaded install
How to verify before you act
Legitimate software updates happen through the software itself, not through webpages. Chrome, Firefox, Windows, macOS, and virtually all mainstream applications have built-in update mechanisms accessible through the application's own menu.
To check whether an update is genuinely needed, open the application and find its built-in update option (Help > About, or a menu item labelled 'Check for updates'). This will show the current version and apply any real updates directly.
Never run a file downloaded from a pop-up. If you are uncertain whether a download is legitimate, search for the software by name on a reputable tech news site or security forum before running it.
For operating system updates, use the built-in update tool (Windows Update on Windows, Software Update on Mac) rather than any download prompted by a webpage.
Payment methods used
- Account and data theft via installed malware
- Ransomware extortion payment
Who is usually targeted
- General computer users
- People who regularly update their software and recognise the prompts
What to do immediately
- Do not run the downloaded file if you have not already
- Delete any file downloaded from a popup update prompt
- Update software legitimately through the app itself or the official website
- If you already ran the file, disconnect from the internet and run a full security scan
- Change passwords on important accounts from a clean device
- If ransomware is suspected, do not pay the ransom and seek specialist help
- Report the website to your browser's built-in abuse reporting tool
How to prevent it
- Update all software through the application's own built-in update feature or the official website
- Never download or run files prompted by a webpage pop-up
- Use an ad blocker to reduce exposure to malicious advertisements
- Enable automatic updates where available so you are always current
- Be sceptical of urgency in update prompts — genuine updates rarely threaten immediate consequences
- Check the URL of any download page carefully before downloading
- Avoid running executable files from email attachments
Evidence to preserve
- The URL of the page that displayed the update prompt
- The name of the file that was downloaded
- Screenshot of the update prompt
- Any email that prompted the download
Where to report it
- Action Fraud (UK) — UK national fraud & cybercrime reporting centre
- FTC ReportFraud (US) — US Federal Trade Commission fraud reports
- FBI IC3 (US) — US Internet Crime Complaint Center
- Scamwatch (Australia) — Australian competition & consumer reporting
- Your bank's fraud line — Use the number on the back of your card or in your banking app — never a number the caller gives you
Always verify reporting routes and emergency contacts on the official government or agency website for your country.
Frequently asked questions
How should I update software safely?
Use the software's built-in update feature or download from the official website. Be suspicious of any update prompt that appears on a web page or pushes you to download and run a file.
I ran a file from an update popup — how do I know if I'm infected?
Run a full security scan with reputable security software. Signs of infection can include slow performance, unfamiliar programs appearing, passwords stopping working, or unexpected pop-ups. Some malware operates invisibly, so a scan is advisable regardless.
Is it safe to update my browser from the browser's own menu?
Yes. Updating through the browser's own Help > About menu or built-in update function is safe and is the correct way to update. Only be suspicious of update prompts that appear on external websites.
Do legitimate websites ever prompt for software updates?
Some legitimate sites may suggest that your browser is outdated and recommend you update, but they do so by linking to the browser's official download page — not by providing a direct download from their own domain. If the update file comes from the website itself rather than the software's official source, treat it as suspect.
What happens if I accidentally downloaded but didn't run the file?
If you have not run the file, you are not yet infected. Delete the file from your downloads folder. Running it is what causes harm — merely downloading does not trigger infection in most cases.