Skip to content
SupportedSecurityLast updated: July 10, 2026

Fake antivirus / scareware

Fake antivirus software, sometimes called scareware, tricks users into installing malicious or useless programs by displaying alarming but fabricated warnings about nonexistent infections, then charges for a fake fix or installs actual malware, a scam that peaked in the late 2000s and continues in updated forms today.

What we know

Fake antivirus scams, also called scareware, present a user with an alarming pop-up or full-screen warning claiming their computer is infected with numerous viruses, often displaying a fabricated scanning animation and a long fake list of detected threats, designed to create panic and urgency. The warning prompts the user to download and install a program to remove the supposed infections, but the downloaded software is either entirely fake, performing no real scanning or removal function while displaying more alarming messages until the user pays a licensing fee, or it is itself genuine malware that compromises the system once installed.

This scam pattern was especially widespread in the late 2000s and early 2010s, when security researchers and companies including Symantec documented large criminal operations distributing fake antivirus products through malicious advertising, compromised legitimate websites, and search engine manipulation. A 2011 study by researchers at UC Santa Barbara, Georgia Tech, and other institutions, examining the fake antivirus ecosystem, estimated that these operations generated substantial illicit revenue, with some individual campaigns reportedly earning scammers hundreds of thousands to millions of dollars before being shut down.

Modern variants of this scam have evolved alongside browser and operating system security improvements but retain the same core deception. Fake alerts today often mimic the visual style of legitimate operating system warnings, such as a fraudulent Windows Defender or Apple security alert, and are frequently delivered through malicious advertisements on otherwise legitimate websites, a distribution method known as malvertising, or through compromised websites that redirect visitors to a scareware page.

Some fake antivirus scams function as an entry point into the broader tech support scam ecosystem, where the fabricated infection warning includes a phone number connecting the victim to a live scammer posing as a technician who then requests remote computer access and payment for a supposed fix, blending the scareware pop-up with a live social engineering component.

Browser makers including Google and Microsoft have implemented technical countermeasures over the years, including Google Safe Browsing warnings that flag known scareware distribution sites before a user can load them, and improved pop-up blocking that limits a malicious page's ability to lock the browser in a way that pressures the user to act quickly. These measures have reduced but not eliminated the prevalence of fake antivirus scams, since new distribution domains and slightly modified techniques continue to appear faster than blocklists can be updated in every case.

Consumer protection guidance from the FTC and cybersecurity researchers recommends closing suspicious security warning pop-ups using the task manager or force-quitting the browser rather than clicking any button within the warning itself, verifying antivirus software status only through a device's actual pre-installed security settings, downloading antivirus software only from a well known vendor's official website rather than a link in a warning message, and never granting remote computer access to anyone contacted through a pop-up warning.

Common claims

  • Pop-up warnings saying your PC is infected are legitimate urgent alertsFalse. Legitimate antivirus software does not display browser pop-ups demanding immediate payment.
  • Paying for the software the warning recommends will fix the infectionFalse. The software is either useless or itself malicious.
  • Scareware is a minor nuisance, not a serious crimeFalse. It constitutes wire fraud and has resulted in federal prison sentences.