Got a virus warning on your screen? Here's what it probably is.
ScamChecker.online · Last verified June 2026 · Active and growing · 5 min read
In a nutshell
Browser pop-ups, alarming scan results, and "your subscription expired" emails claiming your device is infected are almost always fake.
Real security software does not arrive via browser alerts, cold emails, or pop-up download links.
The threats shown in a fake "scan" are fabricated numbers - paying to remove them changes nothing because there is nothing to remove.
If you've already paid or installed something, follow the steps below.
Our verdict
This is a scam. The security threats displayed are not real. Paying to "activate" the removal software will not fix anything - the entire premise is false. The FTC has won judgments exceeding $160 million against operators running exactly this scheme. [3]
Does this sound familiar?
You're browsing normally when your screen fills with an alarming alert: your device is severely infected, your files are at risk, you must act now. Or you get an email warning that your security subscription has expired and your computer is vulnerable. Or a pop-up "scan" runs automatically and reports thousands of critical threats - along with a button to fix them immediately.
Below are reconstructed examples of the alerts and messages people see. Details vary but the pattern is consistent. (Illustrations, not real screenshots. Software names and details shown are fictional.)
⚠ SECURITY ALERT — scamchecker.online
🛡️
Your PC is Infected!
PCGuard Pro has detected critical threats. Your personal data and banking details are at risk.
5,247
THREATS DETECTED
Remove Threats Now — $29.99
Or call: +1 (555) 555-0192
Browser pop-ups appearing mid-session are the most common delivery. Real OS security never alerts you through a browser window.
⚠ Scan Complete — Critical Threats Found
Scan finished: 48,291 files checked
Viruses: 14
Trojans: 8
Spyware: 31
Adware: 22
System files: OK
Activate Full Protection — $39.99
A fake scanner that finishes in seconds and finds precise category-by-category counts. Real malware scanners take minutes and list specific file paths.
SecureGuard Alert
noreply@secureguard-alerts[.]net
⚠ Your Protection Has Expired — Act Now
Dear Customer,
⚠ Your device is no longer protected. Our systems detected 3 active threats on your computer since your subscription lapsed.
Your subscription expired 2 days ago. Renew now to remove detected threats and restore full protection before permanent damage occurs.
Email variants invent a lapsed subscription to create urgency. The sender domain is unrelated to any real security company.
The entry point changes - browser redirect, downloaded app, unsolicited email. The structure is always the same: alarming claim, fabricated evidence, urgent payment demand.
How it works
This scam runs in four phases. The first two are designed to feel like legitimate software - the real trap is in phase three. (Screens shown below are illustrations of how these interfaces typically appear.)
1. The alarming alert
A pop-up appears while you're browsing - triggered by a malicious ad, a compromised website, or a browser notification you once allowed. You don't need to download or click anything. The alert claims your device is severely infected and demands immediate action. Some pop-ups are impossible to close normally - they loop back when you try to dismiss them. When the pop-up also shows a phone number to call, it shifts into a live tech-support phone scam - a closely related but distinct scheme where a caller walks you through giving them remote access.
⚠ CRITICAL SECURITY ALERT
🔴
Immediate Action Required
Dangerous malware detected. Your banking, passwords and personal files are at risk. Do not shut down your computer.
Scan & Fix Now — Free
Or call toll-free: +1 (555) 555-0144
⚠ "Do not shut down your computer" is a pressure phrase designed to stop you thinking clearly.
2. The fake scan "finds" threats
Clicking "scan" - or downloading the suggested software - runs an interface that mimics a real security tool. It scans for a few seconds, then fills with alarming category-by-category results: viruses, trojans, spyware, adware. The numbers are invented. The scanner does not actually examine your files in any meaningful way. Its sole function is to present a frightening report that justifies the purchase on the next screen.
⚠ Scan Complete — Threats Found
Scanned 48,291 files in 8 seconds
Viruses: 14
Trojans: 8
Spyware: 31
Adware: 22
💡 Real scans take minutes, not seconds, and name specific files rather than category totals.
3. Pay to "activate" removal
The free scan found the threats - but removing them requires "activating" the full version. A payment page appears asking for $29-$99 for a one-year licence. The price often drops dramatically when you hesitate ("Special offer: 70% off today only"). Some victims are charged repeatedly through auto-renewing subscriptions they don't know how to cancel. The FTC's 2024 action against two Cyprus-based scareware companies - Restoro and Reimage - found victims paid up to $500 each for software that accomplished nothing. [1]
PCGuard Pro — Full Protection
⚡ 75% OFF TODAY ONLY
$29.99
per year (renews automatically)
Remove all 75 detected threats
Real-time protection
Unlimited devices
Activate & Remove Threats Now
🔒 Secure payment · 30-day guarantee
4. After payment: more demands or real malware
Payment doesn't end the scam - it begins a new phase. Some victims face further charges, subscription renewals they cannot cancel, or follow-up calls from "support" offering additional services. Worse, some fake antivirus products install real adware or spyware alongside the useless scanner - meaning a device that was clean before the download is now genuinely compromised. The FTC documented individual victims of one scheme losing $71 million in aggregate. [2]
Threats "removed" - but the scan finds the same ones again next week
Subscription auto-renews for $79.99 - cancellation support is unreachable
Adware or spyware quietly installed during setup monitors your activity
"Premium support" upsell call - $199 for one-time deep clean
Payment is the beginning - not the end.
Remember
Real OS security alerts appear as system notifications - never in a browser window.
Closing a browser tab is always safe - you can't get infected by dismissing a pop-up.
Legitimate security software is sold through official stores and vendor sites, not pop-ups.
Scans that finish in seconds and list round threat totals are always fake.
Red flags to catch it early
None of these alone is proof. Several together means stop.
Security warning inside a browser tab
Your operating system security runs separately from your browser. Any security alert appearing as a webpage or browser pop-up is fake, regardless of what logo it shows.
Scan finishes in seconds with category totals
A real security scan checks hundreds of thousands of files against known threat signatures - this takes several minutes. Fake scanners finish in seconds and show tidy category counts rather than specific file names.
Urgency language and do-not-close instructions
"Do not shut down your computer" and "your data is being stolen right now" are pressure phrases. They are designed to prevent you from pausing to think or check with someone else.
"WARNING: Closing this window will allow the virus to spread."
Phone number prominently displayed
When a "security alert" also shows a toll-free number to call, it is setting up a live call. Tech-support phone scams use the same pop-up entry point but shift to voice calls to extract remote access or larger payments.
Download link from a pop-up or unknown site
Real security software is distributed through official app stores (Microsoft Store, Mac App Store, Google Play) or directly from the vendor's own domain - not from a page that appeared uninvited while you were browsing.
Email claiming your subscription expired
Fake expiry emails invent a lapsed security subscription to create fear of being unprotected. They use the same urgency trigger as fake invoice and renewal scams - if you didn't knowingly buy the product, the expiry notice is fabricated.
"Your device is no longer protected - 3 threats detected since your subscription lapsed."
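A help desk triaging reported alerts can apply the checklist above mechanically. The sketch below is an added example, not code from ScamChecker.online: the regexes, channel labels, threshold of two and the .example domains are assumptions, and the sample texts are constructed from the illustrations on this page.

```python
import re

# Text patterns approximating the red flags listed above (assumed regexes).
TEXT_FLAGS = {
    "urgency_language": re.compile(
        r"act now|immediate action|do not shut down|closing this window|right now", re.I),
    "phone_number_shown": re.compile(r"call[^\n]{0,20}\+?\d[\d ()-]{8,}\d", re.I),
    "scan_done_in_seconds": re.compile(r"scanned [\d,]+ files in \d+ seconds", re.I),
    "category_totals_only": re.compile(
        r"^(viruses|trojans|spyware|adware)\W*\d+\s*$", re.I | re.M),
    "expired_subscription": re.compile(
        r"(subscription|protection)\s+(has\s+)?(expired|lapsed)", re.I),
}
THRESHOLD = 2  # assumed reading of "several together means stop"


def red_flags(text, channel, sender_domain=None, known_vendor_domains=()):
    """Return the sorted names of the red flags a reported alert matches."""
    hits = {name for name, rx in TEXT_FLAGS.items() if rx.search(text)}
    if channel == "browser":  # security warning shown inside a browser tab
        hits.add("alert_inside_browser")
    if channel == "email" and sender_domain not in known_vendor_domains:
        hits.add("sender_not_a_known_vendor")
    return sorted(hits)


def verdict(flags):
    """One flag alone is not proof; THRESHOLD or more means stop."""
    if len(flags) >= THRESHOLD:
        return "stop"
    return "not proof on its own" if flags else "no red flags seen"


# Constructed samples modelled on the illustrations on this page.
POPUP = ("CRITICAL SECURITY ALERT\nImmediate Action Required\n"
         "Do not shut down your computer.\nOr call toll-free: +1 (555) 555-0144")
FAKE_SCAN = "Scan Complete\nScanned 48,291 files in 8 seconds\nViruses 14\nTrojans 8"
EXPIRY_MAIL = ("Your Protection Has Expired - Act Now\n"
               "3 active threats detected since your subscription lapsed.")
VENDORS = ("vendor.example",)  # products the user actually bought (placeholder)

if __name__ == "__main__":
    for text, channel, sender in [(POPUP, "browser", None), (FAKE_SCAN, "app", None),
                                  (EXPIRY_MAIL, "email", "secureguard-alerts.example"),
                                  ("Your subscription has expired.", "email", "vendor.example")]:
        flags = red_flags(text, channel, sender, VENDORS)
        print(verdict(flags), flags)
```

The last sample shows why a single flag is not treated as proof: an expiry notice from a vendor the user really subscribes to matches only one pattern.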
What you do in the next few minutes matters. Steps differ depending on how far in you are.
1. If you haven't clicked or downloaded anything - close the browser tab
Press Ctrl+W (Windows) or Cmd+W (Mac) to close the tab. If it won't close, force-quit the browser entirely. You will not get a virus from seeing a pop-up. Do not call any number shown in the alert.
2. If you installed software - uninstall it and run a real scan
Remove the program through Control Panel / Apps & Features (Windows) or by dragging to Trash (Mac). Then run a scan using a well-known, independently reviewed security tool. Your device may or may not have real malware from the download - a legitimate scan will tell you.
3. If you paid - dispute the charge immediately
Contact your bank or card issuer and tell them the charge is fraudulent. Credit card chargebacks succeed in many of these cases. Act quickly - windows for disputes are typically 60–120 days. Also cancel any subscription the company may have set up.
4. If you gave someone remote access to your device - act now
This is the most serious outcome. Disconnect from the internet immediately. Change passwords for email, banking, and any accounts accessible from that device - from a different, clean device. Check for any software they may have installed while connected.
5. Report it
Even if you lost no money. Your report helps authorities identify patterns and disrupt operators. See the reporting section below for agencies by country.
6. Ignore anyone who later offers to "get your money back"
People who've lost money to scareware are quickly targeted by a follow-up money recovery scam - a second fraud charging an upfront fee to recover funds. No legitimate service or agency works that way.
Where to report it
For the full country guide - agencies, phone numbers, and what happens after you report - see how to report a scam by country.
Not sure where to report? Search "[your country] report online fraud" or "[your country] cybercrime report."
How big is this problem?
Scareware has existed for decades - the FTC's first major enforcement actions date to 2008 - but the playbook remains profitable because it reliably exploits genuine security anxiety, particularly among older users less familiar with how real security software behaves.
$26M
FTC settlement from Restoro and Reimage (2024) - two companies that charged victims up to $500 each for fake "repair services" [1]
$163M
Judgment against a scareware operator in a landmark FTC case, confirmed on appeal - one of the largest in enforcement history [3]
1M+
Consumers deceived in a single scareware scheme documented by the FTC, with $71 million in actual losses [2]
5x
More likely: adults over 60 are five times more likely than younger people to lose money to tech support and fake security scams [4]
The FTC's repeated enforcement actions against scareware companies demonstrate both the scale of harm and the difficulty of stopping it - operators frequently restart under new names and domains after settlements. The 2024 Restoro/Reimage settlement required not just payment but a permanent ban on selling computer repair services and a prohibition on misrepresenting product capabilities. [1]
A distinct but related category is the fake subscription renewal email - a message claiming your security product has lapsed, sent by a company you never had an account with. This variant relies on the same anxiety trigger but typically does not involve downloading anything: the goal is to get a phone call or a payment for a product that was never purchased. The mechanics closely mirror fake invoice and renewal scams more broadly.
Frequently asked questions
Is that virus warning in my browser real?
Almost certainly not. Real operating system security alerts appear as system notifications, not inside a browser tab or pop-up window. If a browser page claims your device is infected and urges you to call a number or download something, that is scareware. Close the browser tab and do not interact with it.
I already paid to clean my device - what do I do?
Contact your bank or card issuer immediately to dispute the charge as fraud. If you also installed the software, run a scan with a legitimate security tool to check for any real malware that may have been added. Change any passwords you entered while the software was active on your device.
I installed the software - is my device now infected?
Possibly. Some fake antivirus products install adware or spyware alongside the useless scanner. Uninstall the program through your device's normal process, then run a scan with a reputable security tool. Do not pay any fee the fake software requests to remove what it claims to have found.
How is fake antivirus different from real security software?
Real security software is sold through official app stores, the vendor's own website, or bundled with a new device. It does not arrive via browser pop-ups, unsolicited emails with urgent warnings, or download links from unknown sites. Real software also does not fabricate threats to pressure you into an immediate purchase.
How do fake virus pop-ups get on my screen without me downloading anything?
Scareware pop-ups appear through malicious online ads, compromised websites, or browser push notifications you may have approved without realising it. Simply visiting a legitimate website that carries a bad ad can trigger one. You do not need to download or click anything for the pop-up to appear.
Federal Trade Commission, "Court Halts Bogus Computer Scans", December 2008. Source of 1M+ victim count and $71M aggregate loss figure from WinFixer/ErrorSafe scheme.
We document recurring online scam patterns using primary sources - government agencies, law enforcement, and security researchers. We do not accuse named businesses, and ads on this page do not influence our reporting.
Last verified: June 2026 · Reviewed against current FTC and FBI IC3 guidance