What is scareware?
Scareware uses fear to trick people into buying useless programs or downloading malware disguised as antivirus software.
Subscribe to the IBM Newsletter Explore IBM Security QRadar
Isometric drawing showing different office personnel, all using IBM Security
What is scareware?

Scareware is a type of social engineering scam that uses fear to trick people into downloading malware, losing money, or handing over personal data. In the classic example, scareware alerts the victim to a virus on their device, then tries to sell the victim a fake antivirus software that does nothing or turns out to be malware. 

Most, if not all, computer users have faced scareware attempts while browsing the web, often in the form of an urgent pop-up warning the user that a “virus scan” has found malware. The earliest scareware attacks caused minor damage, scamming victims out of a few dollars for useless bloatware. Today, scareware has become a vector for nastier cyberthreats like ransomware.

How does scareware work?

Scareware scams start with a message: a spoofed text, a phishing email, or — most often — a browser window pop-up. The hallmark of a scareware message is the use of scare tactics, like threats of a virus or legal action, to get the victim to take immediate action. 

Scareware pop-ups may use the logos of real companies, like Google, to seem legitimate. Scammers may also use URLs and product names that seem legitimate, like “Mac Virus Defense” or “Windows Fixer.” Some scammers disguise their pop-ups as notifications from the device’s operating system, flashing warnings like “Android has detected a problem!” Other scammers make their messages look like reports from a real antivirus program — e.g., “A recent scan found five viruses on your device.”

After scaring victims, scareware messages offer a “solution” to their “problem.” Usually, scammers instruct victims to download fake security software or pay a fee. If users comply, a few things can happen:

  • The user follows the message to a scam website, where they enter their credit card information to buy the software. There is no software, and scammers steal the victim's data to commit identity theft.
     

  • Instead of stealing data, some scammers charge users for software that doesn’t do anything (except maybe slow their device down).
     

  • In the worst case, scareware programs are trojan horses carrying malicious software, like spyware that secretly collects personal data.

Even if a victim doesn’t follow the scammers’ instructions, scareware can get onto their device. Some hackers design their pop-up windows so that clicking the “close” button starts a covert drive-by download. 

Scareware and ransomware

Hackers may use scareware tactics to spread ransomware, a type of malware that holds devices or files hostage and demands a ransom. Convincing victims to download fake antivirus software can be easier than breaking into the network.

Some scareware pretends to be ransomware to extort money. One scareware, called “ALC Ransomware” (link resides outside ibm.com), tells victims their files have been encrypted and demands payment. In reality, nothing is encrypted. Hackers are banking on users being scared enough to send money anyway. 

Other scareware programs might be a form of ransomware in their own right because they can make devices unusable until their demands are met. A fake antivirus program might flood a device with endless pop-up “warnings” that won’t go away until the user pays to “upgrade” the software. 

Examples of scareware

Scareware scams come in many forms. Some of the most common tactics include:

Fake virus scams: The classic scareware pretext uses pop-up messages to warn users their devices are infected with malware. These pop-ups may look like real scan reports from antivirus software. Scammers then direct users to download fake security software that steals their money or installs malware. For example, the scammers behind the fake antivirus program SpySheriff coerced users into paying to remove non-existent malware.

Fake tech support: Scammers pretend to be real support personnel from companies like Apple or Microsoft. These scams usually start with a pop-up that instructs the victim to call a phone number for help, but some scammers may cold call their victims. Once the scammer has someone on the phone, they convince the user to uninstall real security software and grant the scammer remote access to their device. From there, the scammer steals the victim’s data or installs malware. 

Some tech support scams simply charge victims for fraudulent services. Such was the case in the 2019 Office Depot scandal. Office Depot employees were running fake scans on customers’ computers and using the results to sell repair services they didn’t need. When the scandal came to light, the FTC ordered Office Depot and its partner, Support.com, to pay $35 million in settlements. 

Malvertising: Malvertising is a cyberattack in which hackers hijack legitimate ads — or legitimate ad space, like on Facebook or in Google search results — to spread viruses. In the case of scareware, a user might see an ad on a webpage that offers free antivirus software. Because it’s an ad rather than a sketchy pop-up, users might be more likely to click it. 

Law enforcement scams: Cybercriminals pretend to be the police or the FBI. A pop-up warns the victim that “illegal material” was found on their device. If the victim pays a fine, the “problem” will go away. For extra pressure, these pop-ups may lock the screen until the victim pays. 

Scareware removal and protection

Once scareware infects a device, removing it can be difficult. Scareware programs can disable other security software and hide program files, making them harder to detect. Some fake antivirus software has been known the reinstall itself after removal.

To prevent scareware from taking root, organizations and users might consider the following tools and practices: 

  • Cybersecurity awareness training: Like other social engineering tactics, scareware is less effective against users who know the telltale signs of an attack — such as the difference between real antivirus notifications and scam pop-up ads. 

  • Anti-malware tools: Legitimate anti-malware and antivirus software can block users from installing scareware programs. They can also help remove scareware that makes it onto the device. Because some scams convince users to disable antivirus software, security teams may limit users’ permissions for these tools.

  • Network security tools: Firewalls can prevent malicious traffic from reaching users’ web browsers, and URL filters can keep users from visiting scam websites. Ad blockers, pop-up blockers, and spam filters can also stop scareware messages from appearing.

  • Software updates and patches: As with most cyberthreats, scareware programs exploit system vulnerabilities to infect devices. Keeping security tools, web browsers, and other apps updated can help thwart tactics like malvertising and drive-by downloads.

Related solutions
IBM Security® QRadar® SIEM

Catch advanced threats that others simply miss. QRadar SIEM leverages analytics and AI to monitor threat intel, network and user behavior anomalies and to prioritize where immediate attention and remediation are needed.

Explore QRadar SIEM solutions

Threat intelligence services

Without strong, trusted intelligence, you’re unable to glean the insights you need to act swiftly against threats. Trust IBM's global security intelligence experts and industry-leading analysis to simplify and automate your cyber threat platform.

Explore threat intelligence services

IBM Security Trusteer® Pinpoint Malware Detection

Detect malware-infected devices, determine the nature and potential risk of the threat, receive alerts when malware-infected devices are accessing your websites and take action to prevent potential fraud.

Explore Trusteer Pinpoint Malware Detection

Resources What is social engineering?

Social engineering relies on human nature, rather than technical hacking, to manipulate people into compromising personal or enterprise security.

Cost of a Data Breach

Now in its 17th year, this report shares the latest insights into the expanding threat landscape, and offers recommendations for saving time and limiting losses.

What is Ransomware?

Ransomware is a type of malware that locks a victim’s data or device and threatens to keep it locked—or worse—unless the victim pays a ransom to the attacker.

Take the next step

Cybersecurity threats are becoming more advanced and more persistent, and demanding more effort by security analysts to sift through countless alerts and incidents. IBM Security QRadar SIEM makes it easy to remediate threats faster while maintaining your bottom line. QRadar SIEM prioritizes high-fidelity alerts to help you catch threats that others simply miss.

Learn more about QRadar SIEM Request a QRadar SIEM demo