The System Security Alert pop-up scam is a browser-based social engineering attack that mimics legitimate Windows security warnings to frighten users into calling fake tech support numbers or downloading malicious software. Unlike actual malware that infects your operating system, this scam typically runs through compromised or malicious websites that trigger fullscreen alerts designed to look like official Microsoft security notifications. These deceptive pop-ups claim your computer is infected, locked, or at immediate risk, often displaying fake error codes and warning sounds to create panic and bypass your critical thinking.

System Security Alert Pop-up Scam — cybersecurity illustration
Photo by Tara Winstead on Pexels

While the pop-ups themselves don't directly install malware, they're the entry point to more serious problems. Victims who call the displayed phone numbers connect with scammers posing as Microsoft or certified technicians who then convince them to grant remote access to their computers, pay for unnecessary "security services," or deliberately install actual malware disguised as security software. The psychological manipulation is sophisticated—the alerts often disable your ability to close the browser normally, making inexperienced users believe their computer has genuinely been compromised.

If you're seeing this alert right now: Don't call any phone number shown in the pop-up. Don't download anything the alert recommends. Force-quit your browser immediately using Task Manager (Ctrl+Shift+Esc on Windows, Command+Option+Esc on Mac), then follow the removal steps below. These are fake warnings—your computer is not actually locked, and Microsoft never uses pop-ups with phone numbers to notify you of security issues.

Threat Profile

Threat Type Tech Support Scam / Browser-Based Social Engineering Attack
Platform Cross-platform (Windows, macOS, mobile devices via web browsers)
Common Aliases "Windows Defender Alert," "Microsoft Security Alert," "Error Code: 0x80073b01," "Your Computer Has Been Locked"
Distribution Method Malicious advertisements (malvertising), compromised websites, redirect chains, bundled with PUPs
Primary Payload None (browser-level only) unless victim complies with scammer instructions
Persistence Mechanism Browser settings manipulation, homepage hijacking, notification permissions abuse (if granted)
Capabilities Browser hijacking, fullscreen lock simulation, clipboard monitoring (if scripting enabled), redirect loops
Secondary Risks Remote access trojan installation (if victim complies), financial theft, credential harvesting, actual malware deployment
Observable Artifacts Browser homepage changes, suspicious browser extensions, scheduled tasks (if PUP installed), modified shortcut targets
Network Behavior Connections to scam infrastructure domains, redirect chains through multiple domains, aggressive cookie tracking
Removal Difficulty Low to Moderate (browser-level cleanup usually sufficient unless victim installed additional components)
Sophistication Level Medium (relies on social engineering rather than technical exploitation, but execution is increasingly polished)

How It Spreads

The System Security Alert scam reaches victims primarily through malicious advertising networks and compromised legitimate websites. When you visit certain sites—often streaming platforms, adult content sites, or software download portals with lax advertising standards—your browser may be redirected through a chain of increasingly suspicious domains until landing on the scam page. These redirects often exploit legitimate ad networks that have been infiltrated by bad actors who purchase advertising space with seemingly legitimate content, then swap in malicious payloads after approval.

Another common vector involves potentially unwanted programs (PUPs) that users inadvertently install alongside free software. These PUPs often include browser extensions or "search helpers" that modify your browser's homepage, search engine, and new tab behavior to periodically redirect you to scam pages. The bundling is typically accomplished through deceptive installation wizards that pre-check boxes for "additional offers" or use confusing language to obtain consent for unwanted components.

Specific distribution methods include:

  • Malvertising campaigns: Compromised or fraudulent advertisements on legitimate websites that redirect to scam pages when clicked, or sometimes trigger automatically on page load
  • Software bundlers: Free software download sites that package browser hijackers, adware, or extensions that later inject scam alerts
  • Compromised WordPress sites: Legitimate websites running outdated WordPress installations or vulnerable plugins that have been injected with redirect scripts
  • Typosquatting domains: Sites with URLs similar to popular destinations that serve scam content to visitors who mistype web addresses
  • Push notification abuse: Sites that trick users into accepting browser notification permissions, then spam fake security alerts through the notification system
  • Torrent and piracy sites: High-risk download platforms where aggressive pop-up chains frequently lead to scam pages
  • Fake software update notices: Legitimate-looking notices claiming your Flash Player, Java, or browser needs updating, which lead to scam pages when clicked

What It Does On Your Machine

At the browser level, the System Security Alert scam employs several technical tricks to appear more threatening and difficult to dismiss. The scam page typically uses JavaScript to trigger fullscreen mode, displays animated "scanning" interfaces that mimic Windows Defender or other security software, and often plays audio warnings to heighten anxiety. The page may rapidly spawn multiple alert boxes or dialog windows that reappear when dismissed, creating the false impression that your browser has been locked or that closing it will cause data loss. Some variants use JavaScript to detect browser closure attempts and display additional warnings like "Are you sure you want to leave? Your data may be compromised!"

If you've granted notification permissions to the scam site—or if you inadvertently installed a browser extension or PUP that came bundled with other software—the impact extends beyond a single browser session. The scam infrastructure may have modified your browser's homepage, default search engine, or new tab page to redirect you back to scam domains periodically. Some variants install browser extensions that monitor your browsing activity, inject advertisements into legitimate websites you visit, and trigger the fake security alerts at random intervals to maximize the chance you'll eventually fall for the scam.

In cases where victims have already called the scam phone number and allowed remote access, the damage escalates dramatically. Scammers typically use legitimate remote desktop software like TeamViewer, AnyDesk, or LogMeIn to gain control of the victim's computer, then perform "diagnostic scans" using built-in Windows tools like Event Viewer to show harmless system logs and warnings that they misrepresent as critical infections. They often install actual malware—including remote access trojans for persistent access, password stealers, cryptocurrency miners, or ransomware—while simultaneously collecting payment information. The scammer may also create new administrator accounts, disable Windows Defender, modify firewall settings, and install monitoring software to maintain access even after the "support session" ends.

Typical artifacts if a PUP or extension was installed:
C:\Users\[Username]\AppData\Local\[RandomFolder]\updater.exe
C:\Users\[Username]\AppData\Roaming\[BrowserName]\Extensions\[RandomGUID]\
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
"BrowserHelper" = "C:\Users\[Username]\AppData\Local\[RandomFolder]\updater.exe"
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
HKLM\Software\Policies\Google\Chrome\ExtensionInstallForcelist
; Modified browser shortcuts with appended URLs:
C:\Users\[Username]\Desktop\Chrome.lnk --target modified with "http://scam-domain.com"
; Scheduled task for persistence:
Task Scheduler Library → [RandomName] → runs hourly

Manual Removal — Step by Step

01

Force-Close Your Browser Without Saving Session

Open Task Manager (Ctrl+Shift+Esc on Windows or Command+Option+Esc on Mac), find your browser process, select it, and click End Task. Do not use the normal browser close button, as the scam page may have disabled it or rigged it to trigger additional pop-ups. On Windows, you may see multiple instances—end all of them. When you reopen your browser, do NOT click "Restore previous session" or it will reload the scam page.

02

Clear Your Browser Cache and Cookies Completely

Immediately after reopening your browser, go to Settings and clear all browsing data. In Chrome, go to Settings > Privacy and security > Clear browsing data, select "All time" as the time range, check all boxes (browsing history, cookies, cached images), and clear. In Firefox, use Options > Privacy & Security > Clear Data. In Edge, use Settings > Privacy > Choose what to clear. This removes any stored session data, tracking cookies, and cached scripts from the scam site that might trigger reinfection.

03

Disable and Remove Suspicious Browser Extensions

Navigate to your browser's extensions or add-ons manager (chrome://extensions/ in Chrome, about:addons in Firefox). Look for any extensions you don't recognize or didn't intentionally install, particularly ones with generic names like "Helper," "Search Manager," "Video Downloader," or random character strings. Disable them first to stop their activity, then remove them completely. Pay special attention to extensions that were installed recently around the time the pop-ups started appearing.

04

Reset Your Browser Homepage and Search Engine

Check your browser settings to ensure your homepage and default search engine haven't been changed. In Chrome, go to Settings > On startup and verify what pages load. Check Settings > Search engine and reset to Google, Bing, or your preferred legitimate search provider if it's been changed to something unfamiliar. Also check Settings > Privacy and security > Site Settings > Notifications and revoke notification permissions for any suspicious domains. Some hijackers modify these settings to maintain persistent access.

05

Check Windows Programs for Unwanted Software

Open Windows Settings > Apps > Apps & features (or Control Panel > Programs > Uninstall a program on older Windows). Sort by install date and look for programs installed around the same time the pop-ups started. Remove anything you don't recognize, especially programs with generic names, publishers you've never heard of, or software claiming to be "PC optimizers," "driver updaters," or "security tools" you didn't deliberately install. Common culprits include names with "search," "manager," "helper," or random combinations of tech-sounding words.

06

Check for Modified Browser Shortcuts

Right-click your browser shortcut (on desktop or taskbar), select Properties, and examine the Target field. It should only contain the path to the browser executable—nothing else. If you see any URLs or additional parameters appended after the .exe path (especially URLs you don't recognize), delete everything after the closing quote of the .exe path. Scammers often modify shortcuts to force your browser to open to their scam page regardless of your homepage settings. Check all shortcuts—desktop, taskbar, and Start menu.

07

Scan with Reputable Anti-Malware Software

Download and run Malwarebytes Free (from malwarebytes.com—be careful to get the official site) to scan for browser hijackers, PUPs, and any related components the manual steps might have missed. Malwarebytes is particularly effective at detecting the adware and bundled software that typically delivers these scams. Let it complete a full scan, review what it finds, and quarantine everything it identifies. Even if the browser appears clean, a scan can catch persistence mechanisms or scheduled tasks you might not find manually.

08

Check Task Scheduler for Suspicious Tasks

Press Windows+R, type taskschd.msc, and press Enter to open Task Scheduler. Expand Task Scheduler Library in the left pane and look through the scheduled tasks for anything you don't recognize, particularly tasks with random names or generic names like "Update," "Browser Update," "System Task," etc. that aren't from Microsoft or known software publishers. Right-click suspicious tasks, select Properties to see what they run, and if they point to executables in AppData folders or launch scripts, disable and delete them.

09

Consider Resetting Your Browser to Default Settings

If pop-ups persist after the above steps, use your browser's built-in reset function. In Chrome, go to Settings > Reset settings > Restore settings to their original defaults. In Firefox, use Help > More Troubleshooting Information > Refresh Firefox. This removes all extensions, resets settings, but preserves bookmarks and passwords. It's the nuclear option but often necessary when hijackers have deeply embedded themselves. Be prepared to reinstall legitimate extensions and reconfigure preferences afterward.

10

Verify Removal and Monitor Behavior

Restart your computer and use your browser normally for a few hours, visiting a variety of sites. Watch for any return of pop-ups, unexpected redirects, or homepage changes. Open Task Manager periodically to check for suspicious processes consuming resources. If you called the scam number or granted remote access before following these steps, immediately change passwords for all important accounts (email, banking, social media) from a different, known-clean device, and consider enabling two-factor authentication. Monitor your financial accounts for unauthorized activity and consider placing a fraud alert with credit bureaus.

Prevention

  1. Use a reputable ad blocker: Install uBlock Origin or similar browser extensions that block known malvertising domains and aggressive pop-up scripts. Ad blockers significantly reduce exposure to the redirect chains that deliver these scams.
  2. Keep your browser and operating system updated: Many scam delivery mechanisms exploit outdated browser features or unpatched vulnerabilities. Enable automatic updates for your browser and Windows to ensure you have the latest security patches and exploit mitigations.
  3. Never call phone numbers displayed in pop-ups: Microsoft, Apple, Google, and legitimate security companies never use browser pop-ups with phone numbers to notify you of infections. Real security alerts come from your installed antivirus software or Windows Security, not from websites.
  4. Be extremely cautious with browser notification requests: When websites ask to "Show notifications," click Block unless you have a specific, legitimate reason to allow it (like wanting updates from a news site you trust). Scammers abuse the notification permission to spam fake alerts even after you've left their site.
  5. Download software only from official sources: Avoid third-party download sites that bundle software with unwanted extras. Get Chrome from google.com/chrome, Firefox from mozilla.org, applications from their official websites or the Microsoft Store. Free software download aggregators are common vectors for PUP bundling.
  6. Read installation prompts carefully: When installing any software, choose "Custom" or "Advanced" installation and uncheck any pre-selected boxes offering "additional software," browser toolbars, "PC optimizers," or homepage changes. Legitimate software doesn't require you to install unrelated programs.
  7. Maintain skepticism about urgent security warnings: Real malware infections don't announce themselves with pop-ups demanding immediate payment or phone calls. If you see an urgent warning, close your browser and run a scan with your installed security software. If you don't have security software, that's a separate problem to address calmly, not by trusting a pop-up.
  8. Use strong, modern security software: While Windows Defender is adequate for most users, consider supplementing it with periodic scans from Malwarebytes. Keep whatever solution you choose updated and perform regular full system scans, especially after visiting unfamiliar or high-risk websites.
Our Guarantee: When Computer Repair Roswell removes malware from your system, we back our work with a 90-day reinfection warranty. If the same threat returns within 90 days through no fault of your own, we'll remove it again at no additional charge. We don't just clean infections—we identify how they got in and help you close those security gaps for good.

Bring It In

If you've already called the scam number and allowed remote access, or if the pop-ups keep returning no matter what you try, bring your computer to Computer Repair Roswell. What looks like a simple browser hijacker on the surface often masks deeper compromises—especially if you granted remote access to scammers who had free rein to install backdoors, stealers, or monitoring software. Our technicians have dealt with hundreds of tech support scam victims and know exactly where scammers hide their access tools, how to verify complete removal, and when a system needs more aggressive remediation.

We're located in Roswell, Georgia, and we handle both PCs and Macs. Call us at (770) 667-9491 or stop by the shop. We'll thoroughly clean your system, verify no remote access tools remain, help you secure your accounts if credentials were compromised, and explain exactly what happened so you can recognize these scams in the future. Most browser hijacker removals are completed same-day, and we'll make sure you leave with a clean machine and the knowledge to keep it that way.