The System Security Alert pop-up scam is a browser-based social engineering attack that mimics legitimate Windows security warnings to frighten users into calling fake tech support numbers or downloading malicious software. Unlike actual malware that infects your operating system, this scam typically runs through compromised or malicious websites that trigger fullscreen alerts designed to look like official Microsoft security notifications. These deceptive pop-ups claim your computer is infected, locked, or at immediate risk, often displaying fake error codes and warning sounds to create panic and bypass your critical thinking.
While the pop-ups themselves don't directly install malware, they're the entry point to more serious problems. Victims who call the displayed phone numbers connect with scammers posing as Microsoft or certified technicians who then convince them to grant remote access to their computers, pay for unnecessary "security services," or deliberately install actual malware disguised as security software. The psychological manipulation is sophisticated—the alerts often disable your ability to close the browser normally, making inexperienced users believe their computer has genuinely been compromised.
Threat Profile
| Threat Type | Tech Support Scam / Browser-Based Social Engineering Attack |
| Platform | Cross-platform (Windows, macOS, mobile devices via web browsers) |
| Common Aliases | "Windows Defender Alert," "Microsoft Security Alert," "Error Code: 0x80073b01," "Your Computer Has Been Locked" |
| Distribution Method | Malicious advertisements (malvertising), compromised websites, redirect chains, bundled with PUPs |
| Primary Payload | None (browser-level only) unless victim complies with scammer instructions |
| Persistence Mechanism | Browser settings manipulation, homepage hijacking, notification permissions abuse (if granted) |
| Capabilities | Browser hijacking, fullscreen lock simulation, clipboard monitoring (if scripting enabled), redirect loops |
| Secondary Risks | Remote access trojan installation (if victim complies), financial theft, credential harvesting, actual malware deployment |
| Observable Artifacts | Browser homepage changes, suspicious browser extensions, scheduled tasks (if PUP installed), modified shortcut targets |
| Network Behavior | Connections to scam infrastructure domains, redirect chains through multiple domains, aggressive cookie tracking |
| Removal Difficulty | Low to Moderate (browser-level cleanup usually sufficient unless victim installed additional components) |
| Sophistication Level | Medium (relies on social engineering rather than technical exploitation, but execution is increasingly polished) |
How It Spreads
The System Security Alert scam reaches victims primarily through malicious advertising networks and compromised legitimate websites. When you visit certain sites—often streaming platforms, adult content sites, or software download portals with lax advertising standards—your browser may be redirected through a chain of increasingly suspicious domains until landing on the scam page. These redirects often exploit legitimate ad networks that have been infiltrated by bad actors who purchase advertising space with seemingly legitimate content, then swap in malicious payloads after approval.
Another common vector involves potentially unwanted programs (PUPs) that users inadvertently install alongside free software. These PUPs often include browser extensions or "search helpers" that modify your browser's homepage, search engine, and new tab behavior to periodically redirect you to scam pages. The bundling is typically accomplished through deceptive installation wizards that pre-check boxes for "additional offers" or use confusing language to obtain consent for unwanted components.
Specific distribution methods include:
- Malvertising campaigns: Compromised or fraudulent advertisements on legitimate websites that redirect to scam pages when clicked, or sometimes trigger automatically on page load
- Software bundlers: Free software download sites that package browser hijackers, adware, or extensions that later inject scam alerts
- Compromised WordPress sites: Legitimate websites running outdated WordPress installations or vulnerable plugins that have been injected with redirect scripts
- Typosquatting domains: Sites with URLs similar to popular destinations that serve scam content to visitors who mistype web addresses
- Push notification abuse: Sites that trick users into accepting browser notification permissions, then spam fake security alerts through the notification system
- Torrent and piracy sites: High-risk download platforms where aggressive pop-up chains frequently lead to scam pages
- Fake software update notices: Legitimate-looking notices claiming your Flash Player, Java, or browser needs updating, which lead to scam pages when clicked
What It Does On Your Machine
At the browser level, the System Security Alert scam employs several technical tricks to appear more threatening and difficult to dismiss. The scam page typically uses JavaScript to trigger fullscreen mode, displays animated "scanning" interfaces that mimic Windows Defender or other security software, and often plays audio warnings to heighten anxiety. The page may rapidly spawn multiple alert boxes or dialog windows that reappear when dismissed, creating the false impression that your browser has been locked or that closing it will cause data loss. Some variants use JavaScript to detect browser closure attempts and display additional warnings like "Are you sure you want to leave? Your data may be compromised!"
If you've granted notification permissions to the scam site—or if you inadvertently installed a browser extension or PUP that came bundled with other software—the impact extends beyond a single browser session. The scam infrastructure may have modified your browser's homepage, default search engine, or new tab page to redirect you back to scam domains periodically. Some variants install browser extensions that monitor your browsing activity, inject advertisements into legitimate websites you visit, and trigger the fake security alerts at random intervals to maximize the chance you'll eventually fall for the scam.
In cases where victims have already called the scam phone number and allowed remote access, the damage escalates dramatically. Scammers typically use legitimate remote desktop software like TeamViewer, AnyDesk, or LogMeIn to gain control of the victim's computer, then perform "diagnostic scans" using built-in Windows tools like Event Viewer to show harmless system logs and warnings that they misrepresent as critical infections. They often install actual malware—including remote access trojans for persistent access, password stealers, cryptocurrency miners, or ransomware—while simultaneously collecting payment information. The scammer may also create new administrator accounts, disable Windows Defender, modify firewall settings, and install monitoring software to maintain access even after the "support session" ends.
Manual Removal — Step by Step
Force-Close Your Browser Without Saving Session
Open Task Manager (Ctrl+Shift+Esc on Windows or Command+Option+Esc on Mac), find your browser process, select it, and click End Task. Do not use the normal browser close button, as the scam page may have disabled it or rigged it to trigger additional pop-ups. On Windows, you may see multiple instances—end all of them. When you reopen your browser, do NOT click "Restore previous session" or it will reload the scam page.
Clear Your Browser Cache and Cookies Completely
Immediately after reopening your browser, go to Settings and clear all browsing data. In Chrome, go to Settings > Privacy and security > Clear browsing data, select "All time" as the time range, check all boxes (browsing history, cookies, cached images), and clear. In Firefox, use Options > Privacy & Security > Clear Data. In Edge, use Settings > Privacy > Choose what to clear. This removes any stored session data, tracking cookies, and cached scripts from the scam site that might trigger reinfection.
Disable and Remove Suspicious Browser Extensions
Navigate to your browser's extensions or add-ons manager (chrome://extensions/ in Chrome, about:addons in Firefox). Look for any extensions you don't recognize or didn't intentionally install, particularly ones with generic names like "Helper," "Search Manager," "Video Downloader," or random character strings. Disable them first to stop their activity, then remove them completely. Pay special attention to extensions that were installed recently around the time the pop-ups started appearing.
Reset Your Browser Homepage and Search Engine
Check your browser settings to ensure your homepage and default search engine haven't been changed. In Chrome, go to Settings > On startup and verify what pages load. Check Settings > Search engine and reset to Google, Bing, or your preferred legitimate search provider if it's been changed to something unfamiliar. Also check Settings > Privacy and security > Site Settings > Notifications and revoke notification permissions for any suspicious domains. Some hijackers modify these settings to maintain persistent access.
Check Windows Programs for Unwanted Software
Open Windows Settings > Apps > Apps & features (or Control Panel > Programs > Uninstall a program on older Windows). Sort by install date and look for programs installed around the same time the pop-ups started. Remove anything you don't recognize, especially programs with generic names, publishers you've never heard of, or software claiming to be "PC optimizers," "driver updaters," or "security tools" you didn't deliberately install. Common culprits include names with "search," "manager," "helper," or random combinations of tech-sounding words.
Check for Modified Browser Shortcuts
Right-click your browser shortcut (on desktop or taskbar), select Properties, and examine the Target field. It should only contain the path to the browser executable—nothing else. If you see any URLs or additional parameters appended after the .exe path (especially URLs you don't recognize), delete everything after the closing quote of the .exe path. Scammers often modify shortcuts to force your browser to open to their scam page regardless of your homepage settings. Check all shortcuts—desktop, taskbar, and Start menu.
Scan with Reputable Anti-Malware Software
Download and run Malwarebytes Free (from malwarebytes.com—be careful to get the official site) to scan for browser hijackers, PUPs, and any related components the manual steps might have missed. Malwarebytes is particularly effective at detecting the adware and bundled software that typically delivers these scams. Let it complete a full scan, review what it finds, and quarantine everything it identifies. Even if the browser appears clean, a scan can catch persistence mechanisms or scheduled tasks you might not find manually.
Check Task Scheduler for Suspicious Tasks
Press Windows+R, type taskschd.msc, and press Enter to open Task Scheduler. Expand Task Scheduler Library in the left pane and look through the scheduled tasks for anything you don't recognize, particularly tasks with random names or generic names like "Update," "Browser Update," "System Task," etc. that aren't from Microsoft or known software publishers. Right-click suspicious tasks, select Properties to see what they run, and if they point to executables in AppData folders or launch scripts, disable and delete them.
Consider Resetting Your Browser to Default Settings
If pop-ups persist after the above steps, use your browser's built-in reset function. In Chrome, go to Settings > Reset settings > Restore settings to their original defaults. In Firefox, use Help > More Troubleshooting Information > Refresh Firefox. This removes all extensions, resets settings, but preserves bookmarks and passwords. It's the nuclear option but often necessary when hijackers have deeply embedded themselves. Be prepared to reinstall legitimate extensions and reconfigure preferences afterward.
Verify Removal and Monitor Behavior
Restart your computer and use your browser normally for a few hours, visiting a variety of sites. Watch for any return of pop-ups, unexpected redirects, or homepage changes. Open Task Manager periodically to check for suspicious processes consuming resources. If you called the scam number or granted remote access before following these steps, immediately change passwords for all important accounts (email, banking, social media) from a different, known-clean device, and consider enabling two-factor authentication. Monitor your financial accounts for unauthorized activity and consider placing a fraud alert with credit bureaus.
Prevention
- Use a reputable ad blocker: Install uBlock Origin or similar browser extensions that block known malvertising domains and aggressive pop-up scripts. Ad blockers significantly reduce exposure to the redirect chains that deliver these scams.
- Keep your browser and operating system updated: Many scam delivery mechanisms exploit outdated browser features or unpatched vulnerabilities. Enable automatic updates for your browser and Windows to ensure you have the latest security patches and exploit mitigations.
- Never call phone numbers displayed in pop-ups: Microsoft, Apple, Google, and legitimate security companies never use browser pop-ups with phone numbers to notify you of infections. Real security alerts come from your installed antivirus software or Windows Security, not from websites.
- Be extremely cautious with browser notification requests: When websites ask to "Show notifications," click Block unless you have a specific, legitimate reason to allow it (like wanting updates from a news site you trust). Scammers abuse the notification permission to spam fake alerts even after you've left their site.
- Download software only from official sources: Avoid third-party download sites that bundle software with unwanted extras. Get Chrome from google.com/chrome, Firefox from mozilla.org, applications from their official websites or the Microsoft Store. Free software download aggregators are common vectors for PUP bundling.
- Read installation prompts carefully: When installing any software, choose "Custom" or "Advanced" installation and uncheck any pre-selected boxes offering "additional software," browser toolbars, "PC optimizers," or homepage changes. Legitimate software doesn't require you to install unrelated programs.
- Maintain skepticism about urgent security warnings: Real malware infections don't announce themselves with pop-ups demanding immediate payment or phone calls. If you see an urgent warning, close your browser and run a scan with your installed security software. If you don't have security software, that's a separate problem to address calmly, not by trusting a pop-up.
- Use strong, modern security software: While Windows Defender is adequate for most users, consider supplementing it with periodic scans from Malwarebytes. Keep whatever solution you choose updated and perform regular full system scans, especially after visiting unfamiliar or high-risk websites.
Bring It In
If you've already called the scam number and allowed remote access, or if the pop-ups keep returning no matter what you try, bring your computer to Computer Repair Roswell. What looks like a simple browser hijacker on the surface often masks deeper compromises—especially if you granted remote access to scammers who had free rein to install backdoors, stealers, or monitoring software. Our technicians have dealt with hundreds of tech support scam victims and know exactly where scammers hide their access tools, how to verify complete removal, and when a system needs more aggressive remediation.
We're located in Roswell, Georgia, and we handle both PCs and Macs. Call us at (770) 667-9491 or stop by the shop. We'll thoroughly clean your system, verify no remote access tools remain, help you secure your accounts if credentials were compromised, and explain exactly what happened so you can recognize these scams in the future. Most browser hijacker removals are completed same-day, and we'll make sure you leave with a clean machine and the knowledge to keep it that way.