You’re casually browsing the internet – maybe checking the news or searching for a recipe – when a pop-up appears on the screen claiming that your phone is infected. You’re urged to download an antivirus app before it’s “too late”.
It’s jarring. It feels urgent. And that’s exactly the point.
This is a classic example of scareware, a manipulative cyber tactic that preys on fear to get users to download unnecessary (mostly malicious) software or disclose personal information. These attacks blur the line between real warnings and fraudulent ones, making it difficult for even tech-savvy users to distinguish between the two.
Scareware is more than a nuisance. It is an increasingly sophisticated and profitable industry, built on psychological manipulation and enabled by a shadow ecosystem of malicious advertising technology (AdTech) and affiliate marketing networks. The numbers bear this out: in Singapore alone, scam victims lost a staggering S$385.6 million in the first half of 2024, with the number of reported cases climbing to 26,587.
To better understand the impact of scareware, I decided to step into the shoes of the average user.

Intentionally stepping into the trap
Using a burner phone and a secure testing environment, I deliberately visited a compromised website known for serving scareware campaigns. Within seconds, the familiar pattern emerged: a cascade of system-style warnings, claims of viruses detected, and countdown timers to create a false sense of urgency.
The links didn’t direct me to obviously obscure websites or suspicious downloads. Instead, they led to branded fake pages for established and well-known antivirus software providers.
Behind these operations are Traffic Distribution Systems (TDS) — networks that redirect users through layers of infrastructure. Some of these redirects stem from compromised websites. Others are driven by deceptive ad placements, often bought and sold through legitimate ad exchanges.
The result? A seamless user journey that exploits trust in known brands to monetise fear. Everyone in the chain — from the rogue affiliates to the advertising platforms — gets paid, except the victim.
The real-world impact
In Singapore, where internet connectivity and digital literacy are high, scareware finds fertile ground. The attacks are subtle, embedded in websites people visit every day. And because the scareware ecosystem often piggybacks on legitimate services, it’s easy to fall prey, particularly for small business owners who may not have dedicated IT resources to scrutinise every digital touchpoint.
For individuals, the damage can range from unnecessary financial expenditure on software they didn’t need, to compromised personal data and even exposure to threats like malware, phishing or identity theft. Once attackers know a user can be manipulated through fear, the same target may be marked for more aggressive schemes later.
The implications for businesses are even broader. Compromised websites can unknowingly serve as gateways to scareware campaigns. A single malicious redirect can undermine customer trust, tarnish brand reputation, and even lead to legal or compliance consequences if user data is mishandled.
The most dangerous part of scareware is its stealth. Unlike ransomware or obvious data breaches, there’s often no clear signal that something has gone wrong. Until a customer complains. Until trust is broken. Until it’s too late.
Staying ahead of scareware
Cybercriminals thrive on distraction, urgency, and fear. As such, defence requires both individual vigilance and systemic safeguards. Here’s how users — and more critically, businesses — can respond effectively:
- Validate before you act: Whether you’re a business or an individual, always verify alerts through official channels. Legitimate system warnings will not come through your browser. Avoid downloading any applications or software directly from pop-ups – instead, navigate independently to official app stores or company websites.
- Treat Domain Name System (DNS) as your first line of defence: Much of scareware’s success depends on redirecting users through malicious domains. DNS-layer security acts as a control point to detect and block access to these infrastructure layers before any harm is done. Think of it as cutting off the route before the scam can even begin.
- Continuous monitoring: Businesses must treat their digital assets as living systems. Compromised code can be injected into websites without your knowledge. Regular scanning for anomalies and monitoring outbound traffic to unfamiliar domains is essential for maintaining a secure online environment.
- Educate for digital resilience: For organisations, empowering teams with security awareness, especially about social engineering tactics like scareware, is just as critical as the technology you deploy. Through education on the latest scareware tactics, everyone can become more aware of, and more careful about, their digital activity.
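One way a site owner could carry out the continuous-monitoring step, as an added example that is not from the article or from Infoblox: compare the hosts a page snapshot makes visitors' browsers contact (scripts, iframes, stylesheets, meta-refresh redirects) against an approved baseline and report the unfamiliar ones. The domains, the baseline and the function names are hypothetical, and the page snapshot is constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tag -> attribute that makes a visitor's browser fetch from another host.
FETCH_ATTRS = {"script": "src", "iframe": "src", "link": "href", "img": "src"}
META_URL = re.compile(r"url\s*=\s*['\"]?([^'\";\s]+)", re.I)

class HostCollector(HTMLParser):
    """Record the host of every external resource or redirect in a page."""
    def __init__(self):
        super().__init__()
        self.refs = []  # (host, tag, url)
    def handle_starttag(self, tag, attrs):
        a = {k: v or "" for k, v in attrs}
        url = a.get(FETCH_ATTRS[tag]) if tag in FETCH_ATTRS else None
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = META_URL.search(a.get("content", ""))
            url = m.group(1) if m else None
        host = urlparse(url).hostname if url else None
        if host:  # relative URLs have no host and stay same-origin
            self.refs.append((host.lower(), tag, url))

def is_known(host, baseline):
    # Exact match or a true subdomain; "evilshop.example" is not "shop.example".
    return any(host == d or host.endswith("." + d) for d in baseline)

def unfamiliar_hosts(html, baseline):
    """Return {host: [(tag, url), ...]} for hosts outside the baseline."""
    collector = HostCollector()
    collector.feed(html)
    found = {}
    for host, tag, url in collector.refs:
        if not is_known(host, baseline):
            found.setdefault(host, []).append((tag, url))
    return found

# Constructed sample: a page snapshot after a hypothetical script injection.
SAMPLE_PAGE = """
<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.shop.example/lib.js"></script>
<script src="//stats.partner.test/t.js"></script>
<script src="https://alerts.unknown-ads.invalid/push.js"></script>
<meta http-equiv="refresh" content="5; URL=https://go.unknown-tds.invalid/r?id=1">
</head><body><img src="logo.png"></body></html>
"""
BASELINE = {"shop.example", "partner.test"}  # hypothetical approved domains
if __name__ == "__main__":
    print(unfamiliar_hosts(SAMPLE_PAGE, BASELINE))
```

Run against periodic snapshots of your own pages, any host in the result is either a third party that was never approved or a sign of injected code, and both warrant review.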
The bigger picture
Ultimately, scareware is not just about pop-ups or fake warnings. It’s a reflection of a broader trend – cybercrime as a well-oiled business model, capitalising on every weakness in the digital value chain.
At Infoblox, our work in threat intelligence continues to expose these hidden systems, not just to block a specific attack, but to understand the ecosystem behind them. Because ultimately, the most powerful weapon against fear-driven scams isn’t technology alone — it’s transparency, vigilance, and informed action.
In today’s connected world, the line between safety and vulnerability often lies in a single click. Let’s make sure it’s the right one.
The article titled “Playing on fear: the lucrative business of scareware” was authored by Renée Burton, Vice President of Threat Intel, Infoblox
About the author

Dr. Burton is the Vice President of Threat Intel for Infoblox. She is a subject matter expert in DNS-based threats and leads the algorithm development and research in DNS intelligence. With over 20 years of experience at the NSA before joining Infoblox, she shaped Infoblox Threat Intel to be the leading creator of original DNS threat intelligence, distinguishing itself in a sea of aggregators.