Confronted with a message like this, most computer users feel compelled to take urgent action. Fortunately, instructions for what to do are right in front of them: click on a box to scan the computer. Once the scan is complete, and dozens of infections have been identified, they must go to a security website and pay $49.99 to download software that will remove the infections and safeguard their systems.

“A lot of people feel that is $49.99 well spent,” notes Paul Ducklin, head of technology, Asia Pacific, for the security firm Sophos. “They don’t realize they’ve been fleeced.”

At best, the downloaded software will have done nothing. At worst, it could conceivably be malware that could steal financial and password information, or cause the computer to distribute spam. The user has been the victim of “scareware” -- bogus security software that pretends to find infections and then pretends to remove them after the user has paid for a license.

Scareware is a rapidly growing problem. “Approximately five to 50 new samples of scareware are turning up every day,” Ducklin says. There’s a good reason for scareware’s rapid growth: It’s the easiest way for criminals to make money on the Internet, with millions of frightened computer users paying to download the stuff every month. For obvious reasons, it’s hard to get precise information about exactly how much money scareware scares out of users. But by most estimates, scareware is a billion-dollar industry.

Sophisticated deception

One reason scareware is so lucrative is that much of it uses very sophisticated techniques to fool users. Many scareware warnings reference security threats in the news (such as the Conficker worm), or display the four-color shield logo of the Microsoft Windows Security Center. “The design is almost identical to Windows, so it all looks very inviting and non-threatening,” says Dennis Fisher, editor of Threatpost, Kaspersky Lab’s security news site.

If users click to accept the scan, a realistic-looking animation will run, showing filenames flying by, much as they would during a real antivirus scan operation. Once the scan is complete, the software will report on the viruses it found. “Scareware often promises to find viruses other products miss,” Ducklin explains. “So, to really scare you, it’ll report on all sorts of exotic viruses that infect mobile phones, or unusual applications you probably don’t have installed. If you research them on bona fide websites, you’ll find they are listed as legitimate threats.”

The result of all this sophistication is that most people are deceived. And if you think your company’s users are different, consider this: In a recent experiment at North Carolina State University, 63 percent of participants were fooled into clicking on scareware -- even though they’d been warned that some messages they saw would be fakes.

Protecting users

Given these figures, it’s smart to assume your company’s users are as likely to be sucked in by scareware as everyone else. Here are three steps that can help keep your computers scareware-free:

  1. Make sure security is up-to-date, and consider blocking all pop-ups. Generally, there’s no reason to accept any kind of pop-up advertising, Fisher says. “Even if there’s no malware link in the pop-up, it could be sending users to sites you don’t want,” he says. A pop-up blocker can always be overridden if necessary.
  2. Consider website filtering. “It can help to get some Web filtering software or appliance,” Ducklin says. “It will pre-filter websites your users are visiting, and analyze the content coming in from them. That way, if a user does fall for the trick, and tries to visit a bad site, you can head it off.”
  3. Make sure users know what not to do. Education is your best tool in fighting scareware. Begin by making sure users know what brand of security software your company is using, and that no other security software should run on company-owned equipment. Next, make sure they know that if a pop-up or balloon appears, they should not click anywhere on it.

“Don’t touch it!” warns David Bateman, who leads the Internet Safety Group at K&L Gates, a law firm representing Microsoft in its joint lawsuits with Washington state against eight scareware purveyors. “Even if you think you’re clicking the X button to close the window, sometimes those are fake and will begin a download. But nothing can download without the user taking some action.”

Instead, users should either use control-alt-delete to close the window from the Windows Task Manager, or call for IT assistance. What if the balloon is a legitimate Windows Security Center warning? “If you need to run security software, open the Control Panel, go to the Windows Security Center, and run it from there,” Bateman advises. “That way, you’re safe.”