Almost every serious malware clean we've handled for a Bruntsfield home user this year started the same way: a full-page popup on an otherwise normal website telling them their browser is out of date and needs to be updated right now. It doesn't look like a scam. It uses the correct Chrome or Edge logo, it copies the real update dialog closely, and it appears on sites the customer has visited for years — recipe blogs, news pages, sometimes even a legitimate small business site that has been quietly compromised behind the scenes.
The trick works because it doesn't ask for anything obviously wrong. There's no request for a credit card, no urgent phone number to ring, no "you have a virus" siren. It asks you to update your browser — a thing you already know is a good idea. That's the whole con. This post covers what these popups actually are, what they install, how to tell them apart from the real update prompt, and what to do if you've clicked one already.
What the Fake Update Actually Looks Like
The visual pattern is nearly always the same. You're browsing normally, a page loads, and the entire tab is replaced by a clean white overlay with the Chrome or Edge wordmark, a version number that looks plausible, and a big blue "Update" or "Update Chrome" button. Sometimes the URL bar still shows the site you were on; sometimes the popup opens in a new tab so the URL looks convincing. The wording is usually along the lines of "Your Chrome browser is outdated. Update now to continue browsing safely."
What the button actually does is download a .js file, a .zip containing a .js file, or (more recently) a compact .msi installer. It is never a genuine Chrome or Edge update — Google and Microsoft do not distribute browser updates through a webpage popup. The download itself is often small (a few hundred kilobytes) and completes in under a second, which is the first thing that should feel wrong: a real Chrome update installer is over 100 MB.
Why It Lands on Bruntsfield Home PCs
The Bruntsfield callouts we see for this all share a similar profile — home users on a fibre connection, mostly on Windows laptops, browsing legitimate lifestyle and news sites in the evening. The compromised sites aren't obscure. In the last few months on the bench we've traced fake update popups back to a food blog, a book review site, and a UK-based small-business directory that had all been served the same injected script through a compromised ad network. None of those are places a security-aware user would think of as "risky sites".
The other reason it lands here is that the popup targets exactly the wrong instinct. Most Bruntsfield home users we work with are cautious, prompt-updaters — they know that keeping software patched is the right thing to do. The fake popup exploits that. If you were the kind of person who ignored update prompts, you'd close it out of habit. Because you take security seriously, you click it. The scam is aimed at the good behaviour, not the bad one.
A Bench Example: One Popup, Two Weeks of Cleanup
A recent job from just off Merchiston Crescent: a Windows 11 laptop that had been running slowly for a fortnight, with the fan cycling up whenever the machine was left idle. The owner had clicked an "Update Chrome" popup on a food blog about a fortnight earlier, run the small installer that downloaded, and seen nothing visible happen — no update dialog, no "welcome to the new version" screen. She'd assumed it hadn't worked and forgotten about it.
Two weeks later, LinkedIn had emailed her about a login from Bucharest, Amazon had bounced a login from a Frankfurt IP, and her Outlook had started auto-forwarding a copy of every incoming email to an unfamiliar Gmail address. The initial installer was long gone — that's typical, these "stager" scripts delete themselves once they've done their job — but we found a scheduled task quietly launching a coin miner every time the laptop had been idle for five minutes, a browser extension we hadn't installed, and a stored copy of her saved-passwords file that a second-stage info-stealer had extracted from Chrome. The clean took a full profile wipe, a reset of every saved login from a known-clean device, and two-factor authentication turned on for the accounts that didn't already have it.
What Gets Installed (And Why It's Worse Than Old-Style Viruses)
The old picture of a computer virus — one program that copies itself around and does one bad thing — doesn't fit any of these anymore. What the fake update actually installs is a small "stager" whose only job is to phone home, receive instructions, and download whatever the current campaign is selling. On the same day, two different Bruntsfield laptops with the same stager might end up with two completely different payloads. The most common we see, in rough order of frequency:
Info-stealers that dump saved browser passwords, cookies (which log an attacker straight into your accounts without needing the password), and any crypto wallet files present, then upload the lot. This is often the first thing that runs, because it's the fastest way to monetise the infection.
Remote-access trojans that let an attacker sit on the machine as if they were at the keyboard. These are the ones that lead to email-forwarding rules and unauthorised bank transfers on machines used for online banking.
Coin miners that use your CPU or GPU to mine cryptocurrency for someone else. This is the noisy one — the fan running at full speed, the laptop hot to the touch on a cold desk, the battery dying in half the usual time. Related reading: how a hot laptop can be a malware symptom.
Ransomware, occasionally, on home users but far more often on small businesses whose staff clicked the popup on a work laptop. Once the info-stealer has finished, the same stager can drop a ransomware payload as a parting gift.
How to Spot a Genuine Browser Update vs a Fake One
The single rule that catches every fake update popup ever made: real browser updates never come from a webpage. Chrome updates itself silently in the background — the only sign is a small coloured arrow in the top-right of the browser toolbar after a restart. Edge does the same. Firefox does the same. If you want to check the version manually, you go to the browser's own menu (three dots → Help → About) and it updates itself from there — you do not go to a webpage, and a webpage does not open that dialog for you.
Related tells that we look for on the bench: the popup opens on a site that has nothing to do with browsers; the download is tiny; the file name ends in .js, .zip, .msi or .hta rather than .exe from Google's own domain; the file is not digitally signed by Google or Microsoft when you right-click → Properties → Digital Signatures. Any single one of those is enough to bin the file.
If You've Already Clicked One — What to Do
Assume the worst and act quickly. Disconnect the laptop from the network (unplug Ethernet, turn off Wi-Fi) to stop any active data upload. From a different device — your phone, a partner's laptop, anything else — change the password on your email account first, then your bank, then any account with saved card details, and turn on two-factor authentication on anything that supports it. Do not sign back into anything from the affected laptop until it's clean. If you spot familiar signs of an active infection, the wider virus-symptom guide covers what to look for.
Then get the laptop looked at properly. A quick antivirus scan is often not enough — these stagers are written specifically to slip past consumer antivirus, and the payloads they deliver include tools designed to disable protection once they're in. A proper clean means removing the scheduled task, removing any planted browser extensions, checking for hidden user accounts, resetting the browser profile fully, and — because saved credentials have almost certainly been exfiltrated — treating every password saved in that browser as compromised. That's what our virus and malware removal process covers, and for jobs where the malware has hooked into corporate email or business accounts, remote support can start on the account-reset side while the laptop is still on the way to us.
Prevention: Two Habits That Kill the Threat
First, treat every "update your browser" popup on a webpage as a fake. There is no exception to this rule that a home user needs to know about. The real update lives inside the browser's own menu, not on a webpage.
Second, use a browser password manager — or better, a standalone one — with a separate strong master password, and turn on two-factor authentication on every account that supports it. When (not if) a stealer eventually gets one set of credentials, 2FA is often the only reason the attacker doesn't walk straight into the account. This is exactly the same defensive layer we recommend after a tech support scam call — the recovery afterwards leans heavily on 2FA already being in place.
If the popups themselves are appearing on sites that should be safe, that's often a sign the browser or router has already been tampered with. A proper cleanup — see our note on Chrome browser hijackers — often reveals a rogue extension or a DNS setting that's turning ordinary sites into ad-injection landing pads. On the software side, our software troubleshooting covers the same kind of profile-level clean-up remotely where the machine hasn't been fully compromised.
Neighbourhood Notes
The exact same fake-update pattern shows up on jobs from Marchmont, Morningside, Tollcross and Fountainbridge in more or less identical form — it's not a Bruntsfield-only problem. What we do see slightly more of here is the "quiet" version: laptops that are used mostly for browsing, home admin and email rather than gaming, where a coin miner or info-stealer can sit for weeks before anyone notices the fan noise or the strange login alert. If your laptop is quieter than a gaming rig and lives mostly on lifestyle sites, that's exactly the profile these campaigns are built for. Home users elsewhere in Leith or Newington see the same infections; on the business side, we cover the equivalent cleanup in Leith and across the wider Lothians.
The Short Version
If a website tells you your browser needs updating, it's lying. Close the tab, don't download anything, and check the browser's own menu if you're worried. If you've already clicked one, treat every saved password as compromised, get 2FA on everything, and get the machine cleaned properly rather than trusting a quick antivirus scan. The Bruntsfield jobs we see are almost always fixable — the ones that turn into a nightmare are the ones where the popup was clicked, the "installer" ran, and nothing visible happened, so nobody knew to act.
Last updated: 14 July 2026