Why this matters more than it used to

The tactic has not changed much in years: create a page that looks like the real thing, add a prominent download button, and wait.

What has changed is the quality of the fakes. A deceptive page can now look official enough to pass at a glance, complete with plausible branding, support-style layout, and a very convincing installer name.

The check against this is not technical. It is visual, and it takes about fifteen seconds.

Sign 1: The download button is bigger and flashier than everything else on the page

Legitimate vendor pages have design consistency. The download button matches the rest of the site and uses the same colors, fonts, and sizing as other buttons on the page.

A fake or deceptive download button is almost always trying to get your attention. It is large, brightly colored, and visually disconnected from the rest of the page. If the button looks like it belongs on a different website, it probably does.

What to do: hover over the button before clicking. In most browsers, the bottom of the screen shows you the actual URL a link goes to. If the URL is different from the site you are on, you are looking at an ad, not the real download.

Sign 2: There are multiple download buttons and they look identical

A real software page has one download button for the product, maybe two if there are separate versions for Windows and Mac.

If a page has three or four download buttons that look the same size and style, most of them are ads placed to catch people who click the first thing they see.

The real button is usually smaller and placed lower on the page, near the product name or version number. Scam pages invert this: the fake buttons are the most prominent elements, and the real download, if there is one, is buried.

Sign 3: A pop-up or banner tells you your software needs updating

Legitimate software updates happen through the software itself or through your operating system update mechanism, not through a random page you happened to visit.

If a website tells you to download an update, the correct response is to close the tab and check for updates through the official app or through system settings. A website has no reliable ability to know the version of software on your computer.

If the pop-up claims it scanned your system and found threats, it is lying. Close the tab.

Sign 4: The URL is one letter off from the real site

Legitimate software comes from the company that makes it. Attackers register domains that are one character off, add a hyphen, or switch to a different domain ending specifically to catch people who are not reading carefully.

  • Does the domain match exactly what you expect? A zero instead of an o or a different domain ending is enough to be dangerous.
  • Is there an extra word in the URL? Something like official-download in the domain is a bad sign.
  • Did you arrive here from a search result rather than typing the address yourself? Search ads have delivered fake software pages for well-known products.

The safest path to any software download is to type the company name into the browser address bar directly or navigate from a source you already trust.

Sign 5: The installer asks you to click Express or Recommended and hides what that includes

This is the most common trick that reaches your computer without looking dangerous at all. You may have found the real page and downloaded a real file, but during installation the setup wizard offers Express Install and Custom Install.

Express Install is often pre-configured to install the software plus whatever else the distributor is being paid to include: a toolbar, a browser extension, a separate optimizer, or a changed homepage.

This practice is called bundling. It is technically disclosed, but the disclosure is usually buried in a screen you are expected to skip.

What to do: always choose Custom or Advanced installation when the option exists. Review every screen. Uncheck anything that is not the software you actually came to install.

Sign 6: The page creates urgency or uses alarm language

Urgency is a design choice, not information. Legitimate software pages describe what the product does. They do not tell you that something bad will happen if you do not download immediately.

Real antivirus alerts come from software already installed on your device, displayed in your system notification area or the application itself, not from a webpage.

If a webpage claims to have scanned your computer and found threats, it is lying.

Sign 7: No publisher name, no version number, no last updated date

A legitimate software vendor page usually includes the company name, the software version number, system requirements, a changelog or release notes, and often a link to support or documentation.

A fake or low-quality page has none of this. It has a product name, a vague description, and a big download button.

When these details are missing, ask yourself: who made this, and where would I go if something went wrong? If you cannot answer both questions, do not download.

What a legitimate vendor page usually includes

  • The company name prominently and consistently throughout the page
  • A version number and a release date
  • System requirements
  • SHA or checksum information for the file, or at least a file size
  • A single, clearly labeled download button that matches the site design
  • A privacy policy and terms of service link in the footer
  • Contact or support information

The closer a page is to this baseline, the more trustworthy the download. The further it strays, no version, no publisher, multiple buttons, urgency language, the more caution is warranted.

The short checklist before clicking anything

  1. Did I type this address myself, or did I arrive from a search or link?
  2. Does the URL match exactly what I expect with no extra words or character substitutions?
  3. Is there one clearly labeled download button, or several large flashy ones?
  4. Did any pop-up on this page tell me something needs updating?
  5. Does the page list a version number, publisher name, and system requirements?
  6. If I choose Custom Install, what else is being offered?

Most dangerous downloads fail at least two of these checks. Most legitimate downloads pass all of them.

TotalAV and Surfshark add another safety layer before you download anything. TotalAV Web Shield flags deceptive download pages in real time, and Surfshark CleanWeb helps block ads and trackers often used to serve fake download buttons on otherwise legitimate sites. Neither replaces the visual checks above, but both catch a meaningful share of traps that look normal enough to pass a quick glance.