It’s probably happened to most people by now: You’re viewing a web page on your phone and, suddenly, you see a popup saying you’ve won a $1000 Amazon gift card or similar fake prize. What’s going on?

Your Phone is Fine; the Web Page Has a Problem

Pop-ups like this in your phone’s browser are not malware. It’s not a problem with your phone or your web browser. It’s a problem with the web page. The web page you were viewing had code on it that took you to a new page with a scammy message. The process of automatically taking you from your current page to a new one is known as a “redirect.”

This type of scam primarily appears on mobile websites, but you’ll occasionally stumble onto similar nefarious advertisements in a desktop PC’s web browser.

Deceptive pop-ups we’ve seen on our phones include “Congratulations Amazon.com User,” “Congratulations Apple User,” “You are the chosen,” “Amazon Promotional Contest,” and “Amazon Rewards Event.” They often promise a $1000 Amazon gift card, an Apple iPhone X, or the latest Samsung Galaxy smartphone. Other redirects might take you directly to a page on your phone’s app store, hoping you’ll install the app. Or they might show you scantily clad women and push a dating website.

A Bad Advertisement Redirected You

These pop-ups are a scam, just like the scammy phone calls that tell you you’ve won a fabulous free vacation. You didn’t win anything. If it sounds too good to be true, it probably is.

But how did a fake message like that get on an otherwise legitimate website? Simple—it’s a bad advertisement.

This advertisement contains JavaScript code that navigates away from the current web page to a new web page, and that new web page includes a scammy pop-up message.

The website owner doesn’t want this junk on their website. Legitimate ad networks don’t want this garbage, either. But bad actors sometimes sneak their shady ads through.

How Bad Ads Get Through

Understanding what’s going on here requires understanding the basics of how advertisements work online.

On most websites, ad networks dynamically load advertisements. When you visit a website, it requests ads from the networks selected by the website owner. Ads on the network compete for your attention via an automated “bidding” process that happens almost instantaneously, and the sites show the ads that pay the most to reach you. Ads are targeted to you in a variety of different ways, from your geographical location to your browsing activity.

If a bad ad gets through, it can run code on the web page and take you to a new web page full of scammy pop-ups. The website owner and ad network don’t want this to happen, but it does.

These same ads don’t appear for everyone viewing the web page. They’re targeted, so someone else viewing the same page might not see that junk. That makes them harder to stomp out. Websites can blacklist specific ads, and ad networks can remove them, but this generally happens after the ad appears.

Ads like these shouldn’t exist, but they sometimes pop up. They should be rarer on higher-quality ad networks that police their ads better. You’re more likely to encounter these nefarious pop-ups on low-quality sites filled with questionable ads from networks that aren’t as good at policing their ads, but it can happen anywhere.
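For site owners, one defensive check against the redirect behavior described above, as an added example that is not from the original article: it scans a page's ad iframes and reports which ones are allowed to navigate the whole page away. It assumes ads are served in `<iframe>` elements; the sample markup, the `ads.example.com` host, and the function names are constructed for illustration.

```javascript
// Added example (not from the article): audit ad <iframe> sandbox settings.
// Assumption: ads are served in iframes. Ad script injected straight into the
// page runs with the page's own privileges and is outside this check.

// Constructed sample markup; ads.example.com is a placeholder host.
const SAMPLE_HTML = `
<iframe id="slot-a" src="https://ads.example.com/a"></iframe>
<iframe id="slot-b" src="https://ads.example.com/b"
        sandbox="allow-scripts allow-popups allow-top-navigation"></iframe>
<iframe id="slot-c" src="https://ads.example.com/c"
        sandbox="allow-scripts allow-top-navigation-by-user-activation"></iframe>
<iframe id="slot-d" src="https://ads.example.com/d" sandbox="allow-scripts"></iframe>
`;

// Read one attribute from a start tag. Returns null when the attribute is
// absent and "" when it is present without a value (a bare `sandbox`).
function getAttr(tag, name) {
  const re = new RegExp(
    `\\s${name}(?:\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s>]+)))?(?=[\\s>/])`, "i");
  const m = tag.match(re);
  if (!m) return null;
  return m[1] ?? m[2] ?? m[3] ?? "";
}

// Decide whether the framed content may navigate the top-level page.
function classifyFrame(tag) {
  const sandbox = getAttr(tag, "sandbox");
  // No sandbox attribute: the frame has no sandbox limit on top navigation.
  if (sandbox === null) return "unsandboxed";
  const tokens = new Set(sandbox.toLowerCase().split(/\s+/).filter(Boolean));
  // Unconditional permission: script in the frame can redirect the page.
  if (tokens.has("allow-top-navigation")) return "can-redirect";
  // Redirect allowed only as the result of a user gesture inside the frame.
  if (tokens.has("allow-top-navigation-by-user-activation")) return "redirect-on-tap-only";
  // Sandboxed without either token: top-level navigation is blocked.
  return "cannot-redirect";
}

// Return one verdict per <iframe> start tag found in the markup.
function auditAdFrames(html) {
  const tags = html.match(/<iframe\b[^>]*>/gi) || [];
  return tags.map((tag) => ({ id: getAttr(tag, "id"), verdict: classifyFrame(tag) }));
}

console.log(auditAdFrames(SAMPLE_HTML));
```

The regex scan is enough for auditing your own templates; for arbitrary HTML, feed the same `classifyFrame` logic from a real HTML parser.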

How to Avoid Scammy Redirects

The problem is with the website and its code, so you can’t fix it. The website owner and ad network have to.

If you encounter this junk on a random web page you find from Google or Facebook, just tap the back button and get away from it. Forget about viewing the page. It’s a big internet, and you can find something similar elsewhere.

On the other hand, if you run into this type of redirect on a website you’re familiar with and expect better from, you might want to contact the website owner or the website’s support team and report a problem. They won’t be happy about that scammy pop-up either, and they’ll want to fix it.

What About Blocking Ads on Your Phone?

There is one way to potentially avoid the problem: You can run an ad-blocking app on your phone. Ad blockers should block these deceptive pop-up ads along with other types of ads.

We’ve encountered a bunch of problems with ad-blocking on mobile. We’ve seen online shopping and other web pages break while this software was enabled, and we’ve heard similar reports from other people. We tend to just navigate away from websites that show scammy pop-ups and look for better ones.

On an iPhone, you can install a content blocker like AdGuard from the App Store and enable it to block ads in Safari. On an Android phone, Google Chrome is designed to block ads like this with its built-in ad-blocker, but you can also download an app like Adblock Plus for Android to be even more aggressive.

There are also many other ad-blocking solutions for both iPhone and Android, including browsers with built-in ad-blocking, so you can find something that works for you even if the above solutions don’t.

Pop-ups like this are terrible, and no one online likes them—except for the people who create them and make a profit off tricking people. Luckily, we’ve noticed these scammy ads become rarer, at least on big-name legitimate websites. Schemes like Google’s built-in ad-blocker for Chrome are gradually helping to clean up the web.