Millions of people have been tricked into installing fake anti-virus software on their computers that actually makes them more vulnerable to fraud and identity theft, a leading report into online crime revealed yesterday.

Cybercriminals are profiting from the practice, which is known as “scareware”. Users are fooled into clicking on to authentic-looking websites that promise to clear their computers of viruses. In fact, these sites dupe people into handing over their credit card details or allow fraudsters to steal from their computers directly.

More than 40 million people have fallen victim to the scam in the past 12 months, according to a new report from Symantec, the web security analysts. Experts said that scareware was on the rise because it has proven effective and it preys on current public fears about online identity fraud.

Scareware leaves computer users open to attack in three different ways. First, people spend £20 to £60 on software they believe is protecting their PC from viruses, but is actually fake. Second, the programs are often malicious, allowing hackers to raid personal computers for financial and personal details that can then be traded on the web.

Finally, users often hand over their credit card details in paying for the fake software.

In a typical scareware racket, sellers use “pop-up” advertisements that are designed to look legitimate: for example, using the same fonts and style as Microsoft or any other well known software provider. The ads tell a user that his or her computer’s security has been compromised.

When users click on the message, they are redirected to another website where they download anti-virus measures that will supposedly clean up their computers.

Con Mallon, a senior analyst from Symantec, said that scareware attacks can often be the starting point for even more elaborate frauds.

“Cybercriminals could hold your computer to ransom where they will stop your computer working or lock up some of your personal information, your photographs or some of your Word documents,” he said.

“They will extort money from you at that point. They will ask you to pay additional money, then release your machine back to you." Because the amounts demanded are relatively small, it is believed that the police rarely get involved.

Graham Cluley, from Sophos, the internet security specialists, said his own research showed that the problem was set to increase, with 15 to 20 new websites appearing every day hosting scareware cons.

“We’ve seen such a dramatic rise in scareware this year, fundamentally because it works,” said Mr Cluley. “Everyone is paranoid about their computers and identity theft, and hackers are taking advantage of people being worried about this.

“If you see something with a different name or different look you should be careful. But it is hard. Your granny could be looking at it, and it’s human nature to believe a warning once it is given.”

Symantec said it has identified 250 different versions of the scam, which it believes is netting cybercriminals around £850,000 a year. The company analysed data across the web between July 2008 and June 2009.

Security experts warned that cybercriminals ran sophisticated scareware operations, with many even using ads placed on search engines such as Google to ensure users see their websites.

Mr Cluley said: “When there’s a hot news story that people are searching for, you type in a Google search, and click on a webpage. Suddenly, there’s a warning that pops up telling you to update security, and the messages get more and more insistent.

“You panic at the thought of identity theft. It can happen to anyone.”