Why Pop-Ups and Phishing Keep Invading Your Phone
You close one pop-up and three more appear. An official-looking text says your package is stuck and you must "verify" your credit card. Welcome to the daily cat-and-mouse game every smartphone user plays. Pop-ups and phishing rely on urgency to bypass your common sense, but you can beat both with five minutes of setup.
The Real Cost of Tapping "Okay"
- Financial theft: A single fake banking pop-up can drain your account within minutes.
- Identity loss: Phishing pages harvest email, social media, and even two-factor codes.
- Speed and battery drain: Auto-redirecting ads force Chrome or Safari to reload endlessly.
Step 1: Toggle the Built-In Pop-Up Blocker
Android (Chrome)
- Open Chrome → tap the three-dot menu → Settings → Site settings → Pop-ups and redirects.
- Toggle the switch to Blocked. Gray means the switch is already off.
- Go back one level → Ads → also choose Blocked.
Tip: If a trusted site needs pop-ups, tap the lock icon in the address bar → Site Settings, then temporarily allow pop-ups for that specific page.
iPhone (Safari)
- Open Settings → scroll to Safari.
- Turn on Block Pop-ups (green switch). iOS does this quietly in the background.
- While here, flip Fraudulent Website Warning to on for automatic phishing alerts from Google Safe Browsing.
Step 2: Slash Notifications from Rogue Sites
Many pop-ups start as innocent push notifications that slowly morph into spam.
Android
- Chrome → Settings → Notifications → Sites.
- Ban any URL you do not recognize or those with endless gambling or coupon offers.
- Long-press a repeated spam notification when it appears and hit Turn off notifications directly.
iPhone
- Settings → Notifications → Safari → turn off Allow Notifications. Web pages should not be buzzing your lock screen in the first place.
- For other browsers, repeat under Settings → Notifications → the browser name.
Step 3: Deploy a Light Ad-Block & DNS Filter
The built-in blockers are good. A DNS-level filter is great. These apps stop threats before they ever reach Safari or Chrome and work on both Wi-Fi and mobile data.
Option A: Blokada (Android & iOS Side-load)
- Visit blokada.org using your phone browser.
- Install the lightweight APK on Android or use TestFlight on iOS.
- Open the app → tap Ad blocking ON. No root or jailbreak needed.
- Enable Block malware and Phishing protection lists in Ad blocking → Host lists.
Option B: NextDNS (All Devices, No App Required)
- Create a free account at nextdns.io and grab the unique DNS-over-HTTPS/2 URL.
- Android: Settings → Network & Internet → Advanced → Private DNS → Enter the provided hostname.
- iPhone: Download the profile from the NextDNS site → open in Settings → Profile Downloaded → install.
Once connected, NextDNS scrubs ads, trackers, and known phishing domains network-wide.
Step 4: Verify Link Safety Before You Tap
Pop-ups often disguise dangerous links as delivery updates, tech-support chat boxes, or fake CAPTCHA pages.
Use the Hover Trick in Gmail or Messages
- Tap-and-hold the link (Android) or long-press (iPhone), then drag slightly until the full URL appears in a preview window.
- Check the domain spelling: amaz0n-support.net is not Amazon.
- If the link is shortened (tinyurl, bit.ly), paste it into CheckShortURL to see the true destination.
Add Google Safe Browsing Search
- Bookmark https://transparencyreport.google.com/safe-browsing/search in your mobile browser.
- Paste any link before you open it. Google churns through six billion checked URLs each week—good odds it has seen the scam first.
Step 5: Spot the New Phishing Styles in 2025
Criminals keep evolving. These three variants are everywhere right now.
1. Calendar Phishing
A fake appointment like "iPhone 16 giveaway—claim now" pops into your calendar with an embedded link. Tap it and you land on a malware dropper.
Block it:
- iPhone: Settings → Calendar → Accounts → Delete any unknown subscribed calendar.
- Android: Calendar app → Manage calendars → Unsubscribe shady invites.
2. Missed-Delivery SMS
"We missed you—pay £2.99 to reschedule redelivery." The link leads to a near-perfect copy of Royal Mail or USPS.
Spot the tiny mistakes:
- Sender ID reads "RoyalMail.com" not "+44-mobile-number".
- Web address contains royal-mail.secure.co.uk—note the extra dot, extra domain.
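The domain checks from Step 4 and from the missed-delivery example above, written out as an added example that is not part of the original article: it extracts the part of the hostname that was actually registered and flags brand names that appear anywhere else. The brand allowlist, shortener list and two-level suffix set are constructed sample data, and the function names are hypothetical; a real tool would use the full Public Suffix List.

```python
from urllib.parse import urlsplit

# Constructed sample data: brand keyword -> domains that brand really uses.
BRANDS = {
    "amazon": {"amazon.com", "amazon.co.uk"},
    "royalmail": {"royalmail.com"},
    "usps": {"usps.com"},
}
SHORTENERS = {"bit.ly", "tinyurl.com"}
# Tiny stand-in for the Public Suffix List (assumption, not a complete list).
TWO_LEVEL_SUFFIXES = {"co.uk", "org.uk", "com.au"}
LOOKALIKES = str.maketrans("0135", "oles")  # 0->o, 1->l, 3->e, 5->s


def registrable_domain(host: str) -> str:
    """Return the part of the host that someone actually registered."""
    labels = host.lower().rstrip(".").split(".")
    n = 3 if ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES else 2
    return ".".join(labels[-n:])


def check_link(url: str) -> str:
    """Classify a link as 'ok', 'shortened', 'lookalike' or 'unknown'."""
    # Accept bare hostnames as well as full URLs.
    host = urlsplit(url if "//" in url else "//" + url).hostname or ""
    domain = registrable_domain(host)
    if domain in SHORTENERS:
        return "shortened"  # destination is hidden: expand it before trusting
    # Undo digit swaps and drop separators so 'amaz0n' and 'royal-mail' match.
    squashed = host.translate(LOOKALIKES).replace("-", "").replace(".", "")
    for brand, real_domains in BRANDS.items():
        if brand in squashed:
            # A brand name only counts when it sits in the registered domain.
            return "ok" if domain in real_domains else "lookalike"
    return "unknown"


if __name__ == "__main__":
    for sample in ("http://amaz0n-support.net/login",
                   "https://royal-mail.secure.co.uk/redelivery",
                   "https://www.amazon.co.uk/gp/help",
                   "https://bit.ly/abc123"):
        print(f"{check_link(sample):10} {sample}")
```

For royal-mail.secure.co.uk the registered domain is secure.co.uk, so "royal-mail" is only a subdomain label chosen by whoever owns that domain.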
3. Wi-Fi Captive Portal Phishing
Airport or café hotspots that redirect to a fake Google sign-in page.
Sniff test:
- On Android: Settings → Network & Internet → Wi-Fi → the network name → click the gear → Advanced → MAC Randomization ON. This limits tracking even if you land on the fake page.
- iPhone: Settings → Wi-Fi → the network → Private Address ON.
Step 6: Lock Down Messaging Apps
WhatsApp
- Enable Two-step verification: Settings → Account.
- Turn on Disappearing messages → 24 hours for unknown contacts.
- For group invites: Settings → Privacy → Groups → My contacts except.
Android Messages
Spam protection is enabled by default. To confirm: Messages → three-dot menu → Settings → Spam protection → On.
iMessage
Open Settings → Messages → Filter Unknown Senders. The spam folder is less tempting when out of sight.
Step 7: Use App Sandboxing to Test Shady Links
If curiosity wins, open the link inside an isolated browser profile so it cannot touch your main device.
Firefox Focus (Android & iOS)
- Install Firefox Focus, a browser that auto-erases cookies and history after every session.
- Open the link in Focus. If it demands login or auto-downloads a file, close and forget.
DuckDuckGo App Tracking Protection (Android)
- DuckDuckGo menu → Settings → App Tracking Protection → Enable.
- The tool blocks hidden trackers in every app, cutting the number of pop-ups at the source thanks to reduced data collection.
Step 8: Factory Reset Pop-Up Sources Instead of the Whole Phone
An errant browser extension or ad-heavy game can hijack your phone repeatedly. Instead of wiping everything, surgically reset the problem app.
Android
- Settings → Apps → the app → Storage & cache → Clear Storage.
- Re-open the app and deny any new permission requests that look fishy.
iPhone
- Settings → General → iPhone Storage → the app → Offload App. Keeps documents, deletes code.
- Tap the app icon again—it re-installs fresh and annihilates lurking adware.
Step 9: Regular Quick-Check Routine
Slow the invasion with a once-a-week five-minute scan:
Check item | Android path | iPhone path |
---|---|---|
Browser security updates | Play Store → Manage apps & device → Updates | Settings → General → Software Update |
Notification audit | Settings → Apps → each browser → Notifications | Settings → Notifications → scroll list |
DNS filter sees spikes | NextDNS app dashboard → Analytics → Queries | NextDNS web dashboard → Logs |
Step 10: What to Do if You Already Clicked a Bad Link
- Disconnect from data: Turn on airplane mode immediately to stop malware from phoning home.
- Force stop the browser: Android Settings → Apps → the browser → Force stop; iPhone swipe up from the home bar and flick away.
- Run an extra scan:
  - Android: Install Malwarebytes (free, Google Play), run a quick scan, follow removal prompts.
  - iPhone: No traditional antivirus exists, but reset Safari data: Settings → Safari → Clear History and Website Data.
- Change any reused passwords: If you entered credentials, change them on another trusted device.
Extra Tips Power Users Love
- Enable automatic website translation only on trusted URLs. Browsers can mis-translate buttons, turning the "cancel" button into a "confirm".
- Get a spare email for sign-ups. Gmail supports username+random@domain.com style addresses, letting you filter phishing tied to that address.
- Use picture-in-picture mode for YouTube. Ads that try to force full-screen redirects cannot escape the small overlay window.
Quick Settings Checklist
Store this list in your phone for one-tap repeat checks.
- Chrome/Settings → Site settings → Pop-ups → Blocked.
- Safari/Settings → Block pop-ups → ON.
- DNS filter app → Status → ON.
- Notifications panel → search "subsc" (subscription) and remove every site not trusted.
- Trusted keyboard → avoid random "GIF keyboards" that request full network access.
Bottom Line
Pop-ups and phishing are not going away, but your phone already has the tools to outrun the bulk of them. Three settings, one free DNS filter, and a weekly five-second audit will keep your lock screen calm and your data safe—no computer science degree required.
Disclaimer: This article is for educational purposes. Always cross-check official instructions with device manuals or carrier guidance. The piece was generated by an AI assistant and edited by a human journalist based on current reputable sources such as Google Safe Browsing, Android and iOS security documentation, and NextDNS privacy blog.