Introduction
This article explains how to set up and enable Scam, phishing, and malware protection (formerly Threat Protection Pro™) on macOS. The feature automatically blocks ads, trackers, malicious websites, and malicious files, and is only available with selected NordVPN plans. Learn more about Scam, phishing, and malware protection, and Scam and phishing protection (formerly Threat Protection Pro™ and Threat Protection).
Before you start
- Scam, phishing, and malware protection is only available with selected NordVPN plans.
- These instructions are for the latest versions of macOS. If you are using an older version of macOS, check out enabling Scam, phishing, and malware protection on older macOS versions.
- You will need your computer's password and administrative rights to complete the setup.
- The setup wizard verifies the macOS system permissions required for the feature to function. If any permission is missing later, a Permissions alert will appear on the main Scam, phishing, and malware protection page and across all Protection history tabs, with a Let's do it button that reopens this wizard.
Here's what to do
- Open the NordVPN app and click the shield icon on the left side of the NordVPN application to open the Scam, phishing, and malware protection tab.
- In the hero section, click Turn on protection (or Set up on first launch):
- Click Allow extension and follow the on-screen instructions:
- Click Allow configurations and follow the on-screen instructions:
- Click Allow disk access and follow the on-screen instructions:
- Click Next:
NOTE: You may be prompted to enter your computer's password. - Once setup completes, the status badge in the hero section will switch to ACTIVE. If you see OFF or Not active. Waiting for VPN, connecting to a VPN server, and confirming at least one sub-feature is enabled in Advanced settings.
Managing sub-features (Advanced settings)
In the redesigned app, individual sub-feature toggles live in a dedicated Advanced settings screen rather than the main tab. To open it:
- Click the shield icon in the NordVPN app.
- Click the Protection preferences (Advanced settings) card in the bottom-right of the main view.
- Toggle the sub-feature you want under the matching superfeature block:
- Anti-malware - Malware scanner (inner view), Vulnerability scanner.
- Advanced browsing protection - Malicious website blocker, Scam and fraud alert, Hijacked session alert, Search results safety indicator, Email protection, Crypto wallet address checker.
- Ad and tracker blocker - Ad blocker, Tracker blocker, URL cleaner.
- To configure Malware scanner sub-options (Cloud-based threat scanner, Auto-delete malicious files), click the Malware scanner row in the Anti-malware block to open its inner view. Cloud-based threat scanner and Auto-delete malicious files are off by default for privacy and to prevent accidental file loss, and are disabled while the Malware scanner itself is off.
If Scam, phishing, and malware protection is fully off, a Turn on banner appears at the top of Advanced settings. If an entire superfeature is off, a "[superfeature name] · Turned off" banner appears under its tab in Protection history with a one-click Turn on action.
Pausing and resuming protection
- On the main page, click Pause protection and pick a duration: 5 min, 15 min, 30 min, 1 hour, 24 hours, or Turn off.
- While paused, the status badge changes to OFF, the button becomes Resume protection, and a countdown toast appears in the Scam, phishing, and malware protection tab.
- Protection resumes automatically when the timer ends, or instantly when you click Resume protection. Pause state is not preserved across app restarts.
Reviewing detected threats
- When something needs your attention (files in quarantine or vulnerable apps), an Action required banner appears below the hero section with a red counter and a Review and resolve button that opens Protection history → All threats.
- Protection history is filtered with four chips: All threats, Malicious files, Malicious websites, Ads and trackers. Each category stores up to 100 entries; older entries are rotated out (FIFO) as new ones arrive. Quarantined files are not subject to this cap.
- Click any threat row, then Manage threat to act on it. Status badges you may see:
- Ads / Trackers / Malicious websites - BLOCKED, UNBLOCKED
- Scam or fraud alert - DETECTED, BLOCKED (and ALERTS OFF in a later release)
- Malicious files - QUARANTINED, ALLOWED, DELETED, COULDN'T DELETE
- Vulnerable apps - LOW LEVEL VULNERABILITY, MEDIUM LEVEL VULNERABILITY, CRITICAL LEVEL VULNERABILITY
- Quarantined files are automatically deleted after 30 days. Hover the info icon next to Quarantined files for a reminder.
Additional tips
- Restart your browsers after setup for the feature to work correctly.
- Scam and phishing protection (formerly Threat Protection) - the Lite version available on free plans - covers malicious websites and ads/trackers only; anti-malware, vulnerability scanning, and the full set of advanced browsing protections require Scam, phishing, and malware protection.
- If the status badge stays Not active. Waiting for VPN, connect to a VPN server - Scam, phishing, and malware protection activates from the moment a VPN connection is initiated.
- If you experience issues with Scam, phishing, and malware protection on macOS, see our guide on resolving Scam, phishing, and malware protection issues on macOS.
