Scams continue to be a persistent global challenge, fueled by sophisticated transnational crime groups who seek to exploit people online for financial gain. According to the NASDAQ Global Financial Crime Report, total global fraud losses are estimated at nearly $580 billion for 2025. Furthermore, global surveys indicate that approximately one in five adults fall victim to scams.
At Google, our teams are committed to tracking these evolving tactics, sharing and acting on our observations to protect the public and the broader digital ecosystem. Our teams use the latest in AI capabilities to prevent, detect and respond against evolving scam tactics, and we regularly publish updates to share our observations with others.
Our latest Scams Advisory describes both recent and seasonal scam trends identified by our analysts.
1. Adversary-in-the-Middle (AITM)
Traditional email phishing has evolved into sophisticated Adversary-in-the-Middle (AITM) and “Quishing” (QR code phishing) attacks. Despite industry actions against major Phishing-as-a-Service (PhaaS) kits like Tycoon 2FA (Barracuda April 2026), phishing volumes remain high. Attackers are increasingly able to mirror legitimate login flows to capture a user’s password and session cookie, bypassing Multi-Factor Authentication (MFA). To evade security scanners, attackers use techniques that host malicious payloads on reputable cloud properties.
Scammers are abusing trusted cloud productivity suites to bypass security filters. We investigated “Calendar Phishing” bypasses, where fake renewal notices were added directly to Google Calendar invites. Scam apps also abused “invisible pages” in cloud documents to host malicious instructions and phishing landing pages that evade standard web filters (also known as “reputation bypass”). Furthermore, we investigated AITM campaigns targeting email users by impersonating recognized brands to steal session tokens, as well as the “ClickFix” campaign (which uses fake browser update lures) distributing malware on Google Sites.
Google continues to track and dismantle the infrastructure powering these phishing operations. Beyond technical mitigations, such as neutralizing AITM campaigns, deploying Device Bound Session Credentials (DBSC) to secure active session cookies against theft, and strengthening defenses against reputation-based bypasses, we actively pursue affirmative litigation to disrupt malicious actors. Building on our successful past legal actions against Lighthouse phishing kits, we are committed to holding cybercriminals accountable in court and dismantling the tools they use or sell to other scammers.
Safety tip: Never scan a QR code from an unexpected email using your personal phone, and always navigate directly to a service’s official website rather than clicking links or calling phone numbers found in unexpected notifications. For more information on how to protect yourself from these tactics, check out our latest security tips.
2. AI cryptocurrency investments
Investment fraud drives significant cybercrime losses, with Americans reportedly losing more than $11 billion to cryptocurrency-related scams in 2025. Scammers exploit the complexity of blockchain technology to promote “too good to be true” opportunities, deceiving users by promising unrealistic or exaggerated financial gains with minimal effort.
We are tracking cryptocurrency scams that use tactics such as fake token giveaways, fraudulent “passive income” mining software, and deceptive bot-building tutorials. In these schemes, individuals provide step-by-step guides on how to set up crypto nodes to earn rewards, but when users run the provided code, it drains their crypto wallets. Scammers use on-screen QR codes or description links to direct victims to phishing forms or malicious software downloads.
To combat these deceptive crypto ads, Google maintains policies aimed at protecting users from financial harm. We also enforce our Unreliable Claims policy, which prohibits ads making unrealistic promises of large financial returns. Additionally, our Unacceptable Business Practices policy enables us to take action against actors attempting to impersonate trusted brands or cryptocurrency platforms. When advertisers violate these rules, we suspend their accounts or disapprove their ads. Alongside these strict policy enforcement efforts, we use predictive analytics to systematically identify and block emerging deceptive crypto patterns.
Safety tip: Be skeptical of any crypto investment that promises risk-free, or “guaranteed” returns. Never copy and paste unknown code or commands from an online tutorial into your computer’s terminal, as this is a common tactic used to deploy malware and drain cryptocurrency balances.
3. Mobile scams
As highlighted in our November 2025 Scams Advisory, mobile extortion has grown, particularly through malicious banking and finance applications (McAfee research). Disguised as personal finance apps, many of these malicious apps demand excessive system permissions (contacts, SMS history, photos). In some cases, the operators of these apps use the stolen data to extort and publicly shame the victim.
While these types of scams are known, the tactics attackers use to reach users have mutated. With app stores like Google Play raising the bar for security, actors are increasingly using versioning: submitting a legitimate-looking utility app for initial review by app stores, and then later updating the app with extortion malware that exploits accessibility services after the user has installed it. To combat these evasive tactics, Trust & Safety teams prioritize the detection of “dormant” permissions. We are also prioritizing an enhanced monitoring system designed to audit post-installation app behaviors, stopping these apps from silently activating their data-harvesting mechanisms.
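The versioning tactic and the “dormant permission” check described above can be modelled as a simple review-time audit, shown here as an added example (not Google's or Google Play's code). The permission and service identifiers are real Android names; the two manifests and the observed-usage set are constructed sample data.

```python
"""Flag permission escalation between an app's reviewed version and its update.

Added illustration of the 'versioning' tactic: a benign-looking utility app
passes review, then an update adds extortion-style permissions and binds an
accessibility service. Manifest data below is constructed, not from a real app.
"""

# Permissions the advisory calls out as excessive for a finance/utility app.
SENSITIVE = {
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_SMS": "SMS history",
    "android.permission.RECEIVE_SMS": "SMS interception",
    "android.permission.READ_MEDIA_IMAGES": "photos",
    "android.permission.READ_EXTERNAL_STORAGE": "photos/files",
}
# Intent action a manifest uses to declare an accessibility service.
ACCESSIBILITY_SERVICE = "android.accessibilityservice.AccessibilityService"


def audit_update(old, new):
    """Compare the reviewed manifest with the update; return findings (strings)."""
    findings = []
    for perm in sorted(new["permissions"] - old["permissions"]):
        if perm in SENSITIVE:
            findings.append(f"new sensitive permission: {SENSITIVE[perm]} ({perm})")
    if (ACCESSIBILITY_SERVICE in new["services"]
            and ACCESSIBILITY_SERVICE not in old["services"]):
        findings.append("update newly binds an accessibility service")
    return findings


def dormant_permissions(manifest, used_at_runtime):
    """Sensitive permissions declared but never exercised during review.

    Declaring a permission early and only using it after a later update is
    the 'dormant permission' pattern the advisory describes.
    """
    declared = manifest["permissions"] & SENSITIVE.keys()
    return sorted(declared - used_at_runtime)


# Constructed sample: v1 as submitted for review, v2 as pushed later.
V1 = {"permissions": {"android.permission.INTERNET",
                      "android.permission.READ_CONTACTS"},
      "services": set()}
V1_USED = {"android.permission.INTERNET"}  # what v1 actually touched in review
V2 = {"permissions": V1["permissions"] | {"android.permission.READ_SMS",
                                           "android.permission.READ_MEDIA_IMAGES"},
      "services": {ACCESSIBILITY_SERVICE}}

if __name__ == "__main__":
    print(dormant_permissions(V1, V1_USED))
    print("\n".join(audit_update(V1, V2)))
```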
Safety tip: Only install loan or finance apps from official app stores, and never grant an app access to your personal contacts, photo gallery, or SMS logs unless it is fundamentally required for the app’s core function. If you use an Android device, pay close attention to the built-in scam warnings in Google Messages and Phone by Google. Always heed these alerts, as scammers frequently try to trick you into downloading malicious apps or turning off security protections.
4. Police impersonation
Threat actors are increasingly exploiting public trust in law enforcement and government institutions to execute coordinated impersonation and financial extortion campaigns. Active across South Asia, Southeast Asia and the Gulf Cooperation Council (GCC) countries in particular, these malicious actors, often based in other countries, target citizens in countries like Oman, Singapore, India and the United Arab Emirates. By masquerading as municipal police forces or labor ministries, these scammers exploit vulnerable individuals through unsolicited communications, including fraud emails and cross-messaging invitations.
To conduct these operations, scammers use sophisticated account-creation techniques to register bulk Google accounts. They register official-sounding email addresses that closely mimic legitimate authorities and regional law enforcement. Once these accounts are established, bad actors execute a hybrid, cross-platform operation. They typically reach victims on third-party messaging applications, presenting a deceptive meeting or calendar invite sent from these official-looking addresses. Scammers then conduct high-pressure voice or video calls, sometimes referred to as ‘digital arrests’, using government branding and aggressive social engineering to convince victims they are under investigation for financial crimes, ultimately demanding upfront ‘legal fees’ or harvesting sensitive banking credentials.
Google fights back against these predatory campaigns by deploying multi-layered defenses at each stage of the abuse lifecycle to identify and disable coordinated impersonation networks at scale. We enforce our Gmail Program policies, alongside Google’s core impersonation policies, to immediately suspend accounts engaging in governmental fraud. While malicious actors attempt to circumvent our detection capabilities, our teams use advanced tools to take action while continuing to evolve our defenses. This extends to the user’s experience on mobile devices, for example via the Android Developer Verification Program. Two years ago, we introduced the Government verified apps program, designed to tackle scammers using fake apps that impersonate official government apps. We are now building on this protection with a new security measure requiring app developers to verify their identity (name, address, ID) for apps installed on certified Android devices. This creates developer accountability to combat malware and scams, even for apps installed outside the Play Store (sideloading).
Safety tip: Use caution when engaging with unsolicited calls, emails, or meeting invitations from personal email accounts claiming to represent law enforcement or government ministries. Real government departments and police forces will never contact you via third-party messaging apps to demand payments, threaten legal action, or ask for sensitive credentials. Users also have the option to select the ‘Only contacts can call me’ setting in Google Meet. See here to learn more about fraud and scam protections.
We hope this latest advisory helps you stay safe in an evolving threat landscape. For more on the latest ways Google is keeping you safe from scams, check out our recent blog on how to protect yourself from impersonation scams with fake call detection and visit our help center for more on avoiding and reporting scams.