Online Scams Just Got Smarter — Here’s How Google Fights Back

Online scams are a persistent global challenge, fueled by sophisticated transnational crime groups seeking to exploit people for financial gain. With total global fraud losses estimated at nearly $580 billion for 2025 and about one in five adults falling victim to scams, the threat is ever-present. At Google, our dedicated Trust & Safety teams leverage the latest AI capabilities to track, prevent, detect, and respond to these evolving scam tactics.

We’re committed to sharing our observations to protect the public and enhance the broader digital ecosystem. Our latest Scams Advisory highlights both recent and seasonal trends identified by our expert analysts. Understanding these new methods is crucial for staying safe in an increasingly complex digital world.

The Evolving Threat Landscape: New Phishing Tactics

Traditional email phishing has morphed into highly sophisticated attacks, making it harder than ever to distinguish legitimate communications from malicious ones. We’re seeing a rise in Adversary-in-the-Middle (AITM) and “Quishing” (QR code phishing) attacks. These advanced methods can bypass even Multi-Factor Authentication (MFA) by mirroring legitimate login flows to steal your password and session cookies.

Scammers are also cleverly abusing trusted cloud productivity suites to bypass security filters. We’ve observed “Calendar Phishing” where fake renewal notices appear directly in Google Calendar invites. Furthermore, malicious apps are exploiting “invisible pages” within cloud documents to host dangerous instructions or phishing landing pages, effectively evading standard web filters.

Google is actively combating these threats by dismantling the infrastructure powering phishing operations. Our technical mitigations include neutralizing AITM campaigns and deploying Device Bound Session Credentials (DBSC) to secure active session cookies against theft. We also pursue affirmative litigation, building on past legal successes, to hold cybercriminals accountable and disrupt their tools.

  • Safety Tip: Never scan a QR code from an unexpected email, especially using your personal phone. Always navigate directly to a service’s official website instead of clicking links or calling numbers found in unexpected notifications.

Protecting Your Investments: Crypto Scams and Mobile Extortion

Investment fraud continues to drive significant cybercrime losses, with Americans reportedly losing over $11 billion to cryptocurrency-related scams in 2025 alone. Scammers exploit the complexity of blockchain technology, luring victims with “too good to be true” opportunities that promise unrealistic financial gains with minimal effort. Common tactics include fake token giveaways, fraudulent “passive income” mining software, and deceptive bot-building tutorials that drain crypto wallets when users run the provided code.

Google maintains strict policies and enforcement actions against deceptive crypto ads and unreliable claims that promise huge, risk-free returns. Our Unacceptable Business Practices policy allows us to act against those impersonating trusted brands or cryptocurrency platforms. When advertisers violate these rules, we swiftly suspend their accounts or disapprove their ads, using predictive analytics to block emerging deceptive patterns.

Beyond crypto, mobile extortion has grown significantly, often through malicious banking and finance applications. These deceptive apps, disguised as legitimate tools, demand excessive system permissions like access to contacts, SMS history, and photos. In some disturbing cases, operators use this stolen data to extort and publicly shame their victims.

Attackers are using sophisticated versioning to bypass app store security: submitting a benign app for initial review, then updating it with extortion malware post-installation. To combat these evasive tactics, our Trust & Safety teams prioritize detecting “dormant” permissions. We’re also implementing an enhanced monitoring system to audit post-installation app behaviors, preventing these apps from silently activating their data-harvesting mechanisms.
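An added illustration (not Google's tooling and not code from the advisory) of the kind of check this paragraph points at: compare the manifest of the version that was reviewed with the manifest of a later update, and flag sensitive permissions that were declared but never exercised during review or that first appear after review. The manifests, the package name `com.example.quickloan`, the function names, the `exercised_in_review` input and the working definition of "dormant" are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions guarding the data the advisory names: contacts, SMS history, photos.
SENSITIVE = {
    "android.permission.READ_CONTACTS",
    "android.permission.READ_SMS",
    "android.permission.READ_MEDIA_IMAGES",
    "android.permission.READ_EXTERNAL_STORAGE",
}

def declared_permissions(manifest_xml):
    """Return the permission names declared in an AndroidManifest.xml string."""
    root = ET.fromstring(manifest_xml.strip())
    names = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for el in root.iter(tag):
            name = el.get(ANDROID_NS + "name")
            if name:
                names.add(name)
    return names

def audit_update(reviewed_xml, update_xml, exercised_in_review):
    """Flag sensitive permissions that sat unused at review or arrived after it.

    exercised_in_review: permissions the reviewed build was actually seen using
    (hypothetical input, e.g. from dynamic analysis during review).
    """
    reviewed = declared_permissions(reviewed_xml)
    updated = declared_permissions(update_xml)
    dormant = sorted(p for p in reviewed & SENSITIVE if p not in exercised_in_review)
    added = sorted((updated - reviewed) & SENSITIVE)
    return {"dormant": dormant, "added_after_review": added}

# Constructed sample manifests for a fictional loan app.
REVIEWED = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.quickloan">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
</manifest>"""
UPDATE = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.quickloan">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_MEDIA_IMAGES"/>
</manifest>"""

if __name__ == "__main__":
    print(audit_update(REVIEWED, UPDATE, {"android.permission.INTERNET"}))
```

Either list being non-empty is a reason to re-examine the update before it reaches users, since the reviewed build gave no evidence of how that access would be used.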

  • Safety Tip for Crypto: Be extremely skeptical of any crypto investment promising risk-free or “guaranteed” returns. Never copy and paste unknown code from online tutorials into your computer’s terminal, as this is a common tactic for deploying malware and draining cryptocurrency balances.
  • Safety Tip for Mobile: Only install loan or finance apps from official app stores. Never grant an app access to personal contacts, photo galleries, or SMS logs unless absolutely essential for its core function. On Android, always heed built-in scam warnings in Google Messages and Phone by Google, as scammers often try to trick you into disabling security protections.

When Trust is Betrayed: Government Impersonation Scams

A disturbing trend involves threat actors exploiting public trust in law enforcement and government institutions for financial extortion. Active particularly across South Asia, Southeast Asia, and GCC countries, these malicious actors often target citizens by impersonating municipal police forces or labor ministries. They initiate contact through unsolicited communications, including fraudulent emails and cross-messaging invitations.

Scammers use sophisticated techniques to register bulk Google accounts, creating official-sounding email addresses that closely mimic legitimate authorities. They then execute hybrid, cross-platform operations, reaching victims on third-party messaging apps with deceptive meeting or calendar invites. These scams culminate in high-pressure voice or video calls, often called ‘digital arrests,’ where victims are convinced they’re under investigation and coerced into paying upfront ‘legal fees’ or divulging sensitive banking credentials.

Google actively fights back against these predatory campaigns with multi-layered defenses to identify and disable coordinated impersonation networks at scale. We rigorously enforce our Gmail Program policies and core impersonation policies to suspend accounts engaged in governmental fraud. Furthermore, building on the success of our Government verified apps program, we’re introducing new security measures requiring app developers to verify their identity for apps installed on certified Android devices, combating malware and scams even for apps installed outside the Play Store.

  • Safety Tip: Exercise extreme caution with unsolicited calls, emails, or meeting invitations from personal email accounts claiming to represent law enforcement or government ministries. Real government departments and police forces will never contact you via third-party messaging apps to demand payments, threaten legal action, or ask for sensitive credentials. Consider selecting the ‘Only contacts can call me’ setting in Google Meet for added protection.

We hope this advisory helps you navigate the evolving threat landscape and stay safer online. Google remains committed to developing and deploying advanced protections against scams. For more detailed information and tips on how to protect yourself, visit our help center on avoiding and reporting scams.

Source: Google Blog (The Keyword)

Kristine Vior
