Google fraud and scam advice from June 2026

Fraud remains an ongoing global challenge, driven by sophisticated transnational criminal groups seeking to exploit people online for financial gain. According to the NASDAQ Global Financial Crime Report, total global fraud losses are estimated at nearly $580 billion by 2025. Furthermore, global studies show that approximately one in five adults fall victim to fraud.

At Google, our teams are committed to tracking these changing tactics, sharing and acting on our observations to protect the public and the wider digital ecosystem. Our teams use the latest in AI capabilities to prevent, detect and respond to evolving scam tactics, and we regularly release updates to share our observations with others.

Our latest fraud advisory details both recent and seasonal fraud trends identified by our analysts.

1. Adversary-in-the-Middle (AITM)

Traditional email phishing has evolved into sophisticated Adversary-in-the-Middle (AITM) and “Quishing” (QR code phishing) attacks. Despite industry actions against major Phishing-as-a-Service (PhaaS) kits such as Tycoon 2FA (Barracuda, April 2026), phishing volume remains high. Attackers are increasingly able to mirror legitimate login flows to capture a user’s password and session cookie and bypass Multi-Factor Authentication (MFA). To avoid security scanners, attackers use techniques that host malicious payloads on reputable cloud properties.

Fraudsters misuse trusted cloud productivity suites to bypass security filters. We investigated “Calendar Phishing” bypasses where fake renewal notices were added directly to Google Calendar invitations. Scam apps also abused “invisible pages” in cloud documents to host malicious instructions and phishing landing pages that evade standard web filters (also known as “reputation bypass”). Additionally, we investigated AITM campaigns that targeted email users by impersonating recognized brands to steal session tokens, as well as the “ClickFix” campaign (which uses fake browser updates) that distributes malware on Google Sites.

Google continues to track and dismantle the infrastructure that powers these phishing operations. In addition to technical measures, such as neutralizing AITM campaigns, implementing Device Bound Session Credentials (DBSC) to secure active session cookies against theft, and strengthening defenses against reputation-based bypasses, we actively pursue affirmative litigation to disrupt malicious actors. Building on our successful previous lawsuits against Lighthouse phishing kits, we are committed to holding cybercriminals accountable in court and dismantling the tools they use or sell to other fraudsters.

Safety tips: Never scan a QR code from an unexpected email using your personal phone, and always navigate directly to a service’s official website instead of clicking on links or calling phone numbers found in unexpected messages. For more information on how to protect yourself from these tactics, see our latest security tips.

2. AI cryptocurrency investments

Investment fraud leads to significant cybercrime losses, with Americans reportedly losing more than $11 billion to cryptocurrency-related scams by 2025. Fraudsters exploit the complexity of blockchain technology to promote “too good to be true” opportunities and deceive users by promising unrealistic or exaggerated financial gains with minimal effort.

We track cryptocurrency scams that use tactics such as fake token giveaways, fraudulent “passive income” mining software, and misleading bot-building tutorials. In these schemes, individuals provide step-by-step guides on how to set up crypto nodes to earn rewards, but when users run the provided code, it drains their crypto wallets. Scammers use QR codes or on-screen description links to direct victims to phishing forms or malicious software downloads.

To combat these deceptive crypto ads, Google maintains policies aimed at protecting users from financial harm. We also enforce our Untrustworthy Claims Policy, which prohibits ads that make unrealistic promises of large financial returns. Additionally, our Unacceptable Business Practices Policy enables us to take action against actors who attempt to impersonate trusted brands or cryptocurrency platforms. When advertisers violate these rules, we suspend their accounts or reject their ads. Alongside these rigorous policy enforcement efforts, we use predictive analytics to systematically identify and block emerging deceptive crypto patterns.

Safety tips: Be skeptical of any crypto investment that promises risk-free or “guaranteed” returns. Never copy and paste unknown code or commands from an online tutorial into your computer’s terminal, as this is a common tactic used to deploy malware and drain cryptocurrency balances.

3. Mobile fraud

As highlighted in our November 2025 Scams Advisory, mobile extortion has grown, particularly through malicious banking and financial applications (McAfee research). Disguised as personal finance apps, many of these malicious apps require excessive system permissions (contacts, SMS history, photos). And in some cases, the operators of these apps use the stolen data to blackmail and publicly shame the victim.

Although these types of scams are known, the tactics used by attackers to reach users have mutated. With app stores like Google Play raising the bar for security, actors are increasingly using versioning, submitting a legitimate-looking helper app for initial app store review, and later updating the app with ransomware that exploits accessibility services after it’s been installed by the user. To combat these evasive tactics, Trust & Safety teams prioritize the discovery of “dormant” permissions. We are also prioritizing an improved monitoring system designed to audit app behavior after installation, preventing these apps from silently activating their data collection mechanisms.
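The versioning pattern described above can be checked by comparing what an update declares against what the reviewed version declared. The following is an added example, not Google's tooling or code from this advisory: it assumes both manifests have already been decoded to text XML, and the package name, service name and sample manifests are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Permissions covering the data types the advisory names (contacts, SMS, photos).
SENSITIVE = {
    "android.permission.READ_CONTACTS",
    "android.permission.READ_SMS",
    "android.permission.READ_MEDIA_IMAGES",
    "android.permission.READ_EXTERNAL_STORAGE",
}
ACCESSIBILITY = "android.permission.BIND_ACCESSIBILITY_SERVICE"

def capabilities(manifest_xml):
    """Return the set of sensitive capabilities one manifest declares."""
    root = ET.fromstring(manifest_xml)
    found = set()
    for node in root.iter("uses-permission"):
        name = node.get(ANDROID_NS + "name")
        if name in SENSITIVE:
            found.add(name)
    # An accessibility service is a <service> guarded by this permission.
    for node in root.iter("service"):
        if node.get(ANDROID_NS + "permission") == ACCESSIBILITY:
            found.add("accessibility-service:" + node.get(ANDROID_NS + "name", "?"))
    return found

def escalation(reviewed_xml, update_xml):
    """Capabilities present in the update but absent from the reviewed version."""
    return sorted(capabilities(update_xml) - capabilities(reviewed_xml))

# Constructed sample manifests (hypothetical app, not from any real package).
HEADER = ('<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
          'package="com.example.helper">')
REVIEWED = HEADER + '''
  <uses-permission android:name="android.permission.INTERNET"/>
  <application/>
</manifest>'''
UPDATE = HEADER + '''
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <application>
    <service android:name=".AssistService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>'''

if __name__ == "__main__":
    for item in escalation(REVIEWED, UPDATE):
        print("new in update:", item)
```

A non-empty result for an app whose reviewed version was a simple helper is the signal to hold the update for closer inspection.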

Safety tips: Only install loan or finance apps from official app stores, and never give an app access to your personal contacts, photo gallery, or SMS logs unless it’s fundamentally necessary for the app’s core functionality. If you are using an Android device, pay close attention to the built-in fraud alerts in Google Messages and Phone by Google. Always follow these warnings, as scammers often try to trick you into downloading malicious apps or disabling security protections.

4. Impersonation of the police

Threat actors are increasingly exploiting the public’s trust in law enforcement and government institutions to conduct coordinated impersonation and financial extortion campaigns. Active across South Asia, Southeast Asia and the Gulf Cooperation Council (GCC) in particular, these malicious actors target citizens of countries such as Oman, Singapore, India and the United Arab Emirates. Posing as municipal police forces or labor ministries, these fraudsters exploit vulnerable individuals through unsolicited communications, including scam emails and cross message invitations.

To carry out these operations, fraudsters use sophisticated account creation techniques to register bulk Google accounts. They register official-sounding email addresses that closely mimic legitimate authorities and regional law enforcement. Once these accounts are established, bad actors conduct a cross-platform hybrid operation. They typically reach victims on third-party messaging applications and present a deceptive meeting or calendar invitation sent from these official-looking addresses. Fraudsters then conduct high-pressure voice or video calls, sometimes referred to as ‘digital arrests’, using government branding and aggressive social engineering to convince victims they are under investigation for financial crimes, ultimately demanding upfront ‘legal fees’ or harvesting sensitive bank details.

Google is fighting back against these malicious campaigns by deploying multi-layered defenses at every stage of the abuse lifecycle to identify and disable coordinated impersonation networks at scale. We enforce our Gmail program policies along with Google’s central impersonation policies to immediately suspend accounts involved in government fraud. As malicious actors attempt to circumvent our detection capabilities, our teams use advanced tools to take action while continuing to develop our defenses. This extends to the user experience on mobile devices, for example through the Android Developer Verification Program. Two years ago, we introduced the Government Verified Apps program, designed to tackle the problem of fraudsters using fake apps that mimic official government apps. We are now building on this protection by introducing a new security measure that requires app developers to verify their identity (name, address, ID) for apps installed on certified Android devices. The measure is intended to combat malware and fraud by creating accountability for developers, even for apps installed outside of the Play Store (sideloading).

Safety tips: Be cautious when engaging with unsolicited calls, emails or meeting invitations from personal email accounts claiming to represent law enforcement or government departments. Real government departments and police forces will never contact you via third-party messaging apps to demand payments, threaten legal action, or ask for sensitive credentials. Users also have the option to select the ‘Only contacts can call me’ option in Google Meet. See here to learn more about fraud and scam protection.

We hope this latest advisory helps you stay secure in an evolving threat landscape. For more on the latest ways Google is protecting you from fraud, see our recent blog on how to protect yourself from impersonation fraud with fake call detection, and visit our Help for more on avoiding and reporting fraud.
