Scams remain a major global challenge, with transnational crime groups continually refining how they target people online. According to the NASDAQ Global Financial Crime Report, total global fraud losses are estimated at close to $580 billion for 2025, and roughly one in five adults are affected by scams at some point. Google track these evolving tactics closely, using AI to prevent, detect and respond to new scam patterns, and regularly publish updates to help others stay ahead of them. Here's a look at what their latest advisory has identified from "quishing" to mobile extortion apps.
Phishing is getting harder to spot
Traditional phishing has evolved into more sophisticated Adversary-in-the-Middle (AITM) attacks and QR code-based "quishing." Despite industry action against major phishing kits like Tycoon 2FA (Barracuda, April 2026), these techniques can mirror legitimate login pages closely enough to capture both passwords and session cookies, allowing attackers to bypass multi-factor authentication altogether. Scammers are also exploiting trusted cloud platforms, including fake calendar invites and hidden phishing pages embedded in cloud documents, to slip past standard security filters. Google continues to dismantle the infrastructure behind these campaigns, deploy Device Bound Session Credentials to strengthen session security, and pursue legal action against the groups developing and distributing phishing tools.
Safety tip: Avoid scanning QR codes from unexpected emails, and always go directly to a service's official website rather than clicking links in unsolicited messages.
Crypto scams are exploiting complexity
Investment fraud remains a major driver of cybercrime losses, with crypto-related scams alone costing Americans more than $11 billion in 2025. Common tactics include fake token giveaways and "passive income" mining tutorials that, once followed, drain victims' wallets. Google enforces policies against unrealistic financial claims, including its Unreliable Claims policy and Unacceptable Business Practices policy, and uses predictive analytics to catch emerging scam patterns early.
Safety tip: Be wary of any investment promising guaranteed returns, and never copy unfamiliar code into your computer's terminal.
Mobile extortion apps are evolving
As highlighted in Google's November 2025 advisory, malicious finance apps disguised as legitimate tools continue to request excessive permissions, sometimes using stolen data to extort victims. A newer tactic involves submitting a clean app for initial review, then quietly adding malicious functionality after approval. With Google Play raising the bar for security Google is responding with stronger post-installation monitoring to catch this kind of delayed activation.
Safety tip: Only download finance apps from official app stores, avoid granting access to contacts, photos or SMS unless genuinely necessary, and pay attention to built-in scam warnings in Google Messages and Phone by Google
Police impersonation scams are spreading
Particularly active across South Asia, Southeast Asia and the Gulf region, these scams involve fraudsters posing as police or government officials, often via official-looking email accounts and high-pressure video calls demanding payment for fabricated "investigations."
Google is countering this through stricter Gmail Program and impersonation policies, alongside developer identity verification requirements under the Android Developer Verification Program for apps installed on certified Android devices.
Safety tip: Genuine government agencies won't contact you through third-party messaging apps to demand payment or threaten legal action.
Learn more about fraud and scam protections here