Google on Thursday revealed that its built-in fraud protection features in Android protect users around the world from more than 10 billion potentially malicious calls and messages each month.
The company also said it has blocked more than 100 million suspicious numbers from using its Rich Communications Service (RCS), an evolution of its SMS protocol, to prevent fraud before it’s sent.
The company has introduced a number of safeguards in recent years to combat phone scams, using on-device artificial intelligence to automatically filter known spam and automatically move it to the “Spam and Block” folder in the Google Messages app for Android.
Google also rolled out safer links in Google Messages globally earlier this month, warning users that they will be visiting a potentially harmful website when they try to click on a URL in a message flagged as spam, unless the message is marked as “not spam.”
Google announced that after analyzing user-submitted reports in August 2025, employment fraud was found to be the most prevalent fraud category. This is where individuals looking for work are lured with false opportunities to steal personal and financial information.
Another prominent category relates to financial scams and fraudulent investment schemes that revolve around fake unpaid invoices, subscriptions, and fees. To a lesser extent, scams related to package delivery, government impersonation, romance scams, and technical support scams have also been observed.
In an interesting development, Google said it is increasingly seeing scam messages arriving in the form of group chats rather than direct messages to a large number of potential victims.
“This change may have occurred because group messages become less suspicious to recipients, especially if the scammers validate the initial message and include fellow scammers in the group to make it appear as a legitimate conversation,” Google said.
The company’s analysis also found that the malicious messages follow a “clear daily and weekly schedule,” with activity beginning around 5 a.m. Pacific Time and peaking between 8 a.m. and 10 a.m. Pacific Time. Typically, the highest volume of fraudulent messages are sent on Mondays, the start of the workday, when recipients are busiest and likely to be less wary of incoming messages.
Some of the common aspects that link these scams are that they begin with a “spray and pray” approach that induces a false sense of urgency through decoys related to current events, package delivery notifications, or billing, casting a wide net in hopes of reeling in some of the victims.
The goal is to make potential targets act on the message without much thought, making them click on malicious links that are often shortened using URL shorteners to hide dangerous websites, and ultimately steal information.
Alternatively, the scam may employ something called “Bait and Wait.” This refers to a more calculated and personalized targeting method in which the attacker establishes a trusting relationship with the target over time before going for the kill. Scams such as romance baiting (aka pig butchering) fall into this category.
 |
| Top 3 Scam Categories |
“Scammers pretend to be recruiters or old friends and get you into a longer conversation,” Google said. “They may also include personal information collected from public websites, such as names and job titles. All of this is aimed at building trust. The tactics are more patient and aim to maximize long-term financial losses.”
Whether the tactics used are high-pressure or slow-moving, the end goal is the same. It involves stealing information and money from unsuspecting users, whose phone numbers and other details are often obtained from dark web marketplaces that sell data stolen in security breaches.
This operation is also supported by suppliers that provide the hardware necessary to operate the telephone and SIM farms used to send smishing messages at scale, Phishing-as-a-Service (PhaaS) kits that provide turnkey solutions to collect credentials and financial information and manage campaigns, and third-party bulk messaging services that deliver the messages themselves.
“(The messaging service) is the delivery engine that connects the fraudster’s infrastructure and target list to the final victim, delivering malicious links that lead to PhaaS-hosted websites,” Google said.
The search giant also explained that the scam message landscape is highly volatile, with scammers looking to buy SIM cards in bulk from markets with the least obstacles.
“While it may appear that waves of fraud are moving across countries, this constant movement does not mean that fraudsters are physically moving.
“When enforcement increases in one area, it simply redirects to another, creating a perpetual cycle of hotspots moving,” he added.
“While it may appear that waves of fraud are moving between countries, this constant movement does not mean that fraudsters are physically moving,” it added. “When enforcement increases in one area, that enforcement simply shifts to another area, creating a perpetual cycle of moving hotspots.”
