Google's AI scam lawsuit and 7 anti-scam bills: what it actually changes for you

What Google actually announced

The article, titled "How we're combatting AI scams with security, legislation and more," was published on the official Google blog on June 12, 2026, and authored by Halimah DeLaine Prado, Google's General Counsel. That byline matters. This was not the security team posting a product update. It was Google's top lawyer announcing legal and policy action, which tells you Google is now treating large-scale AI fraud as a courtroom and legislative fight, not only an engineering one.

The centerpiece is a civil lawsuit Google filed against an organized cybercrime operation it names the "Outsider Enterprise." According to Google's complaint, the group is based in China, coordinates through Telegram, and sells "phishing kits" that let lower-skilled criminals spin up fake-text campaigns impersonating trusted brands. The scam texts Google describes are the ones almost everyone has now received: fake package-delivery alerts, urgent bank warnings, and compromised-account notifications, each carrying a link to a credential-harvesting page.

Google said it is coordinating with the FBI on the case and working with carriers AT&T, T-Mobile, and Verizon to block the fraudulent texts before they reach phones. The FBI's Cyber Division framed the broader trend bluntly in the coverage: criminals are increasingly using AI to make fraud more convincing and harder to detect.

The numbers that should stop you scrolling

Google's complaint puts hard figures on a problem most people only feel as a vague flood of spam. These are Google's own estimates from the filing, not third-party data, and they are worth reading slowly.

• 9,000 fake websites and over 1 million fraudulent URLs tied to this single operation. Not 1 million scams. 1 million distinct web addresses, most of them burned and rebuilt within hours.
• 2.5 million scam messages sent to Android users in a two-week period in May. That is one operation, one platform, fourteen days.
• 55,000 spam texts flagged by users in that same window, which Google notes works out to more than two spam complaints every minute.
• Hundreds of thousands of victims, with losses Google estimates in the millions of dollars.
• Over 10 billion malicious messages intercepted every month by Google's own messaging defenses, the scale figure that shows how much is being stopped before anyone sees it.

Our read on these numbers: the 1 million fraudulent URLs figure is the one that matters most for ordinary users, and it is the one that quietly explains why scam links keep getting through. A blocklist works by listing known-bad addresses. When a single group can generate a million throwaway URLs and cycle them in hours, any defense that depends only on "have we seen this exact link before" is always a step behind. The fresh link in the text you got an hour ago may simply be too new to be on any list yet.

Where Google stands on legislation

The part that makes this announcement different from a normal takedown is the policy push. Google said litigation alone will not end large-scale fraud, and that it is advocating for federal legislation to make anti-scam protections permanent. Specifically, Google said it supports seven bipartisan bills aimed at fighting scams, including those built with AI.

The article named two of the seven directly: the National Strategy for Combating Scams Act and the Stop SCAMS Act. The broad idea behind this class of bills is to create a coordinated national response to fraud, improve information-sharing between platforms, carriers, banks, and law enforcement, and give agencies clearer authority to go after cross-border scam operations like the one Google is suing.

Our view: this is the right instinct. Scam operations exploit the seams between jurisdictions and between companies. A scammer in one country, using a hosting provider in a second, a phone carrier in a third, and a payment rail in a fourth, is hard for any single company or agency to chase alone. Legislation that forces faster information-sharing and gives law enforcement clearer cross-border tools is exactly the kind of structural fix that a single takedown cannot deliver. We hope it passes. We also think it is worth being clear-eyed about what it does not do.

Our honest take: necessary, but reactive

Here is the part we want to say plainly, because it is easy to read a headline like this and feel that the problem is now handled. It is not, and Google did not claim it was.

A lawsuit is a response to harm that already happened. By the time a complaint is filed, the 9,000 fake sites had already gone live, the 2.5 million texts had already been sent, and the hundreds of thousands of victims had already clicked. Litigation can dismantle infrastructure and deter the next operator, which is valuable, but it works on a timeline of months and years. Legislation is slower still. A bill is a process, not a shield, and even a good law does not stop the specific text that lands on your phone tomorrow morning.

The same is true of the carrier-level and platform-level filtering. Intercepting 10 billion messages a month is a genuinely huge defensive achievement, and it absolutely reduces your exposure. But filtering at that scale is a probability game. Some fraction always gets through, and the fraction that gets through is, by definition, the batch that looked clean enough to pass the filter. That is the message you actually have to make a decision about.

So there is a gap, and it is a specific one: the moment between a scam link reaching you and you deciding whether to tap it. Network filtering, lawsuits, and laws all operate before or after that moment. None of them are standing next to you when you are looking at a "your package is held, confirm your address" text at 9pm and your thumb is hovering over the link.

Why this validates detection at the click

We will be upfront that we have a point of view here, because closing that exact gap is what SafeBrowz is built to do. But the case for it is made by Google's own data, not by us.

The 1 million fraudulent URLs figure is the entire argument. When scam links are generated and discarded faster than any blocklist can index them, the defense that holds up is not "is this link on a list of known-bad sites." It is "does this link, right now, behave like a brand-impersonation or credential-harvesting page, regardless of whether anyone has seen it before." That is a question you answer by looking at the structure of the URL, the brand it is imitating, and the content of the page, at the moment of the click, on the device.

This is the reasoning behind our 3-layer approach: a local layer that recognizes lookalike and homograph domains instantly in the browser, an API layer that cross-references the live global blocklists for links that have already been reported, and an AI content layer that catches brand-new pages no list has caught yet. The third layer exists precisely because the first million-URL problem guarantees that "brand-new and unseen" is the normal case, not the rare one. For a fuller walkthrough of how AI-driven scams work end to end, see our complete guide to AI scams in 2026.

The other point Google's announcement underlines is reach. Google's defenses, understandably, are strongest inside Google's ecosystem, Android messaging, Gmail, Chrome. That is excellent if every link you click arrives there. But scam texts get opened on iPhones, links get pasted into other browsers, and the same fake "bank security alert" lands in WhatsApp, Telegram, and SMS. A scam does not care which platform you are on. Protection that only covers one vendor's surface leaves the rest of your day uncovered, which is why we built SafeBrowz to be browser-agnostic across Chrome, Firefox, and Edge, with content analysis that works in over 100 languages rather than only in English-speaking markets.

What this means for you, practically

Strip away the legal and policy layer and the takeaway for an ordinary phone user is simple. The operation Google is suing is one of many, the texts it sent are the exact ones in your inbox, and the link in those texts is designed to look legitimate for the few seconds it takes you to decide.

• Treat every unexpected "act now" text as hostile until proven otherwise. Package held, bank locked, account compromised, refund waiting. These four scripts cover the overwhelming majority of the 2.5 million texts in Google's complaint. The urgency is the attack.
• Never tap the link in the message. If a text claims to be from your bank, your courier, or a service you use, open the app you already have or type the real address yourself. The whole point of the fake URL is that you arrive there from the text instead of from your own bookmarks.
• Check the link before you trust it. If you are not sure, paste it into a scanner first. A link that imitates a brand on a domain that brand does not own is the single clearest signal of a scam, and it is checkable in seconds.
• Report the ones you catch. In the US, forward scam texts to 7726 (SPAM) and report fraud at reportfraud.ftc.gov or ic3.gov. Every report is what feeds the filtering and the lawsuits in the first place.
• Cover the gap with a click-time layer. Network filtering catches most of it. For the fraction that gets through, a browser extension that scans the link at the moment you click is the backstop that does not depend on the message having been caught upstream.

The bottom line

Google's June 12 announcement is one of the more serious moves a major platform has made against AI-scaled fraud: a real lawsuit against a real operation, FBI and carrier coordination, and a public push for seven anti-scam laws. We think all of it is worth supporting, and we are glad the company with that much reach is using its legal weight rather than only its filters.

But the announcement is also a precise description of a problem that outpaces takedowns. A million disposable URLs, generated with AI, cycled in hours, sent by the millions. Laws and lawsuits raise the cost of running that machine. They do not stand between you and the one link that reaches you tonight. That last step, the click, is still yours to defend, and the defense that fits there is detection that runs on your device, before the page loads, no matter which browser or app the link arrived in.

Last updated 2026-06-13

How SafeBrowz blocks this threat

SafeBrowz runs a 3-layer detection architecture: Local + APIs + AI.

• Layer 1, Local detection: 60+ URL patterns and 550+ brand-specific signatures run directly in your browser, including Cyrillic and Punycode homograph detection. This is the layer that catches lookalike package-tracking and bank domains at click time, before the credential-harvesting page loads, even when the link is brand new.
• Layer 2, API checks: Google Safe Browsing, PhishTank, and URLhaus cross-references run server-side. This catches the scam URLs that have already been reported anywhere in the world, including the throwaway domains from operations like the one Google is suing the moment they are flagged.
• Layer 3, AI deep scan (Premium): Content analysis flags brand-new fake-brand pages that no blocklist has seen yet, which, given a million disposable URLs, is the normal case rather than the exception. Works in over 100 languages.

Detection signatures are derived from threat-intelligence research and our internal brand database, not from user browsing data. SafeBrowz does not store per-user browsing history.

FAQ

What did Google announce on June 12, 2026?

Google's General Counsel, Halimah DeLaine Prado, published an article titled "How we're combatting AI scams with security, legislation and more" on the official Google blog. It announced a civil lawsuit against a China-based cybercrime operation Google calls the "Outsider Enterprise," which Google says ran phishing-kits-as-a-service tied to 9,000 fake websites and more than 1 million fraudulent URLs. Google also said it is coordinating with the FBI and the carriers AT&T, T-Mobile, and Verizon, and that it supports seven bipartisan anti-scam bills.

What is the "Outsider Enterprise"?

According to Google's complaint, the Outsider Enterprise is an organized cybercrime operation based in China that coordinates through Telegram and sells phishing kits to other criminals. Those kits let buyers send mass scam-text campaigns impersonating trusted brands, using scripts like fake package-delivery alerts, urgent bank warnings, and compromised-account notices, each linking to a page designed to steal login or payment details. Google estimates the operation sent about 2.5 million scam messages to Android users in a two-week period in May.

Which anti-scam bills does Google support?

Google said it is advocating for seven bipartisan bills to fight scams, including those created with AI. The article named two of them directly: the National Strategy for Combating Scams Act and the Stop SCAMS Act. Google's broader argument is that litigation alone will not end large-scale fraud, so it wants federal legislation to make anti-scam protections permanent and to improve coordination between platforms, carriers, banks, and law enforcement.

Does Google's lawsuit make me safe from scam texts now?

Not directly. A lawsuit dismantles infrastructure and deters operators over a timeline of months and years, but it does not stop the specific scam text that reaches your phone tomorrow. The same is true of legislation, which is a slow process, and of carrier filtering, which catches most but not all messages. Some scam texts always get through, and those are the ones you have to make a decision about. That is why a click-time defense, checking the link before you tap it, still matters even after announcements like this one.

Why do scam links keep getting through filters?

Because the scammers generate them faster than any list can keep up. Google's complaint describes more than 1 million fraudulent URLs tied to a single operation, most of them used briefly and discarded. Any defense that relies on recognizing a link from a list of known-bad addresses is always behind, because the link in the text you just received may be only hours old and not yet on any list. The defense that holds up looks at how a link behaves, whether it imitates a brand on a domain that brand does not own, rather than only whether it has been seen before.

How does SafeBrowz help with the kind of scam Google described?

SafeBrowz scans the link at the moment you click it, on your device, before the page loads. Its local layer recognizes lookalike and homograph domains instantly, its API layer cross-references the global blocklists for links already reported, and its AI layer flags brand-new fake-brand pages no list has caught yet, which, given a million disposable URLs, is the common case. It runs across Chrome, Firefox, and Edge and analyzes content in over 100 languages, so it covers links no matter which app the scam text arrived in. It does not replace carrier filtering or law enforcement, it is the backstop for the messages that get past them.