Google on Thursday revealed that the scam defenses built into Android safeguard users around the world from more than 10 billion suspected malicious calls and messages every month.
The tech giant also said it has blocked over 100 million suspicious numbers from using Rich Communication Services (RCS), an evolution of the SMS protocol, thereby preventing scams before they could even be sent.
In recent years, the company has adopted various safeguards to combat phone call scams and automatically filter known spam using on-device artificial intelligence and move them automatically to the "spam & blocked" folder in the Google Messages app for Android.
Earlier this month, Google also globally rolled out safer links in Google Messages, warning users when they attempt to click on any URLs in a message flagged as spam and step them visiting the potentially harmful website, unless the message is marked as "not spam."
Google said its analysis of user-submitted reports in August 2025 found employment fraud to be the most prevalent scam category, where individuals searching for work are lured with fake opportunities in order to steal their personal and financial information.
Another prominent category relates to financially-motivated scams that revolve around bogus unpaid bills, subscriptions, and fees, as well as fraudulent investment schemes. Also observed to a lesser extent are scams related to package deliveries, government agency impersonation, romance, and technical support scams.
In an interesting twist, Google said it has increasingly witnessed scam messages arrive in the form of a group chat with a number of potential victims, as opposed to sending them a direct message.
"This shift may have happened because group messages can feel less suspicious to recipients, particularly when a scammer includes a fellow scammer in the group to validate the initial message and make it appear to be a legitimate conversation," Google said.
The company's analysis also found that the malicious messages stick to a "distinct daily and weekly schedule," with the activity commencing around 5 a.m. PT in the U.S., before peaking between 8 a.m. and 10 a.m. PT. The highest volume of fraudulent messages is typically sent on Mondays, coinciding with the start of the workday, when recipients are likely to be the busiest and less wary of incoming messages.
Some of the common aspects that tie these scams together are that they begin with a "Spray and Pray" approach by casting a wide net in hopes of reeling in a small fraction of victims by inducing a false sense of urgency through lures related to topical events, package delivery notifications, or toll charges.
The intention is to rush prospective targets into acting on the message without thinking too much, causing them to click on malicious links that are often shortened using URL shorteners to mask dangerous websites and ultimately steal their information.
Alternatively, scams can also embrace what's called as "Bait and Wait," which refers to a more calculated, personalised targeting method where the threat actor establishes rapport with a target over time before going for the kill. Scams like romance baiting (aka pig butchering) fall into this category.
 |
| Top three scam categories |
"The scammer engages you in a longer conversation, pretending to be a recruiter or old friend," Google explained. "They may even include personal details gathered from public websites like your name or job title, all designed to build trust. The tactics are more patient, aiming to maximize financial loss over time."
Regardless of the high-pressure or slow-moving tactic employed, the end goal remains the same: to steal information or money from unsuspecting users, whose details, such as phone numbers, are often procured from dark web marketplaces that sell data stolen from security breaches.
The operation is also supported by suppliers that provide the necessary hardware for operating phone and SIM farms that are used to blast smishing messages at scale, Phishing-as-a-Service (PhaaS) kits that deliver a turnkey solution to harvest credentials and financial information and manage the campaigns, and third-party bulk messaging services to distribute the messages themselves.
"[The messaging services] are the distribution engine that connects the scammer's infrastructure and target lists to the end victim, delivering the malicious links that lead to the PhaaS-hosted websites," Google said.
The search behemoth also described the scam message landscape as highly volatile, where fraudsters seek to purchase SIM cards in bulk from markets that present the fewest obstacles.
"While it may appear that waves of scams are moving between countries, this constant churn doesn't mean scammers are physically
relocating," it added. "Once enforcement tightens in one area, they simply pivot to another, creating a perpetual cycle of shifting hotspots."
"While it may appear that waves of scams are moving between countries, this constant churn doesn't mean scammers are physically relocating," it added. "Once enforcement tightens in one area, they simply pivot to another, creating a perpetual cycle of shifting hotspots."
