Why AI-powered cyber fraud is winning — and how we fight back

Marina Kaganovich
Executive Trust Lead, Office of the CISO
David Stone
Director, Financial Services, Office of the CISO
The era of the clumsy scam is dead. No longer can we rely on obvious red flags — broken syntax, generic headers, or suspicious links. AI-driven threat actors challenge us with high-fidelity deception and cyber-enabled fraud.
Cybercriminals can now automate reconnaissance and engage in sophisticated phishing attacks with surgical precision. They use AI to scrape an executive’s LinkedIn, recent podcast appearances, and company filings to craft a perfectly phrased email or voice clone, then launch their schemes with AI-boosted tactics that can adapt on the fly.
These attacks are skyrocketing in volume and sophistication, and challenging defenders with highly believable synthetic authenticity.
The financial cost of modern fraud remains staggering. The FBI reported that cyber-enabled fraud cost $17.7 billion in 2025, a 29% increase from 2024, and represented nearly 85% of all financial losses reported in 2025.
Yet the real cost of modern fraud is more devastating than losses against the bottom line. When fraudsters succeed, they break societal trust. Forcing us to view every professional email, personal text, and voice call through a lens of suspicion extracts a psychological tax that stifles innovation and weakens human connection.
Given how lucrative these scams are, it’s critical that organizations develop and implement a fraud-defense strategy. At Google, we take combating fraud very seriously, and we offer a comprehensive suite of AI-driven tools that span our cloud, browser, and mobile ecosystems to help organizations build resilient fraud defense.
10 fraud-fighting capabilities from Google
For both the enterprise and consumers, Google’s anti-fraud capabilities can help detect and neutralize threats in real time. While many are enabled by default, there are additional steps you can take to strengthen your fraud defense posture.
1. Securing the agentic web
We’ve launched Google Cloud Fraud Defense, the next evolution of reCAPTCHA. This comprehensive platform is designed to discern the legitimacy and authorization of bots, humans, and agents. Using the same scale and signals that protect Google’s own ecosystem, including signals from many of the capabilities described below, Fraud Defense will soon offer in preview agent-specific capabilities for human users and AI agents that can help secure the digital commerce journey, from account creation and login to payment and checkout.
2. Android operating system
The latest updates to Android introduce groundbreaking features that use on-device AI to detect theft attempts and provide real-time scam and fraud protection while preserving your privacy. They can also help you create a private space on your phone to shield sensitive apps from prying eyes.
3. Android Enterprise Device Trust
By making it easy to continuously check the security status of a device through the Android Management API, Device Trust from Android Enterprise can help reduce the risk of data breaches caused by outdated security patches, on-device malware, and weak lock screen passcodes. Built on the principles of Zero Trust, this solution gives businesses real-time insight into device posture before granting access to sensitive data — whether or not the device is enrolled with an enterprise mobility management provider.
4. Chrome
Google Safe Browsing can help identify phishing, malware, scams, and other online threats in real time. It’s used by Chrome, Search, Android, Google Ads, Gmail, and others. Following the success of Safe Browsing, we launched Enhanced Safe Browsing in Chrome to better address the increasingly sophisticated threats people face online.
If you turn on Enhanced Protection, much of the additional protection you receive comes from advanced AI and machine learning models designed to spot dangerous URLs engaging in phishing, social engineering and scam techniques. These models are trained to distinguish between real and malicious websites based on millions of real-world examples.
5. Google Phone and Google Messages apps
Phone by Google automatically blocks known spam calls so your phone never even rings, while Call Screen can answer the call on your behalf to identify fraudsters. If you answer, the protection continues with Scam Detection, which uses on-device AI to provide real-time warnings for suspicious conversational patterns.
To preserve your privacy, this processing is ephemeral, meaning no call content is ever saved or leaves your device. Android also helps stop social engineering during the call itself by blocking high-risk actions like installing unknown apps or disabling security settings, and warns you if your screen is being shared unknowingly.
In Google Messages, spam protection is the broader system that automatically filters unwanted messages. Building on the spam protection mechanism, Scam Detection identifies a wider range of fraudulent activities.
Importantly, Scam Detection specifically targets conversational scams that can often appear harmless but slowly try to manipulate the user into sharing sensitive information and sending funds. The technology uses on-device AI to analyze the patterns of a conversation in real-time, looking for the tell-tale signs of a scam.
This processing happens privately, ensuring the content of your conversations remains private to you. These systems are designed to identify and automatically block a wide range of unsolicited or bulk messages, including general marketing, promotions, and known malicious links.
Android’s Key Verifier tool adds an extra layer of trust to your private conversations by protecting Google Messages users from impersonators and fraudsters. It works by allowing you to scan a QR code for your trusted contacts, adding extra assurance that your end-to-end encrypted messages are truly private with the right person on the other end.
One trending tactic among scammers involves sending fraudulent text messages, either directly to your phone or through messaging apps and social media sites. These messages often solicit or demand money and link out to scammy sites. To help you spot these scams, we’ve now added new capabilities to Circle to Search and Lens that will help you see the telltale signs so you can avoid getting deceived.
6. Android’s in-call scam protection for financial apps
Android’s in-call scam protection for financial apps helps protect you when scammers calling from a number not saved in your contacts attempt to trick you into sharing your screen while using a participating financial app to access sensitive financial information. The feature can issue a warning to the user that the caller might be a scammer, pausing the action for 30 seconds to break the sense of urgency, and offers to terminate the potentially fraudulent call and stop sharing instantly.
7. Google Play
Google utilizes advanced AI to proactively identify and reject malicious apps on the Play Store. If a user tries to install a harmful app, Google Play Protect will scan the app in real time and provide alerts to safeguard the device. For further protection, Google Play Protect’s enhanced fraud protection pilot analyzes and automatically blocks the installation of apps that may use sensitive permissions frequently abused for financial fraud when the user attempts to install the app from an Internet-sideloading source (web browsers, messaging apps or file managers).
8. Google Drive
Similar to Gmail, which blocks 99% of spam messages, Spam view in Google Drive automatically classifies content into spam view, protecting you from seeing dangerous or unwanted files. This view makes it easier to separate and review your files, decide what you might view as spam, and stay safe from potential unwanted or abusive content.
9. Passwords and passkeys
The emerging trend is to move beyond passwords altogether, while keeping sign-ins as easy as possible, so we strongly encourage using modern methods like Sign in with Google and passkeys, which can be stored in and synced across your devices with Google Password Manager. Passkeys are phishing-resistant and can log you in simply with the method you use to unlock your device (like your fingerprint or face ID), no password required. And when you pair the ease and safety of passkeys with your Google Account, you can then use Sign in with Google to log in to your favorite websites and apps, limiting the number of accounts you have to maintain.
For those who prefer passwords, we have tools like 2-Step Verification (2SV), the Google Authenticator App and Google Password Manager that provide a second line of defense so that a password alone can’t empower a bad actor.
10. Google Account recovery
Guard against account takeover through the Advanced Protection Program, which safeguards users with high visibility and sensitive information from targeted online attacks by requiring enhanced identity verification, and through Cross Account Protection, with which Google can share security notifications about suspicious events with apps and services you’ve connected to your Google Account. That way, participating third-party apps and services can use Google’s suspicious event detection to help keep you safer online.
Irrespective of whether you use passwords or passkeys, review your account recovery options to ensure you have access in the event you forget your password or lose your phone. Consider Recovery Contacts which lets you choose trusted friends or family members to help if you get locked out of your Google Account. It’s a simple, secure way to turn to people you trust when other recovery options aren’t available.
While some of these are still at the pilot phase in certain countries, we are looking to roll them out around the world.
From fortress mentality to collective defense
The battle against fraud is asymmetric, and we now see attackers using the speed and scale of AI automation with the nuance of psychological manipulation to breach defenses. Defenders are meeting this challenge through technological innovation and human vigilance, and staying one step ahead of the scammers requires that we understand emerging threats and proactively develop countermeasures.
Global scam networks form a massive, interconnected criminal economy that thrives on the information gaps between banks, telecommunications, online platforms, and law enforcement, so defeating them requires a collective defense strategy.
Defenders should develop reciprocal, real-time data sharing so that an abuse report or red flag at one institution becomes an alert for the entire network. While we continue to invest in litigation, research, user awareness, and advanced tooling, to truly move the needle we believe that industry, law enforcement, and governments should collaborate to enact fraud-prevention best practices.
We encourage you to explore these two initiatives, designed as key enablers to disrupt bad actors:
- The Global Signal Exchange can facilitate the strategic sharing of threat intelligence to track and stop criminal organizations.
- The Priority Flagger Program, through the Financial Services Information Sharing and Analysis Center (FS-ISAC), can streamline tactical takedowns of fraudulent content.



