Few organizations see the scam economy from as high an altitude as Google. Its filters sit in front of billions of inboxes, its app store gatekeeps most of the world’s Android phones, and its ad systems are a perpetual battleground with fraudsters. So when the company publishes a fraud advisory, it’s less a public service announcement than a reconnaissance report — and the June edition of its 2026 advisory describes a threat landscape that is professionalizing fast.

The backdrop numbers are grim. Global fraud losses reached an estimated $580 billion in 2025, roughly one in five adults has fallen victim to a scam, and Americans alone lost more than $11 billion to cryptocurrency scams last year. Against that baseline, Google flags four trends it says are accelerating — and each one chips away at a defense consumers have been told to rely on.

Phishing That Steals the Session, Not Just the Password

The most consequential shift is technical: adversary-in-the-middle (AiTM) phishing. Traditional phishing harvests your password and hopes you haven’t enabled two-factor authentication. AiTM kits sit invisibly between you and the real login page, relaying everything in both directions — which means they capture not only your password but the session cookie your browser receives after you pass the multi-factor check. With that cookie, the attacker simply is you, no code from your phone required.

The delivery mechanisms are getting craftier too. Google highlights quishing — QR-code phishing that moves the malicious link off your screen and onto a poster, parking meter, or emailed PDF where security software can’t inspect it — a trend we’ve been tracking since QR scams began surging in 2025. It also flags calendar phishing, where fraudulent event invitations land directly in your calendar app carrying poisoned links, bypassing the inbox entirely. To evade filters, attackers increasingly host lures on legitimate cloud services and build “invisible pages” that show scanners harmless content while serving victims the trap.

Crypto Fraud Gets an AI Upgrade

The second trend is the industrialization of cryptocurrency investment fraud. The classic shapes are all still here — fake token giveaways riding on celebrity or brand names, and “passive income” mining schemes that promise effortless yields and deliver nothing. What’s changed is the polish: AI tooling now generates the websites, testimonials, and chat personas that once required a whole scam-compound shift to maintain.

Google calls out one lure that deserves special attention because it targets the technically confident: deceptive bot-building tutorials. Videos and articles walk would-be traders through setting up an “arbitrage bot,” complete with code to copy and paste. Execute it, and the script quietly transfers your wallet’s contents to the scammer. It’s a neat inversion of the usual dynamic — the victim does the hacking, on themselves. The tell is universal, though: any scheme promising unrealistic, exaggerated, or guaranteed returns is a scheme, full stop.

The Banking App That Isn’t

Trend three lives on your phone. Malicious apps disguised as legitimate finance and banking tools are proliferating, and their permission requests are the giveaway: a “banking” app that demands access to your contacts, SMS messages, and photo library isn’t checking your balance — it’s building an extortion file. Some of these operations harvest enough personal material to blackmail victims directly.

The supply chain is evolving as well. Rather than sneaking malware past app-store review, developers increasingly submit a clean app first, then push the malicious payload in a later update once it has installs and reviews. That tactic undermines the reasonable-sounding advice that a well-rated app from an official store is automatically safe — and it’s why Google says it now monitors for “dormant” permissions that suddenly activate long after installation.

The “Digital Arrest” Goes Global

The fourth trend is the continued spread of police impersonation. In digital arrest schemes — a fraud we’ve covered extensively as it devastated victims across India — scammers posing as police or customs officials accuse victims of crimes, isolate them on video calls, and extract “legal fees” or bank credentials to resolve the fabricated case. Google’s data shows the model expanding across South Asia, Southeast Asia, and the Gulf countries, powered by official-sounding email addresses and documents convincing enough to survive a panicked victim’s scrutiny.

The persistence of this scam is a reminder that the most effective fraud tools aren’t technical at all. Fear of authority, deployed at scale, beats most firewalls.

What Google Is Doing — and What It Can’t Do

The countermeasures are a mix of engineering and enforcement. The most interesting is Device Bound Session Credentials, which cryptographically ties session cookies to the hardware they were issued on — a direct answer to AiTM cookie theft, because a stolen cookie becomes useless on the attacker’s machine. Alongside it: predictive analytics to spot deceptive patterns before victims click, the dormant-permission monitoring described above, an Android Developer Verification Program requiring identity verification from app publishers, account suspensions, and lawsuits against malicious actors.

All of it raises the cost of fraud. None of it eliminates the step where a human being decides to trust the wrong message. That part is still on us.

Protecting Yourself

Google’s advisory closes with guidance that maps cleanly onto each threat:

  • Don’t scan QR codes you weren’t expecting. Type the organization’s address into your browser instead, and treat unsolicited calendar invitations as you would suspicious email.
  • Assume “guaranteed returns” means guaranteed loss. No legitimate crypto investment promises risk-free profit, and no trustworthy tutorial requires you to run code you don’t understand against your own wallet.
  • Install finance apps only from official stores — then stay skeptical. Deny permissions an app doesn’t plainly need, and review what existing apps can access after updates.
  • Know how police actually work. No law enforcement agency conducts arrests over video calls, demands fees through personal messaging apps, or needs your banking credentials to “clear your name.” Hang up and call the agency through a published number.
  • Slow down. Every one of these schemes — the fake login, the trading bot, the uniformed officer on camera — depends on urgency. The scam that can’t rush you usually can’t catch you.