Our latest fraud and scams advisory
Summary
Google's Trust & Safety teams released their latest advisory on June 8, 2026, detailing current online scam trends and protective measures. Global fraud losses are estimated at nearly $580 billion for 2025, with one in five adults falling victim. The advisory highlights four key areas: Adversary-in-the-Middle (AITM) and "Quishing" (QR-code phishing) attacks that bypass MFA by proxying the real login flow and capturing the authenticated session cookie; AI cryptocurrency investment scams, which cost Americans over $11 billion in 2025 and rely on fake giveaways and malicious code; mobile extortion delivered through finance apps that abuse accessibility services after installation; and police impersonation schemes, particularly in South Asia, Southeast Asia, and GCC countries, built around "digital arrests" and demands for "legal fees." Google counters these threats with AI-driven detection, policy enforcement, and litigation, alongside technical measures such as Device Bound Session Credentials (DBSC) and the Android Developer Verification Program.
Key takeaway
For IT professionals and security engineers responsible for organizational and user safety, this advisory underscores the need for proactive defense against evolving online threats. Prioritize adopting Device Bound Session Credentials (DBSC) so that a session cookie is only honored from the device that established it, which blunts AITM cookie theft, and educate users on the risks of QR-code phishing and unsolicited communications. Additionally, scrutinize app permissions and post-installation behavior, especially for mobile finance applications, and reinforce skepticism toward "guaranteed" crypto investments and toward demands from alleged law enforcement arriving through unofficial channels.
Key insights
Online scams are evolving rapidly, employing sophisticated technical bypasses and social engineering to exploit users for financial gain.
Principles
- Attackers exploit trust in legitimate platforms and institutions.
- Multi-factor authentication can be bypassed by session cookie theft.
- App store review is circumvented by apps that look benign at submission and turn malicious through post-installation updates.
Method
Google's approach combines AI-driven detection, policy enforcement (e.g., Unreliable Claims, Unacceptable Business Practices), technical mitigations like Device Bound Session Credentials (DBSC), and affirmative litigation against malicious actors.
In practice
- Adopt Device Bound Session Credentials (DBSC) so that an active session cookie is only honored together with proof of possession of the device key it was bound to.
- Audit app behavior after installation, not only at review time: watch for apps that request or activate accessibility services or other high-risk permissions in later updates.
- Verify developer identity for Android apps, even those sideloaded.
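The following is an added illustration of the session-binding principle behind the "MFA can be bypassed by session cookie theft" point and the DBSC recommendation above. It is not code from the advisory, from Chrome, or from Google's DBSC implementation, and it does not reproduce the real DBSC HTTP exchange or its TPM-backed keys. It is a simplified server/device model: at login the server records the device's public key alongside the cookie, and every sensitive request must carry a signature over a fresh server challenge made with the matching private key. The names Server, Device, Login, Challenge, Authorize, Prove, and RunDemo are hypothetical.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Session is the server-side record: the cookie value plus the public half of
// the key the device presented at login. In a real device-bound design the
// private half lives in a TPM or OS keystore; here it is an in-memory key.
type Session struct {
	Cookie    string
	DevicePub *ecdsa.PublicKey
}

// Server (hypothetical) holds sessions and the single-use challenges it issued.
type Server struct {
	sessions map[string]*Session
	nonces   map[string]bool
}

func NewServer() *Server {
	return &Server{sessions: map[string]*Session{}, nonces: map[string]bool{}}
}

func randomHex(n int) string {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return hex.EncodeToString(b)
}

// Login runs after MFA has already succeeded and binds the new session cookie
// to the device's public key. From here on the cookie alone proves nothing.
func (s *Server) Login(devicePub *ecdsa.PublicKey) string {
	cookie := randomHex(16)
	s.sessions[cookie] = &Session{Cookie: cookie, DevicePub: devicePub}
	return cookie
}

// Challenge issues a fresh nonce the client must sign before a request is honored.
func (s *Server) Challenge() string {
	nonce := randomHex(16)
	s.nonces[nonce] = true
	return nonce
}

// proofDigest covers cookie and nonce together, so a signature cannot be
// transplanted onto another session or replayed against a later challenge.
func proofDigest(cookie, nonce string) []byte {
	d := sha256.Sum256([]byte(cookie + "\x00" + nonce))
	return d[:]
}

// Authorize accepts a request only if the cookie is known, the nonce is fresh,
// and the signature verifies under the key bound at login.
func (s *Server) Authorize(cookie, nonce string, sig []byte) error {
	sess, ok := s.sessions[cookie]
	if !ok {
		return errors.New("unknown session cookie")
	}
	if !s.nonces[nonce] {
		return errors.New("nonce unknown or already used (replay)")
	}
	delete(s.nonces, nonce) // challenges are single use
	if !ecdsa.VerifyASN1(sess.DevicePub, proofDigest(cookie, nonce), sig) {
		return errors.New("proof of possession failed: cookie presented without the bound device key")
	}
	return nil
}

// Device (hypothetical) models a client whose private key never leaves it.
type Device struct{ key *ecdsa.PrivateKey }

func NewDevice() *Device {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Device{key: key}
}

func (d *Device) Public() *ecdsa.PublicKey { return &d.key.PublicKey }

// Prove signs the server challenge with the device-bound key.
func (d *Device) Prove(cookie, nonce string) []byte {
	sig, err := ecdsa.SignASN1(rand.Reader, d.key, proofDigest(cookie, nonce))
	if err != nil {
		panic(err)
	}
	return sig
}

// RunDemo returns three outcomes: the legitimate device using its cookie (nil),
// an AITM attacker replaying the captured cookie from its own device (error),
// and the legitimate device reusing an already-consumed nonce (error).
func RunDemo() (legit, stolenCookie, replayedNonce error) {
	srv := NewServer()
	victim := NewDevice()
	cookie := srv.Login(victim.Public()) // MFA passed, cookie issued

	n1 := srv.Challenge()
	legit = srv.Authorize(cookie, n1, victim.Prove(cookie, n1))

	// The AITM proxy captured the cookie but holds different key material.
	attacker := NewDevice()
	n2 := srv.Challenge()
	stolenCookie = srv.Authorize(cookie, n2, attacker.Prove(cookie, n2))

	// A valid signature over an already-used nonce is still refused.
	replayedNonce = srv.Authorize(cookie, n1, victim.Prove(cookie, n1))
	return
}

func main() {
	legit, stolen, replay := RunDemo()
	fmt.Println("legitimate device:", legit)
	fmt.Println("stolen cookie, attacker key:", stolen)
	fmt.Println("replayed nonce:", replay)
}
```

The point the demo makes is the one the advisory relies on: an AITM proxy that mirrors the login page obtains a perfectly valid cookie, and a server that checks only the cookie cannot tell the proxy from the victim. Once the cookie is bound to a key the attacker never sees, the captured cookie is inert on any other device, and the single-use challenge stops replay of an observed proof.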
Topics
- Adversary-in-the-Middle
- Cryptocurrency Fraud
- Mobile Extortion
- Police Impersonation
- Session Cookie Theft
- Google Trust & Safety
Best for: CTO, VP of Engineering/Data, Executive, General Interest, Security Engineer, IT Professional
Editorial summary, takeaway, and curation by AIssential. Original article published by The Keyword.