Google on Friday said it is taking legal action against a scam-text operation it calls the “Outsider Enterprise,” pairing a civil lawsuit with FBI action and cooperation from AT&T, T-Mobile, and Verizon. The company described the group as a China-based, Telegram-coordinated network that distributes phishing kits used to send fake texts impersonating Google and other trusted brands.
The numbers in Google’s June 12 announcement show why scam texts now look less like isolated spam and more like criminal infrastructure. Google said the operation is connected to 9,000 fake websites and more than 1 million fraudulent URLs. Over a two-week stretch in May, Android users flagged 55,000 spam texts, while 2.5 million messages were sent to Android users with links to Outsider-generated sites.
The case is also a reminder that AI scams are not only about synthetic voices or deepfake video. In many consumer attacks, AI’s biggest effect is scale: more convincing text, faster campaign setup, cheaper localization, and automated testing of lures that look like delivery alerts, bank warnings, account notices, or government messages.
What the alleged operation sold
Google describes Outsider Enterprise as a phishing-kit business. That matters because the buyer does not need to build the scam from scratch. A phishing kit can provide fake login pages, brand assets, templates, dashboards, URL generation, and instructions for moving stolen data. The attacker’s job becomes distribution: get the link in front of enough people and pressure them to act before they think.
That is why text-message scams keep returning under new disguises. One week the message may claim a package is stuck. Another may warn about an unpaid toll, a frozen bank account, a suspicious Google login, or a government fine. The visible story changes, but the underlying workflow is similar: spoof trust, create urgency, send the user to a lookalike site, then collect passwords, payment details, session information, or other sensitive data.
Google’s framing puts the operation in the same family as phishing-as-a-service, where scam tools are packaged, marketed, and reused by many actors. That turns abuse response into a broader infrastructure problem. Blocking one fake site or one sending account helps, but it does not remove the kit, hosting pipeline, distribution channels, or payment and data-resale loops behind the campaign.
Why carriers are part of the story
The involvement of major U.S. carriers is important because the phone number is still one of the most trusted channels in a consumer’s life. Email users have been trained for years to distrust suspicious links. Text messages often feel more immediate, especially when they appear to come from a bank, delivery company, employer, school, government office, or platform security team.
Google said it will continue working with AT&T, T-Mobile, and Verizon to block malicious texts before they reach users. That kind of filtering is not a complete answer. Attackers rotate domains, change wording, use URL shorteners, exploit legitimate cloud services, and move between SMS, RCS, iMessage, messaging apps, and email. Still, carrier-level blocking can reduce the number of people who ever see the lure, which is often the difference between a contained campaign and a mass-victim event.
The company also said the FBI will take law-enforcement actions connected to the operation. Civil lawsuits by tech companies do not replace criminal enforcement, but they can help expose infrastructure, support domain takedowns, preserve evidence, and make it harder for the same service to keep operating openly under the same brand.
Where Android fits
Google used the announcement to highlight its own product defenses, including Android scam detection for suspicious calls and messages, and messaging protections that it says intercept more than 10 billion malicious messages each month. Those protections matter most when they interrupt a scam at the moment of pressure: a fake bank warning, a spoofed delivery link, or a caller trying to keep someone on the phone while they install an app or share a code.
The June 12 action also connects to Google’s broader mobile-scam push. In a separate June fraud advisory, the company warned about mobile extortion apps, fake finance apps, “digital arrest” impersonation scams, QR-code phishing, and adversary-in-the-middle attacks that can steal session cookies even when a user has multifactor authentication enabled.
Some of Google’s Android changes are controversial, especially developer verification for apps installed on certified Android devices. Supporters see identity checks as a way to slow repeat malware distributors. Critics worry that requiring verification, even outside Google Play, gives Google more control over what can be installed on Android. The Outsider Enterprise case will likely strengthen Google’s safety argument, but it does not erase the openness debate.
What users should watch for now
The most useful lesson is that scam texts should be treated as a live attack path, not a nuisance. A message can look routine and still be part of a larger campaign using cloned sites, disposable domains, and brand impersonation at scale.
- Do not open payment, delivery, tax, bank, toll, or account-warning links from unexpected texts.
- Go directly to the company’s app or website instead of using the link in the message.
- Be especially skeptical when a message creates urgency, threatens account closure, or asks for payment details.
- Never enter a one-time passcode, password, or card number on a site reached from an unexpected text.
- Report suspicious texts through the phone’s spam-reporting tools so carriers and platforms can see the campaign pattern.
For businesses, the bigger task is brand-abuse monitoring. If customers receive scam texts impersonating a company, the damage does not stop with the victims. It can erode trust in legitimate alerts, support messages, and account-security communications. Clear short codes, signed messaging where available, predictable customer-contact policies, and fast takedown workflows are now part of consumer trust.
Google’s case may not end large-scale smishing, and another kit can replace a disrupted one. But the action points to where the fight is moving: away from whack-a-mole cleanup of individual fake sites and toward pressure on the services, channels, and business structures that make scam texts cheap to launch and easy to repeat.
