Google's June 2026 Scams Advisory: What It Flags

The short answer

On 8 June 2026 Google published a fraud-and-scams advisory citing roughly $580 billion in global losses for 2025 and about one in five adults victimised. It names four threat families: advanced phishing (adversary-in-the-middle kits, QR-code "quishing", "ClickFix" fake-update pages, calendar-invite phishing), AI cryptocurrency investment fraud (over $11 billion lost in the US), malicious finance apps, and police-impersonation "digital arrest" schemes. Several ride Google's own products — Calendar, Chrome, the Play Store. It is a useful, honest disclosure with sensible safety tips. But naming a scam is not the same as closing the door it arrives through, and a predictable next step is impostors invoking "Google security" to run the very scams the advisory describes. The protection is unchanged: verify independently, and never act on an unsolicited message that manufactures urgency.

"Our teams use the latest in AI capabilities to prevent, detect and respond against evolving scam tactics."
— Laurie Richardson, Vice President, Trust & Safety, Google, in the company's June 2026 fraud-and-scams advisory (8 June 2026).

Most scam coverage relays the headline number and moves on. The figure here — Google's estimate of roughly $580 billion lost worldwide in 2025, with about one in five adults affected — is worth a pause, but it is not the interesting part. The interesting part is that Google, one of the largest gatekeepers of how people reach the internet, used its own advisory to describe scams that travel through Google's own products. That candour is useful. It is also an invitation to ask a sharper question than "how big is fraud?"

If you just want the practical takeaway, skip to what this means for you. The short version: the advisory's safety tips are sound, the scams it names are ones we have already taken apart, and the most likely thing to reach you off the back of this news is an impostor invoking it.

What Google actually published

According to the advisory, Google's Trust & Safety teams group the current wave into four families:

—Advanced phishing that beats two-factor login. Adversary-in-the-middle kits (Google names Tycoon 2FA) capture your password and your session cookie, stepping around the 2FA code entirely. Alongside it: 'calendar phishing' through automatic invites, and 'ClickFix' pages that pose as a browser fix and walk you into pasting a malicious command into your own computer.

—AI-assisted crypto investment fraud. Fake token giveaways and bogus 'passive income' mining software that drains wallets when the code runs. Google ties cryptocurrency scams to over $11 billion in US losses in 2025.

—Malicious mobile finance apps. Apps that demand excessive permissions, or carry dormant malware that activates after install — sometimes updated with extortion features only after they have passed a store's review.

—Police impersonation and 'digital arrests'. Video-call scams in which fake officers demand upfront fees, with official-sounding email addresses to match — Google flags them as especially active across South and Southeast Asia and the Gulf.

Each comes with consumer advice we will get to. But first, the detail that deserves more attention than it will get.

The part worth noticing: the call is coming from inside the house

Read the list again and notice where these scams live. A calendar-invite phish arrives in Google Calendar. A ClickFix lure impersonates a Chrome update. A malicious finance app clears review and ships from the Play Store. These are not shady corners of the web; they are trusted, default surfaces that hundreds of millions of people are taught to rely on.

To be fair to Google, it is unusually transparent here — it published these as threats it is actively defending against, and it does invest heavily in detection. But honesty about a problem is not the same as fixing it, and the advisory is structured to hand the final responsibility back to the user: scan fewer QR codes, paste less code, check permissions. That is reasonable advice. It is also a quiet admission that the safety net, for now, is your own vigilance — on platforms whose entire promise is that you should not have to be the safety net. The question the advisory leaves open is the one consumers actually feel: if a scam can ride a Calendar invite or a Play Store listing, how much of stopping it can really be the reader's job?

The scams it names — and where we've taken each apart

The useful thing about an advisory like this is that it is a map of what to learn. Here is each family Google names, matched to the full teardown:

—Police impersonation / 'digital arrest'. The fake-officer video call demanding fees, dissected line by line in the digital-arrest teardown — and, for its German-speaking version with a courier at the door, the falsche-Polizei piece.

—AI crypto investment fraud. The 'guaranteed return' pitch and the romance-to-platform pivot, in the investment-fraud guide and the AI romance-scam piece.

—QR-code 'quishing' and fake-fee texts. The same smishing infrastructure behind the toll and package texts, in the fake-USPS text breakdown and the toll-text piece.

—Advanced phishing generally. How to read any phishing message — the cues that still work in 2026 — in the phishing guide.

The advisory's most quietly important tip is the one people break under pressure: never copy a command from a website and paste it into your computer's terminal because a page told you to. That single instruction is the entire "ClickFix" attack. A real browser update never asks you to run code by hand.

What this means for you

Strip away the headline figure and Google's own tips, sharpened, come down to a short list:

1Never scan a QR code from an unexpected email, text, letter or poster. Navigate to the real site yourself instead. A QR code is just a link you can't read.

2Never paste a command you don't understand into a terminal or 'verification' box because a web page told you to — that is the ClickFix attack, start to finish.

3Treat every 'guaranteed return' crypto or 'passive income' pitch as fraud, especially one that reached you through a stranger, a DM, or a romance.

4Install finance apps only from the official store, and refuse any app that demands permissions it has no reason to need.

5Never act on an unsolicited call, text or email claiming to be a government agency, your bank, or a platform's 'security team' — including a 'Google security alert'. Verify only on a number or site you find yourself. When unsure, run it through the Scam Checker first.

6If money has already moved, don't wait — your bank and card issuer are the fastest levers, acting within hours. See the 72-hour recovery playbook.

A recreated example of a phishing email impersonating Google: a Gmail message with the display name 'Google' but a lookalike sender domain, a 'critical security alert' claiming a sign-in from a new device, a threat of account suspension within 24 hours, and a 'Secure my account' button linking to a defanged scam URL — shown beside red-flag tells about the sender domain, the false deadline, and checking your account directly. — A recreated example of the fake “Google security alert” email — exactly the kind of impostor message that rides an advisory like this. The giveaway is the lookalike sender domain, not the display name. Example only; not from Google, link disabled.

Expect this advisory to become bait. Every big fraud headline does. The predictable next move is impostors posing as "Google security", a "fraud team", or an account-recovery service — citing the very advisory above — to harvest your login or a payment. Google does not phone ordinary users to fix their account or collect money, and no legitimate body charges an upfront fee to recover your losses. If a "Google" or "recovery" contact wants money or your details, it is the next scam, not the cure. We take that pattern apart in the recovery-scams piece.

From the field. A platform publishing a clear-eyed list of the scams running through its own products is rare, and worth crediting — most companies would rather not draw the map. But read it for what it is: an advisory, not a wall. Naming the Calendar invite, the fake Chrome update, the app that turned after review tells you the threat is real and current; it does not remove it from your inbox, your browser, or your phone. Until the door is closed at the platform, the lock is still your own habit of slowing down — and of treating anyone who waves a famous name at you, Google's included, while asking for money or a code, as exactly what they are.

If you take one thing from Google's advisory, take this: the scams it named arrive through the products you trust most — so the message you least expect is the one to slow down on, and verify on a number you found yourself.

Got a "Google security alert" or a too-good crypto tip? Send it to us first.

Paste the message, the link, the app, the "agent" who contacted you. A real expert reviews every case and replies within 24 hours. Free, confidential, no pressure.

Submit a free case review →Try the Scam Checker

Common questions about Google's 2026 scams advisory

What is Google's June 2026 scams advisory?

It is a public fraud-and-scams advisory Google published on 8 June 2026 through its Safety & Security blog, summarising the scam tactics its Trust & Safety teams are seeing and the defences it is building against them. Google cites roughly $580 billion in global fraud losses for 2025 and says about one in five adults fall victim to scams. The advisory groups the current threats into a few families — adversary-in-the-middle phishing and QR-code 'quishing', AI-driven cryptocurrency investment fraud, malicious mobile finance apps, and police-impersonation 'digital arrest' schemes — and gives consumers a short list of defensive habits. It is an awareness document, not a new law or product.

What scams does Google warn about for 2026?

Google's advisory flags four broad families. First, advanced phishing: adversary-in-the-middle kits (like Tycoon 2FA) that steal passwords and session cookies to bypass two-factor login, plus 'calendar phishing' through fake invites and 'ClickFix' pages that trick you into pasting malware-laden commands while posing as a browser fix. Second, AI-assisted crypto investment fraud — fake token giveaways and bogus 'passive income' mining software that drains wallets — which Google ties to over $11 billion in US losses in 2025. Third, malicious banking and finance apps that demand excessive permissions or activate dormant malware after install. Fourth, police-impersonation and 'digital arrest' scams, especially active across South and Southeast Asia and the Gulf.

What are 'quishing', 'ClickFix' and calendar phishing?

They are three of the delivery methods in Google's advisory. 'Quishing' is QR-code phishing — a QR code in an email, poster or letter that sends you to a credential-stealing site instead of a real one. 'ClickFix' is a fake error or 'verify you're human' page that instructs you to copy a command and paste it into your computer, which quietly installs malware — Google's advice is to never paste code you don't understand into a terminal. 'Calendar phishing' abuses automatic calendar invites to plant scam links directly in your schedule. All three exploit trusted, everyday surfaces rather than an obvious dodgy link.

Is a 'Google security alert' about my account a scam?

Treat any unsolicited 'Google security alert' that arrives by phone call, text, or a link demanding urgent action as a scam until you prove otherwise. A predictable side effect of an advisory like this is that impostors invoke it — posing as 'Google security', a 'fraud team', or an account-recovery service to harvest your login or a payment. Google does not phone ordinary users to fix their account or collect money. Check account security only by navigating directly to myaccount.google.com yourself, never through a link or number someone sent you. The same rule defeats the police-impersonation scams in the advisory: verify independently, on a contact you found yourself.

How do I protect myself from the scams Google flagged?

Google's own tips, plus the habits that defeat every version: never scan a QR code from an unexpected message and never paste a command you don't understand into your computer; treat any 'guaranteed return' crypto pitch as fraud; install finance apps only from official stores and refuse apps that demand excessive permissions; and never act on an unsolicited call or email from someone claiming to be a government agency, a bank, or a platform's security team. The single rule underneath all of it: when a message manufactures urgency, slow down and verify it independently — using a number or website you find yourself, never one you were handed.

Sources & further reading

Claims in this piece are attributed to these sources. Click any of them to verify.

Google says scams took $580 billion last year — and named the ones riding its own products. So who is supposed to stop them?