Google's Built-In AI Defenses on Android Now Block 10 Billion Scam Messages a Month
Google on Thursday revealed that the scam defenses built into Android safeguard users around the world from more than 10 billion suspected malicious calls and messages every month. The tech giant also said it has blocked over 100 million suspicious numbers from using Rich Communication Services (RCS), an evolution of the SMS protocol, thereby preventing scams before they could even be sent. In
AI Analysis
Technical Summary
Google has implemented advanced AI-driven scam defenses within Android that block more than 10 billion suspected malicious calls and messages monthly worldwide. These defenses include on-device AI filtering that automatically moves spam and scam messages to a blocked folder in Google Messages. Google has also blocked over 100 million suspicious numbers from using Rich Communication Services (RCS). The scam messages primarily involve phishing tactics such as employment fraud, financial scams involving fake bills and investment schemes, romance scams, government impersonation, and technical support fraud. Attackers employ two main strategies: 'Spray and Pray,' which casts a wide net using urgent lures to induce quick clicks on malicious links often masked by URL shorteners, and 'Bait and Wait,' a patient, personalized approach that builds trust over time to maximize financial loss. Notably, scammers increasingly use group chats to lend legitimacy to their messages by including accomplices, making the scams appear as genuine conversations. The infrastructure behind these scams includes SIM farms for mass messaging, Phishing-as-a-Service kits for credential harvesting, and bulk messaging services for distribution. The scam activity follows distinct temporal patterns, peaking during U.S. workday mornings and Mondays, exploiting times when users are less vigilant. While Google's AI defenses significantly reduce exposure, the threat landscape remains volatile, with scammers shifting operations geographically in response to enforcement. The stolen personal data fueling these scams often originates from dark web marketplaces selling breach data. Overall, this threat represents a sophisticated, large-scale smishing campaign leveraging AI and infrastructure to target mobile users globally.
Potential Impact
For European organizations, this threat poses multiple risks including financial loss due to fraudulent transactions, theft of sensitive personal and corporate information, and reputational damage from compromised employee or customer data. The use of RCS and SMS as attack vectors means mobile users are directly targeted, potentially bypassing traditional email security controls. Employment fraud and investment scams can lead to significant monetary losses and legal liabilities. The personalized nature of some scams increases the likelihood of successful social engineering attacks against employees, which could facilitate further network intrusions or data breaches. Additionally, the high volume and evolving tactics strain security teams and user awareness efforts. The presence of SIM farms and bulk messaging services complicates attribution and mitigation, allowing attackers to rapidly shift tactics and targets. European financial institutions, HR departments, and customer service teams are particularly vulnerable due to the nature of the scams. The threat also impacts mobile network operators and messaging service providers, requiring coordinated defense efforts.
Mitigation Recommendations
European organizations should implement multi-layered defenses that include advanced mobile threat detection solutions capable of analyzing SMS and RCS traffic for phishing indicators beyond basic spam filtering. Employee training programs must emphasize awareness of smishing tactics, especially the risks of group chat scams and personalized social engineering. Organizations should collaborate with mobile network operators to identify and block suspicious numbers and SIM farm activities. Deploying URL filtering and sandboxing for links received via messaging apps can prevent malicious payload delivery. Encouraging the use of secure communication apps with end-to-end encryption and anti-phishing features can reduce exposure. Incident response plans should include procedures for handling smishing incidents and reporting to relevant authorities. Regular threat intelligence sharing within European cybersecurity communities can help track emerging scam campaigns and infrastructure shifts. Finally, organizations should advocate for stronger regulatory controls on bulk messaging services and SIM card sales to disrupt attacker infrastructure.
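The 'Spray and Pray' and group-chat traits from the technical summary, combined into a message triage check of the kind the first recommendation calls for. This is an added example, not code from Google or the source article; the shortener list, urgency phrases, message schema, thresholds and sample messages are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Assumed, deliberately short lists; production filters would use maintained feeds.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd"}
URGENCY = re.compile(
    r"\b(urgent|immediately|final notice|within 24 hours|suspended|overdue)\b", re.I)
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)

def link_hosts(text):
    """Hostnames of every http(s) link in the text, lower-cased, without 'www.'."""
    hosts = []
    for url in URL_RE.findall(text):
        host = (urlparse(url.rstrip(".,;:!?)")).hostname or "").lower()
        if host:
            hosts.append(host[4:] if host.startswith("www.") else host)
    return hosts

def triage(msg, contacts):
    """Return (verdict, reasons); msg follows the hypothetical schema in SAMPLES."""
    reasons = []
    if any(h in SHORTENERS for h in link_hosts(msg["text"])):
        reasons.append("shortened_link")       # link destination is masked
    if URGENCY.search(msg["text"]):
        reasons.append("urgency_lure")         # pressure to act quickly
    if msg["sender"] not in contacts:
        reasons.append("unknown_sender")
    members = msg["participants"]              # thread members other than the owner
    if len(members) >= 2 and not any(m in contacts for m in members):
        reasons.append("group_of_strangers")   # possible staged conversation
    verdict = ("quarantine" if len(reasons) >= 3
               else "review" if len(reasons) == 2 else "deliver")
    return verdict, reasons

# Constructed sample messages (555-01xx numbers are reserved for fiction).
CONTACTS = {"+12025550199"}
SAMPLES = [
    {"sender": "+12025550101", "participants": ["+12025550101"],
     "text": "URGENT: your toll bill is overdue. Pay within 24 hours: "
             "https://bit.ly/constructed-example"},
    {"sender": "+12025550102", "participants": ["+12025550102", "+12025550103"],
     "text": "Great returns again this week. Who else is joining the fund?"},
    {"sender": "+12025550199", "participants": ["+12025550199"],
     "text": "Running late, see you at 6. Menu: https://www.example.com/menu"},
]

if __name__ == "__main__":
    for m in SAMPLES:
        print(m["sender"], *triage(m, CONTACTS))
```

Single indicators only add to a score here, so a known contact sharing a shortened link is still delivered; the patient 'Bait and Wait' pattern carries none of these markers and needs conversation-level analysis instead.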
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Sweden
Technical Details
- Article Source
- {"url":"https://thehackernews.com/2025/10/googles-built-in-ai-defenses-on-android.html","fetched":true,"fetchedAt":"2025-11-01T01:10:55.756Z","wordCount":1368}
Threat ID: 69055e2471a6fc4aff34f147
Added to database: 11/1/2025, 1:11:00 AM
Last enriched: 11/1/2025, 1:12:34 AM
Last updated: 11/1/2025, 4:02:16 PM