When you buy through affiliate links in our content, we may earn a commission at no extra cost to you. Learn 
Google’s legal teams has set its sights on an AI-powered network that it claims is helping scammers turn fake text messages and copycat websites into a large-scale phishing operation.
On June 12, the company announced that it had filed a lawsuit against an alleged China-based cybercrime network known as the Outsider Enterprise.
The complaint, filed in the U.S. District Court for the Southern District of New York, targets 25 as-yet unnamed defendants accused of operating a phishing network that sold access to “Outsider” software. Scammers could then use the software to build fake websites, send fraudulent texts, and collect personal and financial information from their targets.
Google presents the case as an effort to keep the internet safe. However, its legal basis for filing the suit is the alleged misuse of Google’s brand and services by Outsider Enterprise. It says the Chinese group used its logo and Google Cloud, Google Drive, and Gemini, to make parts of the scheme look legitimate. Google says the alleged network also used AI-generated code to help create fake websites.
“You’ve seen the texts: fake package alerts, urgent bank warnings, panicked messages about your compromised account. Behind them is an AI-powered cybercrime network built to steal your passwords and credit cards,” Google said in its announcement.
The operation was linked to 9,000 fake websites and more than 1 million fraudulent URLs, according to Google. In May, Android users flagged 55,000 spam texts connected to the scheme over a two-week period, while the alleged network sent 2.5 million messages to Android users containing links to Outsider-generated websites during that same span.
The scale of the operation shows it was built for volume. Instead of individual scammers having to build their own fake pages, write their own messages, and handle stolen data manually, Google said Outsider packaged those steps into a repeatable system.
That means we’re all facing a new and improved version of an old-school threat. Scam texts and the pages behind them aren’t as easy to detect as they once were. AI has made them cleaner, faster, and more believable than the typo-filled phishing attempts people were once told to watch for.
Google’s Outsider Lawsuit Shows How Text Phishing Is Scaling
In the lawsuit, Google describes Outsider as a phishing-as-a-service product and alleges that it turned fraud into a subscription business. Google says the alleged network sold its licenses for as little as $88 a week.
For that price, it says, scammers got access to more than 290 pre-built website templates mimicking financial firms, wireless carriers, government agencies, retailers, toll services, and shipping companies.
“Defendants are a group of foreign-based cybercriminals who have made sophisticated fraud as simple as a few clicks of the mouse,” Google alleges in the complaint.
“They built, maintain, and use a turn-key, online software suite that enables criminals, regardless of technical skill, to publish fraudulent websites designed to rob victims and enrich themselves.”
The complaint goes on to call the software “phishing-for-dummies” and alleges that the workflow began the same way many modern scams do: with a text message.
From there, the scammers used SMS, RCS, and iMessage to send links to fake websites. Once they landed on those sites, victims were asked to enter their personal information, including credit card numbers, bank credentials, authentication codes, or other sensitive details.
Google says Outsider tutorials showed scammers how to use AI-generated code to make phishing pages look more convincing.
“Following those instructions, Enterprise members can use AI tools to generate programming code for a shell website, and copy and paste that code into Outsider to transform that shell into a fraudulent site that can be used to steal personal or financial information from their victims,” Google alleged.
In the complaint, Google argues that this setup lowered the barrier for scammers wanting to run large phishing campaigns:
“As a result, a criminal with no programming knowledge can, for example, generate a near-perfect replica of a cellular provider’s website in minutes, coordinate to send ‘bait’ text messages to thousands of targets, and begin harvesting stolen data with little effort.”
Text Phishing Was Already Costing Users Before AI Made It Easier
“Smishing,” a portmanteau for phishing attacks sent by SMS text message, is nothing new. However, adding AI to the mix can make an already profitable way of committing fraud even harder to detect.
According to the Federal Trade Commission, imposter scams were the most reported type of fraud in 2025, extending a nine-year streak. The agency says it received more than 1 million imposter scam reports last year, with reported losses going up by almost 20% to $3.5 billion.
Recent research on SMS phishing helps explain why these scams can be so effective. A 2026 systematic review of SMS phishing attacks and defenses said smishing attacks “often use urgency or fear tactics to deceive recipients into clicking malicious links or revealing personal information.”
The same review said defenses such as blacklisting can fall short because attackers “continuously adapt their tactics.”
There are several reasons that SMS is such a popular choice for scammers. Text messages arrive instantly on devices most of us keep close on hand throughout the day. They’re short enough that we can read them quickly.
It’s not difficult to compose messages in a way that creates pressure, such as a missed delivery, unpaid tolls, frozen bank accounts, or a reward that’s about to expire. They also send users to mobile webpages that look a lot like typical login, payment, or verification screens.
Google’s complaint included examples of the kinds of messages its users reported receiving.
In one, the alleged scam text said, “Your vehicle registration renewal is suspended due to unpaid tolls. Use this official link to pay.”
Another said, “We attempted to deliver your package on May 19, but were unable to complete the delivery. A signature was required at the time of delivery, and no one was available to sign for the item at the address on file.”
The risk went well beyond the simple act of tapping the link in a text. Google alleges that Outsider could create fake multi-factor authentication pages, allowing scammers to prompt victims for codes while trying to access the real account in the background.
“The Outsider software undermines MFA protections by issuing its own fraudulent request for MFA and then using the victim-supplied information to log into the real site,” the complaint says.
AI Scams Are Making Old Phishing Red Flags Less Reliable
For years, warnings from government agencies, banks, and major companies have taught us to look for the signs of a fake text message.
We should be on the lookout for misspellings, strange grammar, broken logos, and clumsy webpage design. Those once helpful clues can still come in handy, but AI makes them much less reliable.
With generative AI, scammers can write cleaner text, localize messages, create more convincing layouts, and more easily test different versions of the same scam.
A 2024 paper titled AbuseGPT warned that AI chatbots could help attackers run “craftier smishing campaigns with very little knowledge required.”
The FBI stressed this point in the statement Google released announcing its lawsuit against the Outsider Enterprise.
“The criminals behind the Outsider Enterprise built a business out of impersonating trusted brands to defraud hundreds of thousands of victims,” Brett Leatherman, assistant director of the FBI’s Cyber Division, said. “Criminals increasingly use AI to make fraud like this more convincing and harder to detect.”
How To Spot AI-Powered Text Scams
One problem users are facing as they confront the AI smishing threat is that they’re being asked to spot better scams while brand guidance remains inconsistent.
A 2026 study of 149 well-known brands across 25 categories found “significant gaps” in smishing information, with only 46% of brands defining smishing, less than 1% offering a video tutorial, and 50% explaining how customers should report suspicious texts.
That leaves too much room for guesswork. A website free of typos doesn’t mean a text message is legit. A familiar logo doesn’t prove a link is safe. A text that names a real company, toll agency, carrier, or delivery service can still be part of a mass scam campaign.
The best way to protect yourself from these sophisticated AI-powered scams is through verification. You should avoid tapping on links in texts and instead go to the company’s official app, type the known website address directly into a browser, or contact customer service through a verified channel.
If you receive a text about account problems, surprise rewards, requests for authentication codes, or urgent payment warnings, you should exercise extra caution.
Google’s lawsuit very well may disrupt one alleged network, but the bigger lesson shouldn’t be ignored. Text phishing is starting to look a lot more like a professional digital service and a lot less like spam.
As AI makes fake messages and websites easier to produce, we’ll all have to rely less on how a message looks and more on whether we can verify it somewhere else.
