B (3:08)

So maybe we could start with sort of defining the problem because again most of my background and experience is more in enterprise security where you know, especially coming from the Mandian side, you're looking at things like in intrusion based threats where an apt group or a fin group is trying to compromise an organization. Maybe they're deploying ransomware, maybe they're stealing data. But again, I think increasingly this year it seems like this topics, these topics around fraud and scams and there's many different forms and I guess the way that these play out and a lot of them are targeted to more of the consumer oriented audience, but that seems to have been increasingly present in a lot of broader cybersecurity conversations. So maybe you can sort of describe, you know, again, I think this is not coming out to 2026, but as we sit here at the end of 2025, what has been sort of the ways that this conversation around scams, fraud, how it's evolved and sort of what we've been witnessing maybe the last several years around this problem?

A (4:06)

Yeah, I mean, well, first of all, I think this is a problem that actually does heavily impact enterprise. I think when we talked about Singapore and you showed some of the charts, you showed like phishing is a big problem. Of course phishing is like one of the key tactics to perform financial fraud amongst others. Right. So like enterprises should just be as concerned about this as individuals and you know, your regular consumers. Because at the end of the day, whether it's defrauding a person or defrauding a business or stealing sensitive data which leads to monetary loss, you know, the tactics are very similar in terms of like how we got here. I think scams have been around since the Internet, not really the Internet, but like you would probably, everybody remembers Nigerian prince stuff in the early 2000s. It's just they've gotten more sophisticated and I think the difference has been, you know, if you look At a desktop, form factor or laptop in the back in the day, you know, you were probably being scammed a couple hours a day because that's the only time you had your computer open. And then you went about your life. Now, you know, you're connected 24, 7, your phone is in your pocket. And for those that don't carry the phone in their pocket, like my wife has her watch connected all the time anyway. So even if when the phone's not on her, her watch is there, she'll still have access to her email, her texts, her calls and everything else. So like, you know, the window of opportunity has gotten that much larger. And now it's not like emails and phone calls on your fixed landline. Right. There's every communication mechanism you can think of. So it's still traditional. Emails and calls. Calls are actually number one, especially cell calls. You know, texts are like equally there. Then third party messaging apps have come about. Right. Like how many people get scammed on social media and so forth or even advertising. Right. So like just the, the different contact methods I think has really evolved from, you know, when you think about this, from just the old Nigerian print scam.

B (5:52)

Yeah. So a part of it is like, you know, the technology adoption, the form factor that we're using today, and actors looking for ways to exploit that. And you know, in the same way that we see social engineering of enterprise users, there's ways, various ways they can exploit the consumer. In this context, what are some of the common categories of scams? Like I know you, you sometimes hear this problem described in the context of romance scams. There's probably others out there, but what are some of like the more common sort of, not necessarily techniques, but kind of motivations, TTPs, generally it always starts

A (6:31)

with something that's too good to be true or a sense of urgency. And like you said there, romance is an example of that. There's generally like eight categories. I can never remember all, all of them. But like job scams, IT support scams, romance scams. But what's interesting is when I put that into Gemini and said based on these original eight categories, how many of those now have like subcategories? And subcategories ended up coming up between like 250 and 300 actual permutations of these scams evolving. And that's the tricky part about it is, you know, in the past you'd be like, hey, you'll know these Nigerian prince scams, they have very consistent templates, right? It's like always there's some money you look for some weird words, it's always a prince or a princess, you know. But now these scams are very different and evolving and very much more like finely tuned to certain things. So like for example, you know, you and I live on the east coast. Easy pass. I always try to remember that, make sure I top off my easy pass. But those toll scams are like so prevalent and you see them all the time. And so like, and depending on like the, I think the difference is like depending on the person that is being the victim. You know, in that case a lot of these are like the funnel system. You try to blast this out and you get a certain percentage of people coming back. But then there's also targeted or like longer term. So the one thing that we've seen a lot of evolution on is it's not like the quick transactional scams of like, you know, like we just had easy pass. So there was Flubot in the like 2020 and beyond. But now you have these like pig butchering scams which it starts with like very simple hello, how are you? Can you give me a thousand dollars? Obviously I'm exaggerating that but like you know, it takes many like steps. And what was most interesting is I attended the Global Anti Scam alliance meeting in Northern Virginia two weeks ago and they talked about, I think the longest type of scam that was run was like seven years. So you know, we're all thinking about these like very fast transactional ones. But it's actually quite a bit now shifting. The other big thing that I would say is that you know, of course there's like sextortion, there's like targeting of the elderly. So that's what I was saying about the permutations. It's not really just like back to these eight original categories. There's just so many deviations. But the one thing I'll say is it all starts with the same thing, right? You can, you can unpack this into like from, from our perspective on Android to three buckets. There's the contact method, right? We just said like calls and texts are number one. Third party messaging apps, are there email. So there's like the top four contact methods, right? Then there's the actually how they, they attack vector. So like for example in different, different markets, you know malware based financial fraud is very popular. So they, they contact you pretending to be your bank and say hey there's something wrong with your account. Install this app to quickly fix the issue. Just like the IT support scams on your desktop, right? You install a piece of malware, that malware simply just can collect your login details and then they can log in as you and basically deplete your account. Right. The other one that you see targeting elderly primarily but very popular on desktops, could be done on mobile as well as screen sharing. So like I can, you know, I'm a support person, I asked you share your screen, I could just see what you're doing. And then the third thing of course is just like traditional social engineering where they don't really make you install anything, they just trick you and you disclose this information not willingly but just to them. Right. And so from the Android side like for each of those different attack vectors we've actually been building ongoing list of mitigations. So like for the malware we have Google Protect, which is the thing we talked about quite a bit in Singapore. It's the world's largest anti malware solution across three plus billion devices. Scans, you know, every piece of every app you have on your device every day, everything you download and install. For screen sharing we've done a good job of blocking out these sensitive input fields. So like when you do share your screen, nobody can see you logging into your bank, nobody can see the one time passcode. And then for you know, the just the broader social engineering bucket we've done a lot on like real time on device AI powered warnings. That's a mouthful and really going heavy in identity verification. So like you know, if you've seen rcs, the rich communication service is becoming very popular for text messaging, you know that has an aspect so like you're communicating with the business. A lot of businesses are moving to rcs. It's called RCS for business. You get this like verification. They have been vetted as a legitimate entity. Gifts are shaken for calls, you know, so like there's you know even Gmail has a verification. So like my Coinbase account has like a cryptographic verification that is coming from Coinbase for example.

B (10:57)

Maybe talk a little bit about, you mentioned there's a lot of different permutations of these types of scams and fraud. Are there certain things that seem to be more prevalent regionally? I know again in more like the enterprise security threat space you see certain types of malware, certain schemes that are more common in the Eastern European markets which may differ from what we see in Portuguese speaking underground dark web markets, stuff like that. So do you see also kind of with the scam space where there are regional geographic differences in the types of scams that are approached?

A (11:33)

Certainly I think like for example malware based. So not the scam, like the scam type but more of the attack vector. So the scam types are like all around, right? It's always like could be job, could be you know, something with the, with the government or the bank calling you, IT support, whatever. You know, it could be just like a too good to be investment or some new sale going on. So like the, the actual scam type, the script that's being used, I think those don't really change too much regionally. I think it's the vector that really is different. And so in a lot of these markets you have this, have had digital transformation. So like Southeast Asia, Latin America where like they really are moving kind of straight to money on the phone, right and doing transactions. And so a lot of those providers are using like single one time passcodes for verification or authentication. And so it becomes very easy like with malware, you know, approach A lot of these users already used to like installing from outside sources where those apps could be more risky. So their appetite like risk appetite is slightly different. And so you know, convincing them sending a link over WhatsApp third party messaging app or you know, sending them a link just in text to download from a browser, like they'll do that and they install something and that's you know I think in, in like Western Europe, North America for example, I think you see a lot more of the, it's a, it's a scam but like it's really more of you like being socially engineered in some way, right? You fall for the scam and you just pay for it. You, you know, you, you pay for your easy pass toll, right. Or some kind of discrepancy on a bill and you just pay. But you're not installing any malware. The other thing I think that's been interesting rise of is and this is actually something the global anti scam alliance talked about as well. This concept of fake merchants is coming up now. So it's not like you know, you kind of get tricked into, you want to go buy something, you, you, it's too good to be true. Almost like it's such a good deal, you go buy it but you give your money, you get nothing back in return. And that's a tough one because they're not necessarily impersonating anybody. So it's harder to take those down because how do you prove that they are in fact a legitimate vendor?

B (13:46)

So it would be like someone on some like e commerce site who has pictures of some item they're selling it but then they never deliver that item.

A (13:53)

Yeah, exactly. Luke's widgets and you know you've done a great job with SEO and you have a really flashy website, you've attracted a lot of attention. People were like, wow, these widgets are super cool. I need a widget, I buy the widget, it never comes.

B (14:09)

You've already started to touch on it a little bit. But given that we're talking about, you know, quite a breadth of different types of activity, how do you, you know what's been sort of the approach to addressing this?

A (14:19)

Right.

B (14:20)

Encountering this because again it was interesting to hear a little bit about some of the things that across Android we've been involved in doing to counter this problem. But it is since it's so multi pronged, where do you start? How do you think about approaching this? Are there certain of these vectors that are sort of easier to tackle more lower hanging fruit and others that are like more difficult to chip away at?

A (14:40)

Yeah, that's a really good question. I think on a principal basis it's kind of like defining the threats. Right. So we talked about the contact methods and the attack vectors and then we just started thinking about what the mitigations that we have in place. I think one of the principles that we've kind of applied is we always start with warnings to the user and the more real time the warning can be, the, the, the better. So example in Google messages in phone by Google Google messages default on all Android apps. Phone by Google's default on many of the I'm sorry Android phones and phone by Google's default phone app. On many of the Android phones we've added this kind of, it's called scam detection and it's literally a large language model that's been tuned towards these scams to identifying these scams and it's now built in. So when you get a call or text in real time you'll see like an alert. Like when you're on the call you actually will hear auditory and haptic feedback to kind of make you pause. Because I think the most important thing with scammers is again for the tradition like the stuff where they transactional, they really try to rush you. It's kind of like really aggressive inside sales organization for an enterprise. You're like come on, this deal is going to go away, you got to close it now. Scammers are in some ways they run this massive sales infrastructure, right Organizations and for that like having that to kind of break them out of the spell because scammers are really good psychology experts. So they really get you to the point where you start trusting so much that you just follow instructions. You know, I mean, we've all been there, right? Like, when you're at that point where like, somebody's like, do this, do that, do this, do that, and you're just like, just. You're not even questioning anymore because you built that trust. And, you know, if somebody's giving you some, like, for me, it's like, I'm not the most handy person in the world. So, know, somebody tells me, like, first you unplug this and then you do that. I'm like, I'm not even questioning more until I get electrocuted, right?

B (16:22)

So. Well, and especially you mentioned, like, the screen share in the context where a scammer would be using that technique where they are somehow reaching out to some sort of, like, you know, help desk technician or someone else walking you through. I could see how in a lot of contexts that would just feel like a natural thing where the conversation has not progressed at this point. And you're like, okay, yes, I'll hand over access and visibility to my phone to this other person who's helping me out.

A (16:48)

The thing is like, okay, so back to the warning. So we provide a warning, and that's where the scammer actually is really good at incorporating that into their script. So back to the screen sharing example. When you share your screen on any computer or phone, it says, hey, be careful what you're sharing. They'll see everything. And what the scammers can be like, hey, don't worry, that's fully normal. Everybody goes through that. And so there's this, like, acceptance of the warnings also. I think we see so many warnings in our daily lives now because of, like, cookie consents and all these other warnings. I mean, I try my hardest, especially when I travel to Europe, I'm like reading every single disclaimer and like, you know, which cookies I want to not approve for what use. But, like, how many people are desensitized to that now? Just ignore the warning. So, like, the warning is the first step, trying to really disrupt. The second is, can we do something more serious? And I'll give you some examples of this. Okay, so for example, in Google messages, we have scam detection. So let's say you were trying to scam me. We did this really cool live demo, by the way, two weeks ago. I was very excited that it actually showed all these features. But, like, you're trying to scam me. Scam detection kicks In I might not heed that warning. I'm like, oh well Luke sounds trustworthy. He sent me a link, I should click that link. We actually blocked that link from being clicked. Like we make you go like we add a lot of friction on purpose because now we have a high confidence that this is a scam to prevent you from going further. Similar with like installation of an app, right? Like even though you've there's a warning, it's like, are you sure you want to install this app? This could be risky. Then Google Play Protect kicks in and we'll scan it and block the install if we detect it's malicious, right? So, you know, I think those are like the extra steps that we try to put in place. Similar with, we launched a new feature for banks where if you're on a call with an unknown caller, they make you do a screen sharing session and your bank shows up and it's like, hey, this is likely a scam, we're going to hang up for you. My favorite thing that I always show people and I know you're a pixel user like me and like the, the most impactful thing is out of sight, out of mind. And so that's where like we have really cool features like call screen for your phone where like automatically screens the call, listens to what they're saying and if it assigns it as a scam, you don't even see the call. Right? Like for unknown callers. My biggest mistake was in turning that on for my wife one time because you could do manual and you could just thankfully bleeps out the curse words. So you know, but you could see this live transcription but for messages, the same thing. Like I always tell people, go look at your spam and block folder and you will be shocked how many messages you never saw. And that's like every message that is not actionable by you means that's one less potential opportunity for a scammer to scam you.

B (19:10)

When you mentioned the usage of AI and I think this is, you know, a perfect use case for its application security where given the somewhat rote, formulaic nature of the scripts that are being used, the mechanisms, et cetera, being able to train models specifically on this problem and be able to tackle this problem at scale seems very, very promising. It sounds like there's already been a lot of success with this.

A (19:32)

Absolutely. I mean I think we've done a fantastic job by one actually relying on the power of the device. I think there's still this like the average user consumer, they're still Learning about applications of AI and I think AI for personalization, there's still some growing pains of understanding what's being used and this and that. So there's like healthy skepticism, although it's improving. And I think everybody's trying to really push for privacy preserving approaches there. Having on device models makes that like not a problem. And so like these features are on device privacy preserving, like you said, they're like trained for this purpose and they do a really good job of detecting and it's something we can keep updating and for these basic scripts and one good analogy, like so I've been going to Singapore for this event, the you know, Singapore National Library for a couple years now. And a couple years ago there was really good talk and this kind of leads to, you know, I always joke about good AI, like the only way you can fight bad AI was with good AI. And there was like a director of cybersecurity from Estonia, I want to say, and he's like, hey, we are like the Navajo code talkers. We are a very small country. Our language is very hard to master. Every single Estonian can easily pick up a, you know, scam message because they'll know like it's just not like the language is difficult. And he's like then came AI and now you can't discern anything. Right. And so I think that's where, you know, right now we're not seeing it at like what it could be in the future. I think with AI, with deep fakes and cloning and all these things. I mean I certainly try at least as just practical jokes or scaring people. I've definitely. It's fairly easy to clone somebody's voice. And you're on YouTube, I'm on YouTube. It's not very hard to deepfake us.

B (21:09)

Some of our red teamers have been able to successfully use that in engagements, you know, voice cloning, building models specifically for that.

A (21:17)

Oh yeah, yeah. And there's so many open source ones too. That's the thing. Like sure. Like I think a lot of the commercial AI systems out there, like they do a good job of watermarking and preventing malicious abuse and try to do like liveliness detection to see that it's like really you reading a custom script. But we're not seeing that yet. I think that's where. But you, you're starting to see some of those. I think it's not at the same scale because the current approaches still work, you know, and those are being somewhat automated. There's been a, there was an Interesting video. I don't want to say cool, make it sound like it's impressive, but like you can see a lot of these scams now are so turnkey that it's almost like a touch based system. You run, you, you get credits on a. It's like an IVR for scammers where basically you see this interface on your phone and it's like press one to initiate the scam and then it, you know, initiates the scam. It's like, and they went through like, then I press 2 to keep going further and it's like it's become so turnkey. I think that like the economies of this are like scaling and scaling because like as we try to scale our defenses, obviously you see scammers leveraging the power of AI to scale their approach to do more with less.

B (22:18)

In some ways that's certainly, I think been something where I would say analogous on the enterprise security side. I think something we are starting to see more indications of. I don't think it's fully emerged yet, but certainly starting to see more of it which is just sort of AI moving out of, oh, here's an interesting novel thing that I can do, but now being adopted in a way that is starting to change the speed and scale of an adversary's operation. And then also I think there's the usability component to this as well, which I don't know what the barrier to entry on a lot of the traditional scams that you've observed is, but now it sounds like it's moving to a place where there's more tools out there that for people that are interested in setting up some of these activities and campaigns, maybe it is easier for an average person now to engage in this sort of activity.

A (23:06)

I love quoting or misquoting movies. And in Spider Man, Uncle Ben said to Peter, with great power comes great responsibility. And you know, I think anybody building commercially off the shelf AI systems is definitely taking that care, but everybody else is not. You know, the bad, the bad actors are not. And I'm just thinking to myself, like you can imagine using like some open source intelligence tools to quickly understand who are the top executives at this company and then be like, just create an agentic workflow. Take those executives and see how many of them have recorded videos on YouTube. Take those videos and crop a 10 clip, 10 second clip of audio and video, convert that into a clone and then you know, start creating like who, who works for them, like go to Crunchbase, whatever, like build that whole tree out and then you can Build your own kind of like solution there for, you know, for targeted scams in the enterprise space. Right. So I think it's uncharted territory. And I think that's where like I was saying before, there's definitely that spillover between consumer and enterprise because it'll be the same tactics. They're just gonna use different scripts, sort of speaking like of how they make that con. Like the contact methods will stay the same. Right. But it's going to be the what they say and who they use to try to like convince you of it. And you've seen that before. Like I forgot like in Southeast Asia like a year or two ago, there was like the first, you know, AI scam where like the like the CEO of the company like called and his assistant was like, I need you to wire this money right away. You know, and they did it, right? Like they didn't even guess, they didn't think about it. So like I think that's the direction we need to start thinking about. It's like, how can I verify that the person on the other end is really them? This is not AI generated. There's a lot of technologies that are being built, right? There's digital watermarking for AI generated content. We have like Synth id. I think many AI systems have built their own. That's important at some point that there's interoperability and then there is digital attestation or provenance like ctpa, which Google's heavily involved in, so is Adobe and others where like anything that is, whether it's audio, video, you know that it's coming and it hasn't been modified. It's, it's natural coming from a real camera source, you know what I mean? So like between those, the verification of like the call or text or email, you have these multi factors now if you can piece them together, you can create like a risk score of like, is this really somebody or not tying

B (25:18)

this all together and kind of looking ahead as to where this goes next. I mean you've already touched on a little bit of how AI is sort of shaping the landscape on both the offense and defense side. You know, it seems like there's been a lot of really good wins this year. Obviously this, this problem continues to grow and there's more awareness of the problem as well. But it seems like there's been a lot of good wins as to actually applying some of our technologies here and putting a significant dent in the ability for these scams to reach people. Right. Like going back to what you're talking about with just you know, blocking some of these calls and messages, increasing friction for the adversary. Where do you see sort of this continuing to evolve into, are we going to see new schemes, new mechanisms? There seems to also be like globally more of an interest in governments and this is kind of becoming more on their radar as it directly affects their citizens. And so there's more interest there I think. Yeah. How do you see this all sort of like evolving over 2026?

A (26:17)

Yeah, I mean there's a lot to unpack there. Like just to take a pause because reflecting at the end of the year, I know this is going to come out in January but like you know we've done a fairly Good job. There's third party research, you know, YouGov did a study we sponsored but like they found like Android and Pixel users substantially got less scan messages. So that's a kind of a good proof point. You know we actually got like from a third party, a counterpoint research analyst firm said we had the most AI powered protections for scams, which is pretty awesome. And then there was a actual scam study done by a third party security firm that said that we had the most like scam and fraud and theft features. And I think you're right. Governments are doing a lot. And I actually see this great theme of public private partnership. It's a common theme. It was discussed in Singapore, it was discussed at this global anti Scam alliance event. I think it's important to recognize who the key stakeholders are in order to make this successful. The government's got to play the role. There's a lot of awareness. They have to drive, they got to bring industry together and treat them as a partner. So like they got to do their part. We as industry have to like protect users at the end of the day like it's a shared responsibility. The government wants to protect the citizens, we want to protect our customers or our users. You know like everybody should have some basic protections especially because this is truly damaging their livelihoods and so. But there's a third part there which is the developer and I think they have a role to play as well there because like on Android we do a good job of writing them signals and we've seen a lot of the fintech and banking apps use, like we have Display Integrity API as an example where now they can detect if like they should trust the underlying operating system and the device in its current state. So like that gives them kind of a zero trust risk based approach they can take to decide whether they allow the person trying to log into their banking app at that time in or not. And so like if we're all playing our part, I think you see a lot of success. And Singapore kind of keep talking about them like they were like a really good proof point of that for us last year. You know, they came to us and said hey, we're having like malware based financial fraud is an issue. How do we work together? We actually worked on a feature together as part of Google Protect. We call it enhanced fraud protection. It proved to be very successful. We use it as a case study. Thailand did it, then Brazil implemented it. Turned like we turned it on market by market, kind of growing and growing and happy to say now it's like 180 plus countries, almost 3 billion devices that have this feature on globally. And honestly the only places that it's not on right now is like Western Europe and us, Canada because like there you see this kind of like more friction with regulators on taking on some of this functionality where I think in these other markets they've been pretty fast to accept it. But I think like that partnership is really important and it's like a great success when things are aligned. Because at the end of the day the fundamental principles we want to protect our shared constituents. Yeah.

B (28:58)

And when you talk about, you know, threats to, to consumers, I mean that is something that we all face obviously security and protecting the enterprises in the corporate sector and government that we do, you know, a lot traditionally from the mandiant and GTIG side is important, but the consumer side is something we're all, we're all part of that. Right? The average users 1.

A (29:18)

And at the end of the day every enterprise customer is a consumer and that actually ironically is another vector. Right. Like if you can get access to them on their personal side. Actually Bob Lord, who was the CISO of the DNC and then he worked at cisa, he had this really simple checklist and he really believed like you will get consumers or enterprise users to really care about their cybersecurity hygiene when they can also do it for themselves personally. And I think that's the key word there is hygiene. You know, you have the government, us as like the handset OS provider, app developers, but the user, the consumer themselves has to play an active role too because at the end of the day Bruce Schneider always says in any security model the user is the weakest link. And they even if you put all these guardrails to help them and protect them and speed bumps and blocks and this, you know, they have to have a healthy sense of skepticism and keep their hygiene up, right? Just like they should be exercising and brushing their teeth and going to the doctor. Like, you want to make sure that you're kind of doing the same things. Enable things like passkeys, you know, and phishing resistant technologies. Make sure your device is always up to date. Like heed the warnings, you know, always when you see something that looks is too good to be true, you should really pause and think about that. Like, does that actually make sense? I think those basic principles will keep people safe because I think the one thing that's most important is the average person thinks they'll never be scammed. And you know, I always love proving people wrong on that. And like just using some of these demos and proof of concepts to show like, no, you would fall for it. Like everybody I would fall for. I mean, like, I'm being honest, right? Like, I think in the right circumstance with the right triggers, you know, like I said, scammers are psychology experts. So like, having that healthy sense of skepticism is very important. Zero trust back. It all goes back to zero trust. Like I always tell people, I don't trust anybody.

B (31:04)

Well, that's a fantastic place to end on. But Eugene, this has been fantastic. Again, this is something I was curious to dive into further with you because it has come up in a lot more conversations this year. So I'm excited to see what we'll see from Android next year around countering this space and sort of how things develop going forward.

A (31:24)

Thanks again for having me and hope you have an awesome holiday season.

B (31:27)

Take care.

A (31:39)

Sa.