With input from Axios, CNBC, NPR, CBS News, and Reuters.
Google is going on offense against a sprawling smishing ring it says is churning out fake toll and package-delivery texts by the millions. In a civil suit filed in the Southern District of New York, the company targets an alleged China-based operation dubbed “Lighthouse,” a phishing-as-a-service shop that rents out scam kits like software subscriptions. Pay a fee, pick a template, launch a wave of texts, and funnel victims to counterfeit websites that look uncannily like the US Postal Service, E-ZPass, city agencies, Apple—even Google itself.
This isn’t just one crew blasting spam from a back room. Google’s complaint sketches a full stack: developers building the kit, data brokers feeding target lists, spammers blasting messages via banks of SIMs, and a “theft group” moving stolen money and reselling card details. At its most aggressive, Lighthouse allegedly spun up roughly 200,000 fake sites in just 20 days, hit more than a million potential victims in at least 120 countries, and — across campaigns — may have exposed anywhere from 12.7 million to 115 million US credit cards. The FBI says Americans lost more than $16 billion to scams last year; Google argues operations like this are a big reason why.
The mechanics are depressingly slick. A text says you owe a toll or a package can’t be delivered. Tap the link and a pixel-perfect spoof asks for card details. You don’t even have to hit “submit” for crooks to win, because keystrokes are siphoned in real time. If your bank uses two-factor authentication, the kit triggers a legitimate code to your phone, then baits you into entering it on a fake screen so the thieves can add your card to a digital wallet and spend instantly. Google says it found more than a hundred Lighthouse templates hijacking its own branding on sign-in and payment pages, and it estimates the syndicate has amassed upward of a million victims.
Legally, Google is throwing the kitchen sink: trademark claims for the impersonations, computer fraud counts for the intrusions, and even RICO, the racketeering law more often associated with mafia takedowns than text scams. The defendants are listed as John Does — handles traced to Telegram where Lighthouse sells access “weekly, monthly, seasonal, annual, or permanent” — because the people behind the platform are overseas and largely anonymous. The point isn’t a perp walk so much as prying apart the infrastructure: win a judgment, then pressure hosting firms, payment processors, ad networks and other platforms to yank domains, kill accounts and cut off cash.
There’s a policy push here, too. Alongside the suit, Google is backing three anti-scam bills in Congress — the GUARD Act, the Foreign Robocall Elimination Act and the SCAM Act — to give law enforcement more tools and funding to go after cross-border fraud hubs. The company also says it’s been suspending accounts that used fake identities to buy online ads steering people to sham retail sites, and it’s rolling out new protections in Google Messages, including AI-powered spam detection and key-verification features.
If you’re wondering what to do right now, the boring advice still works: don’t click links from “urgent” texts, navigate to the official site yourself, and never share a one-time code on a page you didn’t seek out. But the bigger lesson sits with the lawsuit: scam crews now operate like startups, at global scale. Fighting them will take more than blocking numbers — it will take court orders that pull their business model apart, one link in the chain at a time.









