Google on Wednesday announced that it has filed a lawsuit against an international cybercriminal network responsible for orchestrating large-scale SMS phishing attacks, or “smishing.” In an official blog post, the company revealed that the malicious group operated a phishing-as-a-service (PhaaS) platform named “Lighthouse”, which enabled criminals to launch widespread phishing campaigns targeting users worldwide.
The tech giant said the attackers exploited trusted brands such as E-Z Pass to deceive individuals and steal sensitive financial information. According to Google, victims received fraudulent text messages containing links that led to fake websites impersonating legitimate platforms, prompting them to disclose confidential details including email credentials and banking data. These attackers reportedly misused brand trademarks and logos to enhance the credibility of their fraudulent sites.
Google’s investigation uncovered over 107 website templates mimicking its own branding, particularly sign-in pages, which were designed to trick users into believing they were interacting with authentic Google services. The company estimates that this operation has already inflicted “immense financial harm,” with over one million victims identified across more than 120 countries. In the United States alone, it is believed that attackers may have stolen between 12.7 million and 115 million credit-card numbers.
Explaining the mechanism of the attack, Google’s general counsel, Halimah DeLaine Prado, told CNBC: “The ‘Lighthouse’ enterprise or software creates a bunch of templates in which you create fake websites to pull users’ information.”
To combat the threat, Google said it is taking legal action under multiple laws—including the Racketeer Influenced and Corrupt Organizations (RICO) Act, the Lanham Act, and the Computer Fraud and Abuse Act—in an effort to dismantle the attackers’ “core infrastructure.”
In addition to the lawsuit, Google announced that it is deploying AI-powered features to detect and flag scam-related messages, such as fake toll-fee or package-delivery alerts, in Google Messages. The company is also working to block malicious links, expand account-recovery options through Recovery Contacts, and strengthen public education initiatives around fraud awareness.
“We hope these efforts will help more people be safe online,” Google said, adding that it continues to collaborate with policymakers and support bipartisan cybersecurity legislation in the U.S. Congress to strengthen global digital safety.
