AI Scam Texts Are Now $88/Week. Here's What That Means
Google is suing a Chinese smishing operation that used AI to send 2.5M scam texts in two weeks. The scary part isn't the volume, it's the price.
An AI-powered phishing kit that pumps out scam text messages now rents for less than a month of most streaming subscriptions. That's the number I can't stop thinking about after reading TechCrunch's report that Google sued an alleged Chinese cybercrime operation called Outsider Enterprise.
The group sent 2.5 million text messages in two weeks and scammed hundreds of thousands of victims. But the figure that should worry every builder and small-team founder reading this isn't the volume. It's that the tooling reportedly rents for $88 a week.
π The economics just flipped against defenders
For years, running phishing at scale took real effort: building convincing fake sites, writing copy that didn't read like a bad translation, and rotating domains faster than they got blocked. According to Google's complaint, Outsider Enterprise sold all of that as a subscription product.
| What they allegedly sold | Detail from the complaint |
|---|---|
| Phishing-as-a-service kit | $88/week or $200/month |
| Pre-built fake-site templates | 290+ mimicking legitimate brands |
| Fake websites deployed | 9,000 live sites |
| Fraudulent domains | Around 1 million |
| AI used to generate the fake sites | Google's Gemini, per Google's filing |
The part I find most telling is the last row. Google is accusing a scam operation of using Google's own Gemini to build the fake pages, then hosting some of them on Google Drive and Google Cloud. The same generative tools we use to ship products faster also lower the cost of faking those products.
Key takeaway: AI didn't invent phishing. It removed the two things that used to limit it β the cost of writing convincing content and the skill of building fake sites at scale.
π Why the message volume is the real story
Volume is what turns a clever scam into an industrial one. Google said Android users flagged 55,000 spam texts in two weeks this past May, which it described as more than two spam complaints a minute.
Put the numbers next to each other and the asymmetry is obvious:
- 2.5 million texts sent in two weeks
- 36,000 payment cards reportedly stolen from institutions in 95 countries
- The FBI estimates roughly $1.9 billion in losses tied to this kind of stolen-card activity
A campaign like this doesn't need a high hit rate. If one in a thousand recipients taps the link and enters a card number, the operator still wins, because sending the next million messages costs almost nothing. That math is why smishing (SMS phishing) keeps growing, and it's the same math that lands fake "your parcel is held at customs, pay the fee" texts in Sri Lankan inboxes every week.
π οΈ How to actually tell a real link from a fake one
You don't need a security team to defend against this. You need a couple of habits that survive a convincing message. Here's the checklist I give friends and family:
- Never tap a link in an SMS to log in or pay. Open the app or type the official domain yourself. Real banks and couriers do not need you to use their link.
- Read the domain right to left. The real owner is the bit just before the first single slash.
dialog.lk.secure-login.cois owned bysecure-login.co, not Dialog. - Distrust urgency. "Account suspended," "parcel held," "claim before midnight." Pressure is the product. A real institution gives you time.
- Check the sender, not the logo. Logos and copy are now AI-generated and look perfect. The page can be flawless and still be a trap.
Bottom line: The fake site will look real. That's the whole point of the AI. So stop judging legitimacy by how polished a message looks, and judge it by how you arrived at the link.
If you're a developer, you can pull a suspicious link apart safely before clicking anything. Our free URL encoder/decoder will expand the percent-encoding that scam links use to hide the real destination, so you can read where a button actually points.
π‘ What this means if you ship products
This case is a warning for builders, not just consumers. If you run any service with a login, you are now a template. Outsider Enterprise allegedly shipped 290+ ready-made clones of legitimate brands, and adding one more is trivial. A few things I'd treat as non-negotiable:
| Defense | Why it matters now |
|---|---|
| Real multi-factor auth | A stolen password alone stops being enough |
| Out-of-band confirmation | Confirm payments by a second channel, not the same SMS thread |
| Domain monitoring | Lookalike domains of your brand are cheap to spin up |
| Clear "we never SMS links" policy | Train users so a fake stands out |
The other lesson is for anyone building on top of generative AI. The same Gemini, GPT, or open-source model that drafts your marketing page can draft a perfect clone of someone else's. "It looks professional" is no longer evidence of anything. Provenance is, and we're going to need better signals for it than a clean UI.
π What this means for you
Whether you're a student in Colombo, a freelancer billing clients abroad, or a two-person team shipping a side project, the takeaway is the same: the cost of attacking you just dropped, and the quality of the bait just went up.
You can't out-spot an AI-written scam by looking for typos anymore, because there won't be any. What you can do is change the rule you live by. Stop trusting links because they look right, and start trusting only the paths you control: the app you opened, the domain you typed, the second channel you confirmed on.
Google's lawsuit may shut down one operation. The $88-a-week business model it exposed isn't going anywhere. Build and browse like that's true, because it is.