If you own a mobile phone, you’ve probably received dubious texts about missed deliveries or overdue tolls urging you to tap a link. Many of those messages are smishing campaigns—phishing carried out over SMS—that direct victims to fake websites set up to steal payment or login credentials, often using copied brand logos to appear legitimate.
On Wednesday, Google filed suit in the U.S. District Court for the Southern District of New York against an alleged China-based criminal network it calls ‘Lighthouse.’ The complaint accuses Lighthouse of running a Phishing-as-a-Service operation that builds and sells kits of fraudulent website templates and provides technical support to scammers. According to the filing, nearly 200 templates impersonated U.S. organizations, including New York City’s official site, the U.S. Postal Service and the West Virginia DMV.
Google’s general counsel, Halimah DeLaine Prado, said more than 100 of those templates included Google branding on pages that asked for sign-ins or payments, creating a false air of authenticity. Screenshots attached to the complaint also show the misuse of major payment, credit card and social media logos. Google alleges the Lighthouse network targeted victims in over 120 countries and funneled millions of dollars a year to scammers.
The complaint states that between July 2023 and October 2024 Lighthouse created or used 32,094 distinct phishing websites that mimicked the U.S. Postal Service. Google estimates those sites could put between 12.7 million and 115 million U.S. credit cards at risk, though the company declined to offer a precise dollar valuation of damages, calling the harm difficult to quantify.
Google does not identify the defendants by real names. The suit lists them as Does 1–25 and identifies individuals only by handles used on the encrypted messaging app Telegram. Many alleged operatives appear to be based in China and beyond the reach of U.S. courts. Prado said the primary legal aim is deterrence: she seeks a declaratory judgment that Lighthouse’s activities are unlawful so Google can press platforms and service providers to help dismantle parts of the scam infrastructure. Even if specific individuals can’t be located, the company hopes to disrupt the broader networks enabling the schemes.
The lawsuit also serves to raise public awareness about scams. Prado said pursuit of such cases is routine in Google’s legal work, and she looks for matters that can both protect users and draw public attention to widespread threats.
On the same day, Google publicly backed three bipartisan bills pending in Congress intended to strengthen enforcement against fraud: the Guarding Unprotected Aging Retirees from Deception (GUARD) Act, which would enable grant funding for local investigations into fraud targeting retirees; the Foreign Robocall Elimination Act, which would create a task force to block foreign robocalls; and the Scam Compound Accountability and Mobilization (SCAM) Act, which would develop a national strategy to counter locations where people are trafficked and forced to run scam operations.
The case arrives amid other legal pressures on Google. In September a federal judge ordered the company to share search data with some rivals after finding an illegal monopoly in search; another court recently ruled parts of Google’s digital advertising practices violate antitrust laws; and Google has agreed to a proposed settlement with Epic Games over a separate Play Store antitrust dispute.
Disclosure: Google is a financial supporter of NPR.