Google Sues Scammers Using Gemini AI to Power Phishing Attacks

The case that every Irish business should know about

Google has taken legal action against a Chinese cybercrime network that used the company’s own Gemini AI to build and run phishing scams at scale. The case, filed in June 2026, reveals just how organised and automated modern cybercrime has become.

The group, named Outsider Enterprise in Google’s legal filing, operated through Telegram. They offered what security experts call “phishing-as-a-service” — a complete package of scam tools for people who want to run fraudulent campaigns but lack the technical skills to build their own. According to Google, the group provided step-by-step instructions on how to use Gemini AI to create fake websites that looked identical to real services like Google, YouTube, and government websites. The operation offered nearly 300 scam templates.

That is not a handful of poorly made copycat pages. That is an industrial-scale fraud factory.

How the AI-powered scam factory worked

Here is the part that matters for anyone running a business in Ireland. Before AI got good, scammers needed technical knowledge to build fake websites — HTML, hosting, domain registration. That barrier kept the volume of attacks manageable.

Gemini changed that. Instead of learning to code, scammers could ask the AI to build a convincing clone of a bank login page or a government portal in seconds. The quality was good enough to fool most people.

Google, working with AT&T, Verizon, and T-Mobile, managed to block many of the scam text messages linked to this group. Google’s on-device scam detection, built into its Messages app, stops roughly 10 billion scam texts every month. But even that scale of protection cannot catch everything.

The group did not just use AI to build fake sites. They used it to write convincing scam messages, automate replies to victims, and scale their operation far beyond what a human-run fraud ring could manage alone.

What this means for Irish businesses

Your business is a target whether you realise it or not. AI-powered phishing means the scams landing in your inbox are more convincing than ever. The tell-tale signs — bad grammar, generic greetings, obviously fake URLs — are becoming less reliable as AI improves.

Where a scammer once had to write each fake email or build each fake page by hand, AI now does it for them. That means more attacks, better quality attacks, and attacks that adapt faster when old defences stop working.

For Irish businesses, the practical risk is simple. If an employee clicks a link in what looks like a genuine email from Revenue asking them to log in for a “security issue,” that credential is gone. If a supplier email gets faked with perfect grammar and convincing detail, the payment you authorise goes to the wrong account.

Practical steps to protect your business

The same AI that powers these attacks also powers better defences. Google’s scam detection is an example of AI fighting AI. But you cannot rely on tech companies alone.

  • Train your team to stop and verify. If an email asks for a password, payment, or login — even if it looks real — confirm through a separate channel. Call the person. Do not reply to the email.
  • Use multi-factor authentication everywhere. A stolen password is useless without the second factor. This is the single most effective defence against credential theft.
  • Treat anything urgent with suspicion. AI-generated scams are good at creating false urgency. If a message pressures you to act immediately, that is a red flag.
  • Have a response plan. If someone clicks a bad link, what happens next? Who do you call? The quicker you act, the less damage spreads.

Google is suing Outsider Enterprise, and that might slow this particular group down. But the playbook is now public. Other criminals will copy it. The only question is whether your business is ready.