Google has filed a lawsuit against a foreign cybercriminal group responsible for a widespread SMS phishing campaign, commonly known as "smishing," targeting users across the globe. The operation, which Google has dubbed the "Smishing Triad," is believed to be largely based in China and operates using a phishing-as-a-service platform called "Lighthouse." According to Google, the group has compromised over a million victims in more than 120 countries. The attackers exploit trust in well-known brands such as E-ZPass, the U.S. Postal Service, and even Google itself by sending deceptive text messages. These messages often mimic urgent alerts—such as fraud warnings, delivery updates, or unpaid government fees—and contain malicious links leading to counterfeit websites designed to steal sensitive personal and financial information. Google general counsel Halimah DeLaine Prado told CNBC that the "Lighthouse" platform enables the creation of numerous fake websites using pre-made templates. These sites are crafted to look legitimate, often incorporating Google’s branding on login screens to deceive users into entering their credentials. The lawsuit, filed under the Racketeer Influenced and Corrupt Organizations (RICO) Act, the Lanham Act, and the Computer Fraud and Abuse Act (CFAA), aims to dismantle the criminal network and shut down the "Lighthouse" infrastructure. Google is seeking to prevent further proliferation of the scam, deter similar criminal activity, and protect both users and legitimate brands from ongoing misuse. The company estimates that the group has stolen between 12.7 million and 115 million credit card records in the United States alone. Internal and third-party investigations revealed that approximately 2,500 individuals were actively involved in the syndicate, communicating through a public Telegram channel to recruit new members, exchange tactics, and maintain the platform. Google identified three specialized groups within the operation: a "data broker" team that supplied victim lists and contact details, a "spammer" group responsible for sending the fraudulent texts, and a "theft" group that coordinated attacks using stolen credentials, often sharing results on Telegram. This marks the first time a major tech company has pursued legal action specifically targeting SMS phishing scams. Google is also advocating for three bipartisan legislative initiatives aimed at combating cybercrime and protecting consumers. These include the Guarding Unprotected Aging Retirees from Deception (GUARD) Act, the Foreign Robocall Elimination Act—which would create a federal task force to tackle illegal foreign robocalls—and the Scam Compound Accountability and Mobilization Act, which focuses on dismantling scam operations and supporting survivors of human trafficking linked to these centers. The lawsuit is part of Google’s broader effort to strengthen cybersecurity and raise awareness among users. Recently, the company introduced new safety tools, including the Key Verifier feature and AI-powered spam detection within Google Messages, to help users identify and avoid fraudulent messages.