Google warns phishing services now use RCS and iMessage to bypass SMS filters
Google Threat Intelligence Group says Chinese-language phishing-as-a-service platforms are increasingly using RCS and iMessage to deliver malicious links directly to users’ phones. The shift helps scammers avoid many traditional SMS filtering systems and makes phishing messages look more convincing.
The findings come from a new Google Threat Intelligence Group report that examined a dozen active phishing-as-a-service offerings in the Chinese-language underground. Google says these platforms have matured into full criminal services that help low-skilled attackers steal payment data, intercept one-time passwords, and abuse digital wallets.
The threat is no longer limited to fake login pages that collect passwords. These services now support real-time account takeover workflows, where attackers watch victims enter credentials and then capture one-time codes before they expire.
Why attackers are moving beyond SMS
Traditional smishing attacks often rely on plain SMS. Carriers and security providers can scan those messages for suspicious links, blocked domains, and common scam patterns.
Chinese-language phishing operators have adapted by leaning on richer messaging systems. Apple says iMessage protects messages and attachments with end-to-end encryption between sender and receiver. Google also says Google Messages can use end-to-end encryption for eligible RCS chats.
That encryption helps protect privacy, but it also limits what network-level filters can inspect. As a result, attackers can send polished phishing lures through channels that feel more trusted than a basic text message.
Key details at a glance
| Topic | Details |
|---|---|
| Threat type | Phishing-as-a-service and smishing |
| Main delivery channels | RCS and iMessage |
| Primary goal | Payment data theft, OTP interception, and digital wallet abuse |
| Threat ecosystem | Chinese-language underground phishing services |
| Example platform | YY Lai Yu |
| Known scale | More than 400 templates across 119 countries for YY Lai Yu |
| Recommended defense | FIDO2/WebAuthn, risk-based checks, and device fingerprinting |
How the real-time phishing flow works
The attack often starts with a message that looks like it came from a bank, delivery company, card provider, rewards program, or payment service. RCS and iMessage make those messages look more legitimate because they support richer formatting, images, typing indicators, and read receipts.
When a victim taps the link, the phishing page collects their login details. The stolen information then appears in a live attacker panel, according to GTIG researchers.
The attacker can then trigger a real login attempt on the legitimate service. When the victim receives an OTP, the fake page asks for that code. If the victim enters it quickly, the attacker can use it before it expires.
Why digital wallets make the scam more damaging
Google says these platforms focus heavily on digital wallet provisioning. That means attackers do not always stop after stealing card details. They try to add the victim’s card to an attacker-controlled device.
Once the card sits inside a digital wallet, criminals can attempt contactless payments, high-value purchases, or ATM withdrawals, depending on the card issuer and local controls.

This makes the attack more dangerous than older credential theft. A stolen password might give access to an account. A successfully tokenized card can become a payment tool that works from a device the victim does not own.
YY Lai Yu shows how localized these services have become
One platform highlighted by Google is YY Lai Yu, first advertised in August 2024. It supports phishing across 119 countries, but Google says its strongest focus has been Japan.
Since November 2025, YY Lai Yu has offered more than 400 templates. These templates impersonate Japanese and global brands, including Apple, Amazon, Nintendo, Rakuten Securities, PayPay, JCB Card, JR, Mercari, and other services used by Japanese consumers.
The platform also uses local themes to increase trust. Google says its lures include points, rewards, and cost-of-living themes such as Japan Winter Electricity Subsidy messages.
Google has already taken legal action against another PhaaS provider
The new research follows Google’s November lawsuit against Lighthouse, another phishing-as-a-service operation. Google said Lighthouse supported large smishing campaigns that abused trusted brands and helped criminals steal financial information.
In that case, Google said Lighthouse harmed more than 1 million victims across over 120 countries. The company also backed legislation aimed at disrupting foreign scam operations and improving consumer protection.
The new GTIG report shows the same broader problem: phishing services now act like criminal software businesses. They sell templates, domains, hosting, message delivery, panels, and payment data workflows to affiliates.
Why RCS and iMessage phishing is harder to stop
Security teams cannot treat these attacks exactly like older SMS spam. Encrypted messaging channels reduce visibility for server-side filtering, while richer message design makes scams look more convincing to users.
Apple’s iMessage security model protects message content from outside access during delivery. That privacy benefit also means defenders need stronger protection on the device, in browsers, and inside financial services.
Similarly, RCS chats in Google Messages can prevent outsiders from reading message content when end-to-end encryption is active. Attackers exploit that trust by moving phishing links into the same polished chat experience that users rely on every day.
How banks and users can reduce the risk
Google recommends stronger authentication that makes stolen OTPs harder to weaponize. The FIDO Alliance says passkeys are phishing resistant because there are no passwords to steal and no reusable sign-in data that can help attackers continue an attack.
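The following is an added example, not code from Google, the FIDO Alliance, or the report. It shows why an OTP relayed through a phishing page is accepted, while a relayed passkey assertion fails the relying party's origin and RP ID checks. The host names, the OTP value, and the sample assertion are constructed. Signature verification over the authenticator data and the client data hash, which is what stops these fields from being rewritten in transit, is assumed to be handled by a WebAuthn library.

```python
import base64, hashlib, hmac, json

RP_ID = "bank.example"                    # assumed relying-party ID
EXPECTED_ORIGIN = "https://bank.example"  # assumed legitimate origin
PHISH_HOST = "bank-example.login.test"    # constructed look-alike host

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def verify_otp(submitted: str, issued: str) -> bool:
    # An OTP says nothing about the page it was typed into, so a code
    # relayed from a fake page verifies exactly like a genuine one.
    return hmac.compare_digest(submitted, issued)

def binding_failures(client_data_json: bytes, auth_data: bytes,
                     challenge: bytes) -> list:
    """Return the names of failed WebAuthn binding checks (empty = pass)."""
    failed = []
    client = json.loads(client_data_json)
    if client.get("type") != "webauthn.get":
        failed.append("type")
    if client.get("challenge") != b64url(challenge):
        failed.append("challenge")
    if client.get("origin") != EXPECTED_ORIGIN:  # written by the browser
        failed.append("origin")
    # authenticatorData: 32-byte SHA-256(RP ID), 1 flags byte, 4-byte counter
    if len(auth_data) < 37 or auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        failed.append("rpIdHash")
    elif not auth_data[32] & 0x01:               # UP (user present) flag
        failed.append("userPresent")
    return failed

def sample_assertion(host: str, challenge: bytes):
    """Constructed stand-in for what a browser and authenticator on `host` emit."""
    client = json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                         "origin": "https://" + host}).encode()
    auth = hashlib.sha256(host.encode()).digest() + bytes([0x05]) + (7).to_bytes(4, "big")
    return client, auth

def compare_relay(challenge: bytes, otp: str = "493817") -> dict:
    """The same relay attempt against an OTP login and a passkey login."""
    return {
        "otp_relayed_accepted": verify_otp(otp, otp),
        "passkey_genuine": binding_failures(*sample_assertion(RP_ID, challenge), challenge),
        "passkey_relayed": binding_failures(*sample_assertion(PHISH_HOST, challenge), challenge),
    }

if __name__ == "__main__":
    print(compare_relay(b"\x01" * 32))
```

The relayed passkey case fails on both `origin` and `rpIdHash` even though the challenge is the real one, because the browser and authenticator record where the ceremony actually took place.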
Financial institutions should also add risk-based checks during wallet provisioning. Device fingerprinting, behavioral signals, and stronger verification can help detect when a stolen card or account is being added to a new device.
Users still need to slow down when messages ask for payment details, OTPs, card information, or wallet verification. A message that arrives through a modern chat protocol can still be a scam.
Recommended steps for consumers and organizations
- Do not enter OTP codes into pages opened from unexpected messages.
- Visit banks, delivery services, and card providers through their official apps or manually typed websites.
- Use passkeys where available, especially for banking, email, and payment accounts.
- Report suspicious RCS and iMessage messages through the device’s reporting tools.
- Enable transaction alerts for cards and digital wallets.
- Review newly added wallet devices and remove anything unfamiliar.
- For banks, add risk scoring and device checks to card provisioning workflows.
The bigger picture
Chinese-language phishing services now offer more than fake websites. They provide a full fraud stack for message delivery, social engineering, credential theft, OTP capture, wallet provisioning, and money movement.
That makes these campaigns harder to fight with awareness training alone. Users may spot some suspicious messages, but real protection also requires phishing-resistant authentication, stronger wallet controls, and faster domain and infrastructure takedowns.
The main lesson is simple: encrypted messaging is not the problem, but attackers are using trusted messaging experiences to make phishing harder to detect. Defenders need to move security closer to the user, the device, and the financial action being requested.
FAQ
Phishing services use RCS and iMessage because these channels look more trustworthy than basic SMS and can make network-level filtering harder. They also support richer message features that help scams look more legitimate.
Phishing-as-a-service is a criminal business model where operators sell phishing kits, fake websites, message delivery tools, live panels, and other services to attackers who may not have advanced technical skills.
Attackers use live phishing panels to capture credentials and one-time passwords in real time. They trigger a real login attempt, ask the victim for the OTP on the fake page, and then use the code before it expires.
Digital wallet provisioning abuse happens when attackers use stolen card data and verification codes to add a victim’s payment card to an attacker-controlled phone or wallet. They can then try to make payments without the physical card.
Users should avoid opening payment or account links from unexpected messages, never enter OTP codes into pages reached through message links, use passkeys where available, and verify requests through official apps or websites.