THE FRAUD IS A FEATURE DOSSIER / 05 EXHIBITS
Investigative Dossier · The Google File · Compiled 2026 · Commentary & cited record

The Fraud Is a Feature.

Five exhibits on how Google — the most trusted name on the internet — quietly removed the safeguards that protect its users, and kept the parts that pay. A dossier on what Google could fix in an afternoon, and chose not to.

The Case

One company sits astride the world's email, phone, search, and advertising. The same company keeps removing the controls that let anyone fight abuse on those systems.

This dossier is not about a single scam email. It is about a pattern — five separate decisions that each follow the same shape. Take a system people learned to trust. Quietly strip out the accountability that made the trust safe. Keep the part that generates revenue. Point the victims at someone else.

Each exhibit stands on cited reporting, federal indictments, antitrust testimony, and a United States senator's letters. None of it requires assuming malice. The point is simpler and harder to dodge: every lever Google pulled lowered the cost of committing abuse and raised the cost of stopping it.

Phishing reports: deleted, then sold back as an API. Scam phone numbers: no way to report — "call the police." Email origins: hidden from the defender, kept for Google. Search: degraded on purpose to sell you more ads. And advertising itself: a machine that bills you for the bots.

Read them in order. By the last exhibit, the throughline stops looking like a series of unfortunate product choices and starts looking like a business model.

The Pattern · stated once

Take a thing people trusted, hollow out the part that served the user, and keep the part that serves Google.

The Exhibits
01
Safe Browsing · Phishing Reporting

The Dead Front Door

They removed the front door. For years anyone — a victim, an IT admin, a random good samaritan — could paste a phishing URL into a simple form and feed Google's blocklist that protects billions of Chrome / Android / Gmail users. Google quietly 404'd it. There is now no clean public way for an ordinary person to report a phishing site to the single most widely-deployed safety blocklist on earth. That's not a UX oversight; that's closing a free public-safety channel.

The asymmetry now openly favors scammers. A criminal can register a throwaway domain, throw it behind a CDN, and have a working credential-harvester live in minutes. The defender's side of that equation — "tell Google so it warns everyone" — used to take 30 seconds and now takes... nothing, because the door's gone. When you make attacking frictionless and defending impossible, you've effectively picked a side, whether you meant to or not.

"They gated a public good behind a paid product."

Reporting didn't disappear — it got funneled into the Web Risk Submission API, a Google Cloud billable service. So the free civic act of "here's a scam, please block it" is now a developer / enterprise feature you provision and pay for. Turning crowdsourced threat intel — which users hand them for free and which makes Google's own products safer — into a monetized API is about as cynical as it gets.

And their detection is bad enough that they needed those reports. Independent testing in early 2026 found Safe Browsing missed roughly 84% of confirmed phishing sites. So at the exact moment their automated detection is demonstrably failing, they cut off the human reports that could backfill the gap. They made a weak system weaker and harder to help.

The contrast makes it worse. Cloudflare, Netcraft, APWG, registrars — all still run open, free, no-login abuse forms because they understand reporting is a community immune system. Google, the company with the most reach and the most to gain from a clean web, is the one that walked away from it.

The bottom line: every hour a phishing page stays unlisted, more people get robbed. Google had the cheapest, highest-leverage tool to shrink that window — millions of free human reports — and they deleted it and put a price tag on the replacement. You don't have to believe they're rooting for scammers to see that the practical result is the same: less friction for the attacker, more friction for everyone trying to stop them. For a company whose entire brand is "organizing the world's information safely," abandoning the safety reporting channel is a genuinely bad look — and the people who pay for it are exactly the non-technical users Google claims to protect.

02
Google Voice · Scam Numbers

Call the Police

They run the phone network but won't police it. Google hands out Google Voice numbers for free, instantly, by the thousand — and those numbers have become a dominant scam vector, roughly 60% of all scams reported to the Identity Theft Resource Center in a year. But when a victim says "this Google number is robbing people, take it down," Google's answer is essentially: not our job — file with the FTC and have the cops subpoena us. They own the infrastructure, they provision the weapon, and they outsource the cleanup to overwhelmed government agencies and the victims themselves.

"'Call the police' is a non-answer and they know it."

Local PD is not going to open a case over one scam text, can't act on a VoIP number, and has no fast channel to Google. Pushing every victim to law enforcement isn't a solution — it's a dead end dressed up as due process. It guarantees the number stays live, because the realistic outcome of "report it to the FTC" is a statistic in a database, not a disconnected line. Meanwhile the scammer is already running the same script from the next free number.

It's the Safe Browsing move again — offload abuse, keep the asset. Google removes or never builds the easy reporting path, then redirects you to a third party (FTC, police, "law enforcement can contact us"). The common thread is Google refusing to take responsibility for abuse on its own platform while keeping all the upside of running it. They'll instantly create a number; they won't lift a finger to kill one without a badge attached.

The asymmetry is the whole scam-enabling part. Spinning up a fraudulent Google Voice number: seconds, free, no friction. Getting one taken down: file federal paperwork, involve police, hope a subpoena eventually lands on Google's desk. When the attacker's path is a button and the defender's path is a court process, the platform has functionally optimized itself for the abuser. You don't have to claim intent — the design choice protects scammers and exhausts victims, full stop.

And they have everything needed to fix it. Google has the account, the originating IP, the device fingerprint, the velocity signals — they can spot a number blasting scam texts trivially. A simple "report this number" form feeding that signal would let them nuke abusive numbers in minutes. They built that exact kind of self-serve abuse tooling for advertisers and YouTube creators. The capability isn't the problem; the willingness is. For a company that operates a phone service used to defraud people at industrial scale, "we don't take reports, call the cops" isn't a policy — it's an abdication.

Bottom line: Google has quietly made itself one of the easiest large platforms to commit fraud through and one of the hardest to report fraud to. That's not neutrality. When you make abuse effortless and reporting impossible, you're not staying out of it — you're subsidizing it.

03
Gmail · Hidden Origins & Anonymous Accounts

Bait and Switch

Google spent two decades getting the entire internet to trust gmail.com — and then quietly stripped out every safeguard that made that trust safe. That's not negligence. That's a bait-and-switch run at planetary scale.

We trusted it because it used to be accountable. There was a time when email carried its origin. You could see where a message actually came from. Senders were traceable. That traceability is the entire reason spam filters, IT departments, and ordinary people learned to let Gmail through the front door. Google earned that green light fair and square — and then yanked the wiring out from behind the wall while we kept waving its mail in.

They deliberately blinded the defender. Gmail refuses to show the originating IP of the sender. Not "can't" — won't. They have it. They log it. They keep it for themselves and hand the victim nothing. So when a criminal emails your company from a Gmail address, the one piece of evidence that would let you geolocate them, block them, attribute them, or report them is surgically removed before it reaches you. They didn't fail to provide accountability. They engineered its absence.

Then they threw the doors open to anyone. Free accounts. Instant. No real identity check. No verification that survives contact with a determined fraudster. A scammer can mint a fresh, fully-trusted @gmail.com in the time it takes to pour a coffee — and every one of those accounts inherits Gmail's spotless sending reputation the moment it's born. Anonymous creation + invisible origin + inherited trust = a turnkey fraud machine, and Google ships it for free.

"Betrayal after dependency is the oldest evil there is."

This is the part that makes it evil: it happened after we committed. We didn't open up to gmail.com knowing it was a sewer. We opened up to the Gmail that was trustworthy, traceable, accountable — and then Google changed the deal. They let the trust calcify into infrastructure, let the whole world build on the assumption that Gmail was safe, and only then dismantled the protections underneath it. They converted a service we relied on into a security threat retroactively, after the lock-in, after the trust was load-bearing. You can't opt out of trusting Gmail anymore — too much of the world runs on it — and Google knows that, and stripped the safeguards anyway.

Strip away the PR and the math is obscene. Frictionless to attack, free to attack, anonymous to attack, trusted by default when you attack — and on the defender's side: no IP, no report button, no takedown, no recourse but "call the FTC." Every single design choice points the same direction. When every lever you pull lowers the cost of fraud and raises the cost of stopping it, that's not a privacy philosophy. That's a side. And Google picked the scammers'.

They had the most trusted name in email and the deepest abuse-fighting toolset on Earth. They chose to hide the evidence, open the gates, and walk away — and then let us discover, after we'd already bet our companies on it, that the thing we trusted had been quietly turned into a weapon. That's not a platform with a spam problem. That's a platform that decided the spammers were a feature, and the rest of us were collateral.

04
Search · Engineered Friction

Worse on Purpose

Search was supposed to be a promise: ask, and get the best answer as fast as possible. The entire value of a search engine is getting you to leave quickly — found it, done, gone. Google spent years perfecting exactly that, earned the world's trust, became a verb. And then they realized the awful truth of their own business model: a search engine that works instantly is a search engine that shows you fewer ads. Every second you don't spend scrolling is revenue they didn't capture. So they did the unforgivable thing — they made it worse on purpose.

The fast answer became the enemy of the business. When you find what you need in the first result, Google gets one shot to monetize you. When you can't — when you have to scroll past a screen of ads, then a "People also ask" box, then a sponsored block, then SEO sludge, then finally something useful three scrolls down — Google gets to throw ad after ad after ad in front of you the whole way down. Your frustration is their inventory. Every extra scroll, every "hmm that's not it, let me rephrase," every re-search is another fistful of ad impressions. The degraded result isn't a failure of the product. It is the product now.

"There was a tug-of-war between giving the user the answer and keeping the user searching — and the money won."

This isn't a conspiracy theory — they wrote it down. When Google's own internal emails got dragged into the light during the antitrust proceedings, the rot was in their own words: the ads-and-growth side of the company pushing to juice query volume and engagement — i.e., make people search more — while the people who actually cared about search quality lost the fight. They didn't stumble into worse results. They deliberately tuned a system that was already good at finding answers to instead be good at not quite finding them — because a satisfied user is a user who closed the tab.

They weaponized their own monopoly to get away with it. This only works because you have nowhere else to go. A company in a competitive market that intentionally degraded its core product would bleed users overnight. Google could crap on the experience precisely because they'd already won — default on every browser, every phone, the verb for "look something up." When you own the only road, you can fill it with potholes and toll booths and people still have to drive it. Lock-in first, enshittification second. That's the sequence every time.

And a federal court has now put it in writing. In April 2025, U.S. District Judge Leonie Brinkema ruled in a 115-page decision (U.S. v. Google LLC, E.D. Va.) that Google illegally monopolized the ad-tech markets — the publisher ad server and the ad exchange — and unlawfully tied them together, finding Google "willfully engaged in a series of anticompetitive acts" that included eliminating desirable product features. Degrading the product to entrench the monopoly is no longer just a user's complaint — it is a court finding. Google's second major antitrust loss, after Search.

"The platform just continues to intentionally become worse… as they continue to remove control."
r/googleads — working advertisers debating whether Google can even be sued. Anecdotal practitioner testimony, not evidence — but it is the lived complaint behind the court findings.

And the page itself tells the story. Ads styled to look like results so you misclick into revenue. A sponsored carousel above the actual answer. An "answer box" scraped from the very sites they're burying, designed to keep you on Google instead of sending you onward. The organic results — the thing you actually came for — shoved below the fold, sandwiched in SEO garbage that thrives because Google rewards engagement-bait over substance. Every pixel of that layout is optimized for one metric, and it isn't "did the user find it." It's "how many ads can we charge for before they give up or click one."

This is the same playbook as everything else they touch. They didn't get worse by accident or by neglect. They looked at a product that respected your time and decided your time was theirs to sell. They made the answer harder to find because your struggle is the business model. That's not a search engine anymore. It's a slot machine that occasionally dispenses information to keep you pulling the lever.

On the record
  1. Internal Google emails & testimony, U.S. v. Google LLC — DOJ antitrust trial exhibits (2023): "Code Yellow" pressure to grow query volume vs. the search-quality team.
  2. Judge finds Google holds illegal online ad-tech monopolies — Brinkema, E.D. Va., Apr 17 2025 (CNBC)
  3. District Court Rules Google Is a Monopolist in Ad Tech — Simpson Thacher analysis
  4. Advertiser sentiment (anecdotal): r/googleads — "Is a class action lawsuit against Google for Google Ads ever likely to take place, and actually succeed?"

05
Advertising · The Nail in the Coffin

The Bot in the Machine

Everything else — the hidden IPs, the dead report forms, the rigged search page — is prologue. This is the part that exposes the whole con, because this is where Google doesn't just tolerate fraud. It bills you for it.

The business model has a rot at its center: Google is paid by the impression and the click — including the fake ones. When a bot loads an ad, that's a charged impression. When a bot clicks an ad, that's a charged click. The advertiser's card gets hit either way. And Google — the company selling the ad, counting the impression, grading whether it was valid, and pocketing the money — is the same company asked to police whether any of it was real. They are the referee, the scorekeeper, and the team that profits from the final score. No serious industry lets one party do all four. Ad-tech does, and Google built the biggest version of it on Earth.

"Willful blindness, all while profiting from this fraudulent activity." — Sen. Mark Warner, to the FTC

This isn't a theory. A sitting U.S. Senator put Google's name on it. After a BuzzFeed News investigation exposed a fraud ring spanning 125+ Android apps and websites generating hundreds of millions in bogus ad revenue, Senator Mark Warner wrote to the FTC that Google "may have engaged in willful blindness, all while profiting from this fraudulent activity." Read that again — willful blindness while profiting. That's the Senate Intelligence Committee's vice chair describing the exact incentive structure: Google runs the Android store the fraudsters exploited and the ad networks that paid them. Warner has been hammering this since 2016, pressed the FTC again in 2018 over its "inadequate response," and as recently as March 2025 went back to the FTC, DOJ, and AG because the fraud is still rampant — and now bilking U.S. government ad budgets too.

The scale is not a rounding error — it's an industry built on phantoms. When the DOJ and FBI took down the Methbot and 3ve botnets in 2018, here's what they were charging advertisers for:

400M/day · Methbot — fake video ad impressions per day, spoofing 250,000+ URLs
$5M/day · Methbot peak fraudulent revenue
12B/day · 3ve — fabricated impressions per day across 10,000 fake sites & 1.7M infected PCs
$84B · Juniper Research: 22% of all 2023 digital ad spend lost to fraud

All of it invoiced to real advertisers as real eyeballs. And that was two botnets. Nearly a quarter of the entire digital-ad economy is paying for ghosts.

Now the nail in the coffin — why Google doesn't really want to stop it. Independent audits consistently find Google identifies and refunds only 40–60% of fraudulent clicks. Not because they can't find the rest — this is the company that can read your email, predict your next word, and fingerprint your device across the internet. They could detect sophisticated bot traffic. They choose a level of detection that catches the obvious garbage and waves the sophisticated stuff through, because every dollar of fraud they don't catch is a dollar they keep. Aggressive fraud filtering shrinks Google's revenue; lax filtering grows it. So the company's financial self-interest points in exactly one direction: detect just enough to keep advertisers from quitting, and not one click more. They are economically rewarded for failing to stop the theft, because they're a cut-taker on the theft. A bank that earned a percentage of every counterfeit bill it processed would not be in a hurry to buy a counterfeit detector either.

And the same machine that defrauds advertisers also poisons democracy. The bot infrastructure doesn't only fake ad impressions — it fakes attention itself. Fake impressions, fake clicks, fake engagement manufacture a fake reality: a fringe campaign looks like a movement, a manufactured talking point looks like consensus, a paid bot swarm looks like "everyone's saying it." That's the bandwagon effect, weaponized — engineered popularity that bends real voters who assume the numbers are real. This is precisely why Warner co-authored the Honest Ads Act: the unverified, bot-saturated ad pipeline that lets a scammer fake 12 billion impressions a day is the same pipeline that lets a political operator — foreign or domestic — buy a fake groundswell. When you build a system that can't (won't) tell a human from a bot, you haven't just enabled ad fraud. You've handed every manipulator a machine for manufacturing fake public opinion, and you've charged them a convenience fee to use it.

This is the throughline of everything in this dossier, finally laid bare. Hide the sender's IP, kill the abuse report, rig the results page, and count the bots as customers — every single one is the same move: Google takes a system people trusted, removes the accountability that protected them, and keeps the part that pays Google. The ad-fraud racket is just the most expensive and most honest version of it, because here the victim isn't only being deceived — they're being invoiced for the deception. A company that profits from fraud, audits its own fraud, refunds half of what it admits to, and lets the rest ride is not a victim of bots. It's a partner of them. And a senator said as much, on the record, years ago — and nothing changed, because nothing was ever supposed to.

The Verdict

The fraud isn't a bug in Google's paradigm. The fraud is a revenue line.