6 min read By Excello Mail Team

Google's June 2026 Fraud Advisory: AI Scams Grew 1,210% and Email Authentication Is Still the Foundation

Google's official June 2026 fraud advisory documents 1,210% growth in AI-powered scams and $580 billion in global fraud losses. Email is still the primary delivery channel. Here is what DMARC enforcement does and does not protect against in this environment.

Google published its June 2026 fraud and scams advisory this month, drawing on data from the NASDAQ Global Financial Crime Report and its own threat intelligence teams. The headline numbers are significant: global fraud losses reached nearly $580 billion in 2025, roughly one in five adults fell victim to a scam, and AI-powered fraud grew by 1,210% compared to the prior measurement period. The advisory is not an abstract warning. It is a current-state report from the company that processes more email than any other organization on the planet.

For anyone responsible for email security, the advisory has a clear implication: the fraud infrastructure targeting your recipients has never been more capable, and the baseline controls that stop the most preventable class of attack, domain spoofing, are still not universally deployed.

What Google’s Advisory Documents

The advisory identifies three dominant attack patterns in the current threat landscape.

The first is impersonation at scale. Criminals claim to be government agencies, financial institutions, technology support teams, and enterprise vendors. The contact arrives by email, text, phone call, or video chat. The communication is convincing because AI generation has made grammatically correct, contextually appropriate impersonation cheap to produce at any volume.

The second is deepfake-driven fraud. The advisory notes that deepfakes now constitute 11% of global fraudulent activity. Voice cloning allows attackers to replicate the voice of a known colleague or executive with a short audio sample. Video deepfakes allow real-time impersonation in calls. The technology has moved from sophisticated nation-state tools to commodity capability available through commercial fraud kits.

The third is hybrid delivery chains. Attackers are combining email as the initial contact vector with phone calls, text messages, and video sessions to build the kind of multi-step engagement that overcomes a recipient’s natural skepticism. Adversary-in-the-middle phishing kits intercept authentication sessions in real time, capturing session cookies alongside credentials and bypassing multi-factor authentication entirely.

Why Email Remains the Entry Point

Each of these attack patterns has a common origin: most of them begin with, or are supported by, an email.

The initial impersonation contact is typically delivered by email because email is the communication channel with the lowest barrier to mass delivery. It does not require the attacker to have the recipient’s phone number. It does not require a compromised account to look legitimate. In the absence of proper domain authentication, anyone can send an email claiming to come from any domain.

That is the problem DMARC was built to solve.

What DMARC Enforcement Stops

DMARC, together with SPF and DKIM, creates a verifiable link between the domain in the From header of an email and the infrastructure that sent it. When a receiving mail server checks a message from your-bank.com, it verifies that the sending server is authorized by your-bank.com’s SPF record and that the message carries a DKIM signature from your-bank.com’s key. DMARC ties those checks to a published policy that tells the receiving server what to do when they fail: nothing (p=none), quarantine the message (p=quarantine), or reject it outright (p=reject).

At p=reject, an attacker who tries to send email claiming to be from your-bank.com without access to your actual mail infrastructure will have that message blocked before it reaches any inbox. The spoofed email from your-bank.com impersonating your fraud department, the fake invoice from your-vendor.com asking for a wire transfer, the phishing alert from [email protected] directing employees to reset their passwords – all of these depend on the attacker’s ability to use your domain without authorization. DMARC enforcement at p=reject removes that capability.

This is the protection that 1,210% growth in AI-powered fraud makes more important, not less. AI lets attackers craft spoofed email that is indistinguishable from legitimate communication in tone, format, and context. The signal that remains detectable is the domain authentication signal. A message that fails SPF and DKIM alignment is detectable even when its content looks perfect.

The Gap Google’s Advisory Highlights

The advisory notes that attackers are not limiting themselves to obvious spoofing. Many impersonation campaigns now use lookalike domains, newly registered domains, or legitimate infrastructure they have compromised or rented. These attacks may pass DMARC checks against the lookalike domain because the lookalike domain itself is properly configured. The attacker is not spoofing your-bank.com. They are registering your-bank-security.com and applying SPF, DKIM, and a DMARC policy to it.

This is the ceiling of what domain authentication can stop. It eliminates unauthorized use of your domain. It does not prevent attackers from registering visually similar domains and authenticating those.

The advisory recommends that recipients verify sender domains carefully before acting on any request involving credentials, payments, or sensitive information. That advice makes more sense when recipients are trained to recognize the difference between paypal.com and paypal-account-verify.com. BIMI, the Brand Indicators for Message Identification standard, supports this by displaying a verified brand logo in the inbox at major mail clients when a domain has both a DMARC enforcement policy and a verified mark certificate. A recipient who has seen your logo consistently displayed in their inbox will notice its absence when a lookalike domain tries to impersonate you.

What the Adoption Data Still Shows

Despite broad awareness of these requirements, the enforcement gap remains wide. Research published in the first half of 2026 consistently shows that more than 70% of domains with DMARC records remain at p=none, the monitoring-only policy that collects data but blocks nothing. A domain at p=none offers no protection against spoofing. Any attacker can send from it freely.

The EasyDMARC 2026 DMARC Adoption Report found 52.1% of the top 1.8 million domains have a DMARC record, a meaningful gain over prior years. But the majority of those records are still at the monitoring stage. The gap between having a DMARC record and having DMARC enforcement is the gap between knowing you have a problem and actually closing the door.

In the environment Google’s advisory describes, closing that door is not optional.

Three Things to Check This Week

If your organization sends email, these are the three checks most worth completing before the week ends.

Verify your DMARC policy level. A DNS lookup for _dmarc.yourdomain.com will show your current policy. If it returns p=none or no record at all, your domain can be spoofed by anyone with a mail server. Moving to p=quarantine is a conservative intermediate step that preserves deliverability while filtering spoofed messages to spam folders. Moving to p=reject is the enforcement state that blocks them entirely.

Review your DMARC aggregate reports for the past 30 days. Aggregate reports show every IP address and mail service that has sent email claiming to come from your domain, along with their SPF and DKIM pass rates. Any source you do not recognize is either a forgotten service you authorized or an external party spoofing your domain. Both need investigation.

Confirm all authorized sending sources are covered. Marketing platforms, transactional email services, CRM systems, support platforms, and any other third-party service that sends on your behalf must be covered by your SPF record and signing with DKIM using your domain. Sources that are not covered will fail authentication once you enforce. Finding them before you enforce is the work that makes enforcement safe to complete.


Excello Mail gives you a live view of your DMARC aggregate reports, your sending source inventory, and your authentication policy across every domain you manage. As AI-powered fraud continues to grow, knowing exactly who is sending email from your domain is not a nice-to-have. Sign up for free to Excello Mail and close the door that Google’s advisory says attackers are still walking through.