Google is adding new protection to its default texting app designed to drain the threat potential of SMS and RCS scams. The freshest additions are a cryptographic identity check known as Key Verifier, and a change that eliminates the use of tap-through links within messages reported for spam already — all designed to make it harder for scammers to impersonate trusted contacts or lead users to malicious sites.
The shift comes at a time when fraud over text is surging with fake package alerts and other schemes.
Text messages have overtaken the phone call as the preferred approach that scammers use to initiate contact, according to a new report from the Federal Trade Commission (a similar story holds for phone calls reporting you’ve won a prize). And losses associated with smishing run into hundreds of millions of dollars each year. Independent telecom analysts have estimated that more than a hundred billion spam texts circulate in the U.S. every year, another reminder of why default protections are important.
What Key Verifier Does, and Why It Matters
Key Verifier is Google’s solution to a decades-old weakness in encrypted messaging: verifying that the person you’re talking to is actually who they say they are, even if a phone number or account has been taken over.
It will also flow from the new end-to-end encryption that Google Messages has; users will be able to compare unique “device keys” out of band, similar in spirit to “safety numbers” in Signal or security codes in WhatsApp.
In concrete terms, it assists in thwarting man-in-the-middle attacks and number takeover attempts like SIM swap or port out frauds, which enable attackers to technically snoop into or spoof a conversation. “Under the hood, every device has a key pair. Chat will verify each key pair and then permanently trust it.”
How the QR Code Check Works for Verifying Keys
To verify a contact, open up the conversation in Google Messages and tap on the contact name at the top of your screen, then hit Verify keys. Each party reveals a QR code corresponding to the key on their device. Both people scan the other’s code and Messages will confirm this with a visible indicator in the thread.
If they get a new phone or switch SIMs, that trust may be erased, since their device key has changed. You will have to scan again to regain verification. It’s a small amount of friction, but it’s an intentional speed bump against impersonation that hits at exactly the moments when attackers are most likely to be in control.
Spam Links Now Unpublished In Junk Threads
With Google Messages, services that mark messages as spam now get some help in preventing links from being clicked. Tap one and you’ll end up with a warning rather than a browser. For this, you’d have to first move the conversation out of spam and into your inbox as some sort of quasi-intent thing, and that adds a buffer preventing countless accidental clicks on hella-malicious phishing pages.
This update adds to Google’s on-device spam detection and Safe Browsing signals that are already available, which inform about such URLs. The update doesn’t eliminate all risk — no auto-filter can — but it significantly shrinks the window where a careless tap sends you toward credential theft or malware.
How This Fits Into The RCS Security Picture
In Google Messages, RCS enables end-to-end encryption for one-on-one chats and, more generally, group conversations when all participants use compatible clients. Encryption alone is great at keeping outsiders from reading content, but it’s not good at proving identity. Key Verifier bridges that void by verifying to the device you are actually encrypting to.
It’s also a forward-thinking move as RCS adoption continues to roll out for Android devices and other platforms have committed to adopting the standard. Bigger networks are bigger targets; a cryptographic trust check built into the default texting app helps take secure messaging mainstream.
Why Friction Can Be a Feature for Safer Messaging
Not every conversation needs to be manual, and that’s fine. Security professionals commonly say that targeted protection must be easy but not invisible. High-stakes threads — financial accounts, intimate contacts, workplace conversations — are best served by the one-time scan that makes impersonation significantly more expensive. The F.B.I.’s Internet Crime Complaint Center has labeled SIM swap as a growing threat; Key Verifier directly neutralizes that move.
Real-World Impact and What You Should Do Now
Consumer watchdogs say a significant portion of people receive the dubious texts, including “package delivery,” “bank alert,” and “wrong number” scams among the most pervasive. Both the FTC and consumer advocacy groups, for example, advise not clicking on links, confirming who senders are through official means of communication, and relying on built-in spam tools — habits that these new safeguards in Messages now support.
If you depend on Google Messages, enable spam protection if it’s not already turned on, confirm the keys for people with whom you generally share sensitive messages, and use unverified changes — such as a contact instantly messaging from a “new number” — as warnings. These features don’t really require a new habit so much as a moment of pause, backed by cryptography, to confirm that yes, this conversation is genuinely private and genuine.
The bottom line: By combining device-level identity checks with safer procedures for handling spam links, Google Messages effectively drops the most abused paths for text-based fraud. It won’t bring an end to every scam, but it does make the easy ones harder — and that’s where security precautions offer the most bang for your buck.
