racheltobac 

Hacker, CEO of SocialProof Security: security awareness/social engineering training, vids, talks, tests, 3X @Defcon🥈, Chair of the WISP board, Tech Advisory Council for @Cisagov
Twitter: https://twitter.com/RachelTobac
Instagram: https://www.instagram.com/racheltobac/
Website: https://www.socialproofsecurity.com/
Pronouns: she/her

WHOA @google let me know they saw my tweet last year & built a tool to defend against that exact call spoofing + AI voice clone attack!

As of today, fake call detection on Android alerts when someone is impersonating your contact. Here's what it looks like:

Ok, so how does fake call detection work?!

1. Attacker impersonates your contact by spoofing their number + voice cloning to steal your money, data, access, etc.

2. Your device knows your real contact’s 'digital handshake' confirmation signal, so when it’s missing, it notices.

3. If it’s missing, your device pings your contact's actual device to double-check their device is placing the call. If their real device says, "I'm not making a call right now," you'll get a warning on your screen about the spoof attack in action.

Fake call detection is on by default and works automatically on Android 12+ devices (so even older phones). Note: Love that this digital check uses end-to-end encrypted Rich Communication Services (RCS) technology, and is completely private. You can also turn this feature off if you prefer.

These types of phone scams are not hypothetical, they're hitting real everyday folks.

FTC cites $2.95 BILLION in losses due to these types of scams in 2024 and people rely on caller ID to verify someone is who they say they are! This will help people avoid sending their money to scammers and I'm so stoked to see it launch today.

Also honored to see the hard work I got to share with the Google team last year continue into 2026 and beyond with the fake call detection launch today! Programmatically catching and shutting down the latest phone call scams (including AI voice clones) is so close to my everyday work and it's such a thrill to work with orgs who prioritize solving this problem and protecting people from scams.

Also, the demo of fake call detection that Google made for me was an early version. In the launch today, the contact’s photo is also removed as another visual signal that it's likely an impersonator calling.

Really cool to see that update in action as we found that impactful in our research together!
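A small model of the three-step check described in the post above, added here as an illustration and not Google's code: the per-contact handshake token, the "contact's device confirms it is calling" outcome and the "device unreachable" outcome are my assumptions, and the numbers are constructed.

```python
import hashlib
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional


class Verdict(Enum):
    TRUSTED = "handshake present: call is from the contact's device"
    CONFIRMED = "handshake missing, but the contact's device confirms it is calling"
    SPOOF_WARNING = "contact's device is not calling: likely spoofed number"
    UNVERIFIED = "could not verify (not a saved contact, or device unreachable)"


def handshake_token(contact_number: str, callee_number: str) -> str:
    # Constructed stand-in for the per-contact 'digital handshake' signal (assumption).
    return hashlib.sha256(f"{contact_number}->{callee_number}".encode()).hexdigest()[:16]


@dataclass
class ContactDevice:
    """The contact's real phone, queried over the private (E2EE RCS) channel."""
    number: str
    calling: Optional[str] = None   # number it is currently dialling, if any
    reachable: bool = True

    def is_calling(self, callee_number: str) -> Optional[bool]:
        # None models 'no answer' (device offline or no RCS path); an assumption.
        if not self.reachable:
            return None
        return self.calling == callee_number


@dataclass
class IncomingCall:
    caller_id: str             # number shown by caller ID; attacker-controlled
    handshake: Optional[str]   # confirmation signal, absent on a spoofed call


def classify_call(call: IncomingCall, callee_number: str,
                  contacts: Dict[str, ContactDevice]) -> Verdict:
    device = contacts.get(call.caller_id)
    if device is None:
        return Verdict.UNVERIFIED                   # check only applies to saved contacts
    if call.handshake == handshake_token(call.caller_id, callee_number):
        return Verdict.TRUSTED                      # step 2: expected signal is present
    answer = device.is_calling(callee_number)       # step 3: ping the contact's real device
    if answer is None:
        return Verdict.UNVERIFIED
    return Verdict.CONFIRMED if answer else Verdict.SPOOF_WARNING


# Constructed scenario: Alice is a saved contact; an attacker spoofs her number.
ME, ALICE = "+1-555-0100", "+1-555-0199"
CONTACTS = {ALICE: ContactDevice(ALICE)}            # Alice's phone is idle
GENUINE = IncomingCall(ALICE, handshake_token(ALICE, ME))
SPOOFED = IncomingCall(ALICE, None)                 # number matches, signal missing
```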

I used deepfakes & injection attacks to hack an identity verification tool used for remote workforce, helpdesk, & onboarding…until they updated the tool to catch me every time.

Thank you Incode for having me hack you 110+ times across 13 distinct attack types to find the latest vulnerabilities and fix them together 🤖🤘

We tested mobile & browser flows: hardware and software video injection, deepfakes, replay attacks, emulators, rooted devices, manipulated identity docs and more.

Mobile held up across every attack we threw at it. Web flows were the only way in.

When we got in with web hardware and software video injection, we gave those vulnerabilities to Incode; they updated thresholds and algorithms within days. When we tested again, we were completely blocked! So cool to see.

This is seriously one of the coolest parts of my job, getting to hack for good. Many identity verification tools have never been tested against real attacker techniques at this depth. This is what it looks like when they are, and when they take the results seriously.

Get our full Pentest Report from Incode by reaching out to see what they can do here: www.incode.com/pentest-socialproof

Infosec Sea Shanty: The Importance of MFA & Password Managers

YouTube
Canvas is hacked and stressing out 230+ million students, teachers and staff during finals. What does this mean and how do we stay safe? What are the next steps for the 8,800 affected schools during finals?
Answered below in my video:

RE: https://infosec.exchange/@racheltobac/116456338137649678

This happened to some of my wife's coworkers.

Have you received a party invite that turned out to be fake (a scam!) in the last 6 months?!
I just broke down how this scam works for the @nytimes so dive into the 2 distinct paths this scam follows, how to catch it, and how to reduce its impact if you do click here:

https://www.nytimes.com/2026/04/23/style/invitation-phishing-scam.html

New Phishing Scam: Fake Invitations

Hackers are spoofing Paperless Post, Evite and Punchbowl to creep into your hard drive.

The New York Times
Want my thoughts on Anthropic's Mythos risk vs hype, how I use AI to bypass identity verification systems now, & more?
Tune in for my Rapid7's 2026 Global Cybersecurity Summit keynote panel 5/12 with @gcluley, @Raj_Samani, @brianhonan
Join me here: https://rapid7.brighttalk.com

If you’re an activist, journalist, exec, or have a high threat model for any other reason, I do recommend using all tools to protect against spyware including Apple’s lockdown mode and WhatsApp’s new Strict Account Settings. Thanks WhatsApp for the partnership to get the word out to folks.

The repairable, customizable, build-it-yourself, physical webcam & mic kill switch, Linux compatible, port swappable @frameworkcomputer laptop has hit the SocialProof office 🤖🤘

@jd "Be politely paranoid" as @racheltobac says. Share a passphrase in advance with family.