Google’s June 2026 Pixel Drop introduces a feature that checks whether an incoming call actually originates from a contact’s real device, flagging potential impersonation attempts before the recipient ever answers. The mechanism, called fake call detection, sends a silent encrypted signal between phones to confirm the caller’s identity at the hardware level. With U.S. consumers losing $12.5 billion to fraud in 2024 and impersonation scams alone accounting for $2.95 billion of that total, the update targets one of the most persistent attack vectors in telecommunications: spoofed caller ID.
How the encrypted handshake blocks spoofed calls
Phone by Google now performs what the company describes as a “digital handshake” whenever a saved contact calls. The caller’s device sends a real-time, silent confirmation signal to the recipient’s phone. If the signal does not arrive or fails to match, the recipient sees an on-screen warning before picking up, giving them the chance to end the call immediately. The entire exchange runs over end-to-end encrypted RCS, meaning the verification data stays private between the two devices and cannot be intercepted or replicated by a third party spoofing the number.
This approach differs from post-pickup screening tools, including Apple’s call-screening features, which analyze voice patterns or caller behavior after the audio connection has already started. Google’s method intervenes a step earlier: it confirms the physical device behind the number before any conversation begins. For scammers who rely on caller ID spoofing to impersonate banks, government agencies, or family members, the handshake creates a barrier they cannot clear without controlling the actual contact’s phone.
The feature ships as part of the June 2026 Android update and requires Android 12 or later along with RCS capability. That means older devices without RCS support and phones running pre-Android 12 software will not receive the update. Google has not published data on how many active Android devices meet both requirements, so the initial reach of the rollout is difficult to estimate precisely.
What remains uncertain about real-world performance
Several questions sit unanswered in the available documentation. Google has not released any independent audit of the handshake’s failure rate or its false-positive frequency. A false positive, where a legitimate call from a real contact triggers a spoofing warning, could erode user trust in the system quickly. Similarly, the company has not addressed how the feature handles calls from contacts who use non-RCS devices, older Android versions, or iPhones, all of which cannot participate in the encrypted handshake.
No public data yet tracks complaint volume or fraud losses specifically tied to verified RCS calls versus unverified calls. According to the FTC’s latest fraud statistics, imposter scams were the second-highest reported loss category at $2.95 billion in 2024, but those figures predate the handshake feature and do not break down losses by the communication protocol used. Whether the verification step produces a measurable decline in impersonation losses within the next year will depend on adoption rates, carrier cooperation, and whether scammers shift tactics toward channels the handshake cannot reach, such as traditional voice calls over non-RCS networks.
Europol’s analysis of caller ID spoofing frames the core problem clearly: phone numbers alone cannot prove identity, and spoofing remains a primary tool for social-engineering fraud across borders. The paper offers policy analysis but does not include quantitative measurements of spoofing success rates on RCS networks specifically. That gap matters because Google’s solution is built entirely on the assumption that RCS encryption can serve as a reliable identity layer, a premise that has not been stress-tested at scale by an independent body.
Separating device-level evidence from broader fraud trends
The strongest evidence supporting Google’s approach is technical rather than statistical. The encrypted handshake is a direct, device-level check that either confirms or denies the caller’s hardware identity. That binary signal is harder to fake than caller ID metadata, which carriers and regulators have struggled to secure for years despite frameworks like STIR/SHAKEN in the United States. While STIR/SHAKEN helps authenticate phone numbers as they traverse carrier networks, it does not guarantee that the person behind the number is who they claim to be, nor does it prevent a criminal from using a legitimately assigned number on a compromised device.
By contrast, fake call detection treats the device itself as a kind of cryptographic token. When a trusted contact calls, their phone and the recipient’s phone exchange a short-lived proof that both endpoints are genuine and in possession of the same secure messaging channel. A scammer who merely spoofs the number cannot generate that proof, because they do not control the victim’s contact’s physical phone or its cryptographic keys. In theory, this should sharply reduce impersonation attempts that depend on faking a familiar caller ID to gain instant trust.
However, technical soundness does not automatically translate into population-level impact. If only a fraction of users on each side of a call have compatible Android versions and RCS enabled, many high-risk calls will still fall back to unverified status. Fraudsters may also adapt by steering targets toward channels outside the handshake’s reach, such as social media, email, or messaging apps that lack similar device-level verification. Measuring success will therefore require more than counting how many warnings appear on Pixel screens; it will require tracking whether overall impersonation losses decline or merely migrate.
The FTC has separately highlighted its own enforcement actions against impersonation scams, signaling that regulatory pressure on this category of fraud is intensifying alongside private-sector solutions. But enforcement data and Google’s product announcement serve different purposes. The FTC tracks losses after fraud occurs, documenting how much money consumers actually lose and through which broad scam categories. Google’s feature attempts to prevent the fraud from starting by interrupting a single, critical contact point: the first phone call where the scammer pretends to be someone the victim already trusts. Neither dataset, on its own, can prove the other’s effectiveness.
Practical limits users should understand
Readers who own Pixel phones or other Android devices running Android 12 or later should check that RCS is enabled in their messaging settings. The fake call detection feature activates through Phone by Google and does not require a separate app download, but it cannot function without the underlying RCS channel. For anyone receiving calls from contacts who use iPhones or older Android devices, the handshake simply will not fire, and those calls will arrive without the verification badge. That limitation is worth understanding before assuming every incoming call from a known contact has been checked.
Users should also treat the absence of a warning as one signal among many, not a definitive guarantee of safety. A verified call confirms that the device belongs to the saved contact, but it does not prove that the person using the device is acting in good faith or has not been coerced. Likewise, a warning on a call from a genuine contact could reflect temporary connectivity issues or misconfiguration rather than an active attack. Google will need to communicate these nuances clearly to avoid overconfidence on verified calls or panic on flagged ones.
From a policy and ecosystem perspective, fake call detection illustrates how device manufacturers are trying to compensate for weaknesses elsewhere in the telephony stack. Carriers and regulators have spent years tightening controls around caller ID and cross-border routing, yet spoofed calls continue to reach consumers at scale. By shifting some of the verification burden to the endpoints and leveraging encrypted messaging protocols, Google is effectively building a parallel trust layer that sidesteps some carrier constraints. Whether that model can be extended beyond Android-to-Android calls, or harmonized with existing regulatory frameworks, remains an open question.
Google’s bet is that stopping impersonation at the device level will meaningfully shrink the window in which scammers can exploit blind trust in caller ID. The encrypted handshake cannot solve every dimension of phone fraud, and its benefits will be uneven until more devices and platforms adopt compatible verification schemes. Even so, it marks a tangible step toward treating phone calls with the same kind of cryptographic rigor that already protects modern messaging and web traffic. If consumers, carriers, and regulators align around that direction, the familiar act of answering a call from a known number may finally become less of a leap of faith.
More from Morning Overview
*This article was researched with the help of AI, with human editors creating the final content.
