Submitted by Global Scam Watch on

Scammers increasingly leverage the reputation of Google to orchestrate sophisticated cyberattacks, with a particularly dangerous phishing campaign currently targeting Google Meet users. This attack does not simply aim to steal a password; instead, it exploits a legitimate Windows feature to trick users into enrolling their computers in a malicious device management system.

How the Google Meet "Update" Scam Works

The attack typically begins when a user visits a compromised website or clicks a link in a fake meeting invitation. A highly convincing pop-up appears, often claiming that a "technical issue" with the microphone or camera requires an urgent update to the Google Meet software.

When the victim clicks the "Update" button, the site triggers a Windows "deep link" using the ms-device-enrollment URI scheme. This is a built-in Windows tool designed for IT administrators to manage company devices. By clicking through the subsequent Windows system prompts, the user unknowingly grants an attacker-controlled Mobile Device Management (MDM) server full administrative access to the PC. This allows the criminal to bypass browser security, install persistent malware, and monitor all activity without any visible icons or program entries.

This current threat shares significant similarities with the tactics described in a previous article on cloned Google Meet pages. While cloned pages typically focus on harvesting login credentials through visual deception, this update scam establishes deep, persistent control over the operating system itself. Both methods rely on the high level of trust users place in professional collaboration tools.

Red Flags to Watch For

Recognizing the subtle signs of a scam is essential for community safety and loss mitigation. Watch for these specific indicators:

  •   In-Browser Update Prompts: Google Meet is a web-based service. It updates automatically in the background. Any browser pop-up or website claiming you must manually download an update to join a call is a major red flag.
  •   System Enrollment Prompts: Be extremely wary if a website triggers a Windows system window asking to "Enroll" your device or "Connect to a workplace."
  •   Urgency and Technical Failures: Scammers use artificial pressure, claiming your "meeting is starting" or your "hardware is incompatible," to rush you into making a mistake.
  •   Mismatched URLs: Always check the address bar. Official meetings occur on meet.google.com. Links using domains like google-join.us or web-google.com are fraudulent.

Broader Scam Trends

While the Google Meet update scam remains a primary concern, it belongs to a broader trend of brand impersonation involving various Google services:

  •   Google Coin Scams: Fraudulent websites promote a fake cryptocurrency called Google Coin, often using AI chatbots to provide deceptive investment advice.
  •   Calendar Phishing: Malicious actors use automated meeting invitations to inject phishing links directly into user schedules, a tactic explored at .
  •   Collaborative Tool Abuse: Attackers exploit the trust inherent in shared platforms to distribute malware or harvest data, and file sharing login information 
  •   Industrialised Fraud: These individual tactics often originate from large-scale criminal enterprises, a concept discussed at .
  •   Ransomware Evolution: The shift toward gaining full device control reflects a broader trend in how attackers pivot to maintain persistent access