I noticed my monthly Google Maps Static API (Static Maps) usage has been increasing on a monthly basis, from 30K -> 55K -> 80K (check at Billing -> Transactions). I switched all static map request code to MapBox and realized my Google Maps Static API (Static Maps) usage didn't decrease, while my MapBox Static Images API call count is only around 30K.
I suspect someone is stealing my API key, so I tried to look for clues at Google Maps -> Metrics, selecting Maps Static API from the drop-down. This dashboard only shows the daily Requests by API and Requests by credential, but there is no report or log which shows where (which domain and URL) and how the API is accessed.
Since I know which credential the API is called with, I went to the Credentials page to check if the credential is secured. It is secured with Application restrictions: HTTP referrers (websites), with Website restrictions on my domain name only (not even localhost). I
If you visit How do I securely use Google API Keys, you will see the first comment noting that restricting the key to a URL isn't secure, since the HTTP Referer header can be easily spoofed. Reading further in Google Maps Platform best practices: Securing API keys when using Static Maps and Street View APIs, I found out that the request URL can be signed using a secret key for added security.

The next step up is to sign your request URL and disable/limit requests to unsigned URLs (Google Maps -> Quota, select Maps Static API and set the request limit for unsigned requests to 0). Refer to Secure Google Maps Static API (Web) With Signed Url (Python).
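As an added example (not from the linked post), this is the URL signing scheme Google documents for Static Maps, written in Python: HMAC-SHA1 over the path and query, keyed with the base64url-decoded signing secret, with the result appended as a `signature` parameter. The secret, API key and map coordinates are constructed placeholders; the `verify_signed_url` helper is my own addition showing why a signed URL cannot be reused with a different `center` or `zoom`.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlparse

# Constructed placeholders: a real URL signing secret is the URL-safe base64
# string shown on the Credentials page, and the key is your own API key.
URL_SIGNING_SECRET = base64.urlsafe_b64encode(b"placeholder-secret!!").decode()
API_KEY = "PLACEHOLDER_API_KEY"

UNSIGNED_URL = (
    "https://maps.googleapis.com/maps/api/staticmap"
    "?center=1.3521,103.8198&zoom=13&size=600x300&key=" + API_KEY
)


def _signature_for(path_and_query: str, secret: str) -> str:
    """HMAC-SHA1 over path+query, keyed with the base64url-decoded secret."""
    key = base64.urlsafe_b64decode(secret)
    digest = hmac.new(key, path_and_query.encode("utf-8"), hashlib.sha1).digest()
    return base64.urlsafe_b64encode(digest).decode("utf-8")


def sign_static_map_url(input_url: str, secret: str) -> str:
    """Append &signature=... so the request counts as signed.
    Only the path and query are signed, never the scheme or host."""
    url = urlparse(input_url)
    path_and_query = url.path + "?" + url.query
    signature = _signature_for(path_and_query, secret)
    return f"{url.scheme}://{url.netloc}{path_and_query}&signature={signature}"


def verify_signed_url(signed_url: str, secret: str) -> bool:
    """Recompute the signature over everything before the trailing
    &signature= parameter and compare in constant time. Any change to
    center, zoom, size or key invalidates the signature."""
    url = urlparse(signed_url)
    parts = url.query.rsplit("&signature=", 1)
    if len(parts) != 2:
        return False  # no signature present: this is an unsigned request
    unsigned_query, presented = parts
    expected = _signature_for(url.path + "?" + unsigned_query, secret)
    return hmac.compare_digest(expected, presented)


SIGNED_URL = sign_static_map_url(UNSIGNED_URL, URL_SIGNING_SECRET)

if __name__ == "__main__":
    print(SIGNED_URL)
    print("verifies:", verify_signed_url(SIGNED_URL, URL_SIGNING_SECRET))
```

With the unsigned-request quota set to 0, a leaked API key alone is no longer enough: a request also needs a valid signature, and the signing secret never leaves your server.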
In my case, I am temporarily no longer using Google Maps Static API, so I just disabled the Maps Static API.