Scammers Will Try to Trick You Into Filling Out Google Forms. Don’t Fall for It

One of the lesser-known apps in the Google Drive online suite is Google Forms. It’s an easy, intuitive way to create a web form for other people to enter information into. You can use it for employee surveys, for organizing social gatherings, for giving people a way to contact you, and much more. But Google Forms can also be used for malicious purposes.

These forms can be created in minutes, with clean and clear formatting, official-looking images and video, and—most importantly of all—a genuine Google Docs URL that your web browser will see no problem with. Scammers can then use these authentic-looking forms to ask for payment details or login information.

It’s a type of scam that continues to spread, with Google itself issuing a warning about the issue in February. Students and staff at Stanford University were among those targeted with a Google Forms link that asked for login details for the academic portal there, and the attack beat standard email malware protection.

How the Scam Works

These scams can take a variety of guises, but they’ll typically start with a phishing email that will try to trick you into believing it’s an official and genuine communication. It might be designed to look like it’s from a colleague, an administrator, or someone from a reputable organization.

The apparent quality and trustworthiness of this original phishing email is part of the con. Our inboxes are regularly filled with requests to reset passwords, verify details, or otherwise take action. Like many scams, the email might suggest a sense or urgency, or indicate that your security has been compromised in some way.

Even worse, the instigating email might actually come from a legitimate email address, if someone in your social circle, family, or office has had their account hijacked. In this case you wouldn’t be able to run the usual checks on the sender identity and email address, because everything would look genuine—though the wording and style would be off.

This email (or perhaps a direct message on social media) will be used to deliver a Google Forms link, which is the second half of the scam. This form will most often be set up to look genuine, and may be trying to spoof a recognized site like your place of work or your bank. The form might prompt you for sensitive information, offer up a link to malware, or feature a phone number or email address to lead you into further trouble.