Heedthis Alert: Intricate Google Forms Scam Underway
Phishing Scams: The New Trick Up Scammers' Sleeve
In this digital age, fraudsters are growing craftier as they employ recognizable, trustworthy domains to ensnare their victims in phishing schemes. Recently, these con artists have exploited settings for both Google and PayPal to lull their targets into a false sense of security, making these attacks more challenging to notice.
Another deceitful approach scammers are using to appear legitimate while avoiding detection is via Google Forms requesting sensitive data.
Unleashing Google Forms to Steal Your Data
Phishing via Google Forms is nothing new. As recent intel from ESET Security reveals, Google Forms are effortless to create and implement, enjoy widespread trust from users, and are encrypted with TLS. This combination of factors makes them an alluring, low-risk, high-reward vector for scammers.
The objectives of Google Forms scams may vary, ranging from stealing login credentials or banking details to redirecting users to fraudulent sites installing malware on their devices.
A noteworthy iteration of this scheme targeted higher education institutions in the US, compromising students, faculty, and staff at 15 universities. In February 2025, a post on Google's blog unveiled a campaign during which attackers sent links to Google Forms mimicking legitimate university communications, including school names, color schemes, and logos or mascots in headers. These forms were calculated to dupe recipients into providing university account credentials and, in certain instances, financial institution logins under the pretense of maintaining an existing account or distributing aid.
Scammers would typically dispatch forms around key dates on the academic calendar, such as financial aid deadlines, when recipients have a plethora of administrative tasks to complete and are less likely to discern potential red flags.
While Google managed to remove all the malicious forms identified, Stanford University's Information Security Office issued an alert on April 23, 2025, warning of a similar phishing scheme meant to steal passwords and Duo passcodes for university network accounts.
These attacks would initiate with Stanford-branded Google Forms hosted on real google.com domains with legitimate SSL certificates. The forms would appear to derive from real Google email addresses and may include identities associated with friends or acquaintances (such as "[Name] shared a document"). These forms not only look authentic, but they are able to bypass email malware detection.
Countering Phishing Attacks with Google Forms
Be vigilant when using Google Forms. Never open forms sent unsolicited, and steer clear of submitting sensitive information like login credentials, bank account numbers, etc. via Google Forms. Google exhibits this warning on the form itself. Heed it! No legitimate institution will ask for this type of data through Google Forms, and if doubtful, contact the organization directly to verify the request.
Not every Google Forms phishing campaign will be as polished as those targeting higher education. Make sure to scrutinize forms for misspellings, punctuation errors, and unusual salutations. One example detected by ESET begins with "Hello, Dear!"
If you believe you have already submitted sensitive information via Google Forms, change your login credentials, freeze your credit cards, and keep a close eye on your accounts and credit report to detect any fraudulent activity. Monitor your computer for signs of malware (regardless of whether you're using a Mac or PC) and eliminate it swiftly if discovered.
- The objectives of Google Forms scams can range from stealing login credentials or banking details to tricking users into providing sensitive information, including money – never submit such information via Google Forms.
- Be cautious of unsolicited Google Forms, as recently, scammers have been using them to ask for sensitive data such as bank account numbers or login credentials – even forms that appear legitimate and come from known contacts should be treated with suspicion.
