Over the past few days, we’ve noticed an uptick in the number of fake emails in our inbox, specifically from individuals attempting to impersonate Google. While this is nothing new, and people have been creating phishing scams for years now, one favorite method hackers have taken to like water is abusing Google’s official services in an attempt to appear legitimate.
Phishing is when attackers send malicious emails designed to trick people into falling for a scam. The intent is often to get users to reveal financial information, system credentials or other sensitive data.
Phishing is an example of social engineering: a collection of techniques that scam artists use to manipulate human psychology. Social engineering techniques include forgery, misdirection and lying—all of which can play a part in phishing attacks. On a basic level, phishing emails use social engineering to encourage users to act without thinking things through. (Proofpoint)
Last year, we saw this happen with Google Calendar and Google Drive, but check out this Google Forms phishing attempt. The spammer in question takes advantage of an official automated email feature called a response receipt. When someone creates a form and others fill it out and submit their responses, those respondents receive a copy of that form in their inbox as a means of keeping track of things. This only occurs if the form creator toggles on “Response Receipts” in the form’s settings. These receipt emails are officially sent from Google’s servers using the address “email@example.com”.
Here’s where it gets hairy. That email address looks official because, well, it is. So what’s the harm? A spammer sent you a form using Google’s automation process, so what? Well, the trickery occurs in the body of the form! Take a look at two of the examples below that we received this week. In both, the spammer is pretending that the user has previously filled out something official with Google when in fact they have not; the user is simply receiving an email asking them to fill out their email address and to click a link to verify.
Since anyone checking the “From” field of the email will see that it’s officially from Google, they may end up filling it out and clicking the link, not knowing that the contents of that form are not from Google. The links in the form, which we’ve blurred out to protect our readers, could lead anywhere, really. They could ask for further personal information or lead to any number of other fraudulent attempts. The crazy part is that because Google has created these form receipts as an automatic part of Forms if that option is toggled on, these small-time scammers have Google unintentionally doing their dirty work!
So, how can you protect yourself from falling victim to these types of scams? First, know that just because you’re getting an email receipt, this doesn’t mean that you asked for one! Anyone could input your email address into anything and you’d get a signup email or a receipt showing that this has occurred. In the case of Forms, please keep in mind that if something is a RECEIPT, it shouldn’t be ASKING you for anything. Not your email address, not further action through the clicking of a link – nothing. Whether or not it’s malicious, a receipt is literally just a record of past actions, not a request for new action.
Next, you’ll see a “Report Abuse” button at the bottom of the form receipt email. Clicking this will take you to an official Google submission for reporting malicious activity. Since the form receipt was sent by Google, you can click this without fear (just don’t click anything in the form body!).
Just select the “Spam, malware or ‘phishing’ (fake login)” option as shown above and click the blue “SUBMIT ABUSE REPORT” button. Delete the email or mark it as spam and then carry on with your day. Whether or not you encounter this often, you should remain on high alert and only click things you truly trust. Where it gets difficult is when you see emails sent from official sources that contain unofficial content like this. Stay safe out there, friends!
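The rule described above (a receipt should never ask you for anything) can also be applied as a mail-triage check. The following is an added example, not code from the original post: it flags messages from the receipt sender whose body links anywhere outside Google. The sender value is the redacted stand-in the post shows, and the trusted-suffix list, function names and sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumption: the post shows the receipt sender only as this redacted stand-in;
# set it to the address your mail system actually sees on Forms receipts.
RECEIPT_SENDER = "email@example.com"
# Assumption: hosts used by a receipt's own footer links (e.g. Report Abuse).
TRUSTED_SUFFIXES = ("google.com",)
URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.IGNORECASE)

# Constructed sample: a receipt whose form body asks the reader to click a link.
SAMPLE = (
    "From: Google Forms <email@example.com>\n"
    "Subject: Account verification\n"
    "Content-Type: text/plain; charset=utf-8\n\n"
    "Enter your email and verify here: http://verify-account.example/confirm\n"
    "Report Abuse: https://docs.google.com/forms/CONSTRUCTED/report\n"
)

def is_trusted(host):
    host = (host or "").lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)

def body_text(msg):
    """Join every decoded text/* part so links in HTML parts are scanned too."""
    parts = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            data = part.get_payload(decode=True) or b""
            parts.append(data.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(parts)

def triage_receipt(raw):
    """Return (is_receipt, off_domain_links) for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    if parseaddr(msg.get("From", ""))[1].lower() != RECEIPT_SENDER:
        return False, []
    links = []
    for url in URL_RE.findall(body_text(msg)):
        try:
            host = urlsplit(url).hostname
        except ValueError:  # malformed URL: treat as untrusted
            host = None
        if not is_trusted(host) and url not in links:
            links.append(url)
    return True, links
```

Because Google really does send these messages, a sender check alone will not separate a genuine receipt from an abused one, which is why the check looks at the body. A link to other content hosted on a Google domain passes this allow-list, so a clean result is not proof that the receipt is harmless.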