Scammers Will Try to Trick You Into Filling Out Google Forms. Don’t Fall for It

Think twice before you put anything in a form—even if it looks legit.
Photo-Illustration: Wired Staff; Getty Images

One of the lesser-known apps in the Google Drive online suite is Google Forms. It's an easy, intuitive way to create a web form for other people to enter information into. You can use it for employee surveys, for organizing social gatherings, for giving people a way to contact you, and much more. But Google Forms can also be used for malicious purposes.

These forms can be created in minutes, with clean and clear formatting, official-looking images and video, and—most importantly of all—a genuine Google Docs URL that your web browser will see no problem with. Scammers can then use these authentic-looking forms to ask for payment details or login information.

It's a type of scam that continues to spread, with Google itself issuing a warning about the issue in February. Students and staff at Stanford University were among those targeted with a Google Forms link that asked for login details for the academic portal there, and the attack beat standard email malware protection.

How the Scam Works

Google Forms are quick and easy to put together.

David Nield

These scams can take a variety of guises, but they'll typically start with a phishing email that will try to trick you into believing it's an official and genuine communication. It might be designed to look like it's from a colleague, an administrator, or someone from a reputable organization.

The apparent quality and trustworthiness of this original phishing email is part of the con. Our inboxes are regularly filled with requests to reset passwords, verify details, or otherwise take action. Like many scams, the email might suggest a sense of urgency, or indicate that your security has been compromised in some way.

Even worse, the instigating email might actually come from a legitimate email address, if someone in your social circle, family, or office has had their account hijacked. In this case you wouldn't be able to run the usual checks on the sender identity and email address, because everything would look genuine—though the wording and style would be off.

This email (or perhaps a direct message on social media) will be used to deliver a Google Forms link, which is the second half of the scam. This form will most often be set up to look genuine, and may be trying to spoof a recognized site like your place of work or your bank. The form might prompt you for sensitive information, offer up a link to malware, or feature a phone number or email address to lead you into further trouble.

As mentioned above, Google Forms are hosted on Google's servers, so there are no red flags in that respect. It's also easy for scammers to quickly close and reopen these forms on different random URLs, making it harder for them to be caught by security software. Since they're free to create, scammers aren't losing anything by making vast numbers of them.

How to Guard Against It

Part of the form involved in the Stanford scam.

David Nield

The same set of common-sense measures is usually enough to keep yourself safe against most scams, including this one. Be wary of any unexpected communications, like unusual requests from friends or password reset processes you haven't yourself triggered. If you're unsure, check with the sender of the email (be it your bank or your boss) by calling them, rather than relying on what's said in the email.

In general, you shouldn't be entering any login information or payment details into a Google Forms document (it will start with docs.google.com in your browser's address bar). These forms may look reasonably well presented, but they'll lack any advanced formatting or layouts, and will feature Submit and Clear form buttons at the bottom.

Google Forms should also have either a “never submit passwords” or “content is neither created nor endorsed by Google” message at the bottom, depending on how the form has been set up. These are all signs you can look for, even if the link to the form appears to have come from a trusted source. And if you're being asked for important information, then get in touch with that source directly.
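For mail administrators, an added illustration that is not part of the original article: because the form's Google-hosted URL passes reputation checks, a filter has to look at what the message asks for. This Python check flags messages that pair a Google Forms link with login or payment wording; the keyword list, the forms.gle short-link host, and the sample messages are assumptions made for the example.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Assumption: keyword list chosen for this example, not taken from the article.
SENSITIVE = re.compile(
    r"\b(password|passcode|log[- ]?in|sign[- ]?in|verify|credentials|"
    r"card number|payment details)\b", re.I)
URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.I)

# Constructed sample messages (addresses and form IDs are placeholders).
PHISH = """From: IT Helpdesk <helpdesk@example.edu>
Subject: Urgent: verify your portal account

Your mailbox is over quota. Verify your login and password here:
https://docs.google.com/forms/d/e/EXAMPLE_FORM_ID/viewform
"""
SURVEY = """From: Social Committee <social@example.edu>
Subject: Picnic RSVP

Tell us what food you are bringing: https://forms.gle/EXAMPLEID
"""


def is_google_form(url: str) -> bool:
    """True only for docs.google.com/forms/... or the forms.gle short links."""
    p = urlparse(url)
    host = (p.hostname or "").lower()  # exact host match, so lookalikes fail
    if host == "forms.gle":
        return True
    return host == "docs.google.com" and p.path.startswith("/forms/")


def triage(raw_email: str) -> dict:
    """Flag mail that pairs a Google Forms link with credential/payment wording."""
    msg = message_from_string(raw_email)
    body = msg.get_payload() if not msg.is_multipart() else "".join(
        part.get_payload() for part in msg.walk()
        if part.get_content_type() == "text/plain")
    text = f"{msg.get('Subject', '')}\n{body}"
    forms = [u for u in URL_RE.findall(text) if is_google_form(u)]
    terms = sorted({m.group(0).lower() for m in SENSITIVE.finditer(text)})
    return {"form_links": forms, "terms": terms,
            "suspicious": bool(forms and terms)}


if __name__ == "__main__":
    for name, raw in (("phish", PHISH), ("survey", SURVEY)):
        print(name, triage(raw))
```

A hit is a reason to hold the message for review, not proof of fraud: ordinary surveys also use Forms links, which is why the link alone is not flagged.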

All forms created through Google Forms have a Report button at the bottom you can use if you think you've spotted a scam. If you've already submitted information before you've realized what's going on, the standard safeguarding measures apply: Change your passwords as soon as you can, and notify whoever is running the account that may have been compromised that you might need help.

Even just knowing that this kind of scam exists is a step toward being better protected. As always, keeping your mobile and desktop software up-to-date helps too. This won't necessarily flag a suspect form, for the reasons we've already mentioned, but it should mean that any malicious links you're directed to are recognized.