Scam alert: phishing emails exploiting Google Forms

Scammers are sending emails with links to Google Forms, posing as major brands, charities and government agencies to steal sensitive data. Here’s how it works.

Since November 2020, the Which? Scam Watch inbox has seen a steady increase in reports of these phishing emails containing links to Google Forms.

One variant asks recipients to provide personal information by claiming to be BT offering a bill refund:

Others are more bizarre, such as Warren Buffet supposedly giving away his millions, or random ‘investment opportunities’:

What are Google Forms and how do I stay safe?

Google Forms is a legitimate and widely used product that enables users to create and send online surveys. However, scammers are always looking to misuse genuine products for their own gain.

As far as we know, these emails are focused on stealing information. We asked Google if it is aware of any spam Google Forms emails containing malware – malicious software that infects computers – but it declined to comment.

You can stay safe by scanning your computer with antivirus software regularly to detect and remove malware infections.

You can also take the Google Security Checkup, paying particular attention to any applications or devices you no longer use, as well as any unrecognised devices.

Google says its systems automatically detect and block the use of form fields asking for sensitive or private information. It also explicitly warns users to not submit passwords in the form.

Don’t ignore warnings and alerts that appear in Forms and other Google products, as these are there to protect you.

Report the abuse

Information from users keeps Google’s protections updated so it is helpful to report abuse.

Using any Google products – including Docs, Sheets or Slides – for phishing is in violation of Google’s abuse policy. Here’s how you can report a violation to Google:

📄 If the sender has a Gmail address, report the Gmail abuse to Google at https://support.google.com/mail/contact/abuse

📄 If you have a Gmail account and receive a phishing email click ‘More’ (three dots or ellipsis) and select ‘Report phishing’

📄 If you’ve already clicked on the Google Form (best avoided) there will be a ‘Report Abuse’ button at the bottom (highlighted below)

As always, if you think you may have given sensitive information to scammers, let your bank know immediately.

Have you received a suspicious email containing a Google Form? Let us know.

RB says:

4 March 2021

I received an email like this allegedly from a Harvard Research Lab asking about a service I had recently bought with a software provider. It looked legit and promised a $25 Amazon voucher for filling in the form. I was so busy, I assumed it was connected to the software provider and I clicked automatically. The only sensitive info it asked me for was my email address, which I gave. They already had it anyway somehow. Should I be worried? Could they have infected my laptop or be watching my online activity?

Kenny says:

8 March 2021

For goodness sake DO NOT confirm your email address to any suspicious emailer.

Richard Cain says:

So, I receive an email from Which? telling me about scam emails. My email service provider flags the email “This email has failed its domain’s authentication requirements. It may be spoofed or improperly forwarded. Learn more.” Links to: “Why you may see this warning.
ProtonMail alerts users of certain suspicious incoming emails to protect users from spam and phishing attacks. This message warns you that the sender’s email address failed one of the validation checks attempting to verify the sender, the DMARC check.

A failed domain authentication could be an indication that the From field has been forged, a kind of abuse known as email spoofing. Spammers and hackers use spoofing to trick recipients into believing an email is legitimate.

However, domain authentication failure does not always indicate abuse. Sometimes a legitimate email can fail authentication due to improper email forwarding, DNS misconfiguration, or temporary network failures.”

All I can say is “Hmmmm!”

Max says:

Day after day spam emails arrive but to block each individual email could take a long time. Why can’t we have a tick box, just as we have a delete box, to block these emails? I see suspicious emails and delete them only for them to turn up day after day. Housekeeping should be easy not time consuming.

John Ward says:

Max – Each e-mail system seems to have its own processes in the secondary functions, the primary functions being more or less standardised. Nearly all incoming spam goes first into my junk e-mail box where any or all of it can be blocked and/or deleted with a couple of clicks. You might be able to find a way of doing that in the settings. There is an option to review junk e-mails before deleting them so that any that are not junk can be moved to the inbox or straight to a folder.

Joy Clancy says:

5 March 2021

I received two phone calls on my mobile claiming to be from HMRC saying I was going to charge with tax avoidance and if I didn’t press ‘1’ on my key pad a warrant would be issued for my arrest! Since I knew that this couldn’t possibly be true and that if HMRC were ever to phone me they wouldn’t use a mobile phone, I didn’t press ‘1’. I reported it to Action Fraud who were very helpful and one of their recommendations was to inform WHICH! Apparently over-70s are being targeted with a range of scams. The voice tone of one of the calls was horribly theatening and I can understand that people would feel frightened and react.
Well done WHICH for alerting us to the scams.

Susan says:

17 April 2021

I had a similar phone call a few days ago claiming to be from HMRC and that I was involved in some tax fraud, I was instructed to press 1 to rectify or I would be arrested very soon. I’ve not been arrested yet!!

Liz Brown says:

4 May 2021

My 87 yr old mum’s had several calls claiming she owes tax money. Luckily she worked for the tax office for yrs so she wasn’t taken in, just annoyed, slaming the phone down. She said the caller had an ‘indian’
Eastern accent. She has a landline and doesn’t use technollogy so I don’t know how they targeted her. Maybe her age is significant.

Penny says:

6 March 2021

Hello. I received an email to one of my gmail accounts but referring to my aol account. It had ‘Vodafone’ in the address line so I opened, stupidly.
It is offering money-making scheme and nothing to do with Vodafone at all.
The links between my gmail and aol spooked me and particularly as I have a well-known anti-virus system.
Please do not open anything even if from someone you feel may be safe, in case it is not and this is with checking the address and stupidly just seeing the familiar word and assuming safe with very good ‘protection’. it is not working.
All stay well. Penny

Judith Evans says:

10 March 2021

I have had a Messagefrom Microsoft this week saying my security is ,,,, click on it. I have nothing to do with Microsoft and was alerted immediately.
My sister had a Microsoft email last week saying they will update her software. She clicked on it and all her money was taken! Her bank are trying to recover it. Money went to Latvia, Estonia and UK. Be warned.