Scammers are sending emails with links to Google Forms, posing as major brands, charities and government agencies to steal sensitive data. Here’s how it works.
Since November 2020, the Which? Scam Watch inbox has seen a steady increase in reports of these phishing emails containing links to Google Forms.
One variant asks recipients to provide personal information by claiming to be BT offering a bill refund:

Others are more bizarre, such as Warren Buffet supposedly giving away his millions, or random ‘investment opportunities’:

What are Google Forms and how do I stay safe?
Google Forms is a legitimate and widely used product that enables users to create and send online surveys. However, scammers are always looking to misuse genuine products for their own gain.Â
As far as we know, these emails are focused on stealing information. We asked Google if it is aware of any spam Google Forms emails containing malware – malicious software that infects computers – but it declined to comment.Â
You can stay safe by scanning your computer with antivirus software regularly to detect and remove malware infections.
You can also take the Google Security Checkup, paying particular attention to any applications or devices you no longer use, as well as any unrecognised devices.Â
Google says its systems automatically detect and block the use of form fields asking for sensitive or private information. It also explicitly warns users to not submit passwords in the form.Â
Don’t ignore warnings and alerts that appear in Forms and other Google products, as these are there to protect you.Â
Report the abuse
Information from users keeps Google’s protections updated so it is helpful to report abuse.
Using any Google products – including Docs, Sheets or Slides – for phishing is in violation of Google’s abuse policy. Here’s how you can report a violation to Google:
📄 If the sender has a Gmail address, report the Gmail abuse to Google at https://support.google.com/mail/contact/abuse
📄 If you have a Gmail account and receive a phishing email click ‘More’ (three dots or ellipsis) and select ‘Report phishing’
📄 If you’ve already clicked on the Google Form (best avoided) there will be a ‘Report Abuse’ button at the bottom (highlighted below)

As always, if you think you may have given sensitive information to scammers, let your bank know immediately.
Have you received a suspicious email containing a Google Form? Let us know.