phishing, google, spam, security

How Scammers Use Google Forms to Defraud Victims

Fraudsters have found a clever way to abuse Google Forms' response notification feature to bypass spam filters and deliver phishing emails from official Google addresses.

As we all know, fraudsters are always looking for new ways to scam victims out of their hard-earned money. Recently, my honeypot inbox got flooded with e-mails claiming my account would be blocked.

The Attack

The e-mails were coming from the official address Google uses to send a copy of form responses to users ([email protected]).

The scammers were exploiting the "Send me a copy of my response" feature in Google Forms. By filling in a form with phishing content and requesting a copy, Google would dutifully send the malicious content from their own legitimate email addresses — completely bypassing spam filters.

The Redirect Chain

The links claiming to point to "my personal account" made use of Google's open redirect functionality. Several more redirects follow, and the chain sometimes includes:

  1. A fake Google captcha — just a clickable PNG image with a link to the next redirect
  2. A fake antivirus check — a waiting page designed to mislead AV scanners or victims

Where It Leads

Most sites are hosted on servers in Russia, or hidden behind the Cloudflare proxy service. In the end, the redirect chain opens a generic crypto scam, where they promise huge amounts of money if you first pay them a small "transaction fee" or something similar.

The Technique

In the end they were just trying to bypass spam filters by using the "send copy of response" feature in Google Forms.

By abusing this feature:

  • The email comes from a legitimate Google address
  • It passes SPF, DKIM, and DMARC checks
  • Most spam filters will not flag it
  • The victim sees a trusted sender
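
Because sender authentication passes, triage has to look at the content instead. The rule below is an added example, not code from the original post: it takes mail from the form-receipt sender and reports links that leave Google through a redirect. The sender address is a placeholder (the page redacts the real one), and the `/url?q=` redirect shape and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import parse_qs, urlparse

# Placeholder: the real receipt sender is redacted on the page; set it from your own mail logs.
FORMS_SENDER = "forms-receipts@google.example"
# Assumption: the redirector has the shape https://www.google.com/url?q=<target>.
REDIRECT_HOSTS = {"google.com", "www.google.com"}
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

def redirect_target(url):
    """Return the off-Google host a Google redirect link points to, else None."""
    parts = urlparse(url)
    if (parts.hostname or "").lower() not in REDIRECT_HOSTS or parts.path != "/url":
        return None
    query = parse_qs(parts.query)  # parse_qs also undoes percent-encoding
    target = (query.get("q") or query.get("url") or [""])[0]
    host = (urlparse(target).hostname or "").lower()
    if not host or host == "google.com" or host.endswith(".google.com"):
        return None  # redirect stays on Google, not interesting here
    return host

def triage(raw, forms_sender=FORMS_SENDER):
    """Return the off-Google redirect hosts found in a form-receipt mail."""
    msg = message_from_string(raw)
    if parseaddr(msg.get("From", ""))[1].lower() != forms_sender.lower():
        return []  # not a form receipt, out of scope for this rule
    hosts = set()
    for part in msg.walk():  # covers single-part and multipart mails
        if part.get_content_maintype() != "text":
            continue
        charset = part.get_content_charset() or "utf-8"
        text = part.get_payload(decode=True).decode(charset, "replace")
        hosts.update(h for h in map(redirect_target, URL_RE.findall(text)) if h)
    return sorted(hosts)

# Constructed sample: authentication passes, which is why the rule ignores it.
SAMPLE = """From: Google Forms <forms-receipts@google.example>
To: honeypot@example.org
Subject: Your account will be blocked
Authentication-Results: mx.example.org; spf=pass; dkim=pass; dmarc=pass
Content-Type: text/plain; charset=utf-8

Open your personal account:
https://www.google.com/url?q=https%3A%2F%2Flanding.example.net%2Fstep1&sa=D
Form help: https://www.google.com/url?q=https://support.google.com/docs
"""
```

A non-empty result is a reason to quarantine the message for review, since a receipt for a form the recipient never filled in has no reason to link off Google.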

The Resolution

Google luckily acted really fast and took down the forms, and, I suspect, suspended the accounts that were involved with this scam.

Conclusion

I feel like I should come to a conclusion, but the fact is that I have none. Stay safe out there and be a little bit more suspicious when you receive form responses in your inbox from forms you didn't fill in.


If you have any questions, if I got something wrong, or if I forgot something: feel free to contact me.