How Not to Fall for the New Official-Looking Google Forms Phishing Scam

'Tosin Adeoti
3 min read · Jun 16, 2022

I received an email from forms-receipts-noreply@google.com saying 0.386750 BTC is available to me.

Usually, I just mark as spam anything that tells me I have free money, but I was curious that the sender used ‘google.com’. That’s an impersonation of Google.

Then it occurred to me that it’s a continuation of what happened last year with Google Calendar and Google Drive. It’s an abuse of Google’s official services in an attempt to appear legitimate.

How the Scam Works

The email really does come from Google, because Google's own servers send it. For those who took my free career planning session, you will remember that I created a form for you to fill out and submit your responses. Just before you submit, there is an option to receive a copy of your responses for reference purposes. Those receipt emails come from Google's servers using the address "forms-receipts-noreply@google.com".

This is what the scammers manipulate. You will get an email pretending that you had previously filled out something official with Google when in fact you have not. You are now simply receiving an email asking you to fill out your email address and to click a link to verify. The email catches your attention because when you check the “From” field of the email, you see that it’s officially from Google. So you could end up filling it out and clicking the link, not knowing that the contents of that form are not from Google.

As soon as you fill out the form and click the link, part of the scammer's job is done. The link could lead anywhere, including to a page asking you for personal information you had not previously supplied, or to any number of other fraudulent schemes like those revealed in the Forbes article exposing Hushpuppi.

The strange part is that these small-time scammers have Google unknowingly doing their dirty work by creating these form receipts as an automatic feature of Forms.

How to Protect Yourself

  1. There are no free rides. Resist thinking the strangers you have never interacted with on the internet love you so much to want to send you freebies, including money. That kind of mindset is uniquely suited to scammers who would lure you into financial disasters.
  2. Recognize that just because you’ve received an email receipt doesn’t mean you requested one! Your email address could be entered into anything, and you’d receive a signup email or a receipt confirming it. When it comes to Forms, remember that if it’s a RECEIPT, it shouldn’t be asking you for anything. Nothing — not your email address, not additional action via a link — nothing. A receipt, whether malicious or not, is simply a record of previous actions, not a request for new ones.
  3. Always report. At the bottom of the form receipt email, you'll notice a "Report Abuse" button. By clicking here, you'll be taken to a Google form where you may report fraudulent behaviour. You can click this without concern because the form receipt was supplied by Google (just don't click anything in the form body!). Simply click the blue "SUBMIT ABUSE REPORT" button after selecting the "Spam, malware, or phishing (fake login)" option.
  4. Mark the email as spam and delete it in the spam folder. Enough people doing this will alert the spam filtering algorithm of the Email Service Providers.
  5. Be vigilant. Whether you face this regularly or not, you should remain vigilant and only click on things you can absolutely trust. Scammers are becoming inventive, so you can receive emails from official sources that contain unofficial content like this.
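The mechanism described under "How the Scam Works" (a genuine sender address wrapped around an untrusted body) and rule 2 above (a receipt should never ask you for anything) can be turned into a simple mail-triage check. The following Python script is an added example and is not part of the original post or of any Google tooling. It assumes the message arrives as raw RFC 822 text whose `From` header has already passed the mail provider's authentication checks, and it uses a constructed list of trusted link hosts and action phrases; the three sample emails are constructed for the example (the 0.386750 BTC figure is the one quoted in the post).

```python
# Added example (not from the original post): triage a Google Forms receipt email.
# Idea: the sender can be genuine while the body is hostile, so judge the body on
# its own. A receipt is a record of a past action; links off Google's domains or
# phrases asking the reader to act are the tell.
import re
from email import message_from_string
from email.message import Message
from urllib.parse import urlparse

FORMS_RECEIPT_SENDER = "forms-receipts-noreply@google.com"

# Hosts a genuine Forms receipt is expected to link to (assumption for this example).
TRUSTED_LINK_HOSTS = {"google.com", "docs.google.com", "support.google.com"}

# Phrases that turn a "receipt" into a request for new action (constructed list).
ACTION_PHRASES = [
    r"\bverify\b", r"\bclaim\b", r"\bconfirm your (email|account)\b",
    r"\bbtc\b", r"\bbitcoin\b", r"\bavailable to you\b", r"\benter your email\b",
]

URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.IGNORECASE)


def is_trusted_link(url: str) -> bool:
    """True only when the link host is a trusted host or a subdomain of one."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == h or host.endswith("." + h) for h in TRUSTED_LINK_HOSTS)


def sender_address(msg: Message) -> str:
    """Extract the bare address from a 'Name <addr>' From header."""
    from_header = msg.get("From", "")
    m = re.search(r"<([^>]+)>", from_header)
    return (m.group(1) if m else from_header).strip().lower()


def body_text(msg: Message) -> str:
    """Concatenate the text/plain and text/html parts of the message."""
    parts = []
    candidates = msg.walk() if msg.is_multipart() else [msg]
    for part in candidates:
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True)
            if payload:
                parts.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(parts)


def triage_forms_receipt(raw_email: str) -> dict:
    """Return a verdict plus the evidence behind it."""
    msg = message_from_string(raw_email)
    sender = sender_address(msg)
    text = body_text(msg)
    untrusted_links = [u for u in URL_RE.findall(text) if not is_trusted_link(u)]
    action_hits = [p for p in ACTION_PHRASES if re.search(p, text, re.IGNORECASE)]
    if sender != FORMS_RECEIPT_SENDER:
        verdict = "not-forms-receipt"      # a lookalike sender, judged separately
    elif untrusted_links or action_hits:
        verdict = "suspicious"             # real receipt channel, body asks for action
    else:
        verdict = "receipt-ok"             # a record of a past submission, nothing more
    return {"sender": sender, "verdict": verdict,
            "untrusted_links": untrusted_links, "action_hits": action_hits}


# Constructed sample: the scam pattern described in the post.
SAMPLE_SCAM_RECEIPT = """\
From: Google Forms <forms-receipts-noreply@google.com>
To: victim@example.com
Subject: Your response has been recorded
Content-Type: text/plain; charset=utf-8

Thanks for filling out the form. Here's what was received.

0.386750 BTC is available to you. Enter your email and verify here:
https://claim-reward.example/verify

Edit your response: https://docs.google.com/forms/d/e/EXAMPLE/viewform
"""

# Constructed sample: a benign receipt from a real form submission.
SAMPLE_REAL_RECEIPT = """\
From: Google Forms <forms-receipts-noreply@google.com>
To: user@example.com
Subject: Career planning session
Content-Type: text/plain; charset=utf-8

Thanks for filling out Career planning session. Here's what was received.

Name: Jane Doe
Goal: move into security engineering

Edit your response: https://docs.google.com/forms/d/e/EXAMPLE/viewform
"""

# Constructed sample: a lookalike sender that is not the Forms receipt address.
SAMPLE_LOOKALIKE = """\
From: Google Forms <forms-receipts-noreply@google-forms.example>
To: user@example.com
Subject: Your response has been recorded
Content-Type: text/plain; charset=utf-8

Verify your account: https://docs.google.com/forms/d/e/EXAMPLE/viewform
"""

if __name__ == "__main__":
    for name, sample in [("scam", SAMPLE_SCAM_RECEIPT), ("real", SAMPLE_REAL_RECEIPT),
                         ("lookalike", SAMPLE_LOOKALIKE)]:
        print(name, triage_forms_receipt(sample))
```

The sender check only separates the genuine Forms channel from lookalikes; it deliberately does not clear a message. A scammer can host the "verify" link on a Google domain too, which is why the phrase check runs regardless of where the links point, and why the post's rule stands: a receipt that asks you to do anything is suspect.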

Friends, stay safe out there!
