Beware of This Sophisticated Google Forms Scam

Fraudsters are increasingly using recognizable and trusted domains to launch phishing schemes that trick people into handing over their personal and financial information. In recent months, attackers have used Google and PayPal settings to lull victims into a false sense of security, making these attacks difficult to detect.
Another way scammers try to appear legitimate while evading detection is by using Google Forms that ask for sensitive data.
How Scammers Use Google Forms to Steal Your Identity
Phishing via Google Forms is nothing new. As noted in a recent ESET Security report, Google Forms are free, easy to create and implement, and are trusted by users, making them a low-risk, high-reward source for scammers. They are also TLS encrypted and use dynamic URLs, making them less likely to be flagged as malicious.
Google Forms scams can have multiple goals, from stealing your login credentials or bank details to redirecting you to a fraudulent site that installs malware on your device.
A recent (and relatively sophisticated) version of this scam targeted higher education, including students, faculty and staff at 15 institutions in the United States. A Google blog post from February 2025 describes a campaign in which attackers sent links to Google Forms that mimicked legitimate university communications, with school names, color schemes, and logos or mascots displayed in the headers. The forms were designed to trick recipients into providing university account credentials and, in some cases, financial institution logins, under the guise of maintaining an existing account or distributing aid.
The scammers sent out the forms during important dates in the academic calendar, such as financial aid deadlines, when recipients have to handle a lot of administrative tasks and are less likely to notice potential red flags.
While Google notes that all of the malicious forms it identified were eventually removed, Stanford University’s Office of Information Security issued an alert on April 23 about a similar phishing scheme aimed at stealing passwords and Duo passwords for university network accounts.
The attack begins with Stanford-branded Google Forms hosted on real google.com domains with valid SSL certificates. The forms appear to come from real Google email addresses and may include familiar names in notifications (e.g. “[Name] shared document”). Not only do these forms appear legitimate, but they are also capable of bypassing email malware detection.
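Because these links sit on a trusted domain with a valid certificate, a filter that relies on domain reputation will pass them, so a mail-triage check has to look at what the message asks for instead. The Python below is an added example, not code from the article, Google, ESET or Stanford. It assumes Google Forms links take the docs.google.com/forms/ or forms.gle shape; the keyword list, function names and sample messages are illustrative and constructed.

```python
import re
from email import message_from_string
from urllib.parse import urlsplit

# Assumed keyword list (not from the article); tune it for your organisation.
CREDENTIAL_TERMS = re.compile(
    r"\b(password|passcode|duo|login|log in|sign in|credentials|bank account)\b",
    re.IGNORECASE)
URL_RE = re.compile(r'https?://[^\s<>"]+', re.IGNORECASE)

def is_google_form(url):
    """True only for genuine Google Forms links, whatever their reputation."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    return host == "forms.gle" or (
        host == "docs.google.com" and parts.path.startswith("/forms/"))

def body_text(msg):
    """Decode and join every text/* part of the message."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)

def triage(raw_message):
    """Flag mail that pairs a Google Forms link with credential language."""
    msg = message_from_string(raw_message)
    text = msg.get("Subject", "") + "\n" + body_text(msg)
    forms = [u for u in URL_RE.findall(text) if is_google_form(u)]
    terms = sorted({t.lower() for t in CREDENTIAL_TERMS.findall(text)})
    return {"form_links": forms, "terms": terms, "flag": bool(forms and terms)}

# Constructed sample messages; addresses and form IDs are placeholders.
SUSPICIOUS = """From: sender@example.com
Subject: Action required: financial aid account
Content-Type: text/plain; charset=utf-8

Confirm your university login and Duo passcode here:
https://docs.google.com/forms/d/e/EXAMPLE_FORM_ID/viewform
"""
BENIGN = """From: club@example.edu
Subject: Picnic poll
Content-Type: text/plain; charset=utf-8

Vote for the picnic date: https://forms.gle/EXAMPLE_ID
"""
if __name__ == "__main__":
    print(triage(SUSPICIOUS), triage(BENIGN))
```

A flagged message is a candidate for quarantine or a warning banner, not proof of phishing; the check only sees the e-mail, not the fields on the form itself.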
How to Avoid Phishing Attacks Using Google Forms
Always be critical when using Google Forms. Don’t open unsolicited forms, and never submit sensitive information—login credentials, bank account numbers, etc.—via Google Forms. (Google displays this warning on the form itself. Please pay attention to it.) No legitimate institution will request this type of data through Google Forms anyway, and if you are unsure, contact the organization directly to confirm the request.
Not all Google Forms phishing campaigns will be as well designed as campaigns targeting higher education, so you should also be on the lookout for misspellings, punctuation errors, and strange greetings. One of the examples found by ESET begins with the words “Hello, dear!”
If you think you have already submitted sensitive information through Google Forms, change your login credentials, block your credit cards, and monitor your accounts and credit report to identify any fraudulent activity. You should also keep an eye out for any signs of malware on your computer and remove it as quickly as possible (whether you’re using a Mac or PC).