Google Forms is survey administration software, included in the Google Docs office suite and Classroom, that is used to collect information from users. Phishing attackers have used Google Forms to impersonate more than 25 companies, including different brands and government offices, to steal user passwords and credentials.

So far, 265 different Google Forms have been uncovered. The forms are likely sent to victims by email using social engineering tactics. Researchers note that cybercriminals use the Google domain to lure people into handing over their passwords and login credentials through a genuine-looking Google Form. The Google domain gives victims the false sense that the form is legitimate, and it helps the form evade phishing detection.

Creating a Google Form for phishing has several advantages:

  1. The attacker does not have to arrange hosting or a domain
  2. Being hosted under a Google domain evades reputation-based phishing detectors
  3. Phishing detectors based on domain age will not work on this site

More than 70 percent of the sites targeted AT&T. However, financial organizations like Citibank and Capital One, collaboration apps like Microsoft OneDrive and Outlook, and government agencies like the Internal Revenue Service were also targeted.

How can you avoid becoming a victim of Google Form phishing attacks?

There are two indicators of a Google Form phishing page. First, the final button on an authentic Google Form page always says “Submit.” On the default completion, the final button says, “Your Answer.” Second, the default Google Form will ask for your password, which is not needed to fill out a survey. Both indicators are small and easy to miss for people filling out a form.
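Because reputation and domain-age checks see only a Google domain, the second indicator has to be checked against the form's content. The following is an added example, not code from the original article or the researchers: it picks Google Forms links out of an email body and flags form text that asks for credentials. The sample email, form text, form ID and term list are constructed assumptions, and fetching the form is left out so the example runs offline.

```python
import re
from urllib.parse import urlparse

# Assumed term list: things a survey has no reason to ask for. Tune per environment.
CREDENTIAL_RE = re.compile(r"\b(password|passcode|username|user\s?id|sign\s?in|log\s?in)\b", re.I)
# Brands the article names as impersonated.
BRANDS = ("AT&T", "Citibank", "Capital One", "OneDrive", "Outlook", "Internal Revenue Service")
URL_RE = re.compile(r"https?://[^\s<>\"')]+")

def is_google_form(url):
    """Exact host match, so look-alikes such as docs.google.com.evil.example fail."""
    parts = urlparse(url)
    host = (parts.hostname or "").lower()
    return host == "forms.gle" or (host == "docs.google.com" and parts.path.startswith("/forms/"))

def form_links(email_body):
    """Return the Google Forms links found in an email body."""
    urls = (u.rstrip(".,;") for u in URL_RE.findall(email_body))
    return [u for u in urls if is_google_form(u)]

def score_form(visible_text):
    """Heuristic verdict from a form's visible text: 'phishing', 'suspicious' or 'ok'."""
    asked = sorted({" ".join(m.group(0).lower().split())
                    for m in CREDENTIAL_RE.finditer(visible_text)})
    brands = [b for b in BRANDS if b.lower() in visible_text.lower()]
    if asked and brands:
        return "phishing", asked, brands
    return ("suspicious" if asked else "ok"), asked, brands

# Constructed samples (not real messages or forms).
SAMPLE_EMAIL = (
    "Your account is on hold. Verify here: "
    "https://docs.google.com/forms/d/e/EXAMPLE_FORM_ID/viewform.\n"
    "Help: https://docs.google.com.evil.example/forms/d/x\n"
)
PHISH_FORM = "AT&T Sign In\nUser ID\nYour answer\nPassword\nYour answer\nSubmit"
SURVEY_FORM = "Team lunch survey\nWhich day works best?\nYour answer\nSubmit"

if __name__ == "__main__":
    for link in form_links(SAMPLE_EMAIL):
        print("Google Forms link:", link)
    for name, text in (("phish", PHISH_FORM), ("survey", SURVEY_FORM)):
        print(name, score_form(text))
```

A form that asks for credentials without naming a known brand is reported as "suspicious" rather than "ok", since the password request alone is the indicator the article describes.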

The share of phishing websites using HTTPS rose from 12 percent in early 2019 to almost 60 percent today, and new phishing techniques are on the rise. New phishing techniques force detection engines to adapt quickly to keep up with industry standards.

Always check who you are giving your login credentials to, and confirm that it is a legitimate form or website.