In a chilling new twist on digital fraud, Kaspersky researchers have uncovered a wave of phishing scams exploiting Google Forms—a widely trusted and free survey tool—to target unsuspecting cryptocurrency users. The attacks are designed to appear as official notifications from crypto exchanges, tricking users into paying fraudulent “commissions” in order to receive fictitious digital transfers.
What makes this scam particularly dangerous is its ability to evade email spam filters by leveraging the legitimacy of Google’s own infrastructure. According to Kaspersky’s findings, scammers initiate the attack by entering a victim’s email address into a Google Form they’ve created. This triggers an automated confirmation email from Google, which appears authentic and credible—complete with Google Forms branding, headers, and links.
However, this “confirmation” email is a cleverly disguised bait. It mimics notifications from a crypto platform, informing the user of an incoming transfer. Victims are lured into clicking a link under the impression that they must claim the funds before a fake expiration deadline. Clicking this link redirects users to a spoofed cryptocurrency website, where they are instructed to contact fake “blockchain support” and pay a commission fee in cryptocurrency to complete the transaction.
The Deceptive Simplicity Behind the Scam
While the technique is simple, its effectiveness lies in psychological engineering. The scammers rely on urgency and perceived opportunity to override skepticism. What’s more, the confirmation emails are often whitelisted by email filters because they are genuinely generated by Google’s servers—an aspect that adds another layer of believability.
“The campaign reveals a sophisticated exploitation of a trusted platform to deceive cryptocurrency users,” said Andrey Kovtun, Email Threats Protection Group Manager at Kaspersky. “By mimicking real crypto exchange alerts, attackers weaponize platform credibility and email legitimacy to bypass user defenses and extract sensitive wallet information.”
He added that there is a pressing need for heightened vigilance, especially as cybercriminals continue to refine social engineering tactics in the Web3 landscape.
How the Scam Works: A Step-by-Step Breakdown
- Harvesting Emails:
Attackers acquire or guess the victim’s email address and input it into a Google Form they’ve created. - Google Confirmation Email:
Google Forms automatically sends a confirmation email to the address, appearing as a legitimate platform notification. - Phishing Bait:
The email notifies the user of a crypto transfer and urges immediate action by clicking a link. - Fake Crypto Website:
The link leads to a malicious website that resembles a legitimate exchange platform. - Fake Support Instructions:
Users are told to contact “blockchain support” and pay a fee—typically in cryptocurrency—to receive the promised funds. - Wallet Drain:
Once payment is made, there is no transfer, and the attackers disappear with the stolen crypto assets.
Why This Matters: Exploiting Trust in Everyday Tools
This new method underlines a troubling trend—attackers using everyday productivity platforms to bypass security systems and prey on consumer trust. It’s a stark reminder that even the most benign tools, such as Google Forms, can become attack vectors in the wrong hands.
Unlike traditional phishing emails from suspicious domains, these scams arrive through legitimate Google infrastructure, which many users trust implicitly. This clever exploitation of brand trust and notification familiarity makes the scam particularly insidious.
Expert Tips to Stay Safe
Kaspersky urges users to adopt the following best practices to protect their digital wallets and personal data:
- Never click on links in unsolicited emails, especially those promising money or crypto transfers.
- Examine sender details and link URLs carefully, even if the email appears to be from a trusted platform.
- Install reputable cybersecurity software that can detect and block phishing sites, regardless of how authentic they look.
- Be skeptical of time-limited or urgent requests, especially those involving payment or wallet access.
Kaspersky emphasizes that education and awareness are the first line of defense in an increasingly deceptive threat landscape.
