Since its launch in 2008, Google Forms has established itself as one of the most widely used tools for creating online surveys and forms. Free, accessible and backed by one of the world's largest technology companies, the platform has gained a huge market share and is estimated to hold about 50% of the sector globally. However, that same success has made it a preferred target for cybercriminals, who have found in it an ideal vehicle for their fraud and information-theft campaigns.
Cybersecurity experts warn that the characteristics that make Google Forms such an attractive solution for users – it is free, easy to use and looks legitimate – are also exploited by attackers to generate fraudulent content that evades many conventional protection measures. According to ESET, cybercriminals use fake forms that mimic banks, universities or social networks, with the aim of capturing credentials or bank data, or even distributing malicious software.
“These attacks are a clear example of how cybercriminals take advantage of trusted tools to strengthen the appearance of legitimacy of their campaigns,” warns Josep Albors, director of Research and Awareness at ESET Spain. “The popularity of a service does not guarantee its safety. It is essential to combine prevention with multilayered security solutions.”
New tactics: from classic phishing to covert vishing
The repertoire of malicious techniques has evolved beyond traditional phishing. One of the most worrying variants is so-called callback phishing, in which the form simulates a notification of a suspicious charge and urges the user to call a fraudulent customer service number. On the other end of the line, an operator manipulates the victim into giving up sensitive data or making improper transfers.
A trusted platform, used for malicious purposes
ESET has also detected growing abuse of the Google Forms “quizzes” feature, in which victims' email addresses are entered into apparently harmless quizzes. When the grades are released, personalized messages are sent with links that redirect to fake pages or download malicious files.
Real cases and key recommendations
Campaigns such as the well-known “Bazarcall” have used this type of form to impersonate popular brands such as Netflix or PayPal, notifying victims of false charges to provoke impulsive reactions. Attacks aimed at educational institutions have also been identified, especially in the United States, with the aim of stealing university credentials and financial data.
Faced with this situation, ESET insists on the need to exercise extreme caution and follow good cybersecurity practices: use unique and complex passwords, activate multifactor authentication, distrust urgent messages that arrive by email and, at the slightest suspicion, check the affected accounts, change passwords and contact the banks involved.
Google, meanwhile, includes visible warnings in its forms – such as the notice not to enter passwords – but experts agree that the ultimate responsibility falls to user education.