May 9, 2026

Platform Abuse: Why Scammers Love Google Forms and Drive

A link starting with google.com isn't always safe. Here is how scammers abuse trusted platforms like Google and Microsoft to hide their phishing attacks.

One of the most common pieces of advice in cybersecurity is "Check the domain." But what happens when the domain is `google.com` or `microsoft.com`?

A growing trend identified in our recent scan data is Platform Abuse. This is where scammers use free, legitimate services like Google Forms, Google Drive, Microsoft Forms, and Dropbox to host their phishing attacks.

Because these links come from "trusted" sources, they often bypass email security filters and lower the guard of the recipient.

Why Scammers Use Google Forms

Scammers use Google Forms (`forms.gle`) for several reasons:

1. Trust by Association: Users see a "Google" URL and assume the content is safe.
2. No Cost: It is free and easy to create dozens of forms in minutes.
3. Bypassing Filters: Many automated security tools allow links to `google.com` by default.
4. Mobile Friendly: Google Forms look perfect on mobile devices, where many people do their quick "scan and click" browsing.

Common Platform Abuse Scenarios

1. The Fake Job Application

You receive a message about a "High Pay, Remote" job. To apply, you are asked to fill out a Google Form. The form asks for:

  • Your full name and address
  • Your Social Security Number (SSN)
  • A photo of your ID
  • Your bank details for "payroll setup"

The Reality: A legitimate company will almost never use a free Google Form for their HR onboarding or to collect sensitive tax and banking documents.

2. The Internal "Security Alert"

You get an email claiming to be from your IT department or a service like Microsoft. It says your account is locked and you must "Verify Your Credentials" via a link. The link takes you to a Google Form designed to look like a login page.

The Reality: Google Forms are meant for surveys and data collection, not for account authentication. Any form asking for your password is a scam.

3. The Shared "Document" Phishing

You receive a notification that someone has shared a file with you on Google Drive or OneDrive. The file is usually a PDF or a Word document. When you open it, there is a button that says "Click here to view the full document."

The Reality: The button leads to a fake login page on an external site. The scammers used the trusted notification from Google/Microsoft to get you to open the "door" to their phishing site.

How to Spot Platform Abuse

Check the "Context" vs. the "Platform"

If a multi-billion dollar company like Amazon or Netflix is contacting you, they will host their forms and login pages on their own official domains (e.g., `amazon.com`). They will not send you to a free `forms.gle` survey.

Look for the "Report Abuse" link

Every Google Form has a small "Report Abuse" link at the bottom. If you are suspicious, you can use this to notify Google that the form is being used for phishing.

Never provide passwords or IDs

This is the golden rule. No matter how official the form looks, never enter your password, 2FA codes, or photos of your passport into a public survey tool.
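
The context-versus-platform check above can be written as a mail-triage rule. This is an added example, not code from the article or from IsThisSpam; the host list and keyword list are assumptions and are not exhaustive.

```python
import re
from urllib.parse import urlsplit

# Assumed, non-exhaustive list of hosts that serve user-created content.
USER_CONTENT_HOSTS = {
    "forms.gle": "Google Forms",
    "docs.google.com": "Google Docs/Forms",
    "drive.google.com": "Google Drive",
    "forms.office.com": "Microsoft Forms",
    "1drv.ms": "OneDrive",
    "www.dropbox.com": "Dropbox",
}
# Assumed keyword list drawn from the scenarios in the article.
HIGH_RISK = re.compile(
    r"password|credential|2fa|verification code|social security|\bssn\b"
    r"|bank details|photo of your id|passport|account is locked",
    re.IGNORECASE,
)
URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)


def triage(message: str) -> list[dict]:
    """Return one finding per link that sits on a user-content platform."""
    asks = sorted({m.group(0).lower() for m in HIGH_RISK.finditer(message)})
    findings = []
    for url in URL_RE.findall(message):
        host = (urlsplit(url).hostname or "").lower()
        platform = USER_CONTENT_HOSTS.get(host)
        if platform is None:
            continue  # not hosted on a listed platform; other checks apply
        findings.append({
            "url": url,
            "platform": platform,
            "high_risk_terms": asks,
            # A trusted host plus a request for secrets is the mismatch.
            "verdict": "suspicious" if asks else "review",
        })
    return findings


# Constructed sample message, modelled on the "Security Alert" scenario.
SAMPLE = (
    "IT Helpdesk: your account is locked. Verify your password here: "
    "https://forms.gle/EXAMPLE123 or visit https://intranet.example.com/help"
)

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f["verdict"], f["platform"], f["url"], f["high_risk_terms"])
```

The rule keys on the full hostname rather than the registered domain, so a filter that allows `google.com` by default still gets a finding for the form link.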

Summary

A "trusted" URL is not the same as "trusted" content. Scammers are experts at hiding behind the reputation of big tech companies. If you see a Google Form asking for anything high-risk, stop and verify the request through an official channel first.

Stop Guessing. Know if it's a scam instantly.

Join thousands of users who trust IsThisSpam to automatically analyze suspicious emails, links, and messages before they do any harm.
