Crypto scam alert: 5 must-know details on the Google Forms fraud flagged by Kaspersky

A new scam campaign targeting cryptocurrency users has surfaced, leveraging the legitimacy of Google Forms to deliver deceptive, crypto-focused phishing. Researchers warn that attackers are exploiting trusted infrastructure to trigger fake confirmation emails, disguising malicious activity as a routine crypto transaction alert. Victims are lured through urgent messages that imitate legitimate exchange notifications, directing them to fake sites where they are asked to contact “blockchain support” and pay a small cryptocurrency commission in order to receive a bogus transfer. The scheme works, in part, because the messages present themselves as coming from a familiar, credible source, which lets them bypass traditional spam filters. This combination of a real Google-based entry point, a polished user interface, and persuasive wording creates a convincing trap for even careful users. Below, we unpack the mechanism, the risks, and the steps users can take to defend themselves against this evolving threat.

How the scam unfolds: a step-by-step breakdown of the attack flow

The campaign begins with a seemingly harmless engagement: a fake Google Forms confirmation. Attackers set up a form that requires minimal user input, typically limiting the field to the user’s email address. The form is designed to trigger automated confirmation emails, which are crafted to appear as though they originate from Google or are directly linked to legitimate Google Forms activity. This initial step relies on the audience’s expectation that Google Forms confirmations are routine and benign, which lowers the guard and invites engagement with the message. The form itself is presented in a way that looks professional and trustworthy, leveraging Google’s well-known brand recognition to create a sense of legitimacy. By starting with what appears to be a standard, harmless action, criminals lay a subtle foundation of trust that makes subsequent steps more convincing.

Once the form submission goes through, the recipient receives an email that mimics the structure and appearance of a crypto exchange notification. The phishing email is carefully engineered to resemble legitimate communications from a cryptocurrency exchange. It contains a narrative about a pending crypto payout and emphasizes a deadline or “offer expiry” to create a sense of urgency. This manufactured urgency is a classic tactic designed to compel immediate action, steering recipients toward the next step before they take time to verify the source. The message often references standard exchange terminology and uses familiar language to evoke credibility, further reducing skepticism and encouraging recipients to proceed.

If the recipient clicks the link embedded in the email, they are directed to a counterfeit site that imitates a real crypto transaction platform. On this scam site, victims are prompted to contact a supposed “blockchain support” service and to make a small commission payment in cryptocurrency in order to receive the fake transfer. The site is designed with realistic visuals, navigation patterns, and prompts that resemble legitimate platforms, increasing the likelihood that users will feel they are on a trusted page. The stated objective is to initiate a legitimate-looking transfer, but the entire transaction is fabricated, with the attackers ultimately seeking to gather funds from the victim and exit with the stolen cryptocurrency.

Crucially, if the user proceeds with the advertised steps, the attack can result in a direct loss of funds. Crypto transfers are typically irreversible, so even a seemingly small payment can lead to a significant financial hit. The scam is structured to maximize the chance of a successful theft by exploiting user desire for a quick payout and the fear of missing out on a time-limited opportunity. The more the victim externalizes control—transferring funds to a third party or to a supposed support desk—the greater the probability of a successful breach of trust. The attacker’s narrative is crafted to be believable by aligning with the day-to-day experiences of crypto traders who routinely encounter transaction prompts and support interactions.

Throughout this flow, the campaign relies on human psychology as much as technical deception. It uses the user’s familiarity with Google Forms and crypto exchange interfaces to create a cognitive shortcut that bypasses the usual caution that accompanies unfamiliar or suspicious messages. The sequence is purposeful: begin with a familiar form, move to a familiar-looking alert, and culminate in a credible-sounding assistance channel that asks for a small payment.

Finally, the scam is reinforced by a credible illusion of legitimacy: because the initial email appears to originate from a Google domain, it often passes through common filters and reaches the recipient’s inbox unchallenged. The combination of a trusted branding cue, plausible content, and a compact, single-input form makes the overall attack seem routine and non-threatening. The attackers exploit this sense of familiarity to lower the recipient’s defenses, which increases the chances that the recipient will engage with the fraudulent site and, eventually, hand over cryptocurrency.

This sequence is designed to be repeatable and scalable. With millions of potential targets in the cryptocurrency space, attackers can deploy multiple variations of the same approach, tweaking the wording, the form content, and the scam page to align with evolving trends in crypto trading and payments. The scalability of this method is what makes it particularly pernicious: once a working template is established, it can be translated into multiple languages, diversified across regions, and adapted to mimic different exchanges or wallets, widening the net and increasing potential victims while remaining relatively easy to operationalize.

In summary, the attack chain begins with a fake Google Form confirmation, moves through a faux crypto-exchange notification, leads to a counterfeit transactional site, and finishes with a request for a small crypto payment to unlock a supposed transfer. The design is purpose-built to blend into everyday crypto activity, manipulating urgency, trust, and perceived legitimacy to drive users toward a fraudulent outcome. The strategic use of Google Form infrastructure, coupled with convincingly crafted emails and a realistic scam site, makes this campaign a clear threat to cryptocurrency holders and to anyone who interacts with crypto-related messages that arrive via email.

The abuse of Google Forms and trusted infrastructure: the behind-the-scenes mechanism

This attack hinges on the perceived legitimacy conferred by Google Forms and the broader Google ecosystem. Attackers exploit the common user assumption that Google Forms is a safe, standard tool for information collection and feedback. By presenting a fake confirmation that appears to originate from a Google domain, they exploit trust signals that many people associate with legitimate Google processes. The email, although not officially sent by Google, leverages the familiar framing, typography, and layout that users associate with official communications from Google Services. The result is a compelling impression of authenticity, which lowers skepticism and raises the likelihood of engagement with the malicious content.

A key element of the campaign is that the form typically contains only a single input: the user’s email address. This minimal data requirement reduces friction for the victim and streamlines the data collection process for the attacker. The simplicity of the form also minimizes the chance of user suspicion, because a straightforward email capture seems harmless and routine. The form’s design draws on a widely recognizable user interface, making it appear ordinary rather than suspicious. This is essential for lowering resistance and encouraging recipients to submit their information, which then triggers the sequence that unfolds through the follow-up email communications.

The automated confirmation emails that follow are crafted to look like legitimate confirmations from Google or related services. The use of legitimate-looking sender domains and email formatting contributes to a sense of authenticity. The spoofed appearance of the email is intended to mimic standard, non-threatening notification workflows that people encounter in their daily use of digital services. This tactic leverages the assumption that messages from a Google-affiliated form are safe, which is precisely the lie that the attackers want the victims to believe.

Furthermore, because the email is framed as a standard Google Form notification, it can slip past casual checks that users might perform. Many people review the content of the message and assume that the sender is trustworthy due to the familiar branding cues. This trust is exploited to move recipients toward the next stage of the attack: a click on a link that leads to a counterfeit cryptocurrency platform. The deception is reinforced by the consistent use of familiar design elements, including color schemes, typography, and general layout, which collectively create a seamless illusion of legitimacy.

From a defensive perspective, the abuse of Google Forms indicates a broader vulnerability: the line between legitimate platform usage and malicious exploitation can be blurred when attackers leverage widely used tools. To mitigate this, security teams advise heightened scrutiny of messages that use well-known brands in the absence of independent verification. They also recommend reinforcing user awareness about the possibility of legitimate-looking forms that request minimal information but initiate a chain of harmful interactions.

The campaign’s success is partly attributed to the fact that the authentic technical infrastructure used by Google Forms is robust and commonly trusted. A message that appears to originate from a Google domain benefits from this trust, which reduces the probability that the recipient will question the message’s legitimacy. Attackers’ ability to craft convincing emails with a Google-based identity underscores the importance of maintaining skepticism toward any unsolicited notification that requests action, even when it seems to come from a reputable source. This reality emphasizes the need for continuous user education about phishing tactics and for the deployment of security controls that can identify anomalies beyond superficial branding cues.

In short, the attackers’ strategy hinges on exploiting the inherent trust in Google Forms and the associated Google ecosystem. By playing on users’ familiarity with everyday digital tools, they create a plausible pathway from a normal-looking form submission to a dangerous phishing sequence. The result is a campaign that feels legitimate, obfuscates malicious intent behind a veneer of trust, and thereby increases the attacker’s chances of extracting funds from unsuspecting cryptocurrency users.

The red flags: identifying suspicious patterns in this Google Forms-based scam

Several telltale signs emerge when examining this campaign, and recognizing them can help potential victims avoid falling prey to the deception. First, the initial contact often revolves around a fake Google Forms confirmation. Even though Google Forms is a legitimate tool, the claim of a “confirmation” for a crypto transaction may be unusual or unexpected for many users. Caution is warranted if a notification arrives that seems to originate from a Google Forms process but is not part of an ongoing, authenticated transaction with a recognized exchange or wallet. The context around the form’s usage is crucial; if a recipient did not recently interact with a crypto transaction or with a Google Form tied to a crypto event, that should raise suspicion.

Second, the phishing email itself is crafted to mimic crypto exchange notifications. Look for deliberate urgency cues such as statements about a pending payout and an expiration time. These urgency signals are a classic feature of phishing attempts, designed to push recipients into action before they have a chance to verify. While legitimate exchanges may send notifications about transactions, a sudden alert that pushes a time-sensitive link without prior activity should be treated with caution. The presence of the word “expires” or similar time-bound language is a red flag that warrants additional verification steps before any action is taken.

Third, the link within the email points to a site that imitates a crypto transaction platform. The page’s appearance, navigation flow, and tone should be scrutinized for inconsistencies. The page may offer a way to contact “blockchain support” and request a small cryptocurrency payment as a condition to receive a transfer. Such a request is inherently suspicious, since legitimate transfers do not require payments to external support services to release funds. The use of a fake support channel is a central feature of the scam’s social-engineering approach, designed to create a sense of legitimacy after the user has already interacted with the fake form and the fake email.

Fourth, the email’s technical source can be deceptive. Because the message is designed to appear as though it comes from a Google domain, it can pass through routine spam filters with less friction. The combination of a familiar sender domain and an attractive design makes it more likely that the recipient will open the message and engage with the link. This blending of authenticity cues—brand familiarity, polished visuals, and a supposed transaction narrative—can be enough to bypass casual checks and encourage misdirected actions.

Fifth, the content emphasizes a “free crypto” promise paired with a payment requirement. The strategic framing of “free” or “bonus” crypto is often used to lure recipients into paying a nominal amount up front, which in crypto terms can translate into immediate, irreversible loss. The tactic hinges on the perception of an opportunity that must be seized quickly, because delay could mean missing out on a supposed payout. The combination of a free-claim illusion and a subsequent payment instruction creates a powerful incentive to move forward without proper verification.

Finally, some red flags pertain to the content’s authenticity itself. If the form content or the linked page lacks standard security markers, presents inconsistencies in branding, or omits verifiable contact information for a legitimate organization, these should prompt a halt. While the attacker’s objective is to mimic legitimate channels, gaps in consistency—such as unusual form questions, atypical design elements, or discrepancies between the source of the email and the landing page—can indicate a fraudulent operation.

In practical terms, these red flags translate into a straightforward set of checks for users. Do not trust messages that arrive from sources you did not expect or that claim to be from a familiar platform in an unanticipated context. Verify the form’s origin by visiting the official website or app directly rather than clicking through email links. Inspect the domain and the sending address closely, looking for subtle inconsistencies that reveal spoofing. If a message promises a “free” crypto payout but requires payment to claim it, treat it as highly suspicious. When in doubt, consult official sources, enable multi-factor authentication on crypto accounts, and use security tools that can block fraudulent sites and detect phishing patterns.
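
The red flags listed above can also be checked mechanically, for example at a mail gateway. The following Python code is an added example, not code from Kaspersky or from the original article; the sample messages, keyword patterns, trusted-domain list and scoring thresholds are all assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: domains treated as "the trusted platform" for this check.
TRUSTED_PLATFORM_DOMAINS = ("google.com",)

# Keyword patterns are illustrative assumptions, not a vendor rule set.
URGENCY = re.compile(r"\b(expir\w*|deadline|last chance|act now)\b", re.I)
PAYOUT = re.compile(r"\b(payout|transfer|withdrawal|bonus)\b", re.I)
CRYPTO = re.compile(r"\b(crypto\w*|bitcoin|btc|eth|usdt|wallet)\b", re.I)
FEE = re.compile(r"\b(commission|fee|pay|payment)\b", re.I)
SUPPORT = re.compile(r"blockchain support", re.I)
URL = re.compile(r"https?://[^\s<>\"')]+", re.I)

# Constructed sample messages (not captured mail); all addresses are placeholders.
SCAM_SAMPLE = """\
From: Google Forms <notifications@google.com>
To: user@example.org
Subject: Your response: Transaction confirmation
Content-Type: text/plain; charset=utf-8

Thanks for filling out this form.
Your payout of 1.2 BTC is pending. This offer expires in 24 hours.
To receive the transfer, contact blockchain support and pay the
network commission here: https://payout-desk.example/claim
"""

BENIGN_SAMPLE = """\
From: Google Forms <notifications@google.com>
To: user@example.org
Subject: Your response: Team lunch survey
Content-Type: text/plain; charset=utf-8

Thanks for filling out Team lunch survey.
Edit your response: https://docs.google.com/forms/d/e/EXAMPLE/viewform
"""


def host_under(host, base):
    """True if host equals base or is a subdomain of it."""
    host = (host or "").lower().rstrip(".")
    return host == base or host.endswith("." + base)


def on_trusted_platform(host):
    return any(host_under(host, d) for d in TRUSTED_PLATFORM_DOMAINS)


def body_text(msg):
    """Concatenate the decoded text parts of a message."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True) or b""
            charset = part.get_content_charset() or "utf-8"
            chunks.append(payload.decode(charset, "replace"))
    return "\n".join(chunks)


def red_flags(raw):
    """Return the red flags from the article that a raw message matches."""
    msg = message_from_string(raw)
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    text = msg.get("Subject", "") + "\n" + body_text(msg)
    link_hosts = {urlparse(u).hostname for u in URL.findall(text)}
    flags = []
    if on_trusted_platform(sender_domain):
        flags.append("trusted_platform_sender")
    if CRYPTO.search(text) and PAYOUT.search(text):
        flags.append("crypto_payout_narrative")
    if URGENCY.search(text):
        flags.append("urgency_or_expiry")
    if FEE.search(text) and PAYOUT.search(text):
        flags.append("fee_to_release_funds")
    if SUPPORT.search(text):
        flags.append("blockchain_support_contact")
    if any(h and not on_trusted_platform(h) for h in link_hosts):
        flags.append("link_leaves_sender_platform")
    return flags


def verdict(raw):
    """Assumed policy: quarantine when a trusted-platform sender carries
    three or more content flags; review on two or more; else deliver."""
    flags = set(red_flags(raw))
    content = flags - {"trusted_platform_sender"}
    if "trusted_platform_sender" in flags and len(content) >= 3:
        return "quarantine"
    return "review" if len(content) >= 2 else "deliver"


if __name__ == "__main__":
    for name, raw in (("scam", SCAM_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, verdict(raw), red_flags(raw))
```

The sender check is deliberately not treated as a sign of safety: as described above, these messages arrive with a Google-domain sender, so the content and link checks carry the decision.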

The financial risk and potential consequences for victims

The consequences of this scam extend beyond a single stolen payment. When victims are induced to transfer cryptocurrency to an attacker’s controlled address, they may experience permanent loss of funds. Crypto transactions are often irreversible, meaning that once the transfer is completed, there is little chance of recovery. The emotional impact of such losses can be significant, including stress, anxiety, and a sense of violation that extends into broader concerns about digital security and privacy.

In addition to direct financial loss, victims may incur secondary costs. They could face identity exposure if attackers harvest personal data from the form submission, which might be used for further social engineering or targeted attacks. The compromised accounts associated with the victim’s email or exchange could experience unauthorized access or attempts at credential theft, especially if the same credentials are reused across multiple services. The attack also contributes to a general erosion of trust in digital communications and online platforms, particularly in contexts that involve automation, forms, and notifications that users have grown accustomed to treating as trustworthy.

Another layer of risk involves the potential for attackers to tailor subsequent campaigns using the data collected in the form. Even if the initial form only asks for an email address, the stolen email address can become a foothold for future phishing attempts or other fraudulent schemes. The broader implication is that attackers are cultivating a pipeline of highly plausible targets by harvesting contact information through seemingly innocuous channels. This creates a dangerous cycle in which compromised data feeds into more sophisticated fraud attempts, increasing the potential harm to a wider audience of cryptocurrency users.

From a security perspective, the incident illustrates why robust defenses are necessary across multiple layers. End-users must remain vigilant for signs of deception, especially when familiar tools and brands are involved. Organizations that operate crypto platforms or services should emphasize user education and implement defensive controls that can detect unusual transaction prompts, unsolicited forms, and suspicious redirect behavior. The convergence of social engineering and technical spoofing exemplified by this campaign underscores the need for an integrated approach to cybersecurity that spans awareness training, technical controls, and incident response planning.

Ultimately, the goal of the attacker is to convert trust into financial gain, exploiting the standard workflows and notifications that users associate with legitimate crypto activity. The risk is not limited to any single region or platform; it reflects a broader phenomenon in which cybercriminals adapt to the most trusted tools and channels in order to maximize the likelihood of successful fraud. Understanding this risk, recognizing the red flags, and applying a consistent, evidence-based set of protective practices are essential steps for individuals and organizations aiming to reduce exposure to this and similar schemes in the evolving crypto landscape.

Expert guidance and practical defense recommendations from Kaspersky

Security researchers at Kaspersky have highlighted the campaign as a clear demonstration of how attackers cleverly manipulate a trusted platform to facilitate fraud. Andrey Kovtun, who leads the Email Threats Protection group at Kaspersky, underscores the sophistication of this approach and its potential to mislead even experienced users. The expert commentary emphasizes the tactical use of a familiar infrastructure and brand signals to create a credible phishing narrative. The overarching message is that trust in well-known platforms can be exploited to lower vigilance and increase the chances of successful fraud. This underscores the necessity for continuous user education and strengthened technical safeguards.

Kaspersky’s recommendations center on practical, actionable steps that users can implement to reduce risk and improve resilience against this type of attack. The guidance includes:

  • Avoid clicking on unexpected links or engaging with unfamiliar forms that prompt data submission, especially when the form’s source is ambiguous or not directly connected to a known security event or transaction.

  • Watch for suspicious details in content that resembles Google Forms or other trusted interfaces. Even familiar-looking forms may be crafted to capture sensitive information or redirect victims to fraudulent sites.

  • Use reliable security tools and browser defenses to block access to fraudulent or counterfeit sites. Implementing up-to-date security software, phishing filters, and domain reputation checks can help prevent access to deceptive landing pages.

  • If an email promises a free crypto payout but requests a payment or fee to release the funds, treat it as a high-risk phishing attempt. Such patterns are common indicators of fraud and should trigger caution and verification.

  • Always verify the source through independent channels. Do not rely solely on the email or form content to confirm legitimacy. When in doubt, contact the exchange or platform through official channels, rather than following links embedded in unsolicited messages.

  • Maintain a habit of skepticism when dealing with urgent prompts that pressure action. Delays that allow verification steps can significantly reduce the chances of falling for a scam.

  • Enable and enforce strong security practices on crypto accounts, including multi-factor authentication (MFA), hardware wallets where appropriate, and routine monitoring of transaction activity for any unusual or unauthorized withdrawals or transfers.

  • Encourage the use of cautionary routines that treat any unexpected crypto-related request with caution, especially if it involves sending funds, paying a fee, or sharing access details.

Kaspersky’s assessment reinforces the idea that the campaign leverages a “trusted platform” to facilitate deception, which means the onus is on users and organizations to recognize and mitigate this risk through disciplined practices, robust technical controls, and proactive threat intelligence. The advice aims to reduce the chance that someone will engage with the fraudulent flow by slowing down the decision-making process, increasing verification, and leveraging tools that can block or flag suspicious activity before funds are dispersed.

In addition to individual user precautions, organizations can adopt several defensive measures to curb the impact of this trend. Implementing domain-level email authentication, including SPF, DKIM, and DMARC, can help ensure that messages claiming to be from a trusted domain actually originate from authorized sources. While attackers may attempt to spoof domain names, strong authentication practices can raise the bar for what is considered trustworthy. Security teams should monitor for anomalies in email patterns, unusual form submissions, and unexpected redirects to counterfeit sites, and should deploy automatic alerts or blocks when suspicious activity is detected. User education remains a cornerstone of defense: ongoing awareness campaigns that explain how phishing campaigns operate, what red flags look like, and how to verify sources can significantly reduce susceptibility.

The broader implication of this campaign is that trusted platforms—whether Google Forms, email services, or exchange interfaces—can be repurposed for social engineering. Defenders must treat these channels as potential attack surfaces and implement end-to-end protective measures that combine user education, technical controls, and incident response readiness. By integrating these strategies, individuals and organizations can improve their resilience against similar scams that exploit trust, urgency, and familiar design cues to extract value from unsuspecting victims.

Practical steps for users: how to defend against Google Forms-based crypto scams

To minimize risk and strengthen personal security in the face of campaigns like this, users should integrate a layered defense strategy into their routine when dealing with crypto-related messages and forms. The following practical steps, grounded in the guidance from Kaspersky and consistent with best practices for phishing defense, offer a concrete roadmap for protection:

  • Stop and verify before acting: If you receive an email or form notification about a crypto transaction, resist the impulse to click through immediately. Take a moment to assess whether the message aligns with your recent activity and whether the source is recognizable and trustworthy.

  • Inspect sender details carefully: Look closely at the sender address, the domain, and any visible metadata. Be cautious of subtle misspellings, unusual subdomains, or domains that closely resemble legitimate brands but are technically distinct.

  • Hover and inspect links without clicking: Hover over any link in the message to preview the destination URL. If the landing page seems unfamiliar or is hosted on a dubious domain, avoid clicking. Even when the link appears legitimate, the destination should be verified through independent means.

  • Verify through official channels: If a message purports to be related to an exchange or wallet, independently check the official app or website for any notifications or status updates. Do not rely on information contained within a link or form presented in an unsolicited email.

  • Be cautious with forms requesting minimal data: While simple forms can be legitimate, treat any form that asks for sensitive data or payment-related steps with heightened scrutiny. A form that requests only an email address may still be legitimate in some contexts, but it can be a prelude to a follow-up attack, so err on the side of caution.

  • Employ multi-factor authentication (MFA) for crypto accounts: MFA adds an essential layer of protection, reducing the risk that stolen credentials or compromised sessions can be abused to authorize transfers.

  • Monitor transactions actively: Regularly review wallet activity, exchange accounts, and any linked payment methods for signs of unauthorized transactions. Early detection can enable faster response and potential recovery.

  • Use reputable security tools and browser protections: Ensure that you have up-to-date antivirus software, phishing filters, and browser security features enabled. Consider enabling site reputation checks and anti-phishing alerts within your browser or security suite.

  • Block suspicious sites and domains: If you encounter a counterfeit crypto platform or scam site, report it and add it to your security tools’ block lists. An active defense against such sites reduces exposure for you and others.

  • Share awareness and report incidents: If you encounter or fall victim to this campaign, report it through appropriate channels and share information with your network to prevent others from being targeted. Collective awareness helps reduce the campaign’s effectiveness and contributes to a safer online community.

Users should internalize that legitimate-sounding notifications do not guarantee safety. The combination of fake Google Forms, credible-looking emails, and convincing scam sites forms a potent threat vector. By applying these practical measures consistently, individuals can significantly reduce their vulnerability to this style of phishing and protect their crypto assets from fraudulent schemes.

Wider context: the evolving threat landscape for crypto-related phishing

This Google Forms-based scam fits into a broader pattern of cybercriminals increasingly weaponizing trusted online tools to facilitate fraud. The crypto space has long been a target due to the irreversible nature of many crypto transfers and the highly valuable assets involved. Attackers adapt quickly, crafting campaigns that feel familiar to users who interact with digital payments, wallets, and exchange platforms on a daily basis. The use of a widely used form tool, such as Google Forms, represents an escalation in the attackers’ ability to leverage legitimate infrastructure for malicious ends, reinforcing the need for constant vigilance and adaptive defense strategies.

The threat landscape emphasizes the importance of layered security that combines user education, strict technical controls, and proactive threat intelligence. As attackers refine their social engineering techniques, defenders must stay ahead by understanding the psychological levers used in these campaigns—the sense of urgency, the promise of a payout, and the perceived legitimacy of familiar brands. The convergence of these tactics with genuine technical channels increases both the reach and the impact of phishing campaigns, posing ongoing challenges for individuals and organizations in the crypto ecosystem.

Security researchers consistently remind users that no single measure provides complete protection. A robust approach requires continuous awareness, verification, and the adoption of best practices across devices and networks. This includes staying informed about new scam patterns, applying updates promptly, and integrating security tools that can detect and block suspicious activity in real time. The goal is not only to respond to incidents but to prevent them, by reinforcing healthy habits, promoting critical scrutiny of unsolicited messages, and maintaining strong identity protection across all crypto-related activities.

Conclusion

The campaign identified by Kaspersky represents a sophisticated use of trusted infrastructure to facilitate crypto phishing. By combining a fake Google Forms confirmation, a convincingly styled, time-sensitive email that mimics crypto exchange notifications, and a counterfeit landing page that pushes a small cryptocurrency payment to unlock a supposed transfer, attackers exploit cognitive biases and brand trust to harvest funds. The stealthy bypass of spam filters through the appearance of a Google-domain sender underscores the risk posed by seemingly legitimate platforms being repurposed for fraud. The attackers’ reliance on urgency, familiar design cues, and a “blockchain support” narrative highlights a tailored approach to social engineering that can deceive even cautious users.

To defend against this evolving threat, individuals should avoid clicking unexpected links or engaging with unfamiliar forms, especially when the content relates to crypto transactions or payouts. Users should verify sources through official channels, scrutinize sender details and link destinations, and rely on robust security tools to block fraudulent sites. Andrey Kovtun, who leads the Email Threats Protection group at Kaspersky, notes the campaign’s cunning exploitation of a trusted platform, reinforcing the need for sustained vigilance and proactive security practices. By combining user awareness with technical safeguards, the crypto community can reduce susceptibility to such scams and protect assets from these increasingly sophisticated fraud schemes.
