Kaspersky researchers have flagged a new scam campaign that targets cryptocurrency users by abusing Google Forms. The attackers use Google's own infrastructure to deliver a genuine Google notification to the victim, then steer them toward a fraudulent site and a crypto payment. The scam hinges on three pieces: a Google Forms confirmation whose text the attacker controls, emails styled as crypto exchange alerts, and a bogus “blockchain support” workflow that extracts a small crypto payment. It shows how criminals exploit familiar platforms to deceive even cautious users, and why anyone handling digital assets should verify money-related messages through an independent channel.
The scam starts with a fake Google Forms confirmation
The first step in this campaign uses an ordinary, free tool that many people rely on for surveys and data collection: Google Forms. The attackers create a form that serves as the trigger for the phishing sequence. It is deliberately minimal, often containing only a single field for an email address, and is dressed up to look like a transaction confirmation from a recognized platform.
What makes this tactic particularly effective is the perceived legitimacy of Google Forms. Because the tool is widely trusted and commonly used by businesses, students, and professionals, victims may overlook subtle warning signs that the form is not part of any legitimate exchange process. The attackers do not hide behind obfuscated interfaces; instead, they rely on the familiar look and feel of a Google-hosted form to lower user suspicion. In many cases, the form is distributed through phishing emails or other deceptive channels that reference crypto transactions in a way that invites urgency and action.
From a technical perspective, the form's value lies in what Google does after a submission. When a form is configured to send responders a copy of their response, Google delivers a receipt email to whatever address was entered, and that receipt carries the form's title and text, which the attacker wrote. The message therefore does not merely appear to come from Google; it is sent by Google's own mail infrastructure and passes the usual sender checks. The recipient, expecting a routine confirmation, may let their guard down and proceed to the next stage. This blends social engineering with legitimate infrastructure, creating a convincing prelude to the fraud.
The user-facing details follow from this mechanism. The form is sparse, with little context beyond the email field, so there is nothing on it to contradict the story the receipt tells. The receipt arrives as a Google-generated confirmation, which disarms the caution an unfamiliar or opaque sender would trigger. At this stage the attackers want only a target address that Google will mail on their behalf; that receipt is the entry point for the subsequent phishing communications. The risk is amplified because many users, and many filters, judge safety by sender reputation and familiar branding, which is exactly the signal this scam borrows.
The form is rarely used on its own. Attackers typically pair it with phishing emails that reference a crypto payout and press for action before verification. The combination of a Google-branded frame with a money narrative makes it likely that the recipient engages further without due diligence. The fake Google Forms confirmation is the gateway that makes the following steps seem plausible, because the victim has already seen a trusted platform used in the context of a financial transaction.
Protection and awareness strategies for this stage emphasize skepticism toward any unsolicited form that requests personal information or confirmation of a financial event. Users should treat unfamiliar Google Forms with caution, verifying the source through independent channels before providing any data. Security-conscious individuals may enable stricter email filtering and phishing detection settings, and organizations can educate teams to recognize that even trusted tools can be misused in a phishing chain. The overarching lesson is clear: a trusted interface does not guarantee a legitimate intent, and skepticism is a valuable first line of defense when dealing with cryptocurrency-related messages.
Emails mimic crypto exchange notifications
Following the initial contact via the fake Google Form, the attackers pivot to the main phishing vector: emails crafted to resemble legitimate cryptocurrency exchange notifications. The phishing messages are meticulously designed to imitate the look and feel of official alerts from real exchanges. The objective is to persuade recipients that a transaction is pending and that time is of the essence to claim a payout or complete a transfer.
The emails exploit a manufactured sense of urgency, often stating that a payout is pending and that the recipient must act before a stated deadline or offer expires. This urgency is a well-known psychological trigger in phishing campaigns, pushing recipients toward quick action and reducing the likelihood that they will pause to verify the message’s authenticity. The language is carefully chosen to replicate the cadence and terminology users expect from legitimate exchange communications, including references to account activity, pending transactions, and claims of security or compliance checks.
Design elements contribute to the deception as well. The messages may feature logos, color schemes, and layouts that mimic popular exchanges, alongside professional-looking formatting. Subtle inconsistencies—such as minor typographical errors, misaligned images, or slight deviations in branding—can be present, but they are often overlooked by hurried readers who focus on the overall appearance rather than the details. The impersonation is not just about visual fidelity; it also aims to leverage the recipient’s familiarity with standard crypto-presence cues, such as transaction-centric language and direct calls to action.
From a security perspective, the risk escalates when recipients attempt to verify the notification by clicking through to a purported platform. The phishing emails are crafted to lead users to a counterfeit site that already resembles an exchange page, further lowering barriers to deception. The combination of plausible branding, time pressure, and the promise of a pending payout creates a powerful lure for crypto users who want to avoid missing a potential earnings window.
Red flags in these emails include a sender or Reply-To domain that does not match the exchange's official domain, a payout the recipient never initiated, and a request to click a link to verify or claim funds. Cross-check the sender address and inspect the full headers, but read them correctly: in this campaign the authentication results show a pass for google.com, which proves only that Google sent a form receipt, not that its contents are legitimate. Look instead at where the Reply-To points and where the links actually lead, and navigate to the exchange's official site directly rather than following links in unsolicited messages. Be wary of any page that asks for sensitive information or a payment before releasing funds. Legitimate exchanges rarely ask users to claim a payout or confirm a pending transfer by clicking through from an email; treat any exception as something to verify independently.
In this stage, the attackers rely on the victim’s expectation of legitimate exchange activity and their muscle memory of typical alert formats. The risk is that even seasoned users, who are accustomed to receiving transactional notifications, can be misled by a careful balance of familiar branding and urgent call-to-action language. The best defense is a disciplined verification process: do not trust embedded links, manually enter the exchange’s official URL into a browser, and confirm any payout or transfer with the official channels provided by the exchange. Maintaining skepticism toward unsolicited alerts and adopting a policy of direct verification rather than reaction will significantly reduce the likelihood of falling prey to this stage of the scam.
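One way to act on the domain red flags above, and on the counterfeit-site step that follows, as an added example that is not from the article or from Kaspersky: classify each link a message asks the user to click against the exchange's official domain, catching subdomain tricks, brand names inside unrelated domains, typosquats, punycode hostnames and open redirects off a real domain. The domain exampleexchange.com, the short suffix list and the sample URLs are assumptions constructed for illustration.

```python
"""Classify a link from a suspected exchange notification against the
exchange's official domain.  Added example (not from the article or from
Kaspersky); 'exampleexchange.com' and the sample URLs are assumptions
constructed for illustration.
"""
from urllib.parse import parse_qs, urlparse

# Assumption: the exchange the message claims to come from owns exactly these
# registrable domains.  In practice load this from policy, never from the email.
OFFICIAL_DOMAINS = {"exampleexchange.com"}

# Simplified public-suffix handling: the last two labels form the registrable
# domain, except for a few common second-level suffixes.  A production check
# should use the full Public Suffix List.
_TWO_LEVEL_SUFFIXES = {"co.uk", "com.au", "co.jp", "com.br"}


def registrable_domain(host: str) -> str:
    """Approximate the owner-level (eTLD+1) domain of a hostname."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in _TWO_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch typosquats of the brand label."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_url(url: str) -> tuple[str, str]:
    """Return (verdict, reason) for a link the message tells the user to click."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = (parsed.hostname or "").lower()
    if not host:
        return "suspicious", "no hostname"
    if parsed.scheme != "https":
        return "suspicious", "not https"
    # Internationalised lookalikes reach the browser as punycode labels.
    if any(label.startswith("xn--") for label in host.split(".")):
        return "suspicious", "punycode (IDN) hostname"

    reg = registrable_domain(host)
    brands = {d.split(".")[0] for d in OFFICIAL_DOMAINS}

    if reg in OFFICIAL_DOMAINS:
        # Even the real domain can bounce the user elsewhere via an open redirect.
        for values in parse_qs(parsed.query).values():
            for v in values:
                target = urlparse(v).hostname
                if target and registrable_domain(target) not in OFFICIAL_DOMAINS:
                    return "suspicious", f"redirect parameter to {target}"
        return "official", reg

    # Brand name left of the registrable domain: exampleexchange.com.evil.net
    prefix = host[: -len(reg)].rstrip(".")
    if any(b in prefix for b in brands):
        return "lookalike", f"brand in subdomain of {reg}"
    # Brand name inside a domain the exchange does not own: exampleexchange-support.net
    if any(b in reg for b in brands):
        return "lookalike", f"brand name in non-official domain {reg}"
    # One or two character typo of the brand label: exampleexchanqe.com
    label = reg.split(".")[0]
    if any(edit_distance(label, b) <= 2 for b in brands):
        return "lookalike", f"typosquat of brand: {reg}"
    return "unrelated", reg
```

The registrable-domain logic is deliberately simplified; a production check should use the Public Suffix List. The edit-distance test will not catch homoglyphs built from visually similar Unicode characters, because those encode to unrelated punycode, which is why any xn-- label is flagged outright rather than compared.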
Clicking the link takes you to a scam site
If a recipient clicks the link in the phishing email, they are redirected to a counterfeit site designed to resemble a legitimate crypto transaction platform. The page is engineered to appear authentic, reproducing the visual language, layout, and navigation pathways users expect when interacting with a real exchange. The objective at this juncture is twofold: to cultivate a sense of familiarity and to compel the victim to provide sensitive information or to take action that benefits the attacker.
On this fake transaction site, victims are often directed to contact “blockchain support” and to make a small commission payment in cryptocurrency to receive a supposedly imminent, but fake, transfer. The instruction to transfer cryptocurrency to a designated address is a classic crypto scam tactic. Once the user executes this payment, the damage is typically incurred immediately, and the attackers disappear with the funds. The entire transfer becomes a fabrication, leaving the victim with a loss and no legitimate payout to recover.
The counterfeit site may also harvest credentials, such as logins for the victim's crypto wallet, email, or exchange account, or ask the user to confirm personal data that a legitimate platform would never request through such a channel. Some sites of this kind push a browser extension or a software download; the documented goal of this campaign is the commission payment, so treat extension or malware delivery as a possibility rather than confirmed behaviour here. The deception relies on familiar workflow labels such as “verify,” “authenticate,” or “confirm transfer,” which someone who recognizes these terms from real exchanges will find convincing.
To protect against this stage, users should refrain from engaging with any site that prompts an immediate payment to release funds or asks for payment in cryptocurrency to access a transfer. Independent verification is crucial: visit the exchange’s official site by typing the URL directly into the browser or use a trusted app to check the transaction status rather than following embedded links in emails. Users should also be cautious about any request to contact support via a chat or contact method provided on a landing page, especially if it involves sharing sensitive financial information or authorizing payments. If you did click through but did not enter credentials or payment, monitor your accounts closely for unusual activity and consider changing passwords and expanding security measures such as two-factor authentication across accounts.
This stage highlights the danger of relying on familiar design cues rather than performing thorough source validation. Even a well-constructed site can be an effective phishing lure if it convincingly replicates the formats and processes users expect from legitimate platforms. The core defense remains unwavering: do not input sensitive information or authorize payments on pages linked from unsolicited messages, and always verify through official, independent channels. The attackers’ success in this step depends on exploiting trust through a realistic imitation of a real crypto trading or transfer environment, and informed vigilance is essential to counter it.
The attack bypasses spam filters using trusted infrastructure
A notable and particularly troubling facet of this campaign is that it passes common spam filters because it rides on trusted infrastructure. The receipt email does not merely look like it comes from Google; it is sent by Google's mail servers, so SPF, DKIM and DMARC all pass and sender-reputation scoring sees a high-reputation domain. Filters that weight authentication and sender reputation heavily therefore let it through, and recipients who equate a google.com sender with legitimacy do the same.
This approach presents a significant hurdle for both individual users and organizations. The mere fact that the message uses a Google-hosted form or a Google-like email appearance can lull recipients into a false sense of security. It capitalizes on the assumption that a Google domain implies trustworthiness and safety. The result is a higher chance that the email will land in inboxes without triggering warning signals, allowing the attacker to proceed with the subsequent steps of the scam.
The convergence of familiarity and technical deception is central to this tactic. By combining a widely trusted platform’s branding with a phishing narrative that mimics crypto activity, the attackers create a persuasive illusion of legitimacy. This undermines users’ usual skepticism toward suspicious emails and makes it harder for standard filtering tools to flag the message as fraudulent.
Mitigation has to go beyond the sender. Users should be trained to scrutinize any communication that mentions a financial transaction, especially a crypto payout or transfer, regardless of who sent it. Security tooling should flag messages that combine a high-risk narrative with off-domain links or a Reply-To that differs from the sender, even when the sender domain is trusted. Note that SPF, DKIM and DMARC validation do not help here: they report a pass, because the message really did come from Google. The useful technical controls are content and link analysis, click-time URL scanning, and treating Google Forms receipts for forms the recipient never filled in as suspicious by default.
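The tooling point above, that authentication passes and the message must still be flagged, as an added example that is not Kaspersky's or Google's code: parse a received message, read its Authentication-Results, and score the content and links rather than the sender. The two sample messages are constructed; the sender address, the receipt wording and the mail server name are assumptions modelled on Google Forms response receipts. Classifying links against the exchange's own domain is a separate concern and is not repeated here; this block only asks whether a link leaves google.com.

```python
"""Triage a message that passed SPF/DKIM/DMARC as a genuine Google Forms
receipt yet carries a crypto-payout lure.  Added example, not Kaspersky's or
Google's code; the sample messages are constructed, and the sender address,
receipt wording and server name are assumptions modelled on Google Forms
response receipts.
"""
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample of the lure: authentication passes for google.com because
# Google really sent it, while Reply-To and the link point at attacker hosts.
LURE_EML = """\
From: Google Forms <forms-receipts-noreply@google.com>
Reply-To: blockchain-support@payout-verify.example
To: victim@example.org
Subject: Your response: Crypto Withdrawal Confirmation
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=google.com;
 dkim=pass header.d=google.com; dmarc=pass header.from=google.com
Content-Type: text/plain; charset=utf-8

Thanks for filling out Crypto Withdrawal Confirmation

Your pending payout of 1.2 BTC expires in 24 hours.
Contact blockchain support and pay the network commission to release it:
https://exampleexchange.com.payout-verify.example/claim

Email address: victim@example.org
"""

# Constructed benign receipt with the same headers and no financial narrative.
BENIGN_EML = """\
From: Google Forms <forms-receipts-noreply@google.com>
To: victim@example.org
Subject: Your response: Team Lunch Preferences
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=google.com;
 dkim=pass header.d=google.com; dmarc=pass header.from=google.com
Content-Type: text/plain; charset=utf-8

Thanks for filling out Team Lunch Preferences

Email address: victim@example.org
Preferred day: Friday
"""

AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.I)
URL_RE = re.compile(r"https?://[^\s<>\"']+")
LURE_TERMS = ("payout", "withdrawal", "commission", "btc", "crypto", "wallet", "transfer")
URGENCY_TERMS = ("expires", "24 hours", "immediately", "act now")


def _domain(addr_header: str) -> str:
    """Domain part of the first address in a From/Reply-To header."""
    return parseaddr(addr_header)[1].rpartition("@")[2].lower()


def _is_google_host(host: str) -> bool:
    return host == "google.com" or host.endswith(".google.com")


def auth_results(msg) -> dict:
    """Map method -> result from the Authentication-Results header."""
    value = " ".join(str(msg.get("Authentication-Results", "")).split())
    return {m.lower(): r.lower() for m, r in AUTH_RE.findall(value)}


def triage(raw: str) -> dict:
    """Score a raw RFC 5322 message on content and links, not on its sender."""
    msg = email.message_from_string(raw, policy=policy.default)
    auth = auth_results(msg)
    from_domain = _domain(str(msg.get("From", "")))
    reply_domain = _domain(str(msg.get("Reply-To", "")))
    part = msg.get_body(preferencelist=("plain", "html"))
    text = part.get_content() if part else ""
    low = text.lower()

    external = [u for u in URL_RE.findall(text)
                if not _is_google_host((urlparse(u).hostname or "").lower())]
    authenticated = (from_domain == "google.com"
                     and all(auth.get(m) == "pass" for m in ("spf", "dkim", "dmarc")))
    lure = [t for t in LURE_TERMS if t in low]
    urgency = [t for t in URGENCY_TERMS if t in low]
    reply_mismatch = bool(reply_domain) and reply_domain != from_domain

    findings = []
    if authenticated:
        findings.append("SPF/DKIM/DMARC pass for google.com: proves only that Google sent a form receipt")
    if reply_mismatch:
        findings.append(f"Reply-To domain {reply_domain} differs from sender {from_domain}")
    if lure:
        findings.append("financial lure terms: " + ", ".join(lure))
    if urgency:
        findings.append("urgency terms: " + ", ".join(urgency))
    if external:
        findings.append("links off google.com: " + ", ".join(external))

    # Authentication deliberately carries no weight; content and links do.
    score = sum((reply_mismatch, bool(lure), bool(urgency), bool(external)))
    verdict = "quarantine" if score >= 3 else "review" if score >= 1 else "deliver"
    return {"verdict": verdict, "score": score, "authenticated_sender": authenticated,
            "external_links": external, "findings": findings}
```

The authentication result is reported but given no weight in the score, which is the point: for this campaign it will always read pass. In a gateway this logic sits behind the authentication stage, and a quarantine verdict should route to a review queue rather than a silent drop, since genuine Google Forms receipts carry the same headers.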
The takeaway is clear: reliance on the reputation of a familiar platform is insufficient protection. The combination of a real-sounding sender address, legitimate-looking form, and a plausible financial narrative can slip past conventional filters and deceive a broad audience. Organizations and individuals should adopt a multi-layered approach to phishing defense, incorporating technical controls, user education, and robust verification practices that extend beyond branding cues and surface-level indicators.
Stay vigilant
Andrey Kovtun, who heads the Email Threats Protection group at Kaspersky, emphasizes the cunning aspect of this campaign: “the campaign demonstrates a cunning exploitation of a trusted platform.” His assessment underscores the fundamental risk of trusting well-known tools when they are misused for fraud. The phishing sequence exploits confidence in Google Forms and the broader ecosystem of online services to create a convincing pretence of legitimacy around a fraudulent crypto transaction.
Kaspersky’s guidance centers on practical, action-oriented precautions that users can implement to reduce risk. First, avoid clicking unexpected or unsolicited links, especially when they arrive via email or other direct messages. Second, watch for suspicious details in unfamiliar Google Forms content or in messages that appear to originate from trusted brands but are inconsistent upon closer inspection. Third, rely on reliable security tools that can block access to fraudulent sites and prevent credential capture. Fourth, if an email promises free crypto but asks for payment first, treat it as a scam and avoid engaging. Finally, verify the source through independent channels and never trust links blindly — even if the sender appears legitimate.
Beyond these specific recommendations, it is valuable to consider broader best practices for protecting cryptocurrency holdings from phishing and social engineering. Implement robust account security that includes two-factor authentication, hardware wallet usage where appropriate, and device-level protections such as updated antivirus and anti-malware software. Maintain a habit of cross-checking any notification via official, independent methods rather than relying solely on the call to action within an email. Regularly review account activity across all wallets and exchanges, set up alerting for unusual transactions, and maintain a standard operating procedure for vetting suspicious messages. These steps collectively strengthen resilience against a range of phishing techniques, including those that exploit trusted platforms.
In addition to personal vigilance, organizations, especially those handling crypto-related services, should invest in employee education, phishing simulations, and technical controls that reduce exposure to such scams. Phishing awareness programs can teach users to recognize red flags such as inconsistent language, unexpected prompts for payment, or requests to engage with external tools or forms. Security teams can implement link rewriting with click-time URL scanning, content-based filtering that does not exempt trusted sender domains, and automated threat intelligence feeds to block known phishing infrastructure; stricter sender authentication alone will not catch a receipt that Google itself sent. A holistic approach that combines user education with technical safeguards is essential to reduce the impact of campaigns that leverage Google Forms and other trusted services as part of a broader deception strategy.
Users should also cultivate a healthy skepticism about automated confirmations and payout notifications. Even when a notification appears to originate from a legitimate platform, it is prudent to verify the legitimacy of the event through official channels—such as logging into the exchange through a bookmark or entering the official URL directly into the browser. It is often safer to assume that any unsolicited message about money, especially in the crypto space, could be a scam and to pause before taking action that could cause financial harm. The lessons from this campaign are broadly applicable: trust must be earned through verifiable, independent corroboration rather than brand familiarity or surface-level appearance.
In summary, the campaign’s strength lies in its strategic use of trusted infrastructure and carefully crafted deception. By combining a fake Google Form with phishing emails that mimic crypto exchange notifications, and by directing victims to a counterfeit site that asks for payment, attackers exploit human psychology and the weaknesses of online workflows. The response demands a robust, layered defense that blends caution, technical protections, and ongoing education to preserve the integrity of crypto activities in an era of increasingly sophisticated social engineering.
Conclusion
The new scam campaign detected by Kaspersky underscores a sophisticated and multi-faceted approach to phishing that specifically targets cryptocurrency users by abusing trusted platforms. Beginning with a fake Google Forms confirmation, the sequence escalates to emails that imitate legitimate crypto exchange alerts, followed by visits to counterfeit sites where a small crypto payment is solicited under the pretense of releasing a fake transfer. The tactic’s effectiveness is amplified by the use of a trusted infrastructure, allowing the messages to bypass some spam filters and gain a foothold in the recipient’s attention.
Crucially, the attackers are leveraging psychological pressures—such as urgency and the promise of a payout—to drive action before users pause to verify the source. The consistent thread across stages is the deception of appearance and surface-level legitimacy. Andrey Kovtun of Kaspersky emphasizes that this campaign demonstrates a cunning exploitation of a trusted platform, highlighting the ongoing arms race between threat actors and defensive measures in the digital security landscape.
Protective measures center on a combination of user vigilance and technical safeguards. Avoid clicking unexpected links, especially in messages that claim to be crypto-related payouts. Scrutinize unfamiliar Google Forms content and rely on reliable security tools to block fraudulent sites. When an offer promises free crypto but requires a payment first, treat it as a scam and verify through independent channels rather than trusting embedded links. The best defense is a disciplined verification process that prioritizes direct checks via official sites and apps, rather than reflexive responses to urgent prompts.
As the threat landscape evolves, individuals and organizations should adopt comprehensive phishing awareness practices, implement strong authentication, and maintain careful oversight of online transactions. By combining personal caution with robust security controls and ongoing education, it is possible to reduce the risk posed by campaigns that exploit trusted services like Google Forms to facilitate cryptocurrency fraud.