Tech Matters: Scammers go old school with new phishing tactic
Scammers have turned to using humans to complete their phishing scams in a variation of the tactic known as callback phishing. It starts with Google Forms and ends with a request for the target to call a number that’s answered by a real person — not a particularly nice one because their job is to convince you to hand over your personal information.
The tactic’s appeal to cybercriminals lies in how simply it bypasses email security gateways. Email providers, including Google with its Gmail, have developed increasingly reliable ways to block incoming scam emails. But nobody blocks Google itself, so a Google Form is not stopped by security filters.
Here’s how the scam works as described by email protection provider Abnormal Security’s Mike Britton in a statement: “For the social-engineering trigger, the phisher just sends one doc: A phony invoice receipt, made in Google Forms, with info like date of invoice, amounts owed, or subscription information.” The attacker turns on response receipts to send the form to a targeted email address. A phone number is prominently featured on the form to encourage the recipient to call the number, which may be a natural response when you receive an unexpected invoice.
Dialing the number connects the caller to a real person — no AI chatbot here — who asks for personal data including name, address and credit card number. In some cases, callers are sent a link where they unknowingly download malware to their devices.
“It’s about as close to zero-risk as I can get because the initial attack is not breaking into anybody’s environment,” Britton said. “It’s fairly benign, and it costs me next to nothing.”
Similar scams have been identified that include fake job offers instead of invoices. Regardless of the content, the components are the same: a Google Form designed to look like something you should respond to, a number to call and a person who asks you for your information. Google has said it’s working on a security fix to detect these Form scams, but in the meantime you should keep your guard up.
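For readers who run their own mail filtering, the components listed above can be turned into a simple screening rule. The sketch below is an added example, not code from Abnormal Security or Google; the sender address used for Forms receipts, the keyword lists and the sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: address Google Forms response receipts are sent from.
FORMS_SENDER = "forms-receipts-noreply@google.com"
# Constructed keyword lists based on the lures the article names.
LURE = re.compile(r"\b(invoice|subscription|amount (?:owed|due)|job offer)\b", re.I)
CALL = re.compile(r"\b(call|dial|phone)\b", re.I)
# North American style numbers such as (555) 010-0199 or +1 555-010-0199.
PHONE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}\b")

def body_text(msg):
    """Join the text/plain parts of a message (single-part or multipart)."""
    return "\n".join(str(p.get_payload()) for p in msg.walk()
                     if p.get_content_type() == "text/plain")

def check(raw):
    """Return the signals found in one raw message plus a quarantine verdict."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    text = msg.get("Subject", "") + "\n" + body_text(msg)
    s = {
        "forms_receipt": sender == FORMS_SENDER,
        "lure": bool(LURE.search(text)),
        "phone": bool(PHONE.search(text)),
        "call_to_action": bool(CALL.search(text)),
    }
    # A Forms receipt is normal; one that pairs a phone number with invoice
    # or "call us" wording matches the pattern described above.
    s["quarantine"] = s["forms_receipt"] and s["phone"] and (s["lure"] or s["call_to_action"])
    return s

# Constructed sample messages (not real mail).
SUSPICIOUS = ("From: Google Forms <forms-receipts-noreply@google.com>\n"
              "Subject: Invoice 0000 payment confirmation\n\n"
              "Amount owed: $399.99 for your annual subscription.\n"
              "To dispute this charge call (555) 010-0199.\n")
BENIGN = ("From: Google Forms <forms-receipts-noreply@google.com>\n"
          "Subject: Week 3 Quiz\n\nThanks for filling out Week 3 Quiz. Score: 8/10\n")
VENDOR = ("From: Billing <billing@vendor.example>\n"
          "Subject: Your invoice\n\nQuestions? Call 555-010-0142.\n")

if __name__ == "__main__":
    for name, raw in [("suspicious", SUSPICIOUS), ("benign", BENIGN), ("vendor", VENDOR)]:
        print(name, check(raw))
```

The rule quarantines only the combination of signals, so ordinary quiz and survey receipts still get through.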
Avoiding callback phishing schemes is similar to avoiding any other phishing scam and starts with questioning anything you receive that’s unexpected or otherwise out of the ordinary. The safest thing to do is simply delete the email. If you’re not sure about the company, head to your browser, search for the company name and look at the information that comes up in search results, such as address and phone number. Do these match what you see in the form you received? Even if they do, that could just indicate a more thorough scammer. Do not visit the site because it may be a malicious one that could infect your computer. The chances that the invoice is legitimate are very low.
It’s heartening to know that scammers have been thwarted by email providers, but as they look for nontechnological tactics, it’s up to you to make sure your data remains secure.
The issue with Google Forms is small and it is a great product when you want to put together a survey or a quiz. You can access Forms from https://forms.google.com or from Drive by clicking “New” and then selecting “Google Form.” Before you click, open the fly-out menu to see your options: blank form, blank quiz or from a template.
When you start a form, you can choose from a broad range of question types. Multiple choice is the default and you can click the small arrow next to it to open a panel with all of your options. Having used both Google Forms and Microsoft Forms, I find that Google’s product offers more options than Microsoft’s without making the process more complicated. Once you’ve finished your questions, use the Responses tab to set up a spreadsheet that will automatically capture responses as they come in and send you alerts if you want them.
Quizzes work in a similar way but add an analysis piece that can be helpful to instructors. Google will generate a report that shows you frequently missed questions, graphs marked with correct answers, and the average, median and range of scores. Just remember to tell your recipients that you’re sending a Google Form so they know it’s legitimate.
Leslie Meredith has been writing about technology for more than a decade. As a mom of four, value, usefulness and online safety take priority. Have a question? Email Leslie at asklesliemeredith@gmail.com.