Kaspersky official blog

Attackers disguising phishing as Google AppSheet notifications
Anna Lazaric · 2026-05-28 · via Kaspersky official blog

Cybercriminals have started leveraging Google’s legitimate AppSheet service to roll out phishing campaigns that target users’ personal data and credentials. Here’s a look at how this is even possible, and what you need to do to secure your accounts.

Attackers leveraging Google AppSheet notifications to hijack accounts

Phishing campaigns have become significantly more sophisticated and convincing in recent years. Sender addresses are now nearly identical to the real deal, emails are flawlessly written, and users are called by their names. But what do you do when a suspicious email comes from a clearly legitimate email address?

Lately, phishers have been exploiting the Google AppSheet platform to set up email blasts that originate from an official Google-linked address. Following a successful attack, they walk away with their victims’ accounts and sensitive data.

In this post, we break down how this new data theft scheme works, and how to protect yourself from these sneaky phishing attacks.

Google is offering you a job. Or Coca-Cola. Or maybe Volvo. Or are they?

AppSheet is a Google service for building apps without any coding skills. It’s frequently used by small businesses to automate routine workflows. Unfortunately, it’s precisely this simplicity that makes AppSheet so attractive to cybercriminals. All it takes to pull off a phishing scam these days are a few dollars and an app quickly thrown together using pre-made commands and blocks.

The playbook for AppSheet phishing attacks is pretty run-of-the-mill. The victim receives an email on behalf of a major company — and these messages often begin by addressing the recipient by name. It appears the attackers are parsing leaked data to match names with specific email addresses.

Next, the attackers play on the recipient’s emotions — employing either stick or carrot. They might panic the victim with urgent warnings that demand immediate action — think “Your account will be disabled soon” or “Suspicious activity detected”. Alternatively, they lure them in with irresistible bait, like the promise of a verified badge or an interview invitation from a tech giant. These fake HR emails are engineered to give victims an immediate rush. They make it look like the recipient’s application was already fast-tracked and highly rated, teasing a job offer that could drop as early as tomorrow.

For most people, these messages don’t raise a single red flag. The email bypasses the spam folder completely, and the From field displays the exact name of the company they expect to see. Unfortunately, none of it means the email is authentic: attackers can put whatever they want in the display name. And let’s be honest: very few people actually stop to scrutinize the sender’s email address.

In AppSheet-based phishing campaigns, the sender is always the same: noreply{@}appsheet.com. But here’s the real kicker: that address is 100% legitimate. Because it’s tied directly to Google’s own infrastructure, there’s a good chance that standard anti-spam filters greenlight these emails without blinking.

Naturally, to secure that coveted interview or fix their account, the victim clicks the link — and then voluntarily hands over their entire digital identity on a copycat website: full name, address, phone number, etc. From there, the attackers can sell the harvested data on the dark web, or weaponize it for secondary, targeted attacks. To top it all off, the victim is redirected to a phishing login page, which allows the attackers to steal their accounts.

Here’s a step-by-step breakdown of how a victim goes from receiving a fake Google Careers portal email to having their account completely compromised:

Similar phishing campaigns are launched on behalf of other major tech brands — and users who hand over their Apple account data risk losing not just their account but also control of all their Apple devices. The attackers might pressure the victim into signing out of their personal Apple ID and into a “corporate account” for verification — which is in reality an Apple account the attackers own. The moment the victim does so, the criminals take complete remote control of the device, often using Lost Mode to lock the victim out and hold their phone to ransom.

To make matters worse, attackers don’t always drop a malicious link in the initial email. Instead, they play the long game — hooking the target into a conversation by asking them to reply and confirm their interest. This pretexting creates an illusion of chatting with a real recruiter. And this playbook isn’t reserved exclusively for Silicon Valley, either. Attackers frequently impersonate globally recognized household names, like Volvo or Coca-Cola. Of course, it’s highly unlikely that attackers want someone’s Coca-Cola account — if the user even has one to begin with. Most likely, the goal is to steal sensitive data or convince the user to log in to a phishing form using their Google/Apple/Facebook, etc. credentials.

Do you want to become Meta-verified?

Of course, “dream jobs” aren’t the only bait used. We’ve seen campaigns where “Facebook Support” reaches out to tell a user they’ve been deemed eligible for the prestigious Meta Verified badge — a blue checkmark normally reserved for top-tier celebrities and global brands. To secure the coveted blue checkmark, the victim is directed to a phishing page where they’re asked to complete an identity form — before handing over the ultimate prize: their Facebook username and password. And it’s all in the name of security, naturally!

These spoofed sites are created in a wide variety of languages, and tailored to users in different countries. Below is the Dutch version.

In other campaigns, attackers abuse Google’s AppSheet to weaponize sheer panic, trying to unsettle the user with claims that they’ve violated Meta’s intellectual property policy — and threatening to permanently close their Facebook account. To appeal, the victim must click a link to… a phishing site, provide their personal information, and, of course, enter their Facebook username and password.

How to spot phishing and protect your accounts

Sadly, phishing attacks are becoming increasingly sophisticated, with attackers routinely hijacking the reputation of legitimate services and domains. Here’s how to keep from falling into their traps, and safeguard your data:

  • Remember: not all phishing emails end up in the spam folder. Standard spam filters in email clients often fail to detect advanced attacks — and the AppSheet case is a prime example. To avoid accidentally taking the bait, use Kaspersky Premium on all your devices. It intercepts phishing emails and instantly blocks links to spoof websites — even if the attacker is hiding behind a completely legitimate domain. Additionally, the Android version can detect malicious and phishing links in messages from any app.
  • Check the email for odd typos. To keep their messages from setting off alarms, attackers frequently resort to sneakily inserting extra spaces or swapping out characters. Take this example from one of the emails we found: Fac eb o ok  S u ppo r t instead of Facebook Support.
  • Before taking any action on a website, carefully check its domain name against the official address. Bad actors frequently create addresses that only appear to be the real thing until you look close enough. Install Kaspersky Premium to always be sure you don’t land on a spoofed site.
  • Look at the sender’s address first, not just the display name. If an email claims to be from Google Careers, Apple HR, or Facebook Support, but the sender address points to AppSheet or another unrelated service, don’t even bother reading that message. That domain mismatch is a dead giveaway that you’re looking at a trap. Cross-reference email addresses with the ones listed on the companies’ official websites.
  • Check for email signatures. For instance, all emails sent via AppSheet include a disclosure note at the very bottom. A legitimate AppSheet notification is far more likely to come from a small company or business than from a tech giant: major corporations typically use their own domains for their emails.
  • Use a password manager. Even if you land on a spoofed site and try to enter your password, a reliable password manager will notify you about the domain mismatch and refuse to autofill your username and password.
  • Don’t forget about two-factor authentication. If it’s enabled, just having your username and password won’t help the attackers access your account — they’ll also need a one-time code. However, they might still try to trick you into giving that up too, so be doubly careful whenever you enter two-factor authentication codes anywhere.
  • Use passkeys instead of passwords whenever possible. This technology provides excellent protection against phishing: even if you visit a malicious site and try to sign in, the passkey won’t work on the spoofed domain. You can store and sync passkeys across different devices in Kaspersky Password Manager. Read our post on the subject to learn more about how passkeys work.
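As an added illustration of the two header checks above (display name versus sender domain, and brand names padded with spaces), here is a small Python checker over From: header values; it is example code written for this page, not Kaspersky’s, and the brand-to-domain map and the sample headers are constructed assumptions.

```python
import re
from email.utils import parseaddr

# Brands the post says attackers impersonate, mapped to domains they legitimately
# send from. Constructed list for this example, not taken from the post.
BRAND_DOMAINS = {
    "google": {"google.com"},
    "apple": {"apple.com"},
    "facebook": {"facebook.com", "facebookmail.com"},
    "meta": {"meta.com", "facebookmail.com"},
    "volvo": {"volvo.com"},
    "coca-cola": {"coca-cola.com"},
}
APPSHEET_DOMAIN = "appsheet.com"  # the legitimate sender address domain the post identifies

def normalize(text):
    """Lower-case and drop spaces/punctuation, defeating 'Fac eb o ok  S u ppo r t'."""
    return re.sub(r"[^a-z0-9]", "", text.lower())

def check_from_header(from_header):
    """Inspect one From: header value; returns a verdict and the reasons behind it."""
    display, address = parseaddr(from_header)
    domain = address.rpartition("@")[2].lower()
    collapsed = normalize(display)                       # spacing tricks removed
    spaced = re.sub(r"[^a-z0-9 ]", "", display.lower())  # spaces kept, punctuation gone
    reasons = []
    for brand, official in BRAND_DOMAINS.items():
        key = normalize(brand)
        if key not in collapsed:
            continue  # this brand is not claimed in the display name (substring match)
        if key not in spaced:
            reasons.append(f"'{brand}' is spelled with inserted spaces in the display name")
        if domain == APPSHEET_DOMAIN:
            reasons.append(f"'{brand}' claimed in display name but mail comes via {APPSHEET_DOMAIN}")
        elif domain not in official and not any(domain.endswith("." + d) for d in official):
            reasons.append(f"'{brand}' claimed in display name but sender domain is {domain}")
    return {"address": address, "domain": domain,
            "suspicious": bool(reasons), "reasons": reasons}

# Constructed sample From: headers modelled on the campaigns described in the post.
SAMPLE_FROM_HEADERS = [
    '"Google Careers" <noreply@appsheet.com>',
    '"Fac eb o ok  S u ppo r t" <noreply@appsheet.com>',
    '"Google Careers" <noreply@google.com>',
    '"Acme Inventory" <noreply@appsheet.com>',   # ordinary small-business AppSheet use
]

if __name__ == "__main__":
    for h in SAMPLE_FROM_HEADERS:
        print(h, "->", check_from_header(h)["reasons"] or "ok")
```

The last sample shows why the AppSheet domain alone is not a verdict: the flag fires only when a well-known brand is claimed in the display name while the mail is sent from somewhere that brand would not use.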
