• en

    • Google AppSheet Phishing Scam: How Criminals Send Fake Threats From Real Google Emails

    Scam Trends
    #Phishing & Identity Theft
    Copied
    Header

    Author: Adam Collins

    May 11, 2026

    You open your inbox and see an urgent "trademark violation notice." You check the sender address and see it is from noreply@appsheet.com — a real Google domain. Everything looks legitimate. That is exactly the point.

    This Google AppSheet phishing scam tricks your email security into marking the message as safe, concealing a highly sophisticated attack that bypasses the standard defences most inboxes rely on.

    In a Nutshell

    • Scammers are exploiting Google's AppSheet platform to send fake legal threats from the real address noreply@appsheet.com
    • The emails pass all standard spam filters because they originate from genuine, authenticated Google servers
    • Clicking the link inside takes you to a fake login page designed to steal your Facebook credentials and two-factor authentication (2FA) codes
    • Never click links in unexpected legal-threat emails — go directly to the platform to check your account status

    Since March 2025, cybercriminals have exploited Google's own infrastructure to send malicious emails directly from trusted Google servers. The scale is alarming: on a single day in April 2025, nearly 11% of all phishing emails sent globally came through AppSheet. One specific Vietnam-linked campaign, codenamed "AccountDumpling," used this method to compromise over 30,000 Facebook Business accounts across the United States, Italy, and Canada.

    What is Google AppSheet and Why Are Scammers Using it?

    Google AppSheet is the company's free no-code platform that allows anyone to build custom apps and set up automated email notifications. Scammers abuse this notification system to send emails directly from noreply@appsheet.com and appsheet.bounces.google.com — legitimate Google addresses.

    Because the emails come from Google's own servers, they bypass the three main authentication protocols that email security systems rely on: SPF, DKIM, and DMARC. All three checks come back clean, because technically, the email is from Google.

    Security researcher Shaked Chen describes this as a "phishing relay" — attackers use a trusted platform's infrastructure as the visible sender to mask their true identity. It is a growing technique that turns the trust you place in big-brand infrastructure against you. For more on how phishing techniques work, read our guide on How to Recognise a Phishing Email.

    What Does a Google AppSheet Phishing Email Look Like?

    A typical AppSheet phishing email is dressed up as an urgent legal threat, using subject lines such as:

    • "Copyright Infringement Notice – Action Required"
    • "Trademark Violation – Account Deletion Pending"
    • "Meta Enforcement: Your Account Has Been Flagged"

    The body of the email impersonates either a law firm or a Meta enforcement team, using high-pressure language to force you to act immediately. A prominent button urges you to "View Evidence," "Download Evidence," or "Verify Your Account."

    While the sender address displays a genuine Google domain, the button link redirects to a phishing page hosted on third-party platforms such as Vercel, Netlify, or domains ending in .su. Some versions even include a fake verification tick inside the email body — a visual cue cynically designed to short-circuit your scepticism.

    ScamAdviser Tip: Hover over any link before clicking. If the destination URL does not match the organisation supposedly contacting you, treat it as a scam.

    Why Does This Scam Get Past Spam Filters?

    This is where the AppSheet scam is genuinely dangerous: it works because it uses real Google infrastructure.

    Standard spam filters check whether an email was sent from servers authorised to send on behalf of the claimed domain. Because AppSheet is an official Google product, every email it sends passes SPF, DKIM, and DMARC authentication perfectly. From a purely technical standpoint, the message is a genuine Google email — even though the content is entirely fraudulent.

    Traditional security filters were not built to ask logical questions, such as: why is a Meta trademark enforcement notice arriving from a Google app-building tool? Context-aware, AI-powered security tools can detect that mismatch, but most organisations and individuals have not yet deployed them.

    This is a key reason why Business Email Compromise (BEC) and platform-relay phishing have become so effective — and so difficult to stop at the inbox level.

    What Happens If You Click the Link?

    Clicking the link takes you directly to a fake login screen built to steal your Facebook, Google, or email account credentials.

    The operators behind the AccountDumpling campaign used a real-time man-in-the-middle proxy — a setup that captures your 2FA code at the exact moment you enter it, rendering two-factor authentication useless in this context. Some attack variants went even further, deploying html2canvas — a script that silently screenshots your browser session while you interact with the fake page.

    Once attackers have access to your account, they move quickly:

    • Run fraudulent advertisements using your linked credit or debit cards
    • Sell your compromised account on dark web marketplaces
    • Use your profile to run further scams against your contacts and followers

    In a particularly cynical final step, some attackers later approach their own victims to sell them "account recovery services" — monetising the damage they caused twice over.

    For advice on what to do if your account has already been compromised, see our article on I've Been Scammed, What Now?

    How to Tell If an AppSheet Email is a Scam

    Look for logical mismatches between who the email claims to be from and what it is actually asking you to do. A Google app-building tool has no legitimate reason to enforce Facebook trademark policy.

    Red Flag What to Do
    Urgent legal threat arriving from a Google product address Stop. Google products do not enforce trademark or copyright law on Meta's behalf.
    Button link leads to a URL shortener, .su domain, or unrelated third-party site Hover over the link to inspect the full destination URL before clicking.
    Subject line and email body content do not match Read carefully — scammers often recycle templates carelessly.
    You are asked to log in to Facebook or Google via a link in an email Open a new browser tab and go directly to the platform instead.
    Fake verification tick or trust badge inside the email These are images, not real indicators of security. Ignore them.

    What Should You Do If You Received One of These Emails?

    Do not click any links, even if the sender address looks completely genuine.

    • If you have not clicked: Report the message as phishing within your email client to help improve filtering for everyone. You can also report it to the FTC at ReportFraud.ftc.gov or your national consumer protection authority.
    • If you clicked but did not enter any details: You may be safe, but run a malware scan on your device as a precaution.
    • If you entered your login credentials: Act immediately — change your passwords, revoke any unrecognised third-party app access in your account security settings, and enable two-factor authentication if you have not already.
    • If you are worried about a genuine trademark claim or account restriction, open a fresh browser window and log in to the platform directly, without using any link from the email.

    You can also check whether the website or platform behind a scam email is legitimate using ScamAdviser's free website checker.

    The Bottom Line

    The Google AppSheet phishing scam represents a broader shift in how cybercriminals operate. They no longer need to fake a trusted sender address — they can simply use real infrastructure instead. The trust you place in a genuine Google email is precisely what these attackers weaponise against you.

    Questioning an unexpected legal-threat email, even one from a recognisable address, is not paranoia. It is the only reliable defence available when authentication systems have been rendered useless.

    If it creates urgency, demands a click, and threatens your account — treat it as a scam until proven otherwise.

    Frequently Asked Questions
    What is the Google AppSheet phishing scam?

    It is an attack where scammers exploit Google's AppSheet platform to send fake legal threats from a genuine Google email address, bypassing standard spam filters.

    Why is noreply@appsheet.com sending me threatening emails?

    Cybercriminals are abusing AppSheet's automated notification system to deliver phishing links that pass all standard email authentication checks.

    Can spam filters block these phishing emails?

    Most traditional filters cannot block them, because the emails genuinely originate from authenticated Google servers. Context-aware or AI-powered security tools are better equipped to detect the mismatch.

    How do I protect my Facebook Business account from this type of attack?

    Always navigate directly to Facebook to check for any account alerts. Never follow links inside unsolicited legal-threat emails, even if the sender address appears to be from Google.

    What should I do if I already entered my password on the fake page?

    Change your password immediately, check your account's active sessions and connected apps, and enable two-factor authentication. Contact the relevant platform's support team if you suspect unauthorised access.

    Adam Collins is a cybersecurity researcher at ScamAdviser who operates under a pseudonym for privacy and security. With over four years on the digital frontlines, he specialises in translating complex threats into actionable advice. His mission: exposing red flags so you can navigate the web with confidence.

    See Full Bio

    Report a Scam!

    Have you fallen for a hoax, bought a fake product? Report the site and warn others!

    Report a Scam!

    Scam Categories

    Help & Info

    Scam AlertsLearn ScamsReliable SitesAdvicesStudiesGlobal Scams
    See all

    Top Safety Picks

    Your Go-To Tools for Online Safety
    Disclaimer: Some of the links here are affiliate links. If you click them and make a purchase, we may earn a commission at no extra cost to you.

    1. ScamAdviser App - iOS : Your personal scam detector, on the go! Check website safety, report scams, and get instant alerts. Available on iOS
    2. ScamAdviser App - Android : Your personal scam detector, on the go! Check website safety, report scams, and get instant alerts. Available on Android.
    3. NordVPN : NordVPN delivers powerful, seamless protection for your online life - whether you're at home, on public Wi-Fi, or traveling abroad. Recognized as one of the fastest VPN services available, it combines lightning-fast speeds with advanced encryption to keep
    4. Incogni : Incogni automatically removes your personal data from data brokers that trade in personal information online, helping reduce scam and identity theft risks without the hassle of manual opt-outs. Reclaim your privacy now!
    5. Private Internet Access (PIA) : PIA gives you a no-logs VPN built on the latest encryption standards and WireGuard protocol — meaning your browsing activity stays yours alone. Fast, private, and transparent. Take back your privacy today!
    6. Surfshark VPN : One subscription, unlimited devices. Surfshark is the fastest VPN out there — covering your phone, laptop, tablet and more with a stable, secure connection for browsing, streaming and working. Get Surfshark now!
    7. Proton VPN : Independently audited and built with a strict no-logs policy, Proton VPN is trusted by over 3 million users worldwide. It’s been named Best VPN by Wired, PCMag, and Vice—offering strong encryption for anyone who takes their privacy seriously. Give Proton

    Popular Stories

    7 Best VPN Services for Security, Speed, and Privacy

    In a nutshell: A good VPN protects your privacy with strong encryption, a strict no-logs policy, and fast protocols like WireGuard. The best VPNs also offer wide server coverage, leak protection, and easy-to-use apps for all devices. For 2025, the top providers are NordVPN, ExpressVPN, Surfshark, Proton VPN, Private Internet Access, CyberGhost, and Mullvad—each excelling in speed, security, or value. In an age where every click is tracked, a Virtual Private Network (VPN) is no longer just a luxury—it's an essential tool for digital privacy and security. A VPN works by creating a secure, encrypted tunnel between your device and the internet, masking your real IP address and protecting your sensitive data from prying eyes. But with hundreds of providers out there, how do you sort the secure from the suspect? This guide breaks down the non-negotiable features of a quality VPN and highlights the 7 top-rated services for 2025. What to Look for in a Good VPN: The 4 Non-Negotiable Pillars 1. Ironclad Security Features Strong Encryption: AES-256, the gold standard. Secure Protocols: OpenVPN, WireGuard, NordLynx, Lightway. Avoid PPTP. Kill Switch: Ensures no accidental IP leaks. Leak Protection: Covers DNS, IPv6, and WebRTC. 2. Verified Privacy Practices No-Logs Policy: No activity or metadata tracking. Independent Audits: Verification by third parties. Safe Jurisdiction: Prefer countries outside the 5/9/14 Eyes alliances. 3. High-Speed Performance Fast Protocols: WireGuard and equivalents. Large Server Network: Less crowding, more reliable speeds. 4. Essential Usability Features Multi-Device Apps: Windows, Mac, iOS, Android, routers. Simultaneous Connections: One account, many devices. Unblocking Power: Netflix, Hulu, BBC

    Read more

    Data Breach Victim? Your Emergency Action Plan Starts Now

    How to Protect Yourself and Your Family After a Data Breach When Your Data Falls Into the Wrong Hands Just received that terrifying notification? Or perhaps you've noticed suspicious activity in your accounts? Take a deep breath. A data breach, the unauthorized access or exposure of sensitive, protected, or confidential data, is a deeply unsettling event. It can plunge you into a world of worry, bringing risks from financial losses and identity theft to significant emotional distress and reputational damage. The numbers don't lie: according to a 2024 report, the number of data breach victim notices has grown by a staggering 211% year-over-year. This isn't just a distant threat; it's a stark reality many individuals face. This year alone, we've seen major organizations like Adidas and Qantas grapple with high-profile data breaches, affecting countless customers. This underscores a critical truth: nobody is untouchable. Subsequently, strategic action is the only way to minimize the risk and protect your future. This guide is your emergency action plan, designed to walk you through every crucial step—from confirming the breach to fortifying your digital life for the long term. Part 1: Confirming the Breach and Understanding the Damage The very first step is to answer the question definitively: Was my data compromised, and if so, how badly? Start with the basics: Check Official NotificationsReputable companies are legally obligated to inform you if your data was part of a breach. Look for official emails, letters, or public announcements. Check Verified Breach DatabasesPlatforms like HaveIBeenPwned help you see if

    Read more