The Google Calendar Phishing Scam, and How to Avoid It.

While there are millions of phishing scams, every now and then a particular threat emerges that does more damage (and gets more publicity) than most. The Google Calendar phishing scam, which first gained attention last May, is the latest to draw national attention and to affect more people and organizations than the average cyber threat.

What is the Google Calendar Phishing Scam?

A few months ago, cybersecurity firm Kaspersky Lab revealed how scammers were weaponizing Google Calendar and other Google services. As Wired explained in a recent article: “Phishers have realized that they can take advantage of seemingly innocuous calendar settings to plant their own events laced with phishing links on victims’ schedules.”

In the Google Calendar phishing scam, scammers send a wave of calendar invitations to Google Calendar users. By default, Google Calendar automatically adds any event you are invited to onto your calendar, whether or not you have responded, so the scammer’s event lands on the schedule without the victim doing anything. That convenience is part of why so many of us use Google Calendar: it’s easy for anyone to invite you to a meeting, from an office mate to a friend (or a scammer). Once the invite arrives, you get the usual calendar notification, which further legitimizes the phony event. Spammers use the title and location fields of those invites (the fields shown in the notification) for enticing text, such as informing you of an award or cash payment, together with a phishing link. If you click on the link you are taken to a form asking for your banking or credit card information, often to “verify your identity” before you can claim your fake reward. The same notification may pop up on your device repeatedly, until the event is dismissed or deleted.
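Calendar invitations travel as iCalendar (.ics) METHOD:REQUEST attachments, and the fields the scam abuses (SUMMARY and LOCATION) are plain text inside that attachment. The following is an added example, not code from Single Path, Kaspersky or Google, of a small scanner that parses an invite and flags events whose notified fields carry a URL or prize-style wording, or whose organizer is outside a trusted-domain list. The sample invite, the addresses, the lure word list and the trusted-domain set are all constructed for illustration.

```python
import re

# Constructed sample: one phishing-style event and one ordinary meeting in
# a single METHOD:REQUEST payload. Every address and URL here is made up.
SAMPLE_INVITE = """BEGIN:VCALENDAR
METHOD:REQUEST
PRODID:-//Example//Example Calendar//EN
VERSION:2.0
BEGIN:VEVENT
UID:8f4d2c1a@example.invalid
DTSTART:20190701T140000Z
DTEND:20190701T143000Z
ORGANIZER;CN=Rewards Desk:mailto:prizes@example.invalid
SUMMARY:You have received a cash reward of $500!
LOCATION:Claim it now: http://rewards.example.invalid/verify?id=8f4d2c1a
DESCRIPTION:Complete identity verification within 24 hours to receive your
  payment.
END:VEVENT
BEGIN:VEVENT
UID:team-sync-42@example.com
DTSTART:20190702T090000Z
DTEND:20190702T093000Z
ORGANIZER;CN=Alice Example:mailto:alice@example.com
SUMMARY:Weekly team sync
LOCATION:Room 4B
END:VEVENT
END:VCALENDAR
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
# Hypothetical lure vocabulary; tune to what your own spam actually says.
LURE_RE = re.compile(
    r"\b(reward|prize|cash|payment|winner|verify|claim|urgent)\b", re.IGNORECASE
)
# The fields Google Calendar surfaces in the pop-up notification.
NOTIFIED_FIELDS = ("SUMMARY", "LOCATION")


def unfold(text):
    """Undo RFC 5545 line folding: a line starting with a space or tab
    continues the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_events(text):
    """Return a list of {PROPERTY: value} dicts, one per VEVENT.
    Property parameters (e.g. ORGANIZER;CN=...) are dropped; only the
    property name and its value are kept."""
    events, current = [], None
    for line in unfold(text):
        if line == "BEGIN:VEVENT":
            current = {}
        elif line == "END:VEVENT":
            if current is not None:
                events.append(current)
            current = None
        elif current is not None and ":" in line:
            name_params, value = line.split(":", 1)
            current[name_params.split(";", 1)[0].upper()] = value
    return events


def assess_event(event, trusted_domains):
    """Return a list of findings for one event; empty means nothing tripped."""
    findings = []
    for fld in NOTIFIED_FIELDS:
        value = event.get(fld, "")
        urls = URL_RE.findall(value)
        if urls:
            findings.append(f"url in {fld}: {urls[0]}")
        if LURE_RE.search(value):
            findings.append(f"lure wording in {fld}")
    organizer = event.get("ORGANIZER", "").lower()
    match = re.search(r"mailto:[^@\s]+@([^\s>]+)", organizer)
    if match is None:
        findings.append("organizer has no mailto address")
    elif match.group(1) not in trusted_domains:
        findings.append(f"organizer domain not trusted: {match.group(1)}")
    return findings


def scan_invite(text, trusted_domains=frozenset()):
    """Map UID -> findings for every event that trips at least one check."""
    report = {}
    for event in parse_events(text):
        findings = assess_event(event, trusted_domains)
        if findings:
            report[event.get("UID", "<no uid>")] = findings
    return report


if __name__ == "__main__":
    for uid, findings in scan_invite(SAMPLE_INVITE, {"example.com"}).items():
        print(uid)
        for finding in findings:
            print("  -", finding)
```

Run against the sample, only the reward event is reported: a URL and lure wording in the notified fields, plus an organizer domain that is not on the trusted list. The ordinary meeting from a trusted domain produces no findings. A mail gateway or SOAR playbook can apply the same checks to inbound .ics attachments before the calendar client ever auto-adds the event.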

As Maria Vergelis, a security researcher at Kaspersky explains, “The ‘calendar scam’ is a very effective scheme, as currently people have more or less gotten used to receiving spam messages from e-mails or messengers and do not immediately trust them. But this may not be the case when it comes to the Calendar app, which has a main purpose to organize information rather than transfer it.”

Phishers can use the same calendar strategy to invite you to a fake meeting and send you a link “to RSVP.” As TechRadar warns, “These fake invitations could include a malicious link that could not only be used to steal login credentials (like a standard phishing attack), but also to provide other sensitive information, such as how to gain access to a building where the ‘meeting’ is due to take place.”

Google is aware of this problem and is “working diligently to resolve this issue” according to its online help forum. At the moment, however, there’s no estimated timeline for when people can expect a fix.

How to Protect Yourself from the Google Calendar Phishing Scam

Google Calendar users can protect themselves against unwanted invites that are part of the Google Calendar phishing scam through the Google Calendar app itself.

  1. In Google Calendar, click the “gear” icon on the top right and select Settings.
  2. Scroll down to Event settings, find “Automatically add invitations” and select the option “No, only show invitations to which I’ve responded.”
  3. Also, under View Options, make sure that “Show declined events” is unchecked, so those events don’t continue to show up even after you’ve rejected them.

These settings come at a cost: invitations you haven’t responded to no longer appear on your calendar, so you have to watch for them in your inbox instead. Even so, it’s better to be safe than sorry.

What Comes Around

In 2016, Apple’s iCloud Calendar was hit by a ploy that was a harbinger of the Google Calendar phishing scam. During the holiday season some iCloud Calendar users received a flood of spam invites to holiday sale events for major brands including Ray-Ban®. There were warnings at the time that cybercriminals could use the same method to send phony invites carrying links to malware and identity-theft forms. It took a few years, but those predictions proved right, with the spammers now targeting Google Calendar.

Protect Yourself with Single Path

Being smart about technology is the first step toward protecting yourself and your organization from schemes such as the Google Calendar phishing scam. For example, our earlier article Have I Been Hacked? 6 Ways to Tell If You’ve Been Hacked can help you detect whether your computer has been compromised. And if you know how to perform a routine cybersecurity risk assessment, you can identify your technology vulnerabilities and take proactive action now. At Single Path, that’s what we do every day: train staff, offer a range of security solutions to keep you out of cyber-trouble, and provide consulting on how to recover when cyberattacks happen. Let us help you and your organization stay safe and scam-free.

Ask us how to get started.

FBI Issues Public Service Announcement on Phishing Email Payroll Fraud Scams

Business organizations and schools are under cyber attack. Just this past week, it was reported that the FBI uncovered a phishing email scam aimed at stealing funds from New Jersey state employees’ online payroll accounts. The emails requested employee login credentials, which the criminals could then use to redirect employees’ direct deposits. A similar ploy was recently directed at school employees in Atlanta, and the FBI Internet Crime Complaint Center (IC3) has issued a public warning about phishing email payroll fraud.

Learn how to spot a phishing email in our latest blog post.

Contact Single Path. With Single Path Security offerings you have access to a wide range of collaborative and customized protective services. Let us help you avoid being victimized. After all, falling prey to a phishing email scheme is a mistake, but doing nothing to prevent it from happening may be an even bigger one.

Ask us how to get started!