Users of Google’s Calendar app are being warned about scams that take advantage of the popularity of the free service and its ability to schedule meetings easily. Spammers/phishers are continuing to use, in ever growing numbers, unsolicited Google Calendar notifications to trick user into clicking phishing links.
Here’s how it works: Scammers send a Google user a calendar invite complete with meeting topic and location information. Inside the details of the appointment lies a malicious link that looks like it’s pointing you back to meet.google.com for more details. Once clicked, it’s back to the usual tactics of trying to infect the user’s endpoint with malware and so on.
Users have long been warned about their interaction with email and the web. Now it’s important to add Calendar invites to the list. This latest method demonstrates how attackers are continually updating their tactics, requiring organizations to remain equally persistently educated to enable users to make smarter security decisions.
The most important thing is to be attentive.
- Do not open messages from unknown senders.
- Never accept invitations from people you don’t know.
- Do not tap or click links in messages you weren’t expecting.
Note, if you do start to get spam invites, consider taking additional steps.
First, report the event as spam by double clicking the event you’d like to report, then at the top, click More Actions > Report as Spam.
Next, change your default settings for Calendar.
By default, Google Calendar will add events to your calendar whenever you receive an invite, even if you never clicked ‘accept’. As long as someone can blast invites your way, it’s easy for them to sneak garbage onto your Google Calendar.
Worse, even if you diligently decline events you don’t recognize, Calendar will still display events you’ve declined, meaning those phishy links will stick around, too.
You can read more about possible calendar default setting changes to consider to sidestep unwanted invites in this article.
You can read more about how Google Calendar, Google Forms and other Google services are being used by spammers et al in this article.
You can also check out Google’s page on Calendar feedback.