Users Warned Over Google Calendar Invites
Scammers are using bogus Google Calendar invites to distribute malicious links. Google has urged users to check a setting in their Calendar account.
The campaign, spotted by security company Check Point, takes advantage of the way Google Calendar lets users invite friends, family or other contacts to an event. An acceptance will add the event to the invitee's own Google Calendar and automatically update it with any changes of time, date or other details. Usually it's possible to invite somebody just by knowing their email address.
The scam involves sending an email that's been manipulated to appear to come from a known user via the invite function. It includes either a link or an attached file in the .ics format. While not widely known, that's a legitimate format for files that contain details of an event and can be opened by calendar software.
Data Harvesting Is End Goal
In both cases the users are then presented with another link. In some cases, this looks like a legitimate link related to the calendar event. In many cases, though, it's disguised either as a support button or a bogus reCAPTCHA check, the "test" that proves a user is human rather than an automated bot.
Unlike some malicious campaigns where the end goal is to get malware on to the user's computer, this is a financial scam. The link takes the user to what appears to be a page with information about cryptocurrencies such as Bitcoin and sends them down a rabbit hole that eventually asks them for personal details or even financial payment information. (Source: checkpoint.com)
Why the Scam is Successful
The success of this phishing method lies in its exploitation of trust and familiarity:
- Legitimate Infrastructure: By using Google’s well-known Calendar system, scammers lend an air of authenticity to their scheme.
- Automation Advantage: Google Calendar automatically integrates accepted invites into users' schedules, making the scam harder to detect.
- Social Engineering: The use of trusted formats like .ics files and common web elements (such as CAPTCHA) lowers suspicion.
Additionally, the attack requires minimal technical effort from the scammers, relying instead on psychological manipulation to convince users to voluntarily provide their information.
Google Suggests Settings Change
Clearly only a tiny proportion of potential victims will make it this far, but it's a numbers game. The calendar attack would make it easier to move a higher proportion of people from the initial stage of receiving an email to the next level of the scam.
Google issued a media statement reading: "We recommend users enable the 'known senders' setting in Google Calendar. This setting helps defend against this type of phishing by alerting the user when they receive an invitation from someone not in their contact list and/or they have not interacted with from their email address in the past." (Source: theregister.com)
How to Protect Yourself
To adjust your "Known Senders" setting, do the following in Google Calendar:
- Open Google Calendar in your web browser.
- Go to Settings (click the gear icon).
- Navigate to Event Settings.
- Enable the option to Only show invitations from known senders.
This setting ensures that only invitations from trusted contacts—those in your email or contact list—will appear on your calendar. Invitations from unknown sources will be flagged or filtered out, reducing the risk of falling for a scam.
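For anyone who receives .ics attachments outside Google Calendar, the same idea can be applied locally. The following Python example is added here and is not code from the article, Check Point or Google: it reads an .ics file, pulls out the organizer and every link in the event text, and marks events that carry links from an organizer who is not on a known-senders list. The names `triage` and `SAMPLE_ICS`, the sample invite and the allow list are assumptions made for the illustration.

```python
import re

# Constructed sample invite, not taken from the campaign. The URL is folded across lines.
SAMPLE_ICS = (
    "BEGIN:VCALENDAR\r\nVERSION:2.0\r\nBEGIN:VEVENT\r\n"
    "UID:constructed-1@example.invalid\r\nSUMMARY:Account review\r\n"
    "ORGANIZER;CN=\"Support: Team\":mailto:Alerts@Example.NET\r\n"
    "DESCRIPTION:Complete the check at https://forms.exam\r\n"
    " ple.org/verify?id=1\\nor reply to this invite.\r\n"
    "END:VEVENT\r\nEND:VCALENDAR\r\n"
)
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)

def unfold(ics_text):
    # RFC 5545: a line break followed by one space or tab continues the previous line.
    return re.sub(r"\r?\n[ \t]", "", ics_text).splitlines()

def split_line(line):
    # Split NAME;params:value at the first colon that is not inside a quoted parameter.
    in_quotes = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == ":" and not in_quotes:
            return line[:i].split(";", 1)[0].upper(), line[i + 1:]
    return line.upper(), ""

def unescape(value):
    # RFC 5545 TEXT escapes: \n or \N is a newline; \, \; and \\ are literals.
    return re.sub(r"\\([nN,;\\])", lambda m: "\n" if m.group(1) in "nN" else m.group(1), value)

def triage(ics_text, known_senders):
    known = {s.lower() for s in known_senders}
    events, current = [], None
    for line in unfold(ics_text):
        name, value = split_line(line)
        if name == "BEGIN" and value.upper() == "VEVENT":
            current = {"organizer": None, "urls": []}
        elif current is None:
            continue  # property outside any event
        elif name == "END" and value.upper() == "VEVENT":
            current["known_sender"] = current["organizer"] in known
            current["review"] = bool(current["urls"]) and not current["known_sender"]
            events.append(current)
            current = None
        elif name == "ORGANIZER":
            current["organizer"] = re.sub(r"(?i)^mailto:", "", value).strip().lower()
        elif name in ("DESCRIPTION", "LOCATION", "URL", "SUMMARY", "ATTACH"):
            current["urls"] += [u.rstrip(".,;)") for u in URL_RE.findall(unescape(value))]
    return events
```

Because the ORGANIZER value is whatever the sender wrote in the file, a match against the known-senders list is a triage hint, not proof of who sent the invite.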
General Tips for Staying Safe
- Verify Event Details: Check the sender’s email address and event description carefully. Be wary of vague or overly urgent messages.
- Avoid Clicking Links: Do not click on links or open attachments in unsolicited calendar invites or emails.
- Enable Two-Factor Authentication (2FA): Use 2FA for your Google account to add an extra layer of protection.
- Update Your Security Settings: Regularly review your account settings for options that enhance security and privacy.
- Stay Educated: Familiarize yourself with common phishing techniques and scams to recognize red flags.
Broader Implications
This scam highlights the broader challenge of balancing convenience and security in modern digital tools. While only a small percentage of users may fall for such scams, phishing campaigns often rely on scale. With millions of Google Calendar users worldwide, even a fraction of victims can yield significant rewards for attackers. Moreover, the attack demonstrates the evolving tactics of cybercriminals, who increasingly exploit trusted platforms and tools in their schemes.
What's Your Opinion?
Do you use Google Calendar? Do you think you could spot a bogus event invite? Are such scams a problem given they need so many steps to eventually get hold of personal data?