Despite what that Google Calendar invite says, you probably didn’t win a bunch of money.
2 min read
This story originally appeared on PCMag
Are you drowning in calendar invites from people you don’t know? There might be an ominous reason: According to cybersecurity firm Kaspersky Labs, crafty scammers have weaponized Google Calendar by taking advantage of a setting you probably didn’t know about.
Google automatically allows anyone to send you invitations unless you dig into the app’s settings menu and turn off the feature. This permits your new office mates to add you to weekly meetings or lets a potential friend invite you to coffee, but it also grants bad actors the same power.
According to Kaspersky, spammers can send you phony invitations with links to websites congratulating you on a recently discovered windfall. The calendar’s topic and location fields typically include a short bit of enticing info about your suspiciously good luck to encourage you to keep clicking. If you move on, you’ll face a page prompting you to enter banking or credit card information and a flimsy explanation as to why they need your money before they can pay you in full.
These phishing attempts seem obvious, but they have an advantage over traditional email scams. Maria Vergelis, a security researcher at Kaspersky, suggests the attack’s novelty makes it dangerous.
“The ‘calendar scam’ is a very effective scheme, as currently people have more or less got used to receiving spam messages from e-mails or messengers and do not immediately trust them,” Vergelis said. “But this may not be the case when it comes to the Calendar app, which has a main purpose to organize information rather than transfer it.”
A similar scam hit Apple Calendars in late 2016.
Kaspersky recommends turning off the “automatically add invitations” option in Google Calendar’s Settings and deselecting the “show declined events” box in the nearby View Options menu. If you’re still unsure how to navigate potential scams, check out PCMag’s guide on how to detect and avoid phishing attempts.