Scammers are phishing in a new pond.
As identified by Kaspersky Labs in a report from Wired, bad actors are taking advantage of a Google Calendar setting that lets anyone place event invites in another user’s calendar.
In the scam, an event will pop up in a user’s Google Calendar; the description will invite them to take a survey or claim a cash reward. The description includes a link that prompts users to enter personal and financial information.
Google Calendar’s architecture unfortunately gives these schemes the ring of legitimacy, since simply having an event on your calendar could trigger notifications about it. Users have to be diligent about knowing whether they or someone they know has placed the event on the calendar, or if it’s from an unknown source.
Mashable employee Dana Froome recently received a phishing event invite. Froome is diligent about her personal Google Calendar, using it to manage everything outside of work. So when she got an event invitation for something she clearly had not placed there, she was confused, and then disturbed. “I live by my personal calendar,” Froome said. “I was taken aback by what it was. It felt invasive.”
Froome searched her Gmail for the event invitation, but could find nothing there, so she deleted the invitation.
As Wired points out, users can guard against the attack by changing their Google Calendar privacy settings: Open Google Calendar’s settings on a desktop browser and go to Event Settings > Automatically Add Invitations, and then select the option ‘No, only show invitations to which I’ve responded.’ Also, under View Options, make sure that ‘Show declined events’ is unchecked, so malicious events don’t haunt you even after you decline them.
Google makes it easy to invite people to events without the need for tedious logistical email chains. But where there’s a public setting, there’s a scammer ready to exploit it.