We've all received a spam email telling us we've won millions of dollars or need to reset our online banking password. Although these are widespread, most messaging platforms and even browsers have learned to recognize them for our protection. Because of this, attackers are turning to more sophisticated and more convincing lures: besides using Google Docs to trick users, scammers have turned to Google Calendar and are relying on its automatic event creation setting to take advantage of people.
Scammers are exploiting Google Calendar's default setting, which automatically adds invites to your agenda, even if you haven't accepted them. Even worse, it'll create an automatic reminder to notify you a few minutes before the fake event takes place. The appointment names usually mention you've won a reward or have received a money transfer to lure you in. The invitation typically contains a link meant to collect sensitive data such as your credit card or bank account number. Since the notification comes from an app people tend to trust, they pay less attention to its authenticity, which is precisely what attackers want.
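For readers who triage calendars for others, the traits described above (an invite the recipient never answered, a reward or money-transfer title, and a link) can be checked in an iCalendar (RFC 5545) export. This is an added example, not code from Google or from this article; the keyword list, the function names and the sample data are assumptions made for illustration.

```python
import re

# Assumed lure keywords, based on the themes the article mentions
# (rewards, money transfers); tune them for your own environment.
LURE = re.compile(r"\b(won|reward|prize|money transfer|payment received)\b", re.I)
URL = re.compile(r"https?://[^\s\\]+", re.I)

def unfold(ics):
    """Undo RFC 5545 line folding (continuation lines start with space/tab)."""
    return re.sub(r"\r?\n[ \t]", "", ics).splitlines()

def parse_events(ics):
    """Yield one dict per VEVENT: property name -> list of (params, value)."""
    # Simplification: assumes no ':' inside quoted property parameters.
    event = None
    for line in unfold(ics):
        if line == "BEGIN:VEVENT":
            event = {}
        elif line == "END:VEVENT" and event is not None:
            yield event
            event = None
        elif event is not None and ":" in line:
            head, value = line.split(":", 1)
            name, _, params = head.partition(";")
            event.setdefault(name.upper(), []).append((params.upper(), value))

def suspicious(event, my_email):
    """True for an invite I never answered whose text has a lure and a link."""
    unanswered = any(
        value.lower() == f"mailto:{my_email.lower()}" and "PARTSTAT=NEEDS-ACTION" in params
        for params, value in event.get("ATTENDEE", []))
    text = " ".join(v for k in ("SUMMARY", "DESCRIPTION", "LOCATION")
                    for _, v in event.get(k, []))
    return unanswered and bool(LURE.search(text)) and bool(URL.search(text))

def triage(ics, my_email):
    """Return the titles of events worth reporting as spam."""
    return [e.get("SUMMARY", [("", "(no title)")])[0][1]
            for e in parse_events(ics) if suspicious(e, my_email)]

# Constructed sample export: one unanswered lure (folded line) and one accepted meeting.
SAMPLE = "\r\n".join([
    "BEGIN:VCALENDAR", "BEGIN:VEVENT",
    "SUMMARY:You have won a reward - claim now",
    "DESCRIPTION:Confirm your card details at https://prize.example.invalid/c",
    " laim",
    "ATTENDEE;PARTSTAT=NEEDS-ACTION:mailto:me@example.com",
    "END:VEVENT", "BEGIN:VEVENT", "SUMMARY:Team sync",
    "DESCRIPTION:Agenda at https://wiki.example.invalid/sync",
    "ATTENDEE;PARTSTAT=ACCEPTED:mailto:me@example.com",
    "END:VEVENT", "END:VCALENDAR"])
```

Calling `triage(SAMPLE, "me@example.com")` returns only the reward invite; the accepted meeting is left alone even though it also carries a link.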
Interestingly, our very own Artem has been receiving these and noticed that Gmail recognizes the actual message containing the calendar invitation as spam, yet that doesn't prevent Calendar from adding the event to the schedule. Thankfully, there is an option to report unwanted events in Calendar as well, which will hopefully help Google better protect us from such attacks.
To be on the safe side, it's better to proactively defend yourself from these scams by deactivating automatic event creation. To do so, head over to Calendar's settings using a computer, navigate to Event Settings -> Automatically add invitations -> No, only show invitations to which I've responded. You can also prevent Calendar from showing declined events in your agenda by going to View Options and deselecting Show declined events.
It's quite sad some people are finding such ingenious ways to extort money out of naive users. We should be on the lookout for these and make sure to spread the word to raise awareness about this new form of phishing, especially because some could pose as event planning invites. Finally, flagging suspicious events as spam is a good way to help Google improve its safety features and potentially prevent these attacks from happening.