Calendar Phishing


September 19, 2019

What is Calendar Phishing?

A new email-based scam has surfaced, and it is gaining popularity. Instead of a phishing email coming into your inbox, cybercriminals are now targeting your calendar. We have seen firsthand that scammers are sending large numbers of unsolicited calendar events to unsuspecting users. What’s worse is that due to Google’s default settings, they are being automatically accepted and added to your Gmail calendar.

By default, Gmail accepts and adds events to your calendar, even from unknown contacts. The scammer includes a link to a phishing site within the invitation, and when the invite is accepted, Gmail shows the user a pop-up notification. Without more detailed information, the link could appear legitimate and is more likely to be clicked.

This attack is not isolated to Gmail users either. While Outlook does not auto-accept calendar invites, the invite itself could be manipulated to appear legitimate and contain the same malicious link.

Currently, the most common destination of the phishing link is a website that displays a message stating that the user has won an iPhone or other valuable prize. In order to claim the prize, the user must submit personal data. This data includes name, address, phone number and payment information for shipping the prize. Instead of receiving the iPhone, the criminals now have your identity and money.

It would not be surprising to see this style of attack evolve into a credential phishing technique. Without much work, a scammer could create a convincing invite that appears to come from Microsoft, asking you to verify your account via a link. This link could redirect users to a fraudulent Microsoft page in an attempt to convince them to input their username and password.
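Calendar invites travel as iCalendar (.ics) data, so a mail filter or analyst can inspect one before it reaches a user's calendar. The following Python sketch is an added example, not part of the original article: it flags an invite that carries links and comes from an organizer outside a list of known domains. The function names, the `known_domains` allow-list and the sample invite with its `.example` domains are all assumptions made for illustration.

```python
import re

# Constructed sample invite (not from the article); all domains are placeholders.
SAMPLE_ICS = (
    "BEGIN:VCALENDAR\r\n"
    "BEGIN:VEVENT\r\n"
    "ORGANIZER;CN=Prize Team:mailto:rewards@unknown-sender.example\r\n"
    "SUMMARY:You have won a prize\r\n"
    "DESCRIPTION:Claim it here: https://prize-claim.exam\r\n"
    " ple/win?id=1\\nOffer ends today\r\n"
    "LOCATION:https://prize-claim.example/win\r\n"
    "END:VEVENT\r\n"
    "END:VCALENDAR\r\n"
)

URL_RE = re.compile(r'https?://[^\s<>"\\]+', re.I)

def unfold(ics):
    # RFC 5545 folds long lines: a line break followed by one space or tab
    # continues the previous line, so a URL can be split across two lines.
    return re.sub(r"\r?\n[ \t]", "", ics)

def parse_event(ics):
    """Return {property: [values]} for the first VEVENT (simplified parser:
    parameters are dropped and quoted parameter values are not handled)."""
    props, in_event = {}, False
    for line in unfold(ics).splitlines():
        if line == "BEGIN:VEVENT":
            in_event = True
        elif line == "END:VEVENT":
            break
        elif in_event and ":" in line:
            name, value = line.split(":", 1)
            props.setdefault(name.split(";")[0].upper(), []).append(value)
    return props

def triage_invite(ics, known_domains):
    """Flag invites that contain links and come from an unknown organizer domain."""
    ev = parse_event(ics)
    organizer = (ev.get("ORGANIZER") or [""])[0]
    domain = organizer.rsplit("@", 1)[-1].lower() if "@" in organizer else ""
    links = []
    for field in ("SUMMARY", "DESCRIPTION", "LOCATION", "URL"):
        for value in ev.get(field, []):
            links += [(field, u) for u in URL_RE.findall(value)]
    unknown = domain not in known_domains
    return {"organizer_domain": domain, "unknown_organizer": unknown,
            "links": links, "flag": unknown and bool(links)}

if __name__ == "__main__":
    print(triage_invite(SAMPLE_ICS, known_domains={"ourcompany.example"}))
```

The check covers the event location as well as the description, since a link can be placed in either field.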

(example of a Gmail invite to an Outlook account)

“Calendar phishing” is a relatively new attack vector that has been successful because users are not aware that their calendar could contain a threat. Luckily, it is simple to avoid this type of scam with a bit of awareness and a quick adjustment of your Google Calendar settings.

To turn off automatic adding of invitations to your Gmail calendar:

  • Open Google Calendar

  • Click the gear icon and choose “Settings”

  • Scroll down to “Event Settings”

  • Click the “Automatically add invitations” drop-down menu and change it to “No, only the invitations to which I have responded”

  • Below this option you will see a “View Options” category. There, make sure the check box next to “Show declined events” is unchecked unless you want to see these events.

The best way to stay protected from the constantly evolving threat landscape is by staying informed and keeping security top of mind. If you haven’t already, check out some of our other small business security articles:

Password Best Practices | How to Spot a Bad Link | Phishing Security White Paper