Researchers at cybersecurity firm Kaspersky have uncovered a new type of phishing scam that targets users through unsolicited Google Calendar notifications. These attacks abuse a feature in Calendar that automatically adds invitations and events to a user’s calendar. What makes this so effective is the unexpected attack vector; most users are accustomed to ignoring and blocking spam emails, but may not be as diligent with seemingly-legitimate calendar invitations.
Kaspersky observed multiple incidents of unsolicited pop-up calendar notifications. These invites would often carry a link to a phishing URL. Users were often directed to a website offering prize money for completion of a survey, and asked to provide a “fixing” payment, and others were asked to provide credit card details and other personal information in order to receive their “prize,” which scammers were then free to use to steal the victim’s money or identity. While these scams may seem obvious, Kaspersky security research Maria Vergelis warns that “every simple scheme becomes more elaborate and trickier with time”.
Fortunately this particular scam is easy to avoid. Kaspersky recommends users do the following:
Turn off automatic adding of invitations to Calendar
In Google Calendar, click the settings Gear Icon, then select Event Settings
Click the dropdown menu under the “automatically add invitations” option and select “No, only show invitations to which I’ve responded”
In the View Options section, ensure “Show declined events” is unchecked unless you wish to view these invitations
Never provide personal information unless you are certain a website is legitimate.
Use a reliable comprehensive security solution on your system to protect against malware and other threats.
If you have questions or concerns about your facility’s online security, including your email, calendar, and other Google applications, reach out to Nodal! For Kaspersky’s article on this topic, including more detail and recommendations, check out their press release here.