Phishing attacks used to be the most common form of email attack back in the day. Email services have since taken proactive action to automatically detect and flag potential phishing links, and growing awareness has made you cautious enough not to blindly click on a link in an email that says you just won a million dollars.
However, attackers have found a new way to scam users by sending phishing links through an unexpected medium – Google Calendar. Security experts from Kaspersky Labs have discovered that event invites containing phishing links can be sent to victims through the free calendar service.
When a user sends a calendar event invite, it is automatically added to the receiver’s calendar by default. This also triggers an email notification about the event being added to the calendar. Although Gmail is able to detect phishing links from suspicious email addresses, the problem here is that the email comes from Google’s own service, so it doesn’t raise any warning.
Attackers have been exploiting this default feature throughout May, according to Kaspersky. Users who have Google Calendar installed receive a notification whenever an event is added, and naturally the user is inclined to click on the link. Based on Kaspersky’s research, most of the phishing links took users to a website where they filled out a questionnaire offering prize money. After completing the questionnaire, users had to add their credit card details along with personal details such as name, phone number and address. The fraudulent website asked for these details in order to release the prize, a classic phishing technique.
How to avoid getting scammed through Google Calendar invites
It’s not that difficult to avoid getting scammed through phishing links. The first and foremost method is to avoid clicking on random links from unknown senders. That should prevent the majority of phishing scams. For this particular Google Calendar exploit, you will also have to change the default settings. Head over to Google Calendar from a desktop browser and go to the Settings menu. Scroll down to ‘Event settings’, then click on ‘Automatically add invitations’. A dropdown list appears where you need to select ‘No, only show invitations to which I have responded’. Next, under ‘View options’, uncheck ‘Show declined events’ so that all those scammy events aren’t visible in your calendar.
Additionally, avoid filling out personal information on any website or forum, especially the ones that arrive in your mailbox out of nowhere telling you that you’ve won something.
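To check a calendar that still had the default setting on, the following added example (not from the original article or from Kaspersky) scans an iCalendar (.ics) export for events that were never answered, carry a link and come from an organizer outside a list of trusted domains. The function names, the trusted-domain list and the sample data are assumptions made for illustration.

```python
import re

URL_RE = re.compile(r"https?://[^\s\"<>\\]+", re.I)
MAILTO_RE = re.compile(r"mailto:([^\s;,]+)", re.I)

def parse_events(ics_text):
    """One dict per VEVENT: summary, organizer, attendee PARTSTATs, URLs."""
    # RFC 5545 folding: a line starting with space/tab continues the previous one.
    lines = re.sub(r"\r?\n[ \t]", "", ics_text).splitlines()
    events, ev = [], None
    for line in lines:
        name = re.split(r"[;:]", line, maxsplit=1)[0].upper()
        if line == "BEGIN:VEVENT":
            ev = {"summary": "", "organizer": "", "partstat": {}, "urls": []}
        elif ev is None:
            continue  # calendar-level lines outside any event
        elif line == "END:VEVENT":
            events.append(ev)
            ev = None
        elif name in ("ORGANIZER", "ATTENDEE"):
            m = MAILTO_RE.search(line)
            addr = m.group(1).lower() if m else ""
            ps = re.search(r"PARTSTAT=([A-Za-z-]+)", line)
            if name == "ORGANIZER":
                ev["organizer"] = addr
            else:  # PARTSTAT defaults to NEEDS-ACTION when absent (RFC 5545)
                ev["partstat"][addr] = ps.group(1).upper() if ps else "NEEDS-ACTION"
        elif name in ("SUMMARY", "DESCRIPTION", "LOCATION", "URL"):
            if name == "SUMMARY":
                ev["summary"] = line.partition(":")[2]
            ev["urls"] += URL_RE.findall(line)
    return events

def unsolicited_link_invites(ics_text, me, trusted_domains):
    """Unanswered events with a link from an organizer outside trusted_domains."""
    return [(ev["summary"], ev["organizer"], ev["urls"])
            for ev in parse_events(ics_text)
            if ev["urls"] and ev["partstat"].get(me.lower()) == "NEEDS-ACTION"
            and ev["organizer"].rpartition("@")[2] not in trusted_domains]

# Constructed sample export (not real data); every address and URL is made up.
SAMPLE = "\r\n".join([
    "BEGIN:VCALENDAR", "BEGIN:VEVENT", "SUMMARY:You won a prize",
    "ORGANIZER;CN=Prize Desk:mailto:promo@prizes.example",
    "ATTENDEE;PARTSTAT=NEEDS-ACTION:mailto:me@corp.example",
    "DESCRIPTION:Take the survey: http://survey.example/claim?id=1", " 23\\nEnds today",
    "END:VEVENT", "BEGIN:VEVENT", "SUMMARY:Sprint review",
    "ORGANIZER:mailto:lead@corp.example", "ATTENDEE;PARTSTAT=ACCEPTED:mailto:me@corp.example",
    "DESCRIPTION:Agenda at https://wiki.corp.example/sprint", "END:VEVENT", "END:VCALENDAR"])
```

Calling `unsolicited_link_invites(SAMPLE, "me@corp.example", {"corp.example"})` returns only the prize event; the accepted internal meeting is left out.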