Desperate Spammers Are Targeting Calendars With ‘Meeting’ Invites
Faced with powerful automated filters on Gmail, criminals have found a new, annoying way to catch your attention
My email inbox is a mess. Ever since my work email address became public, spam has torn through it like a Tasmanian devil trying to sell little blue pills. I’ve resigned myself to the disorder in my inbox, but my calendar is sacred. It runs my entire life, from work meetings to outings with my kids. But now spammers are trying to ruin that, too.
It works like this: A spammer sends you an invite to a “meeting” using the collaborative tools built into Google Calendar, iCloud, or other online scheduling tools. By default, these services add the event to your calendar whether you’ve accepted or not — meaning that spammer’s event proclaiming “hot singles in your area” is now on your agenda, with no intervention from you. In fact, there’s a good chance you won’t see the invite at all: Gmail, for example, may automatically place the invite in your spam folder, but Google Calendar will still process the invite, perhaps leading to a mysterious notification on your phone down the line.
Unlike email spam, invite spam seems to affect certain people and not others, with no simple reasoning as to why. But there’s a clear motivation behind it: “Desperation,” says Graham Cluley, an independent security analyst. “The vast majority of traditional email spam is blocked by filters, and so they’re trying to find another way to get some eyeballs.” Your calendar lacks the spam filters that your email benefits from, and spammers have found a way to exploit that.
This has been happening for years, explains Cluley, though it’s been getting more media attention lately. Kaspersky Labs, a cybersecurity company, published a press release detailing a rash of these spam calendar invites in May. ZDNet traces a rise in the technique’s usage back to 2016.
I asked my friends, family, and Twitter followers what kinds of spam they’ve seen in their calendar, and responses ranged from promises of passive income to Russian-language messages involving unclaimed money. (Plus, of course, the usual sex solicitations.) ZDNet notes a few more nefarious uses, like one spammer who targeted employees of a specific company and spoofed the invite to appear as if it were coming from the CEO. My informal poll found different time periods for these waves, too: some folks dealt with the majority of spam a year ago or more, with others still clawing their way out from under a pile of fake events.
Thankfully, there’s an easy way to block this spam from appearing in your calendar. Open Google Calendar on the web and head to Settings > General > Event Settings. Under “Automatically add invitations,” choose “No, only show invitations to which I’ve responded” from the dropdown menu. You may also want to uncheck the “Automatically add events from Gmail to my calendar” option under the “Events from Gmail” setting, which parses dates, times, and locations from certain emails and creates calendar events from them — but this may not be strictly necessary to avoid the spam. Both of these settings have equivalents in many other calendar services too, including iCloud and Outlook.
It isn’t just your calendar, though. Kaspersky explains that spammers can, and do, use these same tactics to bombard you with junk in Google Photos, Google Drive, and other similar cloud services. Like the calendar scam, notifications will appear in your email as well, but these services help make their scams look more legit — after all, that suspicious link goes to Google Drive, not a scummy no-name website — so ne’er-do-wells hope even savvier users may be tricked into clicking it. This paints a bleak picture of our potential future, with spam infiltrating every corner of our digital life — just wait until these messages start gracing your smart watch or AR glasses.
“We are deeply committed to protecting our users from spam across our services,” said a Google spokesperson in a statement over email. “In Gmail, for example, our machine learning models can detect spam and phishing messages with 99.9% accuracy. And in Calendar, users have the ability to report spam and prevent events from automatically being added to their calendar grid. While we’ve made great progress, sometimes spam gets through, so we are investing in new ways for users to identify and block spammers and we expect these changes to roll out over the coming months.”
If you’re thinking this is all common sense and you’d never click on such an obvious fake link anyway, you’re probably right. “It’s a pretty desperate tactic and is unlikely to catch out many folks,” says Cluley. But if this truly is on the rise, then consider this a reminder to check in with your less savvy friends and family who may see this on their phone tomorrow. Remind them of good anti-scam practices and show them a few examples like the screenshots in this article. If they know it’s out there, they’re less likely to be one of the few duped into clicking.