Even the most cyber-savvy among us may be persuaded to click a link in a phishing email if it looks like it’s from Google. Why? Because we trust Google. We use Google for email, for road trip directions, we use it to store files, to catch up on the news, to find a cool photo. It has become so much more than a search engine.
Owing to that familiarity, the latest scam involving Google is insidious indeed. Malicious links are dropped into your Google Calendar — you don't even need to click anything in an email to fall victim.
How the scam works
Kaspersky Lab, the multi-national cybersecurity firm, uncovered the con and have researched how it plays out.
Basically, scammers consult a prepared email list to send meeting or event invites to multiple Google Calendar users. They use weaknesses in calendar settings — the default being to automatically add any event and a notification about it — to plunk their own events into your schedule.
The event could be called something like “There’s a money transfer in your name”; even if you delete it initially, it’ll still remind you about it several times, upping the chances you’ll eventually click on it and be convinced to fill out a harmful form with your personal information.
It’s profitable because of the sheer number of emails criminals can send out with fraudulent invites and events. The scam’s success rate is high — the notifications and calendar entries both appear to come from Google, which helps ease users’ suspicions.
How to avoid it without scrapping your Google Calendar
Once you’re aware it exists, it’s easy to get on top of this scam.
A couple of simple steps to take:
Protect yourself through the app itself by going to Google Calendar’s settings on a desktop, and going to “Event Settings > Automatically Add Invitations.” From there, select “No, only show invitations to which I’ve responded.”
Under “View Options,” uncheck “Show declined events.” That way phishy events won’t continue to pop up after you’ve already declined them.
Cybercriminals are always on the lookout for new victims and innovative ways to scam them out of their money or data. But staying informed and alert can go a long way in mitigating risk.
To figure out how your team/organization can reduce cyber risk, reach out to the Beauceron Security Team @ email@example.com or 1-877-516-9245.