There was the Netflix email scam, the Facebook message scam, the IRS scam and now there's a new way for thieves to go phishing: your Google Calendar.
According to a press release from Kaspersky Lab, a global cybersecurity company, scammers have found a new way to exploit default security settings to their advantage — and all they need is a digital calendar.
Here's how this "calendar phishing" works, according to Kaspersky: the perpetrator sends an unsuspecting Gmail user an unsolicited calendar invite that contains a phishing link. Because of Gmail's default settings, the person gets a calendar notification with the phishing URL and will most likely click on it.
"In most of the cases observed, the user was redirected to a website that featured a simple questionnaire and offered prize money upon completion," the release states. "To receive the prize, the user was asked for a 'fixing' payment, for which they need to enter their credit card details and add some personal information, including their name, phone number and address. Instead of being used to deliver the prize, this information went straight to the scammers who can exploit it to steal the victim’s money or identity."
The people who should be most concerned about this scam are those who use Gmail on their smartphones, since the scam largely relies on users clicking a pop-up notification. The default settings for Google Calendar allow people to send and receive calendar invites freely, even from strangers, and the invites are automatically added to the calendar.
Tons of Gmail and Google Calendar users were fooled by this latest phishing scam in May, according to Kaspersky.
“The ‘calendar scam’ is a very effective scheme, as most people have become used to receiving spam messages from emails or messenger apps,” Maria Vergelis, a security researcher at Kaspersky, said in the press release. “But this may not be the case when it comes to the Calendar app, which has a main purpose to organize information rather than transfer it. So far, the sample we’ve seen contains text displaying an obviously weird offer, but as it happens, every simple scheme becomes more elaborate and trickier with time.”
But never fear — there's a fix. Just follow these simple steps to avoid the scam:
- Turn off the automatic adding of invitations to your calendar. First, open Google Calendar, click the settings icon (it resembles a gear) and then go to event settings. Find the "automatically add invitations" option, click on the dropdown menu and select "No, only show invitations to which I've responded." Below this, in the view options section, make sure "Show declined events" is not checked.
- If you are not sure whether a website you are redirected to is real and safe, never enter personal information. Not sure if a site is safe? Look for the little icon of a lock next to the web address — that lets you know if a site is most likely secure.
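
The scheme described above depends on an invite from a stranger that carries a link. As an added example (not code from Kaspersky or Google), this Python function triages an exported iCalendar (.ics) invite by flagging one whose organizer is not a known sender and whose text contains a URL. The function name `triage_invite`, the `known_senders` set and the sample invite are assumptions constructed for illustration.

```python
import re

# Constructed sample invite (not from the article); all addresses and URLs are placeholders.
SAMPLE_ICS = "\r\n".join([
    "BEGIN:VCALENDAR",
    "METHOD:REQUEST",
    "BEGIN:VEVENT",
    "ORGANIZER;CN=Prize Team:mailto:promo@unknown-sender.example",
    "SUMMARY:You have received a reward",
    "DESCRIPTION:Complete the short survey to claim it: https://survey.exam",
    " ple.invalid/claim?id=1",  # folded continuation line, as mail systems emit
    "END:VEVENT",
    "END:VCALENDAR",
])

URL_RE = re.compile(r"https?://[^\s<>\"]+", re.I)
TEXT_PROPS = {"SUMMARY", "DESCRIPTION", "LOCATION", "URL"}

def unfold(ics_text):
    """Undo RFC 5545 folding: a line break followed by space/tab continues the line."""
    return re.sub(r"\r?\n[ \t]", "", ics_text).splitlines()

def triage_invite(ics_text, known_senders):
    """Return the organizer, the links found, and whether the invite needs review."""
    organizer, links = None, []
    for line in unfold(ics_text):
        # Simplification: assumes no quoted ':' inside property parameters.
        name, _, value = line.partition(":")
        prop = name.split(";")[0].upper()
        if prop == "ORGANIZER":
            organizer = re.sub(r"^mailto:", "", value, flags=re.I).lower()
        elif prop in TEXT_PROPS:
            # Undo iCalendar text escapes before looking for URLs.
            text = re.sub(r"\\[nN]", " ", value)
            text = re.sub(r"\\([,;\\])", r"\1", text)
            links.extend(URL_RE.findall(text))
    # Review when a sender outside the known set delivers a clickable link.
    review = bool(links) and organizer not in known_senders
    return {"organizer": organizer, "links": links, "review": review}

if __name__ == "__main__":
    print(triage_invite(SAMPLE_ICS, {"colleague@corp.example"}))
```

Unfolding comes first because a link split across folded lines would otherwise be truncated or missed by a line-by-line scan.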