
One billion Google calendar users exposed to fake invite scam

Fake invite scam first discovered by security researchers in 2017

Anthony Cuthbertson
Monday 16 September 2019 08:19 BST
A vulnerability with the Google Calendar app left more than a billion users at risk of having their personal details stolen (Getty)


Google has said it is “working diligently” to fix a major flaw that allows hackers to hijack a person’s Google Calendar through unwanted email invites.

The flaw allows cyber criminals to take advantage of a default setting that automatically adds invitations to a person’s Calendar when they are sent via email.

Unsolicited invites then appear as a notification through the Google Calendar app, which if clicked on can lead users to an official-looking page requesting personal and financial details.

“We’re aware of the spam occurring in Calendar and are working diligently to resolve this issue,” Google wrote in an update to its Calendar Help page.

“We’ll post updates to this thread as they become available... Thank you for your patience.”

Google included details of what people should do if they see a suspicious invitation or event in their inbox. It advises recipients to report the event as spam, which will remove all events from that organiser from the person’s calendar.

Around 1.5 billion people in 143 countries use Google’s Gmail and Calendar apps, which are provided to anyone who signs up for a Google account.

The fake invite scam was first discovered by security researchers in 2017 but Google is only now addressing the issue.

Black Hills Information Security published details of the exploit in a detailed blog post two years ago, describing how controls designed to prevent such attacks could be easily bypassed.

In researching the flaw, the cyber security firm discovered that it was not even necessary to send an email to create an event in someone else’s calendar.

When creating an event in Google Calendar, it is possible to select “Don’t Send” when prompted to send invitations to guests of the event.

The researchers noted that this was a particularly useful feature for hackers, as users have grown wary of receiving spam and malicious links in emails. Receiving an official notification through Google Calendar is less likely to provoke suspicion, they noted.

“Possibly the most interesting element of the calendar is that it can create a sense of urgency simply by alerting a user to something. Perhaps the user completely ‘forgot’ they had a meeting scheduled,” the blog states.

Links within the event or notification will then take victims to a fake Google authentication page that captures their credentials.
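The pattern described above (an invite that lands in the calendar automatically and carries a link to a fake sign-in page) can be screened for on the receiving side. The following is an added example, not code from the article, from Google or from Black Hills: it parses a constructed .ics invite and flags external organisers and links to non-allowlisted or brand-lookalike hosts; the sample invite and the domain lists are assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed sample invite (iCalendar/.ics), not taken from the article: an
# event from an unfamiliar organiser whose description links to a lookalike
# "Google" sign-in page. The long DESCRIPTION line is folded as RFC 5545 allows.
SAMPLE_ICS = (
    "BEGIN:VCALENDAR\r\nVERSION:2.0\r\nMETHOD:REQUEST\r\nBEGIN:VEVENT\r\n"
    "UID:constructed-1\r\nSUMMARY:Reminder: verify your account\r\n"
    "ORGANIZER;CN=Helpdesk:mailto:helpdesk@invites.example.test\r\n"
    "DESCRIPTION:Your session expired. Sign in at https://accounts-google.\r\n"
    " example.test/login to keep your calendar.\r\n"
    "END:VEVENT\r\nEND:VCALENDAR\r\n"
)

TRUSTED_ORGANISER_DOMAINS = {"corp.example"}              # assumption: your own mail domains
KNOWN_GOOD_LINK_DOMAINS = {"google.com", "corp.example"}  # assumption: link allowlist
BRAND_WORDS = ("google", "gmail", "accounts")             # words a lookalike host tends to borrow
URL_RE = re.compile(r"https?://[^\s<>\"']+")

def parse_events(ics_text):
    """Tiny iCalendar reader: unfold continuation lines, return one dict per VEVENT."""
    unfolded = re.sub(r"\r?\n[ \t]", "", ics_text)  # join folded lines (CRLF + space/tab)
    events, current = [], None
    for line in unfolded.splitlines():
        if line == "BEGIN:VEVENT":
            current = {}
        elif line == "END:VEVENT":
            events.append(current)
            current = None
        elif current is not None and ":" in line:
            name, value = line.split(":", 1)
            current[name.split(";", 1)[0].upper()] = value  # drop parameters such as ;CN=
    return events

def in_allowlist(host):
    return any(host == d or host.endswith("." + d) for d in KNOWN_GOOD_LINK_DOMAINS)

def assess_event(event):
    """Return the reasons an auto-added invite deserves a closer look (empty = no findings)."""
    reasons = []
    organiser = event.get("ORGANIZER", "").lower()
    org_domain = organiser.rsplit("@", 1)[-1] if "@" in organiser else ""
    if org_domain not in TRUSTED_ORGANISER_DOMAINS:
        reasons.append("organiser outside trusted domains: " + (org_domain or "unknown"))
    text = " ".join(event.get(k, "") for k in ("DESCRIPTION", "LOCATION", "URL"))
    for url in URL_RE.findall(text):
        host = (urlparse(url).hostname or "").lower()
        if not in_allowlist(host):
            reasons.append("link to non-allowlisted host: " + host)
            if any(w in host for w in BRAND_WORDS):
                reasons.append("host borrows a brand word (possible lookalike): " + host)
    return reasons
```

Run `assess_event` over each event returned by `parse_events` on an incoming invite; an empty list means nothing was flagged.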
