Your Google Calendar is under attack from hackers spoofing email headers to access your private information. This phishing campaign could affect up to 500 million users, with sensitive personal and corporate information up for grabs—but you can stay safe by changing a single setting.
How the Google Calendar Spoofing Attack Works
The Google Calendar phishing campaign was first discovered by cybersecurity experts at Check Point Software.
Attackers send an invite that looks like a typical one from Google Calendar. To make it believable, they modify the email headers of the invite, making it look like it was sent by a legitimate company or a person known to the target. Most invites look identical to the ordinary Google Calendar invite, while others use a custom format.
The link in the invite takes the target to a phishing page where victims are made to complete a fake authentication process, share personally identifiable information (PII) or corporate information, and in some cases, even share payment details. Pilfered information is used for financial scams, credit card fraud, identity theft, and other fraudulent activities.
After realizing that Google’s email scanning feature was flagging these malicious calendar invites, attackers modified the campaign and started using Google Forms and Google Drawings. Sending the calendar invite file (.ics) with a link to Google Forms or Google Drawings allowed them to sneak past Google’s security scans.
After users open the Google form, they are made to click on another link that leads to the phishing page, disguised as a fake reCAPTCHA or support page.
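The two defensive signals the article describes, whether the sender is already known to you and whether the invite's link goes through a Google Forms or Google Drawings page, can be checked mechanically before an invite ever reaches a calendar. The script below is an added example, not code from the article or from Check Point; it parses a constructed .ics invite, uses the invite's ORGANIZER field as a stand-in for the sender (the real campaign spoofs the email headers, which an .ics file does not carry, so treat this as a simplification), and flags the link patterns described above. The sample invite, the known-sender list and the domain names are all constructed placeholders.

```python
import re
from urllib.parse import urlparse

# Constructed sample invite (not from the article). The organizer looks like a
# colleague, but the only link in the body points to a Google Forms page.
SAMPLE_ICS = """BEGIN:VCALENDAR
VERSION:2.0
PRODID:-//Constructed Sample//EN
BEGIN:VEVENT
UID:constructed-0001@example.invalid
SUMMARY:Quarterly budget review
ORGANIZER;CN=Finance Team:mailto:finance@example.invalid
DESCRIPTION:Please confirm attendance: https://docs.google.com/forms/d/e/PLACEHOLDER/viewform
DTSTART:20250101T100000Z
DTEND:20250101T110000Z
END:VEVENT
END:VCALENDAR
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Hosts/paths the article names as the stage used to slip past mail scanning.
REDIRECTOR_PREFIXES = ("docs.google.com/forms", "docs.google.com/drawings")


def unfold(ics_text):
    """Join RFC 5545 folded lines (continuations begin with a space or tab)."""
    lines = []
    for raw in ics_text.splitlines():
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_invite(ics_text):
    """Return (organizer address or None, list of URLs found in property values)."""
    organizer, urls = None, []
    for line in unfold(ics_text):
        name, _, value = line.partition(":")
        prop = name.split(";")[0].upper()  # strip parameters such as ;CN=...
        if prop == "ORGANIZER":
            addr = value.strip().lower()
            organizer = addr[len("mailto:"):] if addr.startswith("mailto:") else addr
        urls.extend(URL_RE.findall(value))
    return organizer, urls


def host_in_domain(host, domain):
    """True if host is domain itself or a subdomain of it."""
    host, domain = host.lower(), domain.lower()
    return host == domain or host.endswith("." + domain)


def assess_invite(ics_text, known_senders, own_domain):
    """Apply the 'known sender' rule and flag the link patterns the article describes.

    known_senders: addresses you have interacted with before (constructed set).
    own_domain: your organisation's mail domain (constructed value).
    """
    organizer, urls = parse_invite(ics_text)
    findings = []
    sender_known = bool(organizer) and (
        organizer in known_senders or organizer.endswith("@" + own_domain.lower())
    )
    if not sender_known:
        findings.append(f"organizer {organizer!r} is not a known sender")
    for url in urls:
        parsed = urlparse(url)
        if (parsed.netloc + parsed.path).lower().startswith(REDIRECTOR_PREFIXES):
            findings.append(f"link is a Google Forms/Drawings page: {url}")
        elif not (host_in_domain(parsed.netloc, "google.com")
                  or host_in_domain(parsed.netloc, own_domain)):
            findings.append(f"link leaves trusted domains: {url}")
    return {"organizer": organizer, "sender_known": sender_known, "findings": findings}


if __name__ == "__main__":
    result = assess_invite(SAMPLE_ICS, {"alice@example.invalid"}, "corp.example")
    for finding in result["findings"]:
        print("FLAG:", finding)
```

Run against the sample, the invite is flagged twice: the organizer is neither in the known-sender set nor in the organisation's domain, and the only link in the body is a Google Forms page. An invite from a known sender with the same body would still carry the second flag, which mirrors the article's advice to verify even invites from people you know.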
Change This Google Setting to Protect Yourself
Google recommends changing the “known senders” setting in Google Calendar to protect against this spoofing and phishing attack.
- Click the Gear icon on the top right of your Google Calendar, then click Settings.
- In the menu on the left, click Event Settings, then click Add Invitations to My Calendar to open the drop-down menu.
- Now click Only if the sender is known.
Changing this setting will filter all the invitations added to your calendar to include only those from people in the same company you work for (with the same domain), people in your contact list, or people you’ve interacted with before. You’ll also receive alerts when you receive an invite from someone not on your list or you haven’t communicated with before.
As with all these attacks, avoid clicking on links if you don’t know the sender. Even if the sender is someone you know, it’s best to reach out to the person to double-check first, especially if the invite is for an unexpected event or meeting.