If you don’t have a Google account or use the Google calendar feature, you can stop reading and maybe read something from our back catalog. Still with us? Good, I’ll explain what’s happening, and then how you can plug this particular vulnerability. To put it simply, scammers are sending calendar invites to Google users that have malicious links embedded in the text of the invite. Not so bad, right? You know how to spot those. Except these aren’t emails – they are calendar invites that are being automatically added to your calendar courtesy of some default settings that Google has still not changed despite being warned about it nearly 2 years ago. The problem comes when these fake invites actually pop up as a notification on your phone or computer, and as we are all trained to do, we click to get more information, possibly on a disguised link in the text of the invite, and BAM, you are infected.
Here’s how you stop this
You have to do this via a web browser, and I would recommend using a computer instead of your phone, mostly so you can confirm you are changing the correct setting by matching what you see with the screenshots below.
Log into your Google Account. This link will take you to your calendar if you are already logged in, or to the login screen if you are not – https://calendar.google.com/
Look for the gear icon in the upper right corner of the calendar web page and click “Settings”:
Under the “General” menu, click “Event settings” and then look for the “Automatically add invitations” setting which probably says “Yes”:
Change that setting to “No, only show invitations to which I have responded”.
Next you may want to consider disabling Google’s “Events from Gmail” function which automatically adds events to your calendar based upon emails you receive, such as flight confirmations, restaurant reservations, concert ticket receipts, etc. If you don’t regularly rely on this feature, you should turn it off until Google is able to further secure calendars from fake invitations.
If you want to disable this feature, look in the left column for “Events from Gmail”, click it, then uncheck the “Automatically add events from Gmail to my calendar” option.
Finally, if you already have fake invites in your calendar, you can report them as spam, and Google will automatically remove any other invites on your calendar from that same sender. You also have to do this from a computer web browser. Do not do this from your calendar app on your mobile device.
To report a Google calendar event as spam, find the event in your calendar, open it and then click the three-dot icon “Options” and then select “Report as spam”:
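For anyone who wants to triage a calendar in bulk rather than clicking through events one by one, here is an added example (not from the original post or from Google) that applies the same pattern described above: flag invites that landed on the calendar without a response from you, come from a sender outside a domain allowlist, and carry a link. The event shape assumed is that of the Calendar API v3 events resource (organizer, description, attendees[].responseStatus); the sample events and domains are constructed for the example.

```javascript
// Added example: triage Google Calendar events for auto-added spam invites.
// Input shape assumed to follow the Calendar API v3 "events" resource.
const URL_RE = /https?:\/\/[^\s<>"')]+/gi;

// Organizer is trusted when its email domain is on the (assumed) allowlist.
function isTrustedOrganizer(event, trustedDomains) {
  const email = ((event.organizer && event.organizer.email) || "").toLowerCase();
  const domain = email.split("@")[1] || "";
  return trustedDomains.includes(domain);
}

// "Unanswered" means the owner's own attendee entry is still needsAction:
// exactly what "Automatically add invitations: Yes" puts on the calendar
// without any click from the user.
function isUnanswered(event) {
  const me = (event.attendees || []).find(a => a.self);
  return !me || me.responseStatus === "needsAction";
}

// Collect every distinct link from the fields a user would read in the popup.
function extractLinks(event) {
  const text = [event.summary, event.description, event.location]
    .filter(Boolean).join("\n");
  return Array.from(new Set(text.match(URL_RE) || []));
}

// Returns the events matching the spam pattern: unanswered, untrusted
// organizer, and at least one link in the visible text.
function findSuspiciousInvites(events, trustedDomains) {
  return events
    .filter(e => isUnanswered(e) && !isTrustedOrganizer(e, trustedDomains))
    .map(e => ({ id: e.id, organizer: (e.organizer || {}).email, links: extractLinks(e) }))
    .filter(r => r.links.length > 0);
}

// Constructed sample input (placeholder senders and links, not real ones).
const SAMPLE_EVENTS = [
  { id: "evt1", summary: "Team sync", organizer: { email: "boss@example-corp.com" },
    description: "Agenda: https://docs.example-corp.com/agenda",
    attendees: [{ email: "me@example-corp.com", self: true, responseStatus: "accepted" }] },
  { id: "evt2", summary: "You have won a prize!", organizer: { email: "noreply@spam-sender.invalid" },
    description: "Claim here: http://claim-prize.invalid/win",
    attendees: [{ email: "me@example-corp.com", self: true, responseStatus: "needsAction" }] },
  { id: "evt3", summary: "Dentist", organizer: { email: "front-desk@dentist.invalid" },
    description: "See you at 10am",
    attendees: [{ email: "me@example-corp.com", self: true, responseStatus: "needsAction" }] },
];

console.log(findSuspiciousInvites(SAMPLE_EVENTS, ["example-corp.com"]));
```

Only evt2 is reported: evt1 is from a trusted domain and already accepted, and evt3 is unanswered but carries no link, so it is left for a human to judge.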
Photo courtesy of Stuart Miles from FreeDigitalPhotos.net