It’s late and we’re fighting through a rather difficult month of technology challenges for our clients, but I wanted to make sure you got a heads-up on two important news items that happened this week. The first one actually happened months ago, but we are only hearing about it now, after the companies involved were able to plug the gaping security hole. As you can imagine, I’m fairly jaded when it comes to hearing about yet another vulnerability in our technology, but this one raised an eyebrow as it literally affected hundreds of millions of Android users.
Really Google? Again?
Google and Samsung recently confirmed a rather large security failure in the Camera app of both Google and Samsung smartphones that could be exploited to gain essentially unfettered access to the camera, microphone and GPS functions of your phone, all by installing a simple app that only requests storage access permissions. Discovered by security research firm Checkmarx back in July of this year and eventually fixed (supposedly) in August, Google and Samsung only just recently approved the publication of this vulnerability after confirming the patch has been successfully deployed to counteract this weakness.
While this particular incident wasn’t even out of sight of our rear-view mirror, news of a new email-delivered ransomware attack hit my inbox. For this latest campaign the hook was set to exploit everyone’s heightened awareness of keeping your computer up to date, an awareness that we have played no small part in pumping up, and now, ironically, may end up tricking clients into infecting their computers with ransomware. This time, the attack comes in the form of a fake email notification from Microsoft urging readers to “Install Latest Microsoft Windows Update now!” and provides a spoofed EXE file renamed to appear as a JPG image file. If the reader happens to fall for the con, the attachment downloads the Cyborg ransomware variant and quickly encrypts the user’s data in files ending with “777”, leaving behind a note with instructions on how to get your files back if you pay the ransom in bitcoin.
The average Windows user probably doesn’t realize that Microsoft doesn’t use email to notify its customers that updates are available, primarily because it can do so right through the operating system. Unfortunately, we are all so used to receiving information via email that we’ve grown accustomed to these types of notifications for just about every other aspect of our digital lives. As a whole, we’ve become too trusting to question everything we receive digitally out of necessity as researching or vetting everything is essentially impractical for the average human. As such, you should continue to make it a rule to NEVER open an attachment that you haven’t vetted fully. Always call the sender to verify if you receive an unsolicited attachment, and if you are at all unsure, check with your nearest IT professional.
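A mail-filter style check for the trick described above, where a Windows executable arrives under a JPG name: compare what the file name claims with what the first bytes of the file actually are. This is an added example, not code from the original post or from any product; the file names and sample bytes are constructed.

```python
import struct
from pathlib import PurePosixPath

# What the first bytes of a genuine image look like ("magic numbers").
IMAGE_MAGIC = {
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
}

# Which content type each picture extension promises the reader.
EXPECTED = {".jpg": "jpeg", ".jpeg": "jpeg", ".png": "png", ".gif": "gif"}


def is_windows_executable(data: bytes) -> bool:
    """True if data has a DOS 'MZ' header that points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    # The 4-byte little-endian field at offset 0x3C holds the PE header offset.
    (pe_offset,) = struct.unpack_from("<I", data, 0x3C)
    return data[pe_offset:pe_offset + 4] == b"PE\x00\x00"


def sniff_type(data: bytes) -> str:
    """Classify content by its leading bytes, ignoring the file name entirely."""
    if is_windows_executable(data):
        return "exe"
    for name, magic in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return name
    return "unknown"


def check_attachment(filename: str, data: bytes):
    """Return (verdict, reason); verdict is 'block', 'suspicious' or 'ok'."""
    ext = PurePosixPath(filename.strip().lower()).suffix
    actual = sniff_type(data)
    if actual == "exe":
        if ext in EXPECTED:
            return ("block", "Windows executable disguised as a %s image" % ext)
        return ("block", "Windows executable attachment")
    if ext in EXPECTED and actual != EXPECTED[ext]:
        return ("suspicious", "%s name but content is %s" % (ext, actual))
    return ("ok", "content matches the name")


# Constructed sample: minimal MZ/PE header bytes, not a working program.
FAKE_JPG = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40) + b"PE\x00\x00" + b"\x00" * 20
# Constructed sample: the start of a real JPEG (JFIF) file.
REAL_JPG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 16

if __name__ == "__main__":
    for name, blob in [("update.jpg", FAKE_JPG),
                       ("photo.jpg", REAL_JPG),
                       ("notes.jpg", b"plain text")]:
        print(name, check_attachment(name, blob))
```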
Image Courtesy of Stuart Miles at FreeDigitalPhotos.net
Many of my clients, even the ones that I’ve worked with for years, view my tech troubleshooting skills as supernatural. While some of this is attributable to the perverseness of mechanical devices, “It was doing the thing until you walked into the room, and now it’s working,” the rest of the time it looks easy or magical is primarily because I’ve spent over 30 years honing my craft. Along the way, experienced technicians gather useful “shortcuts” to figuring out what’s wrong, and many of them are so simple that their use may be considered “magical.” So if you are having odd problems with your technology, either performance is slow or apps are unpredictable, here are some of the trusty tricks we troubleshooters use on taciturn technology.
“Any sufficiently advanced technology is indistinguishable from magic.” – Arthur C. Clarke
1. Reboot. No, I’m not trolling you. This is every master technician’s secret weapon: we are not afraid to reboot. This is the doctor’s equivalent of, “Drink lots of water, get plenty of rest and take your vitamins.” Computers (and phones!) are so stable these days that you can go months(!) without rebooting. This also goes for home routers, Wifi access points and other “smart” devices. For older devices, rebooting might be painful and slow, but it still needs to be done.
2. Check your data connection. Despite how pervasive and relatively reliable wireless data has become, it’s still reliant on the inherently unpredictable nature of EMF. If you are having intermittent issues with internet-powered apps, frequently this may be attributed to an unreliable Wifi signal or spotty cellular reception. If you can eliminate that variable by going hardwire for computers and getting to full-bars for cellular devices, many problems evaporate. If you have the option to change networks, try that as well: by switching from the local Wifi to your phone’s hotspot, or disabling Wifi on your phone and using strictly cellular data, you can identify or rule out local network problems that might be out of your control.
3. Close apps you aren’t using. Remember the good ole days when running two programs was considered multi-tasking? Me neither. Having half a dozen applications running on a computer is trivial even for budget computers and mobile devices, and you can bet that even though your device is putting on a brave face, it might be one straw shy of a broken back. If you are inquisitive, try closing apps one at a time and testing if the problem still exists. If you ain’t got time for that, see #1. And yes, you can close apps running in the background on phones too!
4. Make sure you haven’t run out of storage space. Computers and mobile devices can store a ton of data, but today’s technology also creates way more data than ever before. When your device runs out of space, it can’t do the things it needs to do (like upload those 16-megapixel photos and 4k cat videos to the cloud, see #2), which just creates a vicious circle. Smartphones are notoriously bad at letting you know you are out of space, and will confuse the issue with trying to sell you more cloud storage when you just need to remove some old apps to give your phone some breathing room.
5. Check the date & time. Most of the time, computers and mobile devices can check on the internet and keep their clocks proper, but that doesn’t mean that it’s doing so reliably, especially around Daylight Savings Time or if you are crossing time zones while traveling. If your clock is off by even a little bit, some security systems flag that as a possible hack and can result in web pages not loading, passwords not working, and various other unpredictable behavior. Also, a consistently incorrect time on a device is indicative of other issues, especially if the clock is regularly slow or fast, which should not occur on modern technology.
6. Try switching ports/devices. If the problem is related to something connected to something else, try either device with something else. Thumb drive not showing up? Try a different port (or computer). Phone not charging? Try a different cable or charger, or try a different phone to identify the culprit. Solving a problem properly requires knowing exactly which device is the actual root of the problem. Be careful though – just because something fits does not necessarily mean that it will work, especially devices that supply power. Try to stick to the same type of device/cable/port if that is available to you.
7. Did you try rebooting?
I’m sure that when the first prototypes of today’s smart speakers were demonstrated it probably felt like part of the bright, shiny future from Star Trek: Next Generation had arrived. Finally we were going to have the modern-day equivalent of Majel Barrett politely making things happen just with the power of our voice. It’s taken a few years for the devices to gain a toe-hold in the home, and they have come with their fair share of problems. In a recent addition to the pile, hackers have discovered a security flaw in the basic hardware design of voice-controlled devices, including smartphones and tablets, that allows them to be exploited at a distance via this feature using a simple laser pointer.
“Alexa, buy blackout curtains.”
In a paper published on Nov 4, a team of academic researchers revealed that by using a focused beam of light they could trick Alexa, Siri and Google Voice controlled devices into acting as if they had received an actual voice command. The researchers were able to mimic sound waves using light pulses that were directed at the device’s microphone diaphragm, and they demonstrated this capability across hundreds of feet through windows and even obstructions on the mic itself. They were able to get the devices to perform tasks that they normally had access to, such as turning lights on and off, opening garage doors, unlocking smartlocks on doors and cars, and even purchasing items online.
What does this mean for you?
If you have a voice-activated device that can control access to things you don’t want strangers accessing, either make sure your device is not in view of any open window, or disable that function. Most smart speaker devices have a way to disable voice control – something you may want to consider engaging when you leave your “smart” speaker unattended. Unfortunately, the nature of this weakness is something that (probably) cannot be fixed by a firmware update as it’s exploiting a core component of the microphone’s analog to digital process. At the moment, there are no documented incidents of this sort of hack occurring “in the wild,” but now that the news is out, it may be time to tuck those devices into a drawer for the time being.
Image courtesy of Miles Stuart from FreeDigitalPhotos.net
Last week I explained why email continues to be the number one source of malware infections, but this week’s blog is for the TLDR crowd: how to reduce the amount of risk we incur each day using email. Enough talk, more tips, Woo!
1. All attachments delivered via email should be considered unsafe. This is a big hassle, but if you shift your mindset to automatically distrusting every attachment you receive regardless of who sent it, you will be safer overall. If you regularly receive attachments via email to operate your business, I recommend changing your business process to use a more secure platform to transfer files. This may not be cheap, but can you afford to get hacked? If you need a quick way for someone to send you an attachment, or to send one yourself, you can use https://send.firefox.com/ to send secure, encrypted attachments for free.
2. All links in emails should be handled very carefully. Unless you understand exactly how to reveal the actual destination of a link you see in an email, do not click links in emails. When reading email on your computer, hovering over the link in question should show you the actual destination, especially if the link looks just like this and does not actually show you the URL. Become familiar with how your email application shows you the link destinations. Outlook will show you in a little pop-up when you hover over the link. Gmail will show you the destination in the lower left corner. Keep in mind that most smartphone email apps will NOT show you the destination URL, and as such, I don’t recommend you click links or open attachments on your mobile device for this very reason (see #4). If you need to investigate further, manually type the link of the site in question in your browser.
3. Guard your email password as if your (digital) life depended on it. Your email password should be complex, hard to guess, and never used anywhere else. Access to your email is a key stepping stone for hackers who are intent on stealing your identity. They can also use it to destroy relationships with clients and customers by sending malware to them from your email account. Always consider carefully when being prompted for your email password whether the request is legitimate. If you get the prompt after opening an email attachment (see #1) or clicking a link (see #2), stop. Do not enter your password. Recheck the source of the prompt and make doubly sure it’s not a phishing attempt. If you are unsure, do not proceed and check with your IT professional.
4. When reading emails, whether on your computer or on a mobile device, always pay 100% attention to what you are doing. The more distracted or rushed you are while processing email, the more likely it is you will make a mistake that could result in a malware infection. Phones display less information on a small screen and are often used in distracting environments, and this can lead to you being bamboozled by an email you would otherwise spot easily on a bigger screen with your undivided attention.
5. Get rid of old email and social media accounts. If all they are doing is collecting junk mail, consider closing them permanently, or have the email forwarded to an account with more robust filtering services in place. Forgotten accounts can be hacked and used to steal your identity in places you might not be watching, so instead of leaving that backdoor wide open, nail it shut permanently.
6. Never use an email account, business or personal, that does not have some form of filtering service attached to it that can detect and quarantine malware and spam. At the moment, among the free email platforms, Google’s Gmail has probably the best filtering, and at the other end of the spectrum, ISP email accounts, especially legacy services like ATT, SBCGlobal, Roadrunner, etc. have barely functional spam filtering. Some of the more “traditional” freemail platforms like AOL and Yahoo have improved somewhat, but they are still no match for the corporate-grade mail filtering services that can be attached to platforms like Microsoft Office 365 and Google Apps Suite. In this case, you get what you pay for, and with the exception of Gmail, free doesn’t get you much.
7. Always delete emails that contain sensitive information, like passwords and PII (personally identifiable information). Do not use your email account to store important information. If a hacker gains access to your account, they may scan the entire contents of your email box for other juicy information they can use against you, your clients, your family and friends.
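The tip above about revealing a link’s actual destination can be automated for an HTML email body: list every link, show the host it really goes to, and flag the ones whose visible text displays a different address. This is an added example, not part of the original post; the sample message and its `example.net`/`example.org`/`example.com` hosts are constructed, and comparing hosts after dropping a leading `www.` is a simplifying assumption.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Visible text that itself looks like a web address, e.g. "www.example.com/login".
URLISH = re.compile(
    r"^(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})(?:[/:?#].*)?$", re.I
)


class LinkCollector(HTMLParser):
    """Collect (visible text, href) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # href of the <a> we are currently inside, if any
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def strip_www(host):
    return host[4:] if host.startswith("www.") else host


def review_links(html_body):
    """Return (visible text, actual host, verdict) for each web link.

    verdict: 'mismatch' - the text shows one address, the link goes to another
             'hidden'   - the text shows no address; only the href reveals it
             'match'    - the text and the destination agree
    """
    parser = LinkCollector()
    parser.feed(html_body)
    parser.close()
    findings = []
    for text, href in parser.links:
        parts = urlsplit(href)
        if parts.scheme not in ("http", "https"):
            continue  # mailto:, tel: and similar are out of scope here
        actual = (parts.hostname or "").lower()
        shown = URLISH.match(text)
        if shown is None:
            verdict = "hidden"
        elif strip_www(shown.group(1).lower()) == strip_www(actual):
            verdict = "match"
        else:
            verdict = "mismatch"
        findings.append((text, actual, verdict))
    return findings


# Constructed sample message body.
SAMPLE_HTML = """
<p>Install Latest Microsoft Windows Update now!</p>
<a href="http://updates.example.net/kb.html">https://www.microsoft.com/update</a>
<a href="https://www.example.org/news">Read more</a>
<a href="https://www.example.com/">example.com</a>
<a href="mailto:someone@example.com">Email us</a>
"""

if __name__ == "__main__":
    for finding in review_links(SAMPLE_HTML):
        print(finding)
```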
Image courtesy of cuteimage at FreeDigitalPhotos.net
Those of us who have been using computers for a few decades remember the days when getting a computer virus was more of a nuisance than today’s current nightmare, but back then computers and the internet played a much lesser role in our personal and professional lives. On top of this, the past purveyors of malware had a much different agenda (if they had one at all) than today’s anonymous blackmailers and ransomers. When money is the object, you can bet some very smart and unscrupulous people are going to find ways to pollute your ‘puter for profit, and sadly, email is a big, red target on everyone’s back.
Why is email targeted?
- Everyone has an email account. As of this year, over half the planet uses email meaning there are literally billions of email accounts. Email extortion schemes are extremely profitable if only a very small percentage fall for the fake link or open the bogus attachment and then follow through with a ransom payment. The profitability of a ransomware campaign relies on how wide a net can be cast, and with billions of fish in the sea, lots of nets can be cast.
- The cost to send an email is microscopic. Even campaigns that send millions of phishing emails have incredible ROI if only a tiny percentage actually hook a victim. With the right infrastructure (typically hacked servers belonging to someone else), malware teams can push out millions of emails with a few hours of investment of time and minimal hardware costs. On average, ransom demands to small companies are now upwards of $13000 per incident. You don’t even need to do the math to see why this is happening.
- It’s incredibly easy to fool someone via email. Yes, you still get a ton of poorly spelled and grammatically awkward offers to share in the inheritance of foreign princes, but mixed among all the general pollution and real emails are fakes that are becoming increasingly hard to catch. Email scammers are upping their game daily, especially since it definitely leads to more victims getting tricked.
- Each of us gets too much email. I don’t know a single adult who would say otherwise. Even those of us who are really damn good at grinding that email box down to zero each day (not me) do so at great expense of time and energy. And, like any working adult who is pressed for time, this means we are more likely to cut corners (i.e. security) and make hasty decisions that lead to poor outcomes.
- Email technology has not advanced to match the growing sophistication of malware. Outlook is literally 22 years old and has not changed much in how we process email. SMTP, the primary delivery mechanism for internet email, was first released in 1981, and while security and encryption have been tacked on in the intervening years, the core technology is essentially unchanged. Email technology needs its equivalent of the hybrid/electric car to change the industry, and seeing as how long it’s taken those types of cars to effect meaningful change, I don’t expect a quick change on the email side either.
- We are completely dependent on email. Even if we wanted to cut email out of our lives, too much relies on this system of communication to even consider how we would function without it.
Next week: how to bolster your email security perimeter.
Image by Gerd Altmann from Pixabay
There’s no way to spin this: Facebook is currently running a political ad with a false claim that Biden tried to bribe Ukraine regarding an investigation into a firm that employed his son. Facebook’s own fact-checking partners have debunked this claim, and yet, the ad has been viewed millions of times and even re-broadcasted by traditional media outlets.
According to its own misinformation policy governing ads, Facebook
“…prohibits ads that include claims debunked by third-party fact checkers or, in certain circumstances, claims debunked by organizations with particular expertise.” – https://www.facebook.com/policies/ads/prohibited_content/misinformation
Open and shut case, right? Not so fast, or at least, not so fast as of September 24th, when Facebook “clarified” why it was allowing political ads containing lies to run on its platform unchecked. Facebook VP of Global Affairs and Communications Nick Clegg announced on the stage at the Atlantic Festival in Washington D.C.
“We have a responsibility to protect the platform from outside interference, and to make sure that when people pay us for political ads we make it as transparent as possible. But it is not our role to intervene when politicians speak.” – https://newsroom.fb.com/news/2019/09/elections-and-political-speech/
And furthermore, Mr. Clegg cites a policy established in 2016 (approximately one month prior to the November 2016 elections) that literally grants an exception to ANY content it deems “newsworthy, significant or important to the public interest…”
“..if someone makes a statement or shares a post which breaks our community standards we will still allow it on our platform if we believe the public interest in seeing it outweighs the risk of harm.” (emphasis mine) – https://newsroom.fb.com/news/2019/09/elections-and-political-speech/
I can get behind the principle of this – Facebook is trying to tread the fine line between unbiased distribution of information while facing the impossible task of fact-checking the millions of posts that are published on its platform. But here’s the hitch: Facebook is telling us that it has our best interests at heart, but has repeatedly demonstrated that this is just not the case. Also consider the fact that Facebook considers profanity banworthy but not outright falsehoods. Based on that alone, I would question whether or not Facebook has an accurate understanding of what is actually harmful. That and the incident where the spread of false information via Facebook actually led to genocide, something that the world seems to have conveniently forgotten.
Given that political ads are resulting in millions of dollars in revenue a week for Facebook, and that Mark Zuckerberg has been quietly hosting private dinners with high-profile right-wing conservatives (a verifiable large source of ad revenue) who have been critical of Facebook in the past, it’s pretty clear that Facebook knows exactly which side butters its toast.
I don’t care which side of the political spectrum an ad comes from, but I do care if you are relying on falsehoods instead of facts to profit, and I find it offensive that the world’s biggest social media platform on which billions trust as their primary news source disrespects its customers with double standards and naked profiteering. At minimum, you should be taking everything you see on Facebook with a huge grain of salt, especially the political ads.
I’ve spent the last 2 blogs getting you pumped up to upgrade to Windows 10, but you should know that despite being an overall improvement from Windows 7 and 8 in many ways, there are several aspects of the “new” operating system that are markedly different from Windows 7, and a few that are, in my opinion, a step backwards from the stability of Windows 7. Regardless of these blemishes, none of us are being given an option to live in the past except at increasing risk, so get ready to love Windows 10, warts and all.
The Bad and the Ugly (Sorry, no “Good” today!)
If you’ve not spent any time doing work on a Windows 10 computer, these may be eye openers for you and as near as I can tell, they are unavoidable for the moment:
- Windows updates are forced. You can defer them for awhile, but at a certain point, you will get updated if you are connected to the internet. There are ways to work around this to a limited degree, but it’s not recommended unless you know specifically that a Windows 10 update will break an application on your computer. And even in these special circumstances it is in your best interest to get that app updated so that it will be in-step with Microsoft’s update cadence. The longer you go, the more onerous the update will be when it happens. See the next wart to understand why you don’t want this.
- Windows updates will sometimes temporarily slow down your computer A LOT. Depending on the size of the update, this may be for a few minutes, or, for slower, older computers, the slow down will be several hours and it…will…be…punishing. You can’t stop it (without dire consequences) and there really isn’t any way to make it go faster other than to stop using your computer altogether while it’s updating.
- Windows updates will break your printers (sometimes). I know it’s Microsoft trying to be helpful by providing “updated” printer drivers for your installed printers, but 9 times out of 10, their driver isn’t as fully featured as the manufacturer’s driver, and on older printers, often doesn’t work at all. Be prepared to reinstall your printer drivers after a major Windows update.
- Windows updates will break your PDF reader setting. Again, Microsoft is trying to be helpful by providing you with a PDF reader by changing your computer’s default PDF app to its new browser Edge, and to be fair, it does an OK job as a PDF reader. But for those of you who spent an arm and leg to pay for Acrobat, I’m sure that Microsoft’s cheekiness rubs you at least $200 in the wrong direction.
- The fancy new Start Menu will occasionally be populated by games and apps that you did not install. I won’t provide an excuse for this behavior. I find it galling but put up with it because I’m too lazy to remove them, and frankly, I don’t even use the Start Menu, so I don’t see the blatant marketing. Again, there are fixes that require a certain amount of MacGyver’ing that most folks just won’t do, so get ready to ignore yet more advertising on your computer.
- Cortana is useless. It’s not Siri, Alexa nor is it OK Google. I’ve not met anyone who finds it useful or even accurate on a consistent basis. Don’t even bother. You can turn it off but you can’t remove it (yet).
- Windows 10 wants to control your other application defaults. This particular aspect isn’t as consistently annoying as the PDF one mentioned above, but Windows 10 will occasionally challenge you by changing your default printer, internet browser, photo viewer and email reader to the Microsoft designated app.
I’d like to say that none of these are showstoppers, but for many of our clients the top 2-3 are frequent work-stoppers, often enough that they’ve come to dread Windows updates almost as much as we do here at C2. I’ve talked a little about this in a previous blog, but despite quite a bit of rabble-rousing from our industry, Microsoft continues to use us as captive beta-testers. Unfortunately, most average Windows users don’t make good testers, so it’s become something of a vicious circle. Over the years of using Windows 10, the one thing I’ve noticed is that the longer you put off applying the updates, the worse it gets in terms of impacting you at exactly the wrong time. My best advice for everyone using Windows 10 – apply those updates on your own terms – don’t wait for Microsoft to take that decision (and time) out of your hands.
Hopefully you read last week’s blog about the upcoming demise of Windows 7 and have made the decision to purchase a new Windows 10 machine. Even if you’ve decided to take the decidedly rougher path of Windows 7 to 10 upgrade on the same machine, you should still keep reading so that you can truly weigh both options and know what’s ahead on either path. For most of us, getting a new computer is not something that happens very frequently. Even yours truly has been using the same laptop for over 6 years now! Unfortunately, transitioning to a new computer is never easy, especially if you are moving to a new operating system, but with some preparation and planning, the process doesn’t have to be a showstopper.
Get your transition ducks in a row
The below recommendations apply to both new machine upgrades as well as Windows 7 upgrades, so get ready to do some homework! Even if you are planning to engage a professional to handle the migration for you, you can save yourself some time and money by doing a little preparation.
- First and foremost, backup your data, then make sure that backup is good. I just had a client run a backup to an external USB drive, only to find that device had failed after a few weeks resulting in 100% data loss, so make sure you consider a cloud backup for real peace of mind. Note that no professional worthy of the title will perform an in-place Windows 10 upgrade without verifying your data is backed up.
- Clean up your files. Make sure you know where all your data is, what the folders are called, and for deity’s sake, delete old files you don’t need. Just like moving house, don’t pack up stuff and pay to have it moved just so you can throw it away at the new place. You backed up your data, right?
- Take an inventory of your applications. Make sure they will work on Windows 10, and if not, purchase new or upgrade your existing licenses to versions that are supported on Windows 10. This is also a good time to gather your installation discs (if you still have them), activation codes, account logins and passwords. Most modern applications like MS Office, Adobe Acrobat, Quickbooks, etc can be downloaded from the internet but just about all of the expensive ones will require a login, activation code, or some other proof of purchase when reinstalling them on a new machine. They may also require that you remove the software on the old machine before you can install on the new, so plan accordingly.
- Decide if you want to transfer all of your existing app settings and customizations, or if you’d like to start new. For some things like browser bookmarks and saved passwords, this can be accomplished by using persistent cloud accounts associated with the browser of your choice – Google, Firefox and Microsoft all offer this option as part of their respective browsers, but you need to set up the account and turn on account syncing for this to work. Other things, like Outlook interface customization are harder to sync across computers, and in some cases impossible if you are moving to a new version of the app. If you are in doubt, take pictures of your custom settings and changes. The pictures will be invaluable when trying to set up your new computer and you’ve already uninstalled the app on the old computer.
- Run a malware scan on your computer. Make sure the OS is clean and your files are clean as well. You don’t want to transfer any trojans onto your new computer, especially as it may be slightly more vulnerable during the transition.
- Plan for the downtime. Depending on the path you are taking, upgrading existing or transitioning to new hardware, the process can take multiple hours, even when performed by an experienced professional. If you need to be working during this time, have another machine you can use, or figure out how to stay productive with your mobile devices and web-version of your apps.
Next week: how the Windows 10 upgrade sausage is actually made.
The day that many people are dreading is fast approaching: Microsoft is ending extended support for Windows 7 as of January 2020, which means that it will no longer be providing updates and fixes to the extremely popular and widely used operating system. What you may not have realized was that Microsoft actually ended mainstream support for 7 back in 2015, which was when it stopped developing new features for the OS, and stopped taking support calls from users about Windows 7. It’s a testament to the stability and relative security that it’s still in wide use essentially on the eve of its retirement, but like all good things, it has to come to an end.
Don’t panic. You have options, but inaction is not one of them.
The primary question I am asked when briefing clients about retiring Windows 7 in their organizations is whether they should upgrade their existing machines, or buy new ones. The simple answer to this, though definitely not the one they necessarily like to hear, is that buying new computers built for Windows 10 is, dollar for dollar, a better investment than upgrading older PCs. Of course there are exceptions, but keep in mind that most PCs that still have a factory-installed Windows 7 OS are likely 3-4 years old at this point, as computers started shipping with Windows 10 mid-2015.
If you’d like to evaluate whether or not your computer is worthy of upgrading versus replacing, consider these factors:
- If your computer is still covered by a warranty, it’s worth considering an upgrade over replacing it.
- Is your computer older than 4 years? Definitely consider replacing, as many of the hardware parts are actually approaching physical end of life and are more likely to fail, regardless of OS.
- Is your CPU an Intel processor 4th generation or higher? Older CPUs will not fare well with Windows 10.
- Do you have at least 4GB of RAM? No? Don’t bother. Four GB is the bare minimum, and 8GB is recommended.
- Running a lot of older applications that you can’t update or upgrade? Upgrading to Windows 10 will likely break those apps. If your business depends on apps that are unsupported on Windows 10, you and I need to have a different discussion.
Even though it’s technically possible to upgrade just about any computer running at least an Intel Core processor (i3, i5 and i7) and 4GB of RAM, there is still a certain amount of work involved in going through this process (which I will detail in next week’s blog). Even if upgrading to Windows 10 results in a functional computer, you are only delaying the inevitable replacement of the device. Still, this is an acceptable path if your short-term budget cannot cover an immediate replacement and you have a longer-term plan to replace the device. On later model PCs, installing Windows 10 can result in some performance gains as well as definite security improvements, but PCs 4 years and older rarely improve in performance, and the short-term gains are typically overwhelmed the longer that PC is used in any business-critical environment.
If you don’t have a Google account or use the Google calendar feature, you can stop reading and maybe read something from our back catalog. Still with us? Good, I’ll explain what’s happening, and then how you can plug this particular vulnerability. To put it simply, scammers are sending calendar invites to Google users that have malicious links embedded in the text of the invite. Not so bad, right? You know how to spot those. Except these aren’t emails – they are calendar invites that are being automatically added to your calendar courtesy of some default settings that Google has still not changed despite being warned about it nearly 2 years ago. The problem comes when these fake invites actually pop up as a notification on your phone or computer, and as we are all trained to do, we click to get more information, possibly on a disguised link in the text of the invite, and BAM, you are infected.
Here’s how you stop this
You have to do this via a web browser, and I would recommend using a computer instead of your phone, mostly so you can confirm you are changing the correct setting by matching what you see with the screenshots below.
Log into your Google Account. This link will take you to your calendar if you are already logged in, or to the login screen if you are not – https://calendar.google.com/
Look for the gear icon in the upper right corner of the calendar web page and click “Settings”:
Under the “General” menu, click “Event settings” and then look for the “Automatically add invitations” setting which probably says “Yes”:
Change that setting to “No, only show invitations to which I have responded”
Next you may want to consider disabling Google’s “Events from Gmail” function which automatically adds events to your calendar based upon emails you receive, such as flight confirmations, restaurant reservations, concert ticket receipts, etc. If you don’t regularly rely on this feature, you should turn it off until Google is able to further secure calendars from fake invitations.
If you want to disable this feature, look in the left column for “Events from Gmail”, click it, then uncheck the “Automatically add events from Gmail to my calendar”.
Finally, if you already have fake invites in your calendar, you can report them as spam, and Google will automatically remove any other invites on your calendar from that same sender. You also have to do this from a computer web browser. Do not do this from your calendar app on your mobile device.
To report a Google calendar event as spam, find the event in your calendar, open it and then click the three-dot icon “Options” and then select “Report as spam”:
Photo courtesy of Stuart Miles from FreeDigitalPhotos.net