Don’t Be Snagged by This Google Calendar Phishing Scam

Gmail and the applications associated with it seem to have some level of inherent trust among users. We just don’t anticipate threats coming in via something from Google. However, it does happen, as a recent spate of phishing using Gmail and Google Calendar has shown. What’s worse, this particular scam has been around for some time.

We’ll review how the scam works, and what can be done to protect your business from its effects. 

How This Scam Works

Let’s outline the scenario: a user logs into their Google account and finds an invite for a Google Calendar event. The invite is for a crucial company-wide meeting - apparently to discuss a new vision for the company, changes to policies moving forward, that kind of thing - that is scheduled to take place at the end of the day. A link is included for the complete agenda to the meeting. Clicking the link brings the user to an authentication page, where the user inputs their credentials.

Uh oh… the user was caught up in the scam.

This scam is unnervingly simple to enact. An invite for a calendar event is sent to a user; the event is automatically added to the calendar, and the user is notified. In that notification, a scammer includes fraudulent links to a facsimile Google login page - which is actually just a means for a hacker to steal the user’s credentials. Sometimes, the link instead allows malware to install itself on the user’s systems.

Some attackers have fooled personal users by claiming that they won a cash prize - informing them through the fraudulent calendar entry.
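
For teams that can export or intercept invites as iCalendar (.ics) data, the pattern described above can be checked mechanically. The following is an added example, not part of the original post: it flags invites whose organizer is outside your domain and whose links point to hosts that merely contain a Google hostname. The allowlist, the organization domain and the sample invite are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

TRUSTED_HOSTS = {"accounts.google.com", "calendar.google.com", "meet.google.com"}  # assumed allowlist
ORG_DOMAIN = "corp.example"  # assumed mail domain of your organisation
URL_RE = re.compile(r"https?://[^\s<>\"]+")

# Constructed sample invite; all names and hosts are made up for illustration.
SAMPLE_ICS = "\r\n".join([
    "BEGIN:VCALENDAR", "METHOD:REQUEST", "BEGIN:VEVENT",
    "SUMMARY:Company-wide meeting: new vision and policy changes",
    "ORGANIZER;CN=HR Team:mailto:hr@meeting-notices.example",
    "DESCRIPTION:Full agenda: https://accounts.google.com.agenda-login.exam",
    " ple/signin?continue=agenda\\nPlease review before end of day.",
    "END:VEVENT", "END:VCALENDAR",
])

def unfold(ics):
    # RFC 5545 folding: a line break followed by a space or tab continues the line.
    return re.sub(r"\r?\n[ \t]", "", ics)

def properties(ics):
    # Yield (NAME, value) per content line; parameters such as ;CN= are dropped.
    # Simplification: quoted parameter values containing ':' are not handled.
    for line in unfold(ics).splitlines():
        head, sep, value = line.partition(":")
        if sep:
            yield head.split(";", 1)[0].upper(), value

def unescape(text):
    # iCalendar TEXT escapes: \n or \N is a newline, \, \; \\ are literals.
    return re.sub(r"\\(.)", lambda m: "\n" if m.group(1) in "nN" else m.group(1), text)

def triage(ics, org_domain=ORG_DOMAIN, trusted=TRUSTED_HOSTS):
    findings = []
    for name, value in properties(ics):
        if name == "ORGANIZER":
            addr = value.split(":", 1)[-1].lower()
            if not addr.endswith("@" + org_domain):
                findings.append(("external-organizer", addr))
        elif name in ("DESCRIPTION", "LOCATION", "URL"):
            for url in URL_RE.findall(unescape(value)):
                host = (urlsplit(url).hostname or "").lower()
                if host in trusted:
                    continue
                # A trusted name embedded in a different host is a lookalike.
                kind = "lookalike-host" if any(t in host for t in trusted) else "untrusted-link"
                findings.append((kind, host))
    return findings

if __name__ == "__main__":
    print(triage(SAMPLE_ICS))
```

The link in the sample is deliberately split across a folded line, so a scanner that skips the unfolding step would see a truncated hostname and miss the lookalike.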

How This Was Discovered

This scam was actually first reported back in 2017 by researchers at an IT security firm, but no apparent steps to resolve it were taken by Google.

One of the researchers noticed that an unfamiliar event had appeared in their Calendar after another user at the firm shared an upcoming flight itinerary through Gmail: the event had been added to the researcher’s calendar automatically. Digging deeper into the implications of this accident, the firm realized that an email doesn’t need to be sent to add an event to someone’s calendar. Then came the thought: sure, we all know to look for phishing in our emails, but would we ever question a Calendar entry?

As the firm’s tests indicated: apparently not.

How to Help Stop This Scam

While Google is still working on a fix - after finally acknowledging the issue, that is - there are a few things that your users can do to help prevent this scheme from taking advantage of your business. They need to stop events from Gmail from being added to the Calendar automatically, and they need to stop event invitations from being added automatically as well.

These options can be found in Settings in the Google Calendar application. Under Event settings, find the Events from Gmail option and deselect “Automatically add events from Gmail to my calendar.” You also need to change the Automatically add invitations option to “No, only show invitations to which I have responded.”

Hopefully, enacting this will keep you from experiencing a phishing attack from an unexpected source - your agenda. Subscribe to our blog for more information about optimizing your IT (and its security), and for more assistance, give 415 IT a call at (415) 295-4898.
