New Google Calendar notification attack could be hiding in your inbox — here's how to protect yourself


Check Point security researchers this week warned millions of Google users about a new attack method that combines Google Calendar, Drawings, Forms and Gmail to phish users and bypass email security policies.

As reported by Forbes, attacks using this method were carried out roughly 2,300 times over a two-week period. The threat actors behind them started by modifying sender headers to make emails appear as if they were sent through Google Calendar from a known and legitimate individual. Initially, the method exploited features within Google Calendar to link to malicious Google Forms; it then evolved to use Google Drawings after it became clear that security products were able to flag these malicious calendar invites.

The malicious Form or Drawing presents another link, often a fake reCAPTCHA or support button; either way, the end goal is always payment fraud. At least 300 brands so far have been impersonated by hackers in this manner in attempts to phish victims.

Stu Sjouwerman, CEO and founder of human risk management specialists KnowBe4, warned of an ongoing attack campaign targeting Google users by way of Calendar invites, saying: “Attackers only need your Gmail address to send you an invite and the event will be placed in your calendar by default.”

In a report written by Sjouwerman back in 2019, he details these kinds of attacks; fortunately mitigating them is simple enough.

How to stay safe

Simply head to the settings menu in Google Calendar and switch the option to automatically add invitations to “only show invitations to which I have responded.” Then, go to the events option in Gmail's settings and uncheck “automatically add events from Gmail to my calendar” – however, be forewarned this will also disable legitimate events.

Google advises those with a Google Workspace subscription to use email verification for appointment schedules to prevent unwanted meetings. This way you can ask guests to verify their email address before they schedule an appointment in Google Calendar. Google also recommends users enable the known senders setting within Google Calendar, which helps defend against this type of phishing attack by alerting the user when they receive an invitation from someone who is not in their contact list or someone they have not interacted with from their email address in the past.
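The known-senders idea above can also be applied during mail triage. The following is an added example, not code from Check Point, Google or this article; it flags a calendar invite whose sender or organizer is outside a contact list and whose body links to Google Forms or Drawings. The contact list, the sample message and the URL patterns are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed URL shapes for Google Forms and Google Drawings links.
LURE_URL = re.compile(
    r"https://(?:docs\.google\.com/(?:forms|drawings)/|forms\.gle/)[^\s\"'<>\\]+",
    re.I)
ORGANIZER = re.compile(r"^ORGANIZER[^:\r\n]*:mailto:(\S+)", re.I | re.M)

# Constructed sample message (not taken from the campaign).
SAMPLE = """\
From: "Known Colleague" <colleague@example.com>
Subject: Invitation: Account review
Content-Type: text/calendar; charset="utf-8"; method=REQUEST

BEGIN:VCALENDAR
BEGIN:VEVENT
ORGANIZER;CN=Known Colleague:mailto:billing@example.net
DESCRIPTION:Confirm at https://docs.google.com/drawings/d/EXAMPLE/
 preview
END:VEVENT
END:VCALENDAR
"""

def triage_invite(raw_message, known_senders):
    """Flag calendar invites from unknown parties that link to Forms/Drawings."""
    msg = message_from_string(raw_message)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    findings = {"is_invite": False, "unknown_sender": sender not in known_senders,
                "unknown_organizer": False, "lure_links": []}
    for part in msg.walk():
        if part.get_content_type() != "text/calendar":
            continue
        findings["is_invite"] = True
        ics = part.get_payload(decode=True).decode("utf-8", "replace")
        ics = re.sub(r"\r?\n[ \t]", "", ics)  # unfold RFC 5545 continuation lines
        m = ORGANIZER.search(ics)
        if m and m.group(1).lower() not in known_senders:
            findings["unknown_organizer"] = True
        findings["lure_links"] += sorted(set(LURE_URL.findall(ics)))
    findings["suspicious"] = findings["is_invite"] and bool(findings["lure_links"]) and (
        findings["unknown_sender"] or findings["unknown_organizer"])
    return findings

if __name__ == "__main__":
    print(triage_invite(SAMPLE, {"colleague@example.com"}))
```

In the sample, the From address matches a known contact but the invite's organizer does not, so the message is still flagged.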

Additionally, when protecting yourself from common phishing attacks, best practices still apply: the easiest way to stay safe from phishing is to avoid clicking on any email or message from an unknown sender. Also, make sure you know the policies for your company and double-check the sender’s email address: is this a regular known source or person?

You also want to make sure you’re using one of the best antivirus software options and that it’s kept up to date. Likewise, when picking an antivirus, see if you can get a security suite that includes access to one of the best VPNs with browser-level privacy protection. Check that your mobile devices are protected against malware and threats too. We have recommendations for the best Android antivirus apps, but because of Apple’s restrictions there’s no equivalent for the best iPhones.

Abusing Google's services to deliver malware and to launch attacks on unsuspecting users is nothing new. However, if you aren't aware of these tactics, you or someone else you know could easily fall for them. This is why it's important to stay up to date on all of the latest attack methods used by hackers even if you consider yourself security savvy and practice good cyber hygiene.

Amber Bouman
Senior Editor Security

Amber Bouman is the senior security editor at Tom's Guide where she writes about antivirus software, home security, identity theft and more. She has long had an interest in personal security, both online and off, and also has an appreciation for martial arts and edged weapons. With over two decades of experience working in tech journalism, Amber has written for a number of publications including PC World, Maximum PC, Tech Hive, and Engadget covering everything from smartphones to smart breast pumps. 
