Invites from iCloud Calendar are being sent out with notifications that look like they’re coming directly from Apple email servers. However, they’re actually part of a new phishing campaign designed to trick you into giving hackers access to your Mac and all of the sensitive personal and financial data store on your computer.
As reported by Bleeping Computer, who received one of these suspicious emails from a reader, the sender is listed as noreply@email[.]apple[.]com which means these messages can bypass standard security checks as they appear to come directly from Apple’s mail servers.
As a result, they’re more likely to land in target’s inboxes, and more likely to be opened. The phishing email is actually an iCloud invite, where the threat actor has used the notes field to fill in phishing text and invited Microsoft 365 email addresses. When an iCloud Calendar event is created that has external email addresses invited to it, an email invitation is sent out from Apple’s servers from the calendar owner’s name with the email address of noreply@email.apple.com.
It would seem that this invite is being sent out to a mailing list that is automatically forwarding out the email it receives to all the other group members; and the mailing list members are all targets of the phishing scam. One email claimed to be a payment receipt for roughly $600 charged against the victims PayPal account, and included a phone number to call if the target wanted to discuss the payment or make changes. The target could call to contact “the support team” however, the scammer on the other line would actually try to get the victim to give out personal information, connect to their computer or download and run malicious software.
How to stay safe from phishing
If you receive an unexpected calendar invite, as with any unexpected email or invite, it should be treated with caution and suspicion. Javvad Malik, a lead security advocate at KnowBe4, says "People don't scrutinize calendar links the way they do email links, so a meeting invite with a callback number lowers defenses and funnels victims into vishing or remote-access scams."
"Don't just hunt for misspellings and spoofed domains, look at the intent. Ask if this communication was expected, is it trying to spike emotion, and is there an artificial time limit pushing you to act now? If the answer is yes to any, stop and self-verify via a known channel. And treat calendar invites with the same skepticism as email."
As with any phishing campaign, If you receive a suspicious email, do not click on anything within it. Instead, simply go directly to the URL or web address in your browser to see if there are messages for your account there. Additionally, make sure that you enable two-factor authentication (2FA) to add an extra layer of security for your online accounts to prevent scammers from accessing them if they do manage to steal your credentials.
Finally, you want to protect your devices from the latest cyber threats by making sure you have one of the best antivirus programs (or in this case, the best Mac antivirus software) installed and up-to-date on your computer. You also want to make sure that you're familiar with all of its features that can help you stay safe online like a VPN or a hardened browser.
Follow Tom's Guide on Google News to get our up-to-date news, how-tos, and reviews in your feeds. Make sure to click the Follow button.
More from Tom's Guide
- Roblox announces age verification features for in-game communications —what you need to know
- TP-Link router flaws lets botnets attack Microsoft 365 accounts — check yours now
- Google just fixed 84 Android security flaws including two actively exploited zero-days — update your phone right now
You must confirm your public display name before commenting
Please logout and then login again, you will then be prompted to enter your display name.
