Back in June, we told you about a scam involving the Gmail and Google Calendar apps. Criminals, taking advantage of a default feature that allows them to add invitations to a Calendar user's schedule via Gmail, were creating fake events like wire transfers. The description of the event would note that an important piece of information, such as the bank account owner's PIN number, was missing. A notification from the Calendar app would show up on the phone, and when tapped, would link to an official-looking form where the PIN number could be filled in and sent back to the scammer. And because the notification came from the trusted Google Calendar app, the victim would have no reason to question its authenticity.
In another variation, a fake Calendar entry might say that the phone owner just won a contest and needs to provide his/her social security number for tax purposes. Again, a notification would appear on the phone and the target would tap on a link to reveal an official-looking document. The victim enters his social security number and his bank and brokerage accounts are subsequently drained.
Google has finally taken notice of the scheme and recently put up a post on the Calendar Help page (via Forbes). The message reads, "We're aware of the spam occurring in Calendar and are working diligently to resolve this issue. We'll post updates to this thread as they become available. Learn how to report and remove spam. Thank you for your patience." It is more than a little self-serving that Google refers to this as "spam" when the truth is that a real security threat has been identified. On the other hand, Google has included a useful link in its post that tells users what to do in case a suspicious event appears on their phone.
Google warns users not to respond to event invites from their phone, Instead, from a desktop or laptop computer, you should open the desktop Google Calendar app at calendar.google.com. After double clicking on the suspicious event, on the top of the screen tap on More Actions and then Report as Spam.
The scam or security issue was first discovered by researchers back in 2017
There is also a way to change the settings on Google Calendar to prevent this from happening to you. Go into the Google Calendar settings and under "Event," change the setting from "Automatically add invitations" to "No, only show invitations to which I have responded." At the same time, you should prevent Gmail entries from automatically adding events on the Calendar app by unchecking the box marked "Add automatically" under the "Events from Gmail" heading. These are changes that we told you to make back in June and now that Google is getting involved, you might want to take the time to protect yourself from this scam.
The fact that Google is now looking into this indicates how dangerous the issue is. Outside of stealing money from unsuspecting consumers (who are trusting the Google name, we should point out), security codes and other secret information could be obtained by terrorists with a goal far more deadly than stealing some cash. First spotted by two researchers at Black Hills Information Security in 2017, the scam/security threat was not addressed by Google until a few days ago.
The criminals trying to pull off this scheme are counting on the victims not paying attention to the notifications they are receiving. Blinded by prospects of receiving a bank wire or winning a contest, there are many phone owners who wouldn't think twice about providing the requested information. Multiply this by the huge number of Gmail and Calendar uses and you can see why it is an enticing scheme for those who aim to separate people from their hard-earned money. Let's just be glad that Google finally woke up before a plot more deadly was devised using two seemingly innocuous apps like Gmail and Calendar.