Phishing emails that spoof Google Calendar have affected about 300 organizations, with over 4,000 emails sent in four weeks, according to Check Point researchers. The scammers send fake invites that appear to be legitimate messages from someone the victim knows, but are actually designed to trick users into clicking on a malicious link.
The links lead to pages disguised as cryptocurrency mining or Bitcoin support, where users are asked to complete a fake authentication process and provide personal information and payment details. To avoid falling victim, Check Point recommends enabling the ‘known senders’ setting in Google Calendar, which alerts users when they receive an invitation from someone not in their contact list.
Additionally, experts suggest taking extra precautions with event invites that are “unexpected” or that ask for “unusual steps,” such as completing a CAPTCHA puzzle. Users should also hover over links and type the URL into Google to verify its authenticity before clicking. Enabling two-factor authentication for Google accounts is also essential to protect against phishing attacks.
According to the FBI, there were 298,878 complaints of phishing and spoofing last year, with total losses of $18,728,550. This type of social engineering attack can be simple for criminals to pull off but yields a significant return on investment.
Source: https://www.theregister.com/2024/12/18/google_calendar_spoofed_in_phishing_campaign