Use Gmail? You must adjust one setting NOW to avoid scam targeting thousands of Google users

As the most popular email client on the planet, it's unsurprising that hackers are targeting Gmail users

By Aaron Brown


Published: 08/01/2025 - 14:16

Updated: 09/01/2025 - 09:16

Researchers have identified a new scam

Millions of Gmail users have been urged to dive into the settings and flip one critical switch to block a sophisticated new phishing scam.

Security researchers at Check Point have identified a crafty new attack method where cybercriminals send seemingly legitimate calendar invites (using the calendar file .ics) to your inbox in a bid to steal personal data. The trick works because of the trusted nature of Google Calendar notifications.


With more than 500 million people relying on Google Calendar every day, there's a long list of potential victims for hackers. If you instinctively click on a notification from Google Calendar at the top of your Gmail inbox, you're someone who could easily fall victim to the scam unearthed by Check Point.

Scammers are modifying the headers in spam emails to make them appear to be automated notifications sent via Google Calendar. This is designed to trick Gmail users into clicking on the fraudulent Google Calendar notifications, which send them to malicious Google Forms. Check Point experts have found examples that trick users into providing personal or financial details under the guise of securing cryptocurrency.

[Image: Security experts at Check Point have shared an example of a scam email designed to trick people into clicking the .ics calendar file. Credit: Check Point Research]

Sometimes there's another link, often disguised as a reCAPTCHA verification or support button, to trick victims. Some 300 brands have been impacted thus far, with cyber researchers observing over 4,000 of these phishing emails sent in a four-week period.

"Due to Google Calendar's popularity and efficiency in everyday tasks, it is no wonder it has become a target for cyber criminals," Check Point researchers explained in a blog post. "Many of the emails appear legitimate because they appear to directly originate from Google Calendar."

So, what can you do?

Aside from triple-checking unsolicited calendar invites that appear in your inbox, Google has highlighted a setting that will stop these scams in their tracks. According to the Californian firm, enabling a little-known feature called "Known Senders" in Google Calendar will prevent the scam.

Reacting to the disturbing findings from Check Point, a spokesperson for Google said: "We recommend users enable the 'Only If The Sender Is Known' setting in Google Calendar. This setting helps defend against this type of phishing by alerting the user when they receive an invitation from someone not in their contact list and/or they have not interacted with from their email address in the past."

[Image: Adjusting whether Google Calendar invites are automatically loaded up in your Gmail inbox is a matter of switching this one setting. Credit: Google Press Office]

To do that, open Google Calendar and then launch the Settings menu.

On the left-hand side of the window, under General, click Event Settings and then Add invitations to my calendar.

You'll then be able to choose the criteria for when Google will automatically add events to your calendar:

  • From everyone: All invitations are automatically added to your calendar.
  • Only if the sender is known: Events are automatically added to your calendar if the sender is in your contacts, part of your organization, or someone you previously interacted with.
    If an event isn’t added to your calendar, you get an invitation email.
    After you mark a sender as known or you interact with them, future invitations from that sender are automatically added to your calendar.
  • When I respond to the invitation in email: An event is added to your calendar only after you respond to the email notification.

To follow the security advice from Google to combat this scam, it's the second option that you'll need to choose.
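
For anyone triaging a reported invite rather than just changing the setting, the same two signals from this article (an organizer who is not a known sender, and a link leading to a Google Form) can be checked on a saved message. This is an added example, not code from Google or Check Point; `triage_invite`, `FORM_HOSTS`, the known-senders set and the sample message are all constructed for illustration.

```python
import re
from email import message_from_string

FORM_HOSTS = ("docs.google.com/forms", "forms.gle")  # Google Forms link shapes

# Constructed sample: headers dressed up as a Google Calendar notification.
SAMPLE = """\
From: Google Calendar <calendar-notification@google.com>
To: user@example.org
Subject: Invitation: Wallet security review
MIME-Version: 1.0
Content-Type: text/calendar; method=REQUEST; charset="utf-8"

BEGIN:VCALENDAR
VERSION:2.0
METHOD:REQUEST
BEGIN:VEVENT
UID:constructed-0001@example.invalid
ORGANIZER;CN=Support Team:mailto:billing@unknown-sender.example
SUMMARY:Wallet security review
DESCRIPTION:Complete verification at https://docs.google.com/forms/d/e/
 CONSTRUCTED-ID/viewform
END:VEVENT
END:VCALENDAR
"""

def calendar_parts(msg):
    """Yield the decoded text of every text/calendar part in the message."""
    for part in msg.walk():
        if part.get_content_type() == "text/calendar":
            raw = part.get_payload(decode=True) or b""
            yield raw.decode(part.get_content_charset() or "utf-8", "replace")

def triage_invite(raw_email, known_senders):
    """Return organizer, URLs and reasons an invite should not be auto-added."""
    known = {s.lower() for s in known_senders}
    findings = []
    for ics in calendar_parts(message_from_string(raw_email)):
        ics = re.sub(r"\r?\n[ \t]", "", ics)  # undo RFC 5545 line folding
        m = re.search(r"^ORGANIZER[^:\r\n]*:(?:mailto:)?(\S+)", ics, re.I | re.M)
        organizer = m.group(1).lower() if m else None
        urls = re.findall(r"https?://[^\s<>\"]+", ics)
        reasons = []
        if organizer not in known:  # judge the organizer, not the From header
            reasons.append("organizer-not-known")
        if any(h in u.lower() for u in urls for h in FORM_HOSTS):
            reasons.append("links-to-form")
        findings.append({"organizer": organizer, "urls": urls, "reasons": reasons})
    return findings
```

The check reads the organizer inside the .ics part because, as described above, the message headers themselves are made to look like a Google Calendar notification.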

The latest threat to Gmail users comes amid a broader surge in phishing attacks, with Netskope Threat Labs reporting that dangerous clicks nearly tripled across 2024 compared to the previous year.

Security experts advise users to remain vigilant and avoid clicking on any unsolicited calendar invites or links.

Jake Moore, global cybersecurity advisor at ESET, emphasises the importance of regular security checks. He said: "Looking at your device's safety checks are a great way to double down on protecting your personal data."

Users are advised to manually verify any calendar invitations they weren't expecting, even if they appear to come from known organisations. The safest approach is always to avoid clicking links in emails altogether and instead access services directly through official websites or apps.

Google continues to monitor and block unwanted and potentially dangerous messages, detecting "more than 99.9% of spam, phishing and malware in Gmail."