Did you know you can customize Google to filter out garbage? Take these steps for better search results, including adding my work at Lifehacker as a preferred source.
Apple Calendar spam isn’t new: iCloud users began reporting an influx of junk invites nearly a decade ago, and scammers have returned to this tactic over the years to proliferate malicious links to phishing sites. The folks over at 9to5Mac recently reported receiving a recent rash of spam invites containing malicious links that lead to cryptocurrency scams.
Bad actors are also abusing Calendar invites to send phishing emails that look like PayPal purchase notifications—and because the messages come from Apple’s mail server, they can slip past security measures and find their way into your inbox.
Scammers are using Calendar to send callback phishing emails
This latest scam, detailed by BleepingComputer, is a form of callback phishing, which aims to get targets on the phone in order to collect sensitive information or connect to users’ devices.
The scheme begins with a calendar invite to an event titled “Purchase Invoice.” The notes for the event state that the recipient’s PayPal account has been billed for a large sum of money and directs the user to call a support number to discuss, make changes to, or cancel the payment. The hope is that you will be scared into believing your PayPal account has been compromised. If you call, the scammer on the other end will likely try to extract sensitive information or direct you to download and install malware to your device under the guise of issuing a refund.
On closer inspection, you’ll find that the message originated from [email protected], a legitimate Apple mail server, which allowed it to get through security checks and spam filters. As BleepingComputer describes, anyone can create an iCloud Calendar event and add others to initiate email invitations from Apple’s servers.
In this case, scammers also appear to be using a Microsoft 365 email address that is actually a mailing list, which forwards messages to recipients added to the group—the targets for this scam. Threat actors used a similar tactic earlier this year to send emails that appeared to be from [email protected].
How to combat fake calendar invites
Unfortunately, there’s not much you can do to prevent fraudulent iCloud Calendar invites from ever reaching your inbox, and declining them may actually make the problem worse. You can transfer spam events to a separate calendar and delete calendars entirely, but when it comes to the notification emails and any directions listed within, the best thing to do is not engage.
Always proceed with an abundance of caution with calendar invites you weren’t expecting, and watch out for scam hallmarks like a sense of urgency related to payment or account security issues. Never call phone numbers listed in these messages—if you’re concerned about your account, log in via the legitimate website or app to check activity and reach out to the company using contact information found there.
