Share
CALENDAR PHISHING

The Google Calendar invite that's actually phishing

A meeting appears on your calendar tomorrow at 10am. The title says "Q4 benefits review - mandatory." You did not accept the invite, but it is already there with a Google Meet link, a description, and a clickable URL inside the description.

SafeBrowz Threat Research Security ResearchMay 25, 20269 min read
🛡 LIVE CHECK

Paste a suspicious link here to check it

Got a link from a text, email, or ad you are not sure about? Paste it below. Our 3-layer engine (Local + APIs + AI) returns a verdict in about 3 seconds. Free, no signup.

Full scan with deep AI analysis → · No URL is logged to your identity.

Quick Take

Verdict: Scam. A real billing charge is never delivered as a Google Calendar invite. Treat any calendar event that shows a subscription renewal, an invoice, a "payment failed" notice, or a phone number to call to dispute a charge as phishing. Real companies bill you by email, in-app message, or account notification, not by dropping a meeting onto your calendar.

The fix takes two minutes. Turn off auto-add in Google Calendar (Settings, then Event settings, then set "Add invitations to my calendar" to "Only if the sender is known" or "When I respond to the invitation in email"), then delete and report the event. Never call the number in the event. Google named this "Calendar Phishing" in its June 8, 2026 Fraud and Scams Advisory.

Why calendar invites bypass every spam filter

When someone sends you a Google Calendar invitation, Google's servers add the event to your calendar automatically by default. The invitation email that lands in your inbox really is sent from Google. It passes SPF, DKIM, and DMARC because the cryptographic signature on the message is Google's own. Every email scanner on the path - your provider's filter, your corporate gateway, your antivirus add-on - sees a legitimate Google notification and waves it through. The phishing payload is not in the email at all. It lives inside the calendar event description, where no email scanner looks, because the description is not part of the email body - it is data attached to a calendar entry on Google's side. By the time the event sits on your calendar, the link is already past every defense your inbox has. The same architecture applies to Outlook and Microsoft 365.

The 5 calendar phishing variants

Different scripts, same delivery channel. These are the five versions hitting Gmail and Outlook users in 2026.

1. Fake "HR" benefits meeting

An event lands titled "2026 benefits enrollment - action required" with a description that says to log in to the portal. The link points to a clone of a Workday, ADP, or generic HR-portal login. The victim enters corporate credentials, the attacker captures them, foothold gained. Especially effective during real open-enrollment week.

2. Crypto airdrop "claim event"

The title reads "Coinbase airdrop claim window - May 27" or "Optimism OP airdrop - claim before deadline." The description links to a fake claim page that asks the victim to connect a wallet and sign a transaction. The transaction is a token approval or Permit2 signature that hands wallet control to the attacker. Chainalysis flagged this exact pattern in its 2024 crypto crime report.

3. Fake security alert event

"Urgent: verify your Google account - suspicious activity detected," with the Google logo pasted into the description. The link goes to a fake Google sign-in page. Microsoft 365 users see the same pattern with "Microsoft security alert" titles. A calendar event is an unusual place to receive a security alert, so users do not bring the same suspicion they would to a security email.

4. Fake invoice event with payment link

"Invoice #88421 - payment due May 28" with a description pointing at a "secure portal." The link harvests payment-card details or pulls a fraudulent ACH authorization. Finance and accounts-payable staff are the high-value targets, especially in small businesses where one person handles all vendor payments.

5. Two-stage event spam

The first invite is harmless - vague title, empty description, no link. Filters ignore it. On the day of the event, the sender edits it and pastes the phishing link into the description. The 9:55am notification for a 10am event now contains a link the spam filter never saw, because the link was added after delivery. This defeats any filter that only scans invites on arrival.

The fake-renewal invoice event spiking right now

One variant has pulled ahead of the rest in 2026: the fake subscription-renewal receipt. Instead of an email, the scammer sends a Google Calendar event that auto-adds to your calendar because Calendar's default accepts invites from anyone. The event is styled as a billing notice - "Your subscription renews for $499.99," "Payment of $329 successful," or "Auto-renewal processed." It carries an invented membership ID and transaction code to look like a real receipt, and a phone number in the event description to call and "dispute" or "cancel" the charge.

Two things make it work. First, because it arrives as a calendar event and not an email, it never touches your spam filter - the same reason the rest of this page exists. Second, the large dollar figure is designed to make you panic and call before you think. There is no malicious link to click; the trap is the phone number. This is a callback phishing scam (also called TOAD, telephone-oriented attack delivery). Once you call, the person on the line is the scammer. They will ask for your card or bank details to "process the refund," push you to install remote-access software so they can "fix" the charge, or walk you into wiring money. Some versions instead send you to a phishing page that harvests your login or payment data.

Google named this "Calendar Phishing" as an emerging tactic in its June 8, 2026 Fraud and Scams Advisory, describing fake renewal notices added directly to Calendar invites. Security firm Malwarebytes documented an active campaign in March 2026 in which scammers impersonated Malwarebytes itself with fake renewal notices placed in victims' calendars. Techlicious reported on June 10, 2026 that victims received fake multi-year renewal receipts loaded with invented membership IDs and transaction codes, each with a phone number in the event description to call and dispute the charge.

The tell is simple: no legitimate company sends a bill, a renewal receipt, or a refund offer as a calendar appointment created by a private email address. A renewal you actually have shows up in your account billing history and your email from the company's own domain - not as a meeting on your schedule. If a calendar event asks you to call a number about money, it is a scam. Do not call. Delete it, report it, and turn off auto-add so the next one never lands.

Why Google's default settings make this easy

Google Calendar's default for "Add invitations to my calendar" is "From everyone" or "Automatically add all invitations." That means any person on the internet who knows your email address can drop an event onto your calendar without you opening, accepting, or even reading the invitation. Google tightened this default in 2023 after pressure from researchers, and new accounts created since then default to "Only show invitations to which I have responded" in some regions. But the setting is per-account and is still permissive for older accounts and for many Workspace deployments where admins have not pushed a stricter default. Outlook and Microsoft 365 behave similarly - the default "Automatically process meeting requests" setting accepts meeting invitations into the calendar without explicit user action. The result on both platforms is the same: a stranger writes your address into a meeting field, presses send, and the event materializes on your calendar.

Real verifiable cases

Calendar phishing is not theoretical and not new. The pattern has been documented repeatedly.

  • Kaspersky 2019 Google Calendar wave. In June 2019, Kaspersky researcher Maria Vergelis published a writeup of a campaign that abused Google Calendar to push phishing events to Gmail accounts. The campaign targeted roughly 50,000 users with fake prize-money and survey-payout events that linked to credential-harvesting pages. The Kaspersky Securelist post is the foundational public reference for the technique.
  • Microsoft 365 calendar spam wave 2022. Microsoft's Tech Community posted an advisory in 2022 covering a sustained wave of unwanted calendar invites hitting Microsoft 365 tenants, with guidance to admins to disable the auto-accept behavior at the tenant level. Bleeping Computer covered the same wave in consumer-facing reporting.
  • Chainalysis 2024 crypto crime report. The annual Chainalysis crypto crime report flagged calendar-driven airdrop phishing as a growing vector. Wallet drainers operate phishing kits that include a calendar-invite delivery option alongside email and Twitter DMs, because the calendar path bypasses inbox filters that catch the same payload in email.
  • Google Workspace documentation update. Google's own Workspace security pages now include explicit guidance on tightening invitation settings, an acknowledgment that the default behavior is a regular attack channel.

The 3-step lockdown

Three settings changes block the bulk of calendar phishing at the source. Five minutes of clicking.

  1. Google Calendar. Open Calendar, click the gear icon, choose Settings, then on the left choose Event settings (under General). Find the row "Add invitations to my calendar" and change it from "From everyone" to either "Only if the sender is known" or "When I respond to the invitation in email." The "When I respond" option is the strictest - nothing lands on the calendar until you actively accept the email invitation in Gmail. "Only if the sender is known" is the friendlier setting and still blocks most spam because it only auto-adds events from people in your contacts or domain.
  2. Outlook desktop. Open Outlook, go to File, then Options, then Calendar. Find the section "Automatic accept or decline" and click "Auto Accept/Decline." Uncheck "Automatically accept meeting requests and remove canceled meetings." On Microsoft 365 admin side, an administrator can push the equivalent setting tenant-wide using the Set-CalendarProcessing PowerShell cmdlet with AutomateProcessing set to None for user mailboxes.
  3. Block the sender at the email layer. When a phishing event lands, open the email notification in Gmail and use "Block sender" from the three-dot menu on the message. In Outlook, right-click the message and choose "Junk - Block Sender." Blocking the email address at the inbox level also stops future calendar invites from the same address, because both flow through the same delivery system.

If you clicked a calendar event link

Same recovery as any phishing click. Speed matters in the first hour.

  1. Within 30 minutes. If you entered card details, call your card issuer for a fraud lock and a replacement card. If you entered a password, change it from a different device and turn on two-factor authentication on that account.
  2. Within 2 hours. If you connected a wallet or signed a transaction, go to revoke.cash and revoke every active token approval. If you signed a Permit2 message, move remaining funds to a fresh wallet from a clean device.
  3. Within 24 hours. File a report at reportfraud.ftc.gov and ic3.gov (US), Action Fraud (UK), or Scamwatch (Australia). Report the phishing event to Google or Microsoft from the email notification.
  4. Within 1 week. If identity data was exposed (SSN, national ID, date of birth), place a free credit alert. Check account login history and sign out unfamiliar sessions.

How to identify a phishing event quickly

Five signals show up in almost every calendar phishing event. Two or more, treat as malicious.

  • Sender you do not recognize. Real meetings come from a known colleague, vendor, or recruiter. An event from a name you cannot place with no prior email thread is suspicious by default.
  • Vague title with no context. "Q4 review," "follow-up," "urgent meeting" without project or client names. Real meetings have specifics.
  • You are the only attendee. Open the event and check the attendee list. Phishing events typically show only your address because the attacker is blasting one event per target.
  • Round, generic time slot. Real meetings often land on odd times (10:15, 2:30, 9:45) because they were booked around other meetings. Perfectly round slots with no neighbors are a weak signal that stacks with the others.
  • Description link goes to an unexpected domain. Hover without clicking. Generic shorteners (bit.ly, tinyurl, t.co) or domains you have never heard of are red flags. Real Google security links go to accounts.google.com, not lookalikes.

Where browser security fits in

The settings lockdown stops most phishing events from landing on your calendar in the first place. For the events that do land, and for the moment a user clicks the link in the description, browser-layer protection catches the destination URL. SafeBrowz is a free Chrome, Firefox, and Edge extension that scans destination URLs before the page loads and blocks credential-harvesting clones, wallet-drainer claim pages, and fake Google or Microsoft sign-in pages. It does not block the calendar event itself - the lockdown settings do that - but it does block the landing page if a user clicks anyway. The combination of strict calendar settings plus a browser-layer scanner closes both halves of the attack chain.

Frequently asked questions

Is the Google Calendar invoice or subscription-renewal event a real bill?

No. A real charge is never delivered as a Google Calendar invite. Real companies bill you by email from their own domain, in an in-app message, or in your account billing history - not as a meeting on your calendar. Any calendar event showing a renewal amount, an invoice, or a phone number to call to dispute a charge is phishing. Do not call the number, delete the event, and turn off auto-add invitations in Calendar settings.

A calendar event says my subscription renewed for hundreds of dollars and to call a number. What do I do?

Do not call the number. This is a callback phishing scam, also called TOAD. The large amount is meant to panic you into calling before you check. On the call, the scammer asks for card or bank details, pushes you to install remote-access software, or talks you into wiring money. Verify any real charge only in your account's billing history on the company's official site. Then delete and report the event.

How did a meeting end up on my calendar if I never accepted it?

Google Calendar's default "Add invitations to my calendar" is "From everyone" on many accounts. Anyone who knows your email can write an invite and it appears automatically. Outlook behaves the same. Change the setting to "When I respond to the invitation in email" for strict behavior.

The invite email is from Google. Is that proof the meeting is real?

No. The notification really is sent from Google's servers, which is why it passes SPF, DKIM, and DMARC. But the event content (title, description, link) is supplied by whoever created the invite. Google delivers; it does not verify. A phishing event from a stranger is delivered the same way as a real meeting from your manager.

Will declining the event tell the attacker my address is valid?

Yes. Any response, accept or decline, confirms to the organizer that your address is monitored. Do not click respond. Delete the event with notify-organizer turned off, or change the calendar setting so events never land in the first place, and report the email as phishing.

Can I block calendar invites from a specific sender?

Yes. In Gmail, open the calendar notification, click the three-dot menu, choose Block sender. In Outlook, right-click the message and choose Junk then Block Sender. Both clients deliver calendar events through the email pipeline, so blocking the address blocks the invites.

I clicked a link but did not enter anything. Am I safe?

Probably, but the click revealed your IP and confirmed your email is active. If the page tried to drop a download, scan your device. If you did not sign any wallet transaction, no funds moved. If you signed anything, revoke approvals and move funds.

Does this same trick work on Zoom, Teams, or Apple Calendar?

The core trick - delivery through a legitimate calendar service whose notifications pass email authentication - works against any calendar that auto-accepts invites. Apple Calendar on iCloud has a stricter default and uses a separate Inbox for invitations. Teams calendar inherits Outlook settings. Tighten auto-accept on every calendar tool you use.

Related reading

Bottom line: Calendar phishing wins because the invite email really is from Google or Microsoft, the phishing link lives in the event description where no email scanner reads, and the default calendar settings let any stranger drop a meeting onto your calendar. Five minutes of settings work blocks the bulk of it. Set "Add invitations to my calendar" to "When I respond to the invitation in email" in Google Calendar, uncheck "Automatically accept meeting requests" in Outlook, and block phishing senders at the email layer when one slips through. For the link in the event description that you might click anyway, run a browser-layer scanner like SafeBrowz as a second line.

How SafeBrowz blocks this threat

SafeBrowz runs a 3-layer detection architecture: Local + APIs + AI.

  • Layer 1 - Local detection: 60+ URL patterns + 550+ brand-specific signatures (including Cyrillic and Punycode homograph variants) + community whitelist/blacklist, all running directly in the extension before the page renders. Catches the Malicious-link injection patterns in event descriptions, Google-Meet impersonation domain patterns pattern family instantly.
  • Layer 2 - API checks: aggregates Google Safe Browsing, PhishTank, URLhaus, ScamAdviser, and 30+ scam TLDs for known malicious domains.
  • Layer 3 - AI deep scan (Premium): 100+ language content analysis catches novel variants in seconds.

Detection signatures come from threat-intelligence research and brand database analysis, not from user browsing data. Per-user URL history is never stored.

Install SafeBrowz free

Add the browser extension, or the SafeBrowz Android app, that runs every check in this article automatically, on every page, before it renders. Free forever.

Chrome Add to Chrome Firefox Add to Firefox Edge Add to Edge Google Play Get it on Google Play

Related reading