Why calendar invites bypass every spam filter

When someone sends you a Google Calendar invitation, Google's servers add the event to your calendar automatically by default. The invitation email that lands in your inbox really is sent from Google. It passes SPF, DKIM, and DMARC because the cryptographic signature on the message is Google's own. Every email scanner on the path - your provider's filter, your corporate gateway, your antivirus add-on - sees a legitimate Google notification and waves it through. The phishing payload is not in the email at all. It lives inside the calendar event description, where no email scanner looks, because the description is not part of the email body - it is data attached to a calendar entry on Google's side. By the time the event sits on your calendar, the link is already past every defense your inbox has. The same architecture applies to Outlook and Microsoft 365.

The 5 calendar phishing variants

Different scripts, same delivery channel. These are the five versions hitting Gmail and Outlook users in 2026.

1. Fake "HR" benefits meeting

An event lands titled "2026 benefits enrollment - action required" with a description that says to log in to the portal. The link points to a clone of a Workday, ADP, or generic HR-portal login. The victim enters corporate credentials, the attacker captures them, foothold gained. Especially effective during real open-enrollment week.

2. Crypto airdrop "claim event"

The title reads "Coinbase airdrop claim window - May 27" or "Optimism OP airdrop - claim before deadline." The description links to a fake claim page that asks the victim to connect a wallet and sign a transaction. The transaction is a token approval or Permit2 signature that hands wallet control to the attacker. Chainalysis flagged this exact pattern in its 2024 crypto crime report.

3. Fake security alert event

"Urgent: verify your Google account - suspicious activity detected," with the Google logo pasted into the description. The link goes to a fake Google sign-in page. Microsoft 365 users see the same pattern with "Microsoft security alert" titles. A calendar event is an unusual place to receive a security alert, so users do not bring the same suspicion they would to a security email.

4. Fake invoice event with payment link

"Invoice #88421 - payment due May 28" with a description pointing at a "secure portal." The link harvests payment-card details or pulls a fraudulent ACH authorization. Finance and accounts-payable staff are the high-value targets, especially in small businesses where one person handles all vendor payments.

5. Two-stage event spam

The first invite is harmless - vague title, empty description, no link. Filters ignore it. On the day of the event, the sender edits it and pastes the phishing link into the description. The 9:55am notification for a 10am event now contains a link the spam filter never saw, because the link was added after delivery. This defeats any filter that only scans invites on arrival.

Why Google's default settings make this easy

Google Calendar's default for "Add invitations to my calendar" is "From everyone" or "Automatically add all invitations." That means any person on the internet who knows your email address can drop an event onto your calendar without you opening, accepting, or even reading the invitation. Google tightened this default in 2023 after pressure from researchers, and new accounts created since then default to "Only show invitations to which I have responded" in some regions. But the setting is per-account and is still permissive for older accounts and for many Workspace deployments where admins have not pushed a stricter default. Outlook and Microsoft 365 behave similarly - the default "Automatically process meeting requests" setting accepts meeting invitations into the calendar without explicit user action. The result on both platforms is the same: a stranger writes your address into a meeting field, presses send, and the event materializes on your calendar.

Real verifiable cases

Calendar phishing is not theoretical and not new. The pattern has been documented repeatedly.

  • Kaspersky 2019 Google Calendar wave. In June 2019, Kaspersky researcher Maria Vergelis published a writeup of a campaign that abused Google Calendar to push phishing events to Gmail accounts. The campaign targeted roughly 50,000 users with fake prize-money and survey-payout events that linked to credential-harvesting pages. The Kaspersky Securelist post is the foundational public reference for the technique.
  • Microsoft 365 calendar spam wave 2022. Microsoft's Tech Community posted an advisory in 2022 covering a sustained wave of unwanted calendar invites hitting Microsoft 365 tenants, with guidance to admins to disable the auto-accept behavior at the tenant level. Bleeping Computer covered the same wave in consumer-facing reporting.
  • Chainalysis 2024 crypto crime report. The annual Chainalysis crypto crime report flagged calendar-driven airdrop phishing as a growing vector. Wallet drainers operate phishing kits that include a calendar-invite delivery option alongside email and Twitter DMs, because the calendar path bypasses inbox filters that catch the same payload in email.
  • Google Workspace documentation update. Google's own Workspace security pages now include explicit guidance on tightening invitation settings, an acknowledgment that the default behavior is a regular attack channel.

The 3-step lockdown

Three settings changes block the bulk of calendar phishing at the source. Five minutes of clicking.

  1. Google Calendar. Open Calendar, click the gear icon, choose Settings, then on the left choose Event settings (under General). Find the row "Add invitations to my calendar" and change it from "From everyone" to either "Only if the sender is known" or "When I respond to the invitation in email." The "When I respond" option is the strictest - nothing lands on the calendar until you actively accept the email invitation in Gmail. "Only if the sender is known" is the friendlier setting and still blocks most spam because it only auto-adds events from people in your contacts or domain.
  2. Outlook desktop. Open Outlook, go to File, then Options, then Calendar. Find the section "Automatic accept or decline" and click "Auto Accept/Decline." Uncheck "Automatically accept meeting requests and remove canceled meetings." On the Microsoft 365 admin side, an administrator can push the equivalent setting tenant-wide using the Set-CalendarProcessing PowerShell cmdlet with AutomateProcessing set to None for user mailboxes.
  3. Block the sender at the email layer. When a phishing event lands, open the email notification in Gmail and use "Block sender" from the three-dot menu on the message. In Outlook, right-click the message and choose "Junk - Block Sender." Blocking the email address at the inbox level also stops future calendar invites from the same address, because both flow through the same delivery system.

If you clicked a calendar event link

Same recovery as any phishing click. Speed matters in the first hour.

  1. Within 30 minutes. If you entered card details, call your card issuer for a fraud lock and a replacement card. If you entered a password, change it from a different device and turn on two-factor authentication on that account.
  2. Within 2 hours. If you connected a wallet or signed a transaction, go to revoke.cash and revoke every active token approval. If you signed a Permit2 message, move remaining funds to a fresh wallet from a clean device.
  3. Within 24 hours. File a report at reportfraud.ftc.gov and ic3.gov (US), Action Fraud (UK), or Scamwatch (Australia). Report the phishing event to Google or Microsoft from the email notification.
  4. Within 1 week. If identity data was exposed (SSN, national ID, date of birth), place a free credit alert. Check account login history and sign out unfamiliar sessions.

How to identify a phishing event quickly

Five signals show up in almost every calendar phishing event. If two or more are present, treat the event as malicious.

  • Sender you do not recognize. Real meetings come from a known colleague, vendor, or recruiter. An event from a name you cannot place with no prior email thread is suspicious by default.
  • Vague title with no context. "Q4 review," "follow-up," "urgent meeting" without project or client names. Real meetings have specifics.
  • You are the only attendee. Open the event and check the attendee list. Phishing events typically show only your address because the attacker is blasting one event per target.
  • Round, generic time slot. Real meetings often land on odd times (10:15, 2:30, 9:45) because they were booked around other meetings. Perfectly round slots with no neighbors are a weak signal that stacks with the others.
  • Description link goes to an unexpected domain. Hover without clicking. Generic shorteners (bit.ly, tinyurl, t.co) or domains you have never heard of are red flags. Real Google security links go to accounts.google.com, not lookalikes.
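The five signals above, together with the delayed-link edit from variant 5, as a scoring routine: an added example written for this page, not code from the article. It parses a constructed, unfolded iCalendar VEVENT (real invites arrive as .ics attachments with folded lines and escaped characters, which this minimal parser does not handle), and the known-sender and expected-host lists are assumptions supplied by the caller.

```python
import re
from datetime import datetime
from urllib.parse import urlparse
# Constructed two-stage invite (iCalendar VEVENT, unfolded lines); not a real capture.
STAGE1 = """BEGIN:VEVENT
SEQUENCE:0
ORGANIZER:mailto:unknown@example.invalid
ATTENDEE:mailto:victim@example.com
SUMMARY:Urgent meeting
DESCRIPTION:
DTSTART:20260527T100000Z
END:VEVENT"""
# The organizer's later edit: SEQUENCE bumped, phishing link pasted into the description.
STAGE2 = STAGE1.replace("SEQUENCE:0", "SEQUENCE:1").replace(
    "DESCRIPTION:", "DESCRIPTION:Verify your account: https://bit.ly/xyz")
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}
VAGUE_TITLES = {"q4 review", "follow-up", "urgent meeting"}
URL_RE = re.compile(r"https?://\S+")

def parse_vevent(ics):
    """Minimal parser: NAME[;params]:value per line; ATTENDEE collected as a list."""
    ev = {"ATTENDEE": []}
    for line in ics.splitlines():
        if ":" in line:
            name, value = line.split(":", 1)
            name = name.split(";", 1)[0].upper()  # drop property parameters
            if name == "ATTENDEE":
                ev["ATTENDEE"].append(value.lower())
            else:
                ev[name] = value
    return ev

def score_event(ev, known_senders, expected_hosts):
    """Return the checklist signals an event triggers (two or more: treat as malicious)."""
    hosts = {urlparse(u).hostname for u in URL_RE.findall(ev.get("DESCRIPTION", ""))}
    checks = [
        ("unknown sender", ev.get("ORGANIZER", "").lower().replace("mailto:", "") not in known_senders),
        ("vague title", ev.get("SUMMARY", "").strip().lower() in VAGUE_TITLES),
        ("single attendee", len(ev["ATTENDEE"]) <= 1),
        ("round time slot", datetime.strptime(ev["DTSTART"], "%Y%m%dT%H%M%SZ").minute == 0),
        # exact host match, so shorteners and lookalikes of accounts.google.com both fail
        ("unexpected link domain", any(h in SHORTENERS or h not in expected_hosts for h in hosts)),
    ]
    return [label for label, hit in checks if hit]

def links_added_by_update(old_ics, new_ics):
    """Two-stage spam: links in the edited event that the arrival-time scan never saw."""
    old, new = parse_vevent(old_ics), parse_vevent(new_ics)
    if int(new.get("SEQUENCE", 0)) <= int(old.get("SEQUENCE", 0)):
        return []  # not a newer revision of the event; nothing new to scan
    return sorted(set(URL_RE.findall(new["DESCRIPTION"])) - set(URL_RE.findall(old["DESCRIPTION"])))
```

Running `links_added_by_update` on every revision (each SEQUENCE bump) rather than only on arrival is what closes the gap variant 5 relies on.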

Where browser security fits in

The settings lockdown stops most phishing events from landing on your calendar in the first place. For the events that do land, and for the moment a user clicks the link in the description, browser-layer protection catches the destination URL. SafeBrowz is a free Chrome, Firefox, and Edge extension that scans destination URLs before the page loads and blocks credential-harvesting clones, wallet-drainer claim pages, and fake Google or Microsoft sign-in pages. It does not block the calendar event itself - the lockdown settings do that - but it does block the landing page if a user clicks anyway. The combination of strict calendar settings plus a browser-layer scanner closes both halves of the attack chain.

Frequently asked questions

How did a meeting end up on my calendar if I never accepted it?

Google Calendar's default "Add invitations to my calendar" is "From everyone" on many accounts. Anyone who knows your email can write an invite and it appears automatically. Outlook behaves the same. Change the setting to "When I respond to the invitation in email" for strict behavior.

The invite email is from Google. Is that proof the meeting is real?

No. The notification really is sent from Google's servers, which is why it passes SPF, DKIM, and DMARC. But the event content (title, description, link) is supplied by whoever created the invite. Google delivers; it does not verify. A phishing event from a stranger is delivered the same way as a real meeting from your manager.

Will declining the event tell the attacker my address is valid?

Yes. Any response, accept or decline, confirms to the organizer that your address is monitored. Do not click respond. Delete the event with notify-organizer turned off, or change the calendar setting so events never land in the first place, and report the email as phishing.

Can I block calendar invites from a specific sender?

Yes. In Gmail, open the calendar notification, click the three-dot menu, choose Block sender. In Outlook, right-click the message and choose Junk then Block Sender. Both clients deliver calendar events through the email pipeline, so blocking the address blocks the invites.

I clicked a link but did not enter anything. Am I safe?

Probably, but the click revealed your IP and confirmed your email is active. If the page tried to drop a download, scan your device. If you did not sign any wallet transaction, no funds moved. If you signed anything, revoke approvals and move funds.

Does this same trick work on Zoom, Teams, or Apple Calendar?

The core trick - delivery through a legitimate calendar service whose notifications pass email authentication - works against any calendar that auto-accepts invites. Apple Calendar on iCloud has a stricter default and uses a separate Inbox for invitations. Teams calendar inherits Outlook settings. Tighten auto-accept on every calendar tool you use.

Bottom line: Calendar phishing wins because the invite email really is from Google or Microsoft, the phishing link lives in the event description where no email scanner reads, and the default calendar settings let any stranger drop a meeting onto your calendar. Five minutes of settings work blocks the bulk of it. Set "Add invitations to my calendar" to "When I respond to the invitation in email" in Google Calendar, uncheck "Automatically accept meeting requests" in Outlook, and block phishing senders at the email layer when one slips through. For the link in the event description that you might click anyway, run a browser-layer scanner like SafeBrowz as a second line.