Fake party invitation scam: Evite phishing that steals your Google and Microsoft login
A digital party invite that asks you to enter your email address and password to open it is a scam. The FTC issued a consumer alert on May 26, 2026 about fake Evite, Paperless Post and Punchbowl invitations that spoof the Sign in with Google and Sign in with Microsoft screens to steal your email account login.
Bottom Line First
If a party, graduation or summer-event invitation asks you to enter your email password or to sign in with Google or Microsoft just to view it, it is phishing. Real Evite, Paperless Post and Punchbowl invitations open in your browser without ever asking for your email account password. The FTC flagged this campaign on May 26, 2026. The scam arrives by text or email, the link goes to a lookalike domain (something like evite-rsvp-secure[.]com, not the real evite.com), and the login box is built to harvest your Google or Microsoft credentials. If you already typed your password into one of these pages, change that email password now and turn on 2-step verification. The same verify-before-you-sign-in rule applies to the Google Calendar invite scam and to Microsoft phishing emails.
Why this scam is spreading right now
On May 26, 2026 the Federal Trade Commission published a consumer alert with a blunt title: "Asked to enter your email address and password to open a party invite? That's a scam." That phrasing is unusual for the FTC, and it is deliberate. The agency wanted one sentence that anyone could remember.
The timing is not random. Graduation season and the start of summer are the busiest weeks of the year for digital invitations. People send and receive party invites, barbecue invites, reunion invites and grad-party invites in large volume, often from senders they half-recognize. Attackers know this. A fake invite that arrives in late May or June does not look out of place the way it would in January.
Security researchers tracking the campaign, including writeups from McAfee, AARP and TechTimes, describe a coordinated operation. Roughly 80 phishing domains have been registered since December 2025 to support it. The lookalike pages impersonate three well-known invitation brands, Evite, Paperless Post and Punchbowl, and the credential-harvest step spoofs the Sign in with Google and Sign in with Microsoft login screens. The goal is not your party RSVP. The goal is the password to your email account, because that one password is the master key to password resets on everything else you own.
What the fake invitation looks like
The message usually arrives as a text or an email. The wording is simple and warm: "You have an invitation," "Sarah invited you to a party," or "Your graduation party invite is ready. Tap to RSVP." There may be a single button or link and very little else. That sparseness is intentional. A real invitation has a sender you recognize, a date, a location and an event name. A phishing invite often has none of that, just an urgent nudge to click.
The link does not open Evite. It opens a page that looks like a digital-invitation service, then immediately throws up a login wall: "Sign in to view your invitation." The page shows a Sign in with Google button or a Sign in with Microsoft button, or a plain box asking for your email address and your email password. This is the trap. The styling copies Google's and Microsoft's real sign-in pages closely, down to the logo placement and font, but the page is hosted on the wrong domain.
When you type your email and password, that data goes straight to the attacker. Some kits then show a fake "loading your invitation" spinner or a generic error so you do not immediately realize what happened. By then the credentials are already captured. Within minutes the attacker can sign into your real mailbox, read your messages, reset passwords on your other accounts using the email links those services send, and send the same fake invitation to everyone in your contacts.
The one tell that gives it away
Here is the single rule that defeats this entire campaign, and it is the same rule the FTC built its alert around:
A real party invitation never asks for your email account password.
Evite, Paperless Post and Punchbowl do not require you to sign in with Google or Microsoft to view an invite. You click the link, the invitation opens, you tap RSVP. There is no email-password login wall in front of a party invite. If you are ever asked to enter your Google or Microsoft password, or your email password, just to see who is throwing a barbecue, stop. That request makes no sense for an invitation, and that is exactly why it is a reliable signal that the page is fake.
Think about it from the service's side. Evite has no reason to know your Gmail or Outlook password, and it never asks for it. The only party that benefits from you typing your email password into a party invite is a thief. The mismatch between what is being asked and what an invitation actually needs is the tell.
Test a suspicious invite link right now
Got an invitation by text or email and not sure about the link? Paste it below before you click. Our 3-layer engine (Local + APIs + AI) returns a verdict in about 3 seconds. Free, no signup.
Red flags in a fake party invite
- It asks for your email password. The defining signal. A party invite that wants your Google, Microsoft or email account password is phishing, full stop.
- The link goes to a lookalike domain. Real invitations live on evite.com, paperlesspost.com or punchbowl.com. A link to something like evite-rsvp-secure[.]com or paperless-invite[.]net (illustrative examples, not real Evite or Paperless Post domains) is a fake.
- A Sign in with Google or Microsoft box appears before you can see the invite. You should be able to view an invitation without any account login. A login wall in front of it is the harvest step.
- Urgency. "RSVP closes today," "respond in the next hour," or a countdown timer. Real invites give you days, not minutes.
- You do not recognize the sender or the event. A generic "you have an invitation" with no host name you know and no event details is a classic lure.
- It came by text from an unknown number. A surprise invite text with a tap-here link, especially from a number you do not have saved, deserves suspicion.
- The login page is on the wrong domain. If the address bar on the sign-in screen does not read accounts.google.com or login.microsoftonline.com, the password box is fake even if it looks perfect.
- Spelling or layout that is slightly off. Subtle font, color or wording differences from the real brand can give away a cloned page.
If you already entered your password
Speed matters here. The moment your email password is captured, the attacker can start resetting your other accounts. Do not wait to see if anything happens. Act now.
- Change that email password immediately. Go directly to your provider by typing the address yourself (accounts.google.com for Gmail, account.microsoft.com for Outlook), not through any link in the invite. Pick a new password you have never used elsewhere.
- Turn on 2-step verification. Also called two-factor authentication. This blocks an attacker who has your password but not your second factor. Use an authenticator app or a hardware key rather than SMS where you can.
- Check your account recovery settings. Attackers often add their own recovery email or phone number so they can lock you out later. Open security settings and remove any recovery email, phone number or backup that you do not recognize.
- Check your forwarding and filter rules. A common move is to set a hidden rule that forwards a copy of your mail to the attacker or that auto-deletes security alerts. In Gmail and Outlook, review forwarding addresses and filters and delete anything you did not create.
- Sign out of all other sessions. Both Google and Microsoft let you see active sessions and devices and sign them all out. Do this so any session the attacker opened is killed.
- Reset passwords on accounts that use this email. Anything where the same email is your login or your password-reset address (banking, social media, shopping) should get a fresh, unique password.
- Warn your contacts. If the attacker sent the fake invite onward from your account, tell the people in your address book not to click it.
How to report it
- Report to the FTC at reportfraud.ftc.gov. This feeds the same consumer-protection data behind the May 26 alert.
- Forward the phishing message to the real brand. Send it to Evite, Paperless Post or Punchbowl support so their teams can pursue takedowns of the impersonating pages.
- In the US, report to the FBI Internet Crime Complaint Center at ic3.gov if you lost money or had an account taken over.
- Report the spoofed login page to Google or Microsoft. Both run phishing-report channels, and a flagged page gets pushed to Safe Browsing and SmartScreen blocklists faster.
How SafeBrowz blocks this threat
SafeBrowz runs a 3-layer detection architecture: Local + APIs + AI.
- Layer 1 - Local detection: 60+ URL pattern signatures plus a 550+ brand database (Evite, Paperless Post, Punchbowl, Google and Microsoft included) plus homograph and Punycode checks, all running inside the extension before the page renders. It catches lookalike-domain invites and brand-impersonation cases where a non-Google, non-Microsoft domain renders a Sign in with Google or Sign in with Microsoft login form.
- Layer 2 - API checks: aggregates Google Safe Browsing, PhishTank, URLhaus and ScamAdviser feeds plus 30+ scam TLD lists to flag domains already known to be malicious, which covers many of the campaign domains registered since December 2025.
- Layer 3 - AI deep scan (Premium): 100+ language content analysis catches brand-new lookalike pages in seconds, including a fake login screen that copies Google or Microsoft styling but sits on the wrong domain.
Detection signatures are derived from threat-intelligence research and our internal brand database, not from user browsing data. SafeBrowz does not store per-user browsing history.
Where browser-layer defense fits
Email and text filters cannot stop everything. Many of these invites arrive from accounts and numbers that pass basic checks, and the fake login page is what actually does the damage. Browser-layer scanning catches that next step. When a Sign in with Google or Sign in with Microsoft page renders on a domain that is not accounts.google.com or login.microsoftonline.com, a brand-aware scanner flags the impersonation before any form loads. SafeBrowz is a free extension for Chrome, Firefox and Edge (Safari coming soon) that checks every URL before it renders against a 550+ brand database. Install SafeBrowz and pair it with the one rule that beats this whole campaign: a party invite should never ask for your email password.
Install SafeBrowz free
Add the browser extension that runs every check in this article automatically, on every page, before it renders. Free forever, with optional Premium AI deep scan at $14.99 per year.
Add to Chrome
Add to Firefox
Add to EdgeFrequently asked questions
Does a real Evite or Paperless Post invitation ever ask for my email password?
No. Evite, Paperless Post and Punchbowl invitations open in your browser without asking for your email account password and without a Sign in with Google or Sign in with Microsoft wall just to view them. If an invite demands your email password before you can see it, it is phishing. That is the core of the FTC's May 26, 2026 alert.
I entered my password into a fake invite page. What do I do first?
Change that email password immediately by going directly to your provider (accounts.google.com for Gmail, account.microsoft.com for Outlook), not through any link in the invite. Then turn on 2-step verification, check your account recovery settings and email forwarding rules for anything you did not add, and sign out of all other sessions. Reset passwords on any account that uses that email for login or recovery.
How do I tell a fake invitation link from a real one?
Look at the domain. Real invitations live on evite.com, paperlesspost.com or punchbowl.com. A link to a lookalike like evite-rsvp-secure followed by a different domain is fake. Also check the sign-in page: a real Google login is on accounts.google.com and a real Microsoft login is on login.microsoftonline.com. If the address bar shows anything else, the password box is fake.
Why does a party invite want my Google or Microsoft login?
It does not, if it is real. The attacker spoofs the Sign in with Google and Sign in with Microsoft screens because your email account password is the master key to your digital life. With it they can read your mail and reset passwords on your other accounts using the recovery links those services email you. The campaign targets your email login, not your party plans.
How do I report a fake party invitation scam?
Report it to the FTC at reportfraud.ftc.gov, forward the message to the real brand (Evite, Paperless Post or Punchbowl support) so they can pursue takedowns, and in the US file a report with the FBI at ic3.gov if you lost money or had an account taken over. You can also report the spoofed login page to Google or Microsoft.
Why are these fake invites showing up so much in May and June?
Graduation season and the start of summer are the busiest weeks of the year for digital invitations, so a fake invite blends in. Researchers tracking the campaign report roughly 80 phishing domains registered since December 2025 to support it, timed to launch when people expect grad-party and summer-event invites. The FTC issued its alert on May 26, 2026 to get ahead of the wave.
Related SafeBrowz coverage
- Google Calendar invite phishing scam: how fake event invites steal logins
- Microsoft phishing email: how to spot a fake in 2026
- How to verify an email is real in 2026
- AI-generated phishing emails: why they pass the old sniff tests
- DocuSign phishing scam: how fake signature requests steal credentials
- Fake Microsoft popup tech-support scam: the DOJ 2026 takedown
- Netflix account on hold email scam: spotting the fake
- Search engine phishing: when Google Ads lead to fake login pages
- PayPal account verification scam email: the lookalike login trap
- FBI Kali365 Microsoft 365 phishing warning (2026)
Bottom line: A party invite is supposed to be fun, not a login test. If a graduation, barbecue or reunion invitation asks you to enter your email password or to sign in with Google or Microsoft just to view it, it is a scam. Verify the domain, never type your email password into an invite, and put SafeBrowz on your browser so the fake login page never loads in the first place.