
Beware of Sneaky Phishing Attempts in Calendar Invites
By David Stidham, Operations Manager at Cenetric
As if bad actors needed a new way to try to gain access to your systems and credentials — now they’re hiding in meeting invitations.
After all, when’s the last time any of us expected malware built to steal our data to arrive as a calendar invite? Those are for telling you about next week’s company outing, an investor meeting or a 1-on-1 with someone on your team, right?
Those expectations are exactly what hackers are counting on. They send a meeting invitation, which Outlook, iCal and Google Calendar are programmed to tentatively put on your calendar. The bad actors give them intriguing subjects like “Urgent: Last Quarter’s Sales Data” and attach a file or add a link that looks like information that will help you prepare for the meeting.
So you click. Now, whether you’ve accepted the invitation to your calendar or not, the hacker can direct you to a fake login page meant to steal your credentials or launch a program that installs malware on your systems.
Who do these invitations come from?
Bad actors can hack real contacts you trust and use their email to send invitations that get into your systems as well, or they can simply spoof the email address, making it appear that it’s your contact sending you an email when it really isn’t. These are both types of social engineering, meant to gain your trust and trick you into doing something you shouldn’t in order to harm or gain access to your data and systems.
Cybersecurity researchers at Bitsight also found that calendar subscriptions can be used to send harmful files that automatically make sync requests, essentially allowing hackers regular access to your device through ongoing “calendar updates.” You think you’re subscribing to your office’s softball team schedule or your city’s trash pickup dates — but you’re actually subscribing to any terrible thing the hacker can dream up.
How should you protect your calendar?
First, remove your email address (and all your other personal data) from as many places as you can to reduce the opportunity for cyber criminals to send you malicious meeting invitations. At Cenetric, we like Optery, which removes your personal data from sketchy online databases.
Many people overlook their contact sharing settings on social media sites, unwittingly leaving their email addresses publicly viewable. LinkedIn, for example, lets your first-degree connections see your email address by default. Unless you change it, that means everyone you’ve ever accepted a connection request from can access your email address.
If you aren’t looking for work opportunities or new clients, it’s best to set that to “Only visible to me” to prevent others from seeing your email address. If you want to make sure connections can see your email address to contact you about your SMB’s services or products, “1st degree connections” is the safest option. We recommend against “1st and 2nd degree connections” and “Anyone on LinkedIn” options.
To update your email settings in LinkedIn, go to Settings > Visibility > Who can see or download your email address. (Might as well check and update your other privacy settings while you’re there!)

As you can see above, there’s also a setting that allows you to include your email address when first-degree connections download their own connection data. Since 2018, it’s been off by default, but we advise you not to turn this on.
What should you do if you get a suspicious calendar invitation?
Stay alert for unexpected or odd meeting requests and act accordingly:
- If you don’t know the sender, delete it from your calendar without clicking any files or links or responding by email. If it’s a real request, they’ll find another way to reach out to you. (And wouldn’t it be a little strange for someone you don’t know to put even a legitimate meeting request on your calendar without emailing or speaking with you first anyway?)
- If it appears to be someone you know, but it has strange wording or unusual files or links attached, contact them in a trusted way to confirm it’s real. Start a fresh email from the contact information you already have or call or text them. Replying to a hacked invite only puts you in touch with the very person who’s trying to trick you.
- Regularly check your calendar subscriptions and evaluate whether they’re still important. You don’t really need the calendar for your son’s second-grade soccer team snack schedule now that he’s in high school, do you? Unsubscribe from outdated calendars. Bitsight’s research found that abandoned calendar subscriptions taken over by bad actors were one of the primary culprits in malicious calendar invitations, affecting an estimated 4 million devices.
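The checks in the list above (unknown or mismatched sender, odd wording, unusual files or links) can also be automated where invites arrive as .ics attachments, for example in a helpdesk triage or mail-gateway script. The following is an added example, not code from the original post or from Cenetric or Bitsight: it parses an iCalendar meeting request and reports the indicators described in this article. Both invites, the indicator word list and the risky-extension list are constructed assumptions for illustration, and the sender address passed in is assumed to be the address the mail actually came from, which need not match the ORGANIZER written inside the invite.

```python
"""Triage an iCalendar (.ics) meeting request for the phishing indicators
described in the article: an urgency lure in the subject, an organizer that
does not match the real sender, links to hosts outside the sender's domain,
and executable or inline-binary attachments. Illustrative example only."""
import os
import re
from urllib.parse import urlsplit

# Constructed sample invite mimicking the lure described in the article.
# The DESCRIPTION line is folded (continuation line starts with a space),
# as real calendar clients do for long lines.
SUSPICIOUS_ICS = """BEGIN:VCALENDAR
VERSION:2.0
PRODID:-//Example//Constructed Sample//EN
METHOD:REQUEST
BEGIN:VEVENT
UID:constructed-sample-001@example.invalid
DTSTAMP:20240101T120000Z
DTSTART:20240108T150000Z
DTEND:20240108T153000Z
SUMMARY:Urgent: Last Quarter's Sales Data
ORGANIZER;CN=Pat Finance:mailto:pat.finance@example-corp.invalid
ATTENDEE;RSVP=TRUE:mailto:you@example-corp.invalid
DESCRIPTION:Please review the attached figures before the call:
  http://sales-data-review.example.invalid/login
ATTACH;FMTTYPE=application/octet-stream;FILENAME=Q3_Sales.xlsm.exe:http://sales-data-review.example.invalid/Q3_Sales.xlsm.exe
END:VEVENT
END:VCALENDAR
"""

# Constructed benign invite: organizer matches the sender, no links, no files.
BENIGN_ICS = """BEGIN:VCALENDAR
VERSION:2.0
METHOD:REQUEST
BEGIN:VEVENT
UID:constructed-sample-002@example.invalid
SUMMARY:Weekly 1-on-1
ORGANIZER:mailto:pat.finance@example-corp.invalid
DESCRIPTION:Agenda is in the shared doc we discussed last week.
END:VEVENT
END:VCALENDAR
"""

# Indicator lists are assumptions for this example, not a vendor's ruleset.
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".hta", ".bat", ".cmd",
                    ".ps1", ".lnk", ".iso", ".xlsm", ".docm"}
URGENCY_WORDS = ("urgent", "immediately", "action required", "overdue", "final notice")
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
LINK_PROPERTIES = {"DESCRIPTION", "LOCATION", "URL"}


def parse_ics(text):
    """Unfold continuation lines and split each property into (name, params, value)."""
    unfolded = re.sub(r"\r?\n[ \t]", "", text)
    props = []
    for line in unfolded.splitlines():
        if ":" not in line:
            continue
        head, value = line.split(":", 1)
        parts = head.split(";")
        params = {}
        for p in parts[1:]:
            if "=" in p:
                k, v = p.split("=", 1)
                params[k.upper()] = v.strip('"')
        props.append((parts[0].upper(), params, value))
    return props


def domain_of(email):
    return email.rsplit("@", 1)[-1].lower()


def analyze_invite(ics_text, sender_email):
    """Return the invite summary, a list of findings and a verdict.
    sender_email is the address the invite actually arrived from."""
    findings = []
    summary = ""
    sender_domain = domain_of(sender_email)
    for name, params, value in parse_ics(ics_text):
        if name == "SUMMARY":
            summary = value
            hits = [w for w in URGENCY_WORDS if w in value.lower()]
            if hits:
                findings.append(f"urgency lure in subject ({', '.join(hits)})")
        elif name == "ORGANIZER":
            organizer = value.lower()
            if organizer.startswith("mailto:"):
                organizer = organizer[len("mailto:"):]
            if organizer != sender_email.lower():
                findings.append(f"organizer {organizer} does not match sender {sender_email}")
        elif name == "ATTACH":
            filename = params.get("FILENAME") or urlsplit(value).path.rsplit("/", 1)[-1]
            ext = os.path.splitext(filename)[1].lower()
            if ext in RISKY_EXTENSIONS:
                findings.append(f"attachment {filename} has risky extension {ext}")
            if params.get("ENCODING", "").upper() == "BASE64":
                findings.append(f"attachment {filename} is embedded inline as binary")
        elif name in LINK_PROPERTIES:
            for url in URL_RE.findall(value):
                host = urlsplit(url).hostname or ""
                if host != sender_domain and not host.endswith("." + sender_domain):
                    findings.append(f"{name} links to external host {host}")
    verdict = "suspicious" if findings else "no indicators"
    return {"summary": summary, "findings": findings, "verdict": verdict}


if __name__ == "__main__":
    for ics, sender in ((SUSPICIOUS_ICS, "noreply@free-mail.invalid"),
                        (BENIGN_ICS, "pat.finance@example-corp.invalid")):
        result = analyze_invite(ics, sender)
        print(result["summary"], "->", result["verdict"])
        for f in result["findings"]:
            print("  -", f)
```

The organizer check is the automated form of "contact them in a trusted way": it compares the contact named inside the invite with where the mail really came from, so a forged ORGANIZER riding on a throwaway mailbox stands out even when the display name looks familiar. A clean verdict from this script is not proof the invite is safe; it only means none of these particular indicators fired.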
Work with an IT services provider that can help you stay safe
When you work with a managed or co-managed IT services provider like Cenetric, you can rest assured that all the proper protections are in place to keep bad actors out with regular IT risk assessments and other preventative measures. We can also train your team on this type of attack to help them spot suspicious invitations before they put your systems at risk.
Want to protect your Kansas City business from cyberthreats? Cenetric has the experience and availability to help you prevent an attack — or respond if you’ve already been hit. Let’s set up a time to talk about cybersecurity.