Cybercriminals are adept at finding new ways to scam us and according to researchers at Kaspersky, the crooks are using Google Calendar notifications as a means of delivering phishing links.
The crafty scam takes advantage of the Google Calendar setting that automatically pulls events and invites over from a user's Gmail account.
A seemingly legitimate pop-up notification appears on the user's smartphone and they are prompted to click on a link to complete a survey or claim a cash reward. Descriptions on the calendar invites include; ‘You’ve received a cash reward’ or ‘There’s a money transfer in your name’.
If the victim clicks on the link, they are redirected to a fake website that features a simple questionnaire. To be in with a chance of winning a prize, they are asked to submit some personal information including their name, address, phone number and bank account details.
Once the crooks have all this sensitive information, they can then use it to clean out the victim's bank account or commit identity fraud. At the current time, it appears the main aim of the scam is to harvest user details but the links could also be used to deliver malware.
The scam is particularly effective as most users will recognise Google Calendar as a trusted app and not even think twice about questioning the validity of links within calendar invites.
To avoid falling for this type of phishing attack, there are a number of steps you should take:
• Open Google calendar's setting on a desktop browser and go to Event Settings> Automatically Add Invitations. Select the option 'No’, only show invitations to which I've responded.
• Under View Options, make sure that 'show declined events'' is unchecked.
• Don't open messages from unknown senders.
• Never accept invitations from someone you don't know.
• Don’t click on links in messages you weren't expecting.
The scam is just another example of how deceptive cybercriminals are becoming in their pursuit to defraud us. As the general population becomes more knowledgeable about the classic signs of a phishing attack, the crooks have had to change tactics and try different methods to avoid detection.
Action Fraud recently announced that they’ve received over a quarter of a million reports of phishing between April 2018 and March 2019, demonstrating just how widespread the cyber threat has become.
Despite the increasing sophistication of phishing attacks, there are a number of ways you can protect yourself online. MetaPhish has been specifically designed to protect businesses from phishing and ransomware attacks and provides the first line of defence in combatting cyber-crime. Get in touch for further information on how we can help your business.