Google Calendar being exploited by spammers

Experts at Kaspersky have identified multiple cases of a scam targeting users through unsolicited Google Calendar notifications.

Google’s anti-spam module avoids flagging notifications from its own services as spam, but spammers are abusing this to bypass the spam filter and deliver emails to inboxes by exploiting the default feature on Google calendar that automatically adds calendar invitations and notifications.

May saw numerous unsolicited pop-up calendar notifications appearing for Gmail users, due to a vast amount of sophisticated spam emails being sent by scammers.

Dubbed as the “calendar scam”, the perpetrators send an unsolicited calendar invitation with a malicious link to a phishing URL. A pop-up notification of the invitation appears which when clicked redirects the user to a website that hosts a simple questionnaire offering money for its completion.

In order to receive the prize, the user has to enter their credit card details and some personal information including their name, phone number and address – however rather than receiving a prize the information goes straight to scammers.

Maria Vergelis, security researcher at Kaspersky said in a press release:

“The ‘calendar scam’ is a very effective scheme, as most people have become used to receiving spam messages from emails or messenger apps.

“But this may not be the case when it comes to the Calendar app, which has a main purpose to organize information rather than transfer it. So far, the sample we’ve seen contains text displaying an obviously weird offer, but as it happens, every simple scheme becomes more elaborate and trickier with time. The good news is that it’s fairly easy to avoid such a scam – the feature that enables it can be easily turned off in the calendar settings.”

Researchers at Kaspersky have advised users to turn off the automatic adding of invitations to their calendar.

As well as exploiting Google Calendar, It was also identified that scammers have been leveraging Google Photos by sharing photographs “that include comments about sudden large remittances that can be had by replying to the e-mail address supplied in the message”.

Join our free-to-attend digital event, Last Thursday in Privacy, addressing data protection, privacy and security challenges including working from home, COVID-19, global regulations and more. Visit

We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.

Privacy Culture: Data Privacy and Information Security Consulting, Culture & Behaviour, Training, and GDPR maturity, covered.