If you're like a lot of business owners in the U.S., you probably use web-based calendars, like Google calendars.

Now, they're under threat.

I learned this firsthand recently when I opened one of the Google calendars I've been using -- fortunately, not my main work one -- and found that a bizarre recurring event had been added to my schedule for five full days in a row: "iPhone Xs delivery."

More specifically, "Free iPhoneX is yours, fill out delivery address."

This seemed odd for about 30 reasons. For one, I already have an iPhone that I'm more or less happy with.

Second, I had no recollection of signing up for or agreeing to do any of this.

Oh, and third, there was the fact that the meeting time was scheduled for Moscow Standard Time.

The plot thickens. And the explanation beckons.

After clogging our phones with spam calls and filling our email in-boxes with the same -- and after giving text message spam the ol' college try -- it turns out that the same kinds of people are now targeting calendars.

Whitson Gordon, who was formerly the editor in chief of Lifehacker and How-to Geek, tackled this development recently on OneZero. Here's his explanation:

It works like this: A spammer sends you an invite to a "meeting" using the collaborative tools built into Google Calendar, iCloud, or other online scheduling tools. By default, these services add the event to your calendar whether you've accepted or not -- meaning that spammer's event proclaiming "hot singles in your area" is now on your agenda, with no intervention from you. 

In fact, there's a good chance you won't see the invite at all: Gmail, for example, may automatically place the invite in your spam folder, but Google Calendar will still process the invite, perhaps leading to a mysterious notification on your phone down the line.

ZDNet wrote about it back in June, as well, citing a report by the Russian security firm Kaspersky.

By all indications, these are phishing efforts, and not especially sophisticated ones at that.

I didn't acknowledge the calendar invitation (or decline it), and I certainly wasn't going to click on the link contained in it. However, Kaspersky's account suggests that at least in some cases, clicking through simply brings you to a site that features a questionnaire and offers prize money for completing it.

To receive the prize money, users are ultimately asked for more information (name, phone number, address) and even a credit card number.

Fortunately, it appears there's also a way to defend against these kinds of spam attacks. As Gordon spells it out:  

  1. Open Google Calendar
  2. Go to "Settings"
  3. Go to "Event Settings"
  4. Where it says, "Automatically add invitations," pick "No, only show invitations to which I've responded."

The downside to this, from my perspective, is that I actually find it useful for people to be able to add invitations to my calendar before I've accepted them -- assuming they're from people I know and trust. 

But I guess this is the world we live in. 

Just when it seems like governments are finally doing something that might be effective to defeat robocalls, and just as many of us are learning to live with email spam, the criminals out there have found another opening. At least this one comes with a solution.
 

Published on: Aug 28, 2019
Like this column? Sign up to subscribe to email alerts and you'll never miss a post.
The opinions expressed here by Inc.com columnists are their own, not those of Inc.com.