There are 1.5 billion people using Google's Gmail and Calendar services. And now, they're all at risk of falling victim to a new scam, one security researcher says.
In a statement this week, Kaspersky said that it has analyzed both Google Calendar and Gmail and found that users are receiving unsolicited notifications that include a link to a phishing URL. Those who click on the link are brought to a malicious site, where their credit card credentials could be stolen if they input them into the site.
According to Kaspersky, the problem centers on a feature in Google Calendar and Gmail that allows malicious hackers to create a calendar event and then have users automatically receive a notification about it.
But what's most interesting about the maneuver, according to the report, is that the malicious hackers aren't using traditional email to make it happen.
"The 'calendar scam' is a very effective scheme, as most people have become used to receiving spam messages from emails or messenger apps," Maria Vergelis, security researcher at Kaspersky, said in a statement. "But this may not be the case when it comes to the Calendar app, which has a main purpose to organize information rather than transfer it."
Vergelis went on to say that the attacks Kaspersky has seen this year have "an obviously weird offer, but as it happens, every simple scheme becomes more elaborate and trickier with time."
In most cases, users who clicked on the link saw an opportunity to win a "prize" if they input their payment information into the page. When that happened, the only "prize" was a stolen credit card number.
What Can You Do?
Luckily, the flaw doesn't appear to be difficult to sidestep. But it's still a good idea to be cautious and inform your employees of the flaw as soon as possible.
First things first. Keep in mind that you shouldn't click on links that are sent to you from an unknown party or anyone who creates an invite in your calendar without your knowledge. Being skeptical about the threats you face is always a good idea.
Second, be sure to never share your personal information on a site unless you know what it is and you can verify it's real. Although you can't always be 100 percent sure, do your best to stay away from entering data into seemingly malicious sites.
Finally, and perhaps most important, turn off the feature that automatically adds calendar invitations to your Google Calendar. That will immediately stop malicious hackers from being able to target you.
To do that, go to your Calendar and choose the Gear Icon at the top. Next, choose Event Settings and click "No, only show invitations to which I've responded" under the drop-down menu.
Ultimately, Kaspersky said that the scam, while concerning, is easy to avoid, thanks to Google's settings.
So, first things first: turn off that auto-adding feature. Then be sure to give your employees a refresher on security.