Many spam trends are cyclical: Spammers tend to switch tactics when one method of hijacking your time and attention stops working. But periodically they circle back to old tricks, and few spam trends are as perennial as calendar spam, in which invitations to click on dodgy links show up unbidden in your digital calendar application from Apple, Google and Microsoft. Here’s a brief primer on what you can do about it.
Over the past few weeks, a good number of readers have written in to say they feared their calendar app or email account was hacked after noticing a spammy event had been added to their calendars.
The truth is, all that a spammer needs to add an unwelcome appointment to your calendar is the email address tied to your calendar account. That’s because the calendar applications from Apple, Google and Microsoft are set by default to accept calendar invites from anyone.
Calendar invites from spammers run the gamut from ads for porn or pharmacy sites, to claims of an unexpected financial windfall or “free” items of value, to outright phishing attacks and malware lures. The important thing is that you don’t click on any links embedded in these appointments. And resist the temptation to respond to such invitations by selecting “yes,” “no,” or “maybe,” as doing so may only serve to guarantee you more calendar spam.
Fortunately, there are a few simple steps you can take that should help minimize this nuisance. To stop events from being automatically added to your Google calendar:
-Open the Calendar application, and click the gear icon to get to the Calendar Settings page.
-Under “Event Settings,” change the default setting to “No, only show invitations to which I have responded.”
To prevent events from automatically being added to your Microsoft Outlook calendar, click the gear icon in the upper right corner of Outlook to open the settings menu, and then scroll down and select “View all Outlook settings.” From there:
-Click “Calendar,” then “Events from email.”
-Change the default setting for each type of reservation to “Only show event summaries in email.”
For Apple calendar users, log in to your iCloud.com account, and select Calendar.
-Click the gear icon in the lower left corner of the Calendar application, and select “Preferences.”
-Click the “Advanced” tab at the top of the box that appears.
-Change the default setting to “Email to [your email here].”
Making these changes will mean that any events your email provider previously added to your calendar automatically by scanning your inbox for certain types of messages from common events — such as making hotel, dining, plane or train reservations, or paying recurring bills — may no longer be added for you. Spammy calendar invitations may still show up via email; in the event they do, make sure to mark the missives as spam.
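As an added illustration (not code from this article or from any calendar vendor), the example below applies the same "leave it in email unless I know the sender" policy to a raw invitation message, which arrives as a `text/calendar` part inside an ordinary email. The sample message, the trusted-domain list and the function names are constructed for the example.

```python
import re
from email import message_from_string

# Constructed sample message (not from the article): an unsolicited invite.
SAMPLE = """\
From: promo@prizes.example
To: reader@corp.example
Subject: Invitation: Your new phone is ready
Content-Type: text/calendar; method=REQUEST; charset="utf-8"

BEGIN:VCALENDAR
METHOD:REQUEST
BEGIN:VEVENT
ORGANIZER;CN=Prize Desk:mailto:promo@prizes.example
SUMMARY:Your new phone is ready
DESCRIPTION:Claim it at http://prizes.example/claim before it
  expires
END:VEVENT
END:VCALENDAR
"""

def ical_props(text):
    """Unfold RFC 5545 continuation lines; return {NAME: first value seen}."""
    unfolded = re.sub(r"\r?\n[ \t]", "", text)
    props = {}
    for line in unfolded.splitlines():
        name, sep, value = line.partition(":")
        if sep:  # drop parameters such as ;CN=... from the property name
            props.setdefault(name.split(";")[0].upper(), value)
    return props

def triage_invite(raw_email, trusted_domains):
    """Decide whether an invite may be auto-added or should stay in email."""
    msg = message_from_string(raw_email)
    for part in msg.walk():
        if part.get_content_type() != "text/calendar":
            continue
        props = ical_props(part.get_payload(decode=True).decode("utf-8", "replace"))
        organizer = re.sub(r"^mailto:", "", props.get("ORGANIZER", ""), flags=re.I).lower()
        domain = organizer.rpartition("@")[2]
        text = " ".join(props.get(k, "") for k in ("SUMMARY", "DESCRIPTION", "LOCATION"))
        return {
            "verdict": "auto_add" if domain in trusted_domains else "email_only",
            "organizer": organizer,
            "links": re.findall(r"https?://[^\s\\,;]+", text),  # listed, never fetched
        }
    return {"verdict": "not_invite", "organizer": "", "links": []}

if __name__ == "__main__":
    print(triage_invite(SAMPLE, {"corp.example"}))
```

An invite with a missing or unknown organizer falls through to `email_only`, so nothing lands on the calendar without the recipient acting on it.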
Have you experienced a spike in calendar spam of late? Or maybe you have another suggestion for blocking it? If so, sound off in the comments below.
You should add that that setting in Google Calendar is only available on desktop.
I spent a while the other day after getting one of these trying to find the setting on my phone. It’s not there. The setting affects your phone too, just have to use your desktop to change it.
Thanks Larry, I did the same thing.
Wow, are you serious. Those three big name companies didn’t think it through that allowing anyone to put an invite into anyone else’s calendar may be abused. No way!?
[face palm]
It’s actually a feature. And that’s not sarcasm, it’s a real useful feature in a corporate office.
If someone in the office invites you to a meeting and you haven’t noticed it in your email yet to accept, it will show up on your calendar anyway, probably with a visual difference from accepted invitations (in Google, it shows an unfilled outline for unaccepted events).
The problem is when people from outside the office decide to invite you to stuff and you’re not set up to only allow it from internal people. Like so many web technologies, it’s a great idea and very useful if everyone is well behaved and uses it as intended, but basically falls down flat when abused.
A very timely article, as the other day I received the same spam invite that you showed in your article, I wasn’t sure how that had gotten on my calendar….
You should add that that setting in Google Calendar is only available on desktop.
I spent a while the other day after getting one of these trying to find the setting on my phone. It’s not there. The setting affects your phone too, just have to use your desktop to change it.
Helena
I don’t have a desktop
I opened my calendar in a browser and switched to desktop mode. The event settings option appeared there.
I don’t use cloud services any more than I use Windoze…
Making a real contribution to the conversation there, well done.
Here’s the same guide with screenshots for every step and less than 50 words of text in total: https://flowshare.io/flow/how-to-block-spam-invitations-from-your-google-calendar
Thank you, flowshare. Very helpful.
That’s hilarious. What a way to mess with people.
Might add new calendar events for my boss every 15-30 days for the next 200 years. It’ll drive him nuts!
Just yesterday my calendar had a new event. Samsung had added “Your new Samsung is ready to be picked up”. The app would not allow me to alter or cancel the “event”.
I deleted the app.
You mean you did not want a new Samsung??
Thank you so much. I’ve been fighting this spam for 2 months now.
I got into it with the google calendar ‘support’ folks on Twitter cuz for all their laudable anti-spam efforts, this seems like one of the dumbest problems to have.
Ok, so their spam filters belatedly purge an e-mail that got through on the first pass, and triggered an auto-add to the calendar. How is there no fricking IFTTT type logic to purge all chained events based on the predecessor trigger? Like….. they are smarter than this, it’s just not a priority? Cool, I’ll “report instances of spam” per their poor low-level twitter drones and their scripted guidance.
Thanks for the workaround Krebs!
Except if you have shared your calendar with anyone then the spam appears for those people even if you’ve hidden it for you.
I’ve been manually deleting these stupid spam events for weeks now!
Hope this setting works.
Thanks to the guys above for mentioning that you can only change the setting via desktop for Gmail, as I spent ages trying on my phone to find it!
create a filter with this email, delete, fixed!
Apple and Google have been adding phony holidays to my US calendars for years, like Eid, Labor, and MLK days. Nothing new here.
Related: what kind of idiot leaves their calendar open to public viewing and event invitations? When I first heard of this spam, my only thought is that these people deserve it.
Labor Day is a “phoney” holiday? MLK day phoney? Both are official USA govt holidays, observed by banks, the post office and many major businesses in the States. EiD is a legit religious holiday and if they list Christmas, Easter, Yom Kippur, etc, why shouldn’t they list this?
Your point about people deserving to get their accounts spammed is simply too moronic to address. It’s the last resort excuse of a criminal.
Maybe the same people, that share their private lives (and parts…) in e.g. Instagram etc.
Koo.jii
I guess so. They over share.
I deleted both calendar scam emails but the scam event showed up on my phone calendar anyway. It didn’t show up on my desktop Google calendar. How can I delete it? I don’t want to open it and I can’t find a way to delete it.
People who didn’t KNOW that it was even an option for other people to add events to their calendars. Not everyone grew up with phones and computers attached to their hips. I am constantly amazed that the default for most of this crap is that anyone can see or do anything and you have to make it private. I’m learning!
Makes me especially glad I use Outlook (not Outlook.com) to do my calendaring. Been using it for over 20 years–I started in 1998. I sync it to my phone using–OMG!!!–a wire.
I looked at my settings on Windows 10 and my outlook app for iOS, I don’t have anything that says “Accept invites my default”. Either I’m missing something or I don’t have the ability to set that. Hopefully that’s not the default
And for all you security vendors out there who think it’s cool to set an unsolicited calendar invite for a product demo, I will never do business with you or your company, and will do my best to spread the word of your practices to others in my network.
Very timely…I got a bunch of those the other day. And since I use Apple’s calendar app on my phone to sync to my Google account, I had to delete them in both places.
The one big thing that I hate about all of these spams is owning multiple email accounts(one is for spammy websites and another is for important stuff). Google shows the calendar invite directly on the screen of my Pixel without any interaction which gets annoying especially since I thought I got rid of them. Buzz off, scumbags!
Very timely article. I have been getting spam invites telling me my new iPhone is ready.
Thank you for the tip.
While that is helpful, at least outlook.com isn’t allowing to save changes, but I don’t use the calendar anyway. Was hoping for info on why in the past 2-3 months there has been a huge spamming, been getting 20-40 a day in my spam box and I always mark them as phishing, which should also block them in the future, and also report them on outlook.com. Doesn’t seem much is working, enough to make me check account activity for hacks, but besides more failed auto syncs from different parts of the world, regular incorrect passwords, still appears my account is safe, but doesn’t explain the huge uptick in filling my spam folder but also getting by and entering my regular inbox.
@ bigstew – set your outlook.com email account to exclusive on received emails and that might cure the problem. I didn’t get spam or junk mail in my inbox, but I set it to exclusive anyway, because of those pesky legitimate notifications from feed sites. I didn’t want to mark them as spam because they were legitimate, but out of control. I just check my junk mail occasionally when I want to respond to various communications, but I never mark them as accepted contacts. Deleting any misbehaving contacts should work towards removing them from your inbox. I don’t use calendar anymore, so I can’t speak to that.
Thanks for the insight but, I hit a snag. When using the instructions for Windows 10 on two different desktops I got the same pop up stating “the preferences you have chosen cannot be changed at this time try again later”. Any advice for me and has anyone else had the same problem? Thanks in advance.
Dean, pretty sure you have to change the settings in outlook.com, not via the desktop.
Brian,
Thanks for the reply. I was logged into outlook.com. I mentioned the desktop because that was the type of computer I was using. I just wanted to be clear it was not a laptop, tablet, phone or something else. I also made an attempt with two different browsers, Edge and Firefox (I am using a script blocker on Firefox) and got the same error message each time. “The preferences you have chosen cannot be changed at this time try again later.” I guess I will wait a couple of days and try again. Thanks for your help.
The Outlook.com calendar settings weren’t saving for me either. I reported the issue to their tech support staff, and today the calendar settings have started saving for me.
Thank you for this helpful article, Mr. Krebs.
I followed the directions to change google calendar settings on my macbook pro, restarted it and the invitation to pick up my iPhone X is still on my calendar. Do you have any suggestions? TIA
After you have made the changes outlined in the article, you still need to delete the bad calendar entries. In your web browser, go into your calendar, right click one of the events, choose delete and then choose All Events (and OK). This will delete all events that are in that entry. You will need to do that for each different message.
What’s with the hair
To disable auto-accept in OUTLOOK app (not Outlook.com):
File -> Options -> Calendar -> Automatic accept or decline -> click “Auto Accept/Decline” button -> UNCHECK “Automatically accept meeting requests and remove canceled meetings” -> Click Ok, click Ok.
I noticed that I received some google calendar spam from a source that never sent me an email.
I noticed that my google calendar was already set to private, and my email setting was set to “only if I respond yes or maybe” which should work because I never responded to the invite.
Turns out there’s an exploit in google calendar that allows you to send an invite to anyone without sending an email, and will ignore the “yes or maybe” setting. This was discovered in 2017 and according to google is a feature and working as designed.
https://www.blackhillsinfosec.com/google-calendar-event-injection-mailsniper/
Does this work for the default calendars on the Samsung phone? This is annoying!
What about Samsung? It adds these events to go off for an entire month even after I delete the event. How do I block these?
The suggestion doesn’t work and Google is aware of it.
Stop reproducing dummy solutions without confirming that they work.
This recently happened to me. Thankfully I am a paranoid security weasel and I promptly deleted the series of calendar invites. However it did give me pause as I had just started a new role, and my new company phone was due to show up that same week. Add to that the fact the email had the exact model (iPhone XR) etc.
The timing was rather coincidental or suspicious….
I see instructions like these all over but they don’t fix the problem. When I share my calendar the person it is shared with cannot suppress viewing of these SPAM calendar entries. Then I have to un-hide these on my machine so I can go in and right-click the entries and use the Google Calendar option to Remove Item. Obviously this means that the entries are added anyway, despite my wishes, and I can stop “seeing” them, but my sharees cannot. Likewise I have to look at their entries they are suppressing looking at. This situation has been going on for at least a decade and it’s pretty crazy that it has not been addressed. Even before all the recent SPAM, my wife was getting put on mailing lists by well-meaning friends, and getting calendar invites that appeared as real calendar events, indistinguishable from the ones she had added herself. She didn’t have to look at them, but I did. It’s an old annoyance that Google doesn’t seem to get.