Fake Invitation Email Scam: How It Spreads
An email arrives from your colleague's address. She's hosting a birthday party this Saturday — you're invited. The link looks legitimate. You click it, see a familiar "Sign in with Google" button, and enter your password without a second thought. Within hours, everyone in your address book gets the same invitation — this time, appearing to come from you.
This is the fake invitation email scam, and it's spreading fast. On May 11, 2026, Pennsylvania Attorney General Dave Sunday issued an urgent public warning after a surge in reports from residents whose accounts were hijacked through exactly this technique. The scam isn't limited to Pennsylvania — it's active across the country, spreading virally through real contact networks.
What Is the Fake Invitation Email Scam?
The fake invitation email scam is a phishing attack disguised as a digital event invitation — a birthday party, a work conference, a charity fundraiser, or a neighborhood gathering. What makes it unusually dangerous is where it comes from: a genuine, already-compromised email account belonging to someone you know.
Unlike traditional phishing emails that arrive from suspicious-looking addresses impersonating banks or government agencies, this attack begins with a real email from a real contact in your inbox. The sender's name and email address are authentic because the message was sent from their actual account — one the scammer has already taken over.
The primary goal is credential theft. Scammers want your Google, Apple, or Microsoft login so they can seize your email account and keep the cycle going.
How the Scam Works
Step 1: A compromised account sends the bait. A scammer has already hijacked someone in your contact list — perhaps through this same scam. Using that person's real account, they send invitations to the victim's contact list. The email appears genuine because it is: it originates from a legitimate address.
Step 2: The email invites you to an event. The message is friendly and just specific enough to seem personal. It asks you to click a link to view the invitation details and RSVP.
Step 3: You land on a convincing invitation page. The linked page copies the visual design of a well-known digital invitation platform — think Evite or Paperless Post. The event title, date, and layout all look polished.
Step 4: A login wall blocks your RSVP. Before you can respond, the page asks you to sign in using your Google, Apple, or Microsoft account — framing this as an identity check for guest access.
Step 5: Your credentials are captured. The sign-in prompt is a fake. The page records whatever credentials you enter and transmits them to the scammer instantly. Some variants skip the fake login entirely and instead trigger a malware download the moment you click the initial link.
Step 6: Your account becomes the next weapon. With access to your email, the scammer immediately sends the same invitation to everyone in your contact list. Your name and address now lend the scam credibility for the next wave of victims.
The full cycle — from clicking a link to your account being used against your contacts — can happen in minutes.
Red Flags to Watch For
- No prior conversation about this event. Real invitations follow context: a shared connection, a previous mention, a logical reason you'd be invited. An invitation appearing from nowhere is a major warning sign.
- The RSVP page asks you to sign in. Legitimate invitation platforms do not require a Google, Apple, or Microsoft login just to view a guest invitation. If you hit a sign-in wall before seeing any event details, close the tab immediately.
- The sign-in URL isn't the real service. A genuine Google sign-in happens at accounts.google.com. Apple sign-ins happen at appleid.apple.com. Microsoft sign-ins happen at login.microsoftonline.com. Any other domain — even one that looks similar — is a phishing page.
- The invitation is vague on specifics. Real party invites include a location, a time, and a personal note. Fake ones are deliberately thin on detail so they read as plausible to anyone in the sender's contact list.
- You didn't expect to hear from this person. An acquaintance you haven't spoken to in months, or a coworker you barely know, sending you a social invitation warrants a quick verification call.
- The email was sent to a large group at once. Check the "To" or "CC" field. A mass-distribution invitation rather than a personal note is a red flag.
- Hovering reveals a suspicious URL. Before clicking, hover your mouse over the link to preview its destination. If the domain isn't what you'd expect, don't click.
What to Do If You've Been Targeted
If you received the email but haven't clicked:
- Contact the sender directly by phone or text to confirm they sent an invitation.
- Mark the email as phishing in your email client and delete it.
- Report it to the FTC at ReportFraud.ftc.gov.
If you clicked a link but didn't enter credentials:
- Run a full malware scan immediately using updated antivirus software.
- Review recently installed apps or browser extensions for anything unfamiliar.
- Monitor your accounts for unusual login activity for the next 72 hours.
- See our full checklist for what to do after clicking a scam link.
If you entered your login credentials:
- Change the password for the compromised account right now — every minute of delay matters.
- Enable two-factor authentication if it isn't already active.
- Check your account's recent activity log for any unauthorized sign-ins or sent messages.
- Look through your "Sent" folder for emails you didn't write.
- Alert your contacts immediately: tell them your email was compromised and they should not click any recent invitations from your address.
- Change your password on any other account that shares the same password.
- Follow our complete guide on how to stop and recover from an account takeover.
- File a report with the FTC at ReportFraud.ftc.gov and with the FBI's IC3 at ic3.gov.
How to Protect Yourself
Turn on two-factor authentication for every important account. Even if a scammer captures your password, 2FA stops them from completing a sign-in. Start with your primary email, then Google, Apple ID, and Microsoft. This single step makes a stolen password nearly useless.
Know the real sign-in domains for services you use. Before entering credentials anywhere, verify the URL. If it's not the exact, official domain for that service, close the window.
Use a password manager. A reputable password manager autofills credentials only on the domain it recognizes. It will not enter your Google password on a lookalike phishing page — providing an automatic, passive safety check that catches what your eyes might miss.
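The red flag above about the real sign-in domains and the exact-domain matching a password manager performs come down to the same check: compare the host the browser will actually connect to, exactly, against the three official sign-in hosts. The Python below is an added example for this article, not Cautellus' own code or tooling; the three hosts are the ones the article names, while the function names, verdict labels and sample URLs are constructed for the example. It shows why "looks similar" fails: a lookalike suffix, a username-style prefix before an @ sign, and a punycode (xn--) homoglyph name all come out as something other than "official".

```python
"""Exact-host check for sign-in links (added example, not Cautellus' own code).

The three official hosts are the ones named in the article; the function
names, verdict labels and the sample URLs in main() are constructed here.
"""
from typing import Optional
from urllib.parse import urlsplit

# Official sign-in hosts from the article. A link is legitimate only if its
# host is exactly one of these: "accounts.google.com.rsvp-invite.example" is a
# different DNS name, not a subdomain of the real one.
OFFICIAL_SIGNIN_HOSTS = {
    "accounts.google.com",
    "appleid.apple.com",
    "login.microsoftonline.com",
}
# Brand words that, embedded in some other domain, mark a lookalike.
BRAND_WORDS = ("google", "apple", "microsoft")


def normalize_host(url: str) -> Optional[str]:
    """Return the lowercase host of a URL in ASCII (xn--) form, or None.

    urlsplit().hostname drops userinfo ("accounts.google.com@rsvp.example")
    and the port and lowercases the name, so only the part a browser would
    actually connect to is compared. A trailing dot is removed because it
    names the same DNS host. Non-ASCII labels are converted to punycode so
    homoglyph names can be recognised by their xn-- prefix.
    """
    try:
        host = urlsplit(url.strip()).hostname
    except ValueError:  # malformed URL, e.g. an unbalanced IPv6 bracket
        return None
    if not host:
        return None
    host = host.rstrip(".")
    try:
        return host.encode("idna").decode("ascii")
    except UnicodeError:
        return host  # keep the raw name; the caller treats non-ASCII as IDN


def signin_verdict(url: str) -> str:
    """Classify a sign-in URL.

    'official'  - exactly one of the official hosts, over https
    'insecure'  - an official host, but not https
    'idn'       - a punycode / non-ASCII label (possible homoglyph domain)
    'lookalike' - an official host or brand word embedded in another domain
    'unknown'   - none of the above: not a sign-in page for these services
    """
    host = normalize_host(url)
    if host is None:
        return "unknown"
    if host in OFFICIAL_SIGNIN_HOSTS:
        scheme = urlsplit(url.strip()).scheme.lower()
        return "official" if scheme == "https" else "insecure"
    if not host.isascii() or any(label.startswith("xn--") for label in host.split(".")):
        return "idn"
    if any(real in host for real in OFFICIAL_SIGNIN_HOSTS) or any(b in host for b in BRAND_WORDS):
        return "lookalike"
    return "unknown"


def main() -> None:
    # Constructed sample links; only the first three name a real sign-in host.
    samples = [
        "https://accounts.google.com/signin/v2/identifier",
        "https://appleid.apple.com./auth",
        "http://login.microsoftonline.com/",
        "https://accounts.google.com.rsvp-invite.example/login",
        "https://accounts.google.com@rsvp-invite.example/",
        "https://xn--ggle-0nda.com/signin",
        "https://rsvp-invite.example/event/123",
    ]
    for url in samples:
        print(f"{signin_verdict(url):10} {url}")


if __name__ == "__main__":
    main()
```

The design point is that the comparison is made on the parsed hostname rather than on the URL string a person reads: the string may contain the official name while the host the browser connects to is something else entirely, and a password manager works the same way when it refuses to autofill on a host it has never seen.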
Verify unexpected invitations before clicking anything. A ten-second text to the sender — "Hey, did you send me an invite to something?" — is the simplest, most reliable defense against this scam.
Don't rely on the sender's address as proof of legitimacy. In this scam, the sender address is real. Train yourself to ask: Does this invitation make sense given what I know about this person and our relationship?
Learn to recognize phishing more broadly. This invitation attack is one variant of a much wider category of email threats. Our guide to checking any email for phishing signs covers the full range of techniques and red flags across all types of phishing attempts.
FAQ
Q: Can this scam really come from a real friend's email address — not a spoofed one? Yes. This is exactly what makes it so effective and so dangerous. The sender's account has already been compromised through the same scam, and the invitation is genuinely sent from their address, not faked. The best defense is to verify unexpected invitations directly, through a phone call or text, before clicking any link.
Q: Which invitation platforms do scammers imitate? Scammers copy the visual style of well-known platforms like Evite, Paperless Post, and similar services to make the landing page look familiar. The credential capture happens on a fake Google, Apple, or Microsoft sign-in page that appears when you try to RSVP. No legitimate invitation platform requires you to authenticate with a major account just to view an invitation as a guest.
Q: How quickly do I need to act if I entered my credentials? Immediately. Scammers typically test and use stolen credentials within minutes of receiving them, and automated systems can begin sending from your account just as fast. Change your password the moment you realize what happened — before they lock you out.
Q: Is this scam limited to Pennsylvania? No. The Pennsylvania Attorney General's May 11, 2026 alert was the most prominent recent official warning, but this phishing technique is active nationwide. Any email user is a potential target regardless of location.
Q: How do I know if my account was already used to send these scam invitations? Check your "Sent" folder for messages you didn't write. Also review your account's sign-in activity log — available in the security settings of Gmail, Outlook, Apple Mail, and most major email providers — for any unfamiliar devices or locations. Unauthorized activity means you need to change your password and enable 2FA immediately.
Q: How do I report a fake invitation email? Use your email client's built-in "Report phishing" option (available in Gmail, Outlook, and Apple Mail). You can also file a report with the FTC at ReportFraud.ftc.gov and with the FBI's Internet Crime Complaint Center at ic3.gov.
Courtney
Founder, Cautellus · 20+ years in financial services
Two decades in financial compliance, digital security, and fraud prevention. Built Cautellus because the scam detection tools that exist were made for IT departments, not for real people getting weird texts.