Google Calendar Phishing: The Scam That Bypasses Your Spam Filter
You get a Google Calendar notification. Your Amazon subscription is about to renew. Or there's a delivery exception on a package. Or a vague "security alert" needs your immediate attention. There's a link. You click it.
You clicked it because it was in your calendar. That's not where phishing lives — phishing is an email thing, right? Gmail catches phishing. Your calendar is where you keep dentist appointments and Zoom links.
Scammers figured this out. That's the whole point.
How Calendar Phishing Works — And Why Your Spam Filter Is Helpless
Traditional phishing arrives by email: a message pretending to be your bank, with a link to a fake login page. Gmail catches a lot of this. It flags suspicious senders, known malicious domains, and mismatched headers. The message lands in the junk folder. You never see it.
Calendar phishing sidesteps that process entirely because it doesn't go through your inbox.
Here's the mechanic: a scammer creates a Google Calendar event and adds your email address as an attendee. Google Calendar — the real one, operated by Google — sends you a notification. The event description contains a malicious link. When you open that notification, the link is sitting right there, embedded in what looks like a standard calendar entry.
Your spam filter didn't miss it. It can't catch it. The notification came from Google's own servers, through Google's own calendar system. From a spam-detection standpoint, it's indistinguishable from a coworker sending you a meeting invite.
Check Point Research documented this: attackers use Google Calendar's notification system specifically because it has a trusted delivery path that bypasses the security policies organizations apply to email. Google's own June 2026 fraud and scams advisory flagged calendar invite abuse as an active, evolving threat alongside other phishing techniques that are increasingly hard to catch at the infrastructure level.
The event titles sound urgent: "URGENT: Your subscription renews today — confirm payment." "Package #74938 — delivery exception, click to reschedule." "Security Alert." The content doesn't need to be elaborate. Urgency plus a familiar platform is enough.
There's also a second variant, documented by Malwarebytes: a dormant malicious payload embedded inside an otherwise normal-looking calendar invite — one that can expose private data without requiring any action on your part beyond accepting the invite. Most people accept calendar invitations without a second thought.
The MFA Problem Nobody Talks About Enough
Let's say you clicked the link in that calendar event and ended up on what looks like a Google sign-in page. You've been careful about security — you have two-factor authentication enabled. You enter your password. Then your 2FA code. Surely that protects you?
Not against what's called an Adversary-in-the-Middle (AITM) attack.
Here's the thing about MFA: it verifies you at the moment of login. It does not protect the session token your browser stores after login — the token that keeps you from having to enter your password every time you open Gmail. Steal that token, and you don't need the password or the 2FA code. You just skip login entirely and walk into an authenticated session.
AITM phishing works by placing a real-time relay between you and the real website. When you type your password and then your 2FA code into the fake sign-in page, the relay passes both to the real Google in real time — completing a genuine login. Google thinks it's you. Meanwhile, the relay captures your session cookie and hands it to whoever is running the attack. You're logged in. So are they.
Google's June 2026 advisory specifically called out AITM toolkits as a primary threat. Even after Barracuda disrupted the Tycoon 2FA phishing-as-a-service platform in April 2026, phishing volumes using these techniques remained high. The tools exist, they're accessible, and they work on people who have done everything right — including enabling 2FA.
Google's response is something called Device Bound Session Credentials (DBSC), which ties session tokens to your specific device so stolen cookies don't work elsewhere. That rollout is ongoing. Until it's universal, the attack remains viable.
Why This One Is Harder to Spot
Two things make calendar phishing especially effective against people who would normally catch a phishing email.
The delivery channel reads as safe. When something appears in your Google Calendar, your brain processes it differently than your inbox. The calendar has less noise, and — critically — it has a higher assumed signal-to-noise ratio. Every entry was either created by you or accepted from a known person. Scammers are counting on that trust.
The link itself often looks legitimate. Many of these attacks host malicious content on real Google infrastructure — Drive links, Docs redirects, or other services with recognizable domains. Your browser shows something starting with docs.google.com and your threat radar says "that's Google." The redirect to the actual phishing page happens after you click. By then, you're on a fake login page that looks exactly right.
Red Flags, One by One
These are specific — not just "be careful."
1. You didn't create this event or accept it from someone you know. Google Calendar should not have events you didn't agree to. If an entry appears and you have no memory of it, that's your first signal.
2. The event description is built around a link. Legitimate calendar events for meetings contain video call links (Zoom, Teams, Google Meet). Events for appointments have addresses. A calendar event whose entire content is an urgent message and a link — "your account is at risk, verify now" — is not a calendar event. It's a delivery mechanism.
3. The urgency is the whole point. Real calendar reminders are about things you scheduled. Scam calendar events are built entirely from manufactured pressure: your package is stuck, your subscription failed, your account was flagged. If the calendar notification is the urgency rather than a reminder about something you already know, treat it as suspicious.
4. Clicking leads to a sign-in prompt. You should not need to authenticate with Google to view something delivered through your Google Calendar. If a page immediately asks for your Google, Apple, or Microsoft credentials before showing you anything useful, close it.
5. The sign-in URL isn't exact. Before entering credentials anywhere, check the URL bar. Legitimate Google authentication happens at accounts.google.com. Not accounts-google.verifications-secure.com. Not google.accounts-login.net. The calendar notification came from Google; the linked page doesn't have to. Check the domain before you type anything.
6. Your calendar is set to add events automatically. By default, Google Calendar can import events from Gmail — meaning a scam "order confirmation" email can trigger a calendar entry without you accepting it. Most people never change this setting. Scammers know that.
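The red flags above can be applied mechanically to an invite before anyone clicks. The script below is an added example, not Cautellus code: it reads an invite in iCalendar (.ics) form and scores red flags 1, 2, 3 and 5 plus a lookalike-host check. The sample invite, the address book and the urgency phrase list are constructed for illustration, and the meet.google.com / zoom.us / teams.microsoft.com hostnames are assumed for the video services the list names.

```python
import re
from urllib.parse import urlparse

# Constructed sample invite, folded the way RFC 5545 wraps long lines
SAMPLE_ICS = "\r\n".join([
    "ORGANIZER;CN=Billing:mailto:billing@renewals-notice.example",
    "SUMMARY:URGENT: Your subscription renews today - confirm payment",
    "DESCRIPTION:Confirm here: https://accounts-google.verifications-secur",
    " e.com/login"])
URGENCY = ("urgent", "verify now", "renews today", "delivery exception",
           "security alert", "account is at risk", "confirm payment")
MEETING_HOSTS = ("meet.google.com", "zoom.us", "teams.microsoft.com")
KNOWN_CONTACTS = {"colleague@example.com"}   # constructed address book

def parse_ics(text):
    # Unfold continuation lines, then keep "NAME[;params]:value" properties
    props = {}
    for line in re.sub(r"\r?\n[ \t]", "", text).splitlines():
        if ":" in line:
            name, value = line.split(":", 1)
            props[name.split(";")[0].upper()] = value.strip()
    return props

def host_of(url):
    return (urlparse(url).hostname or "").lower()

def under(host, domain):   # exact host, or a subdomain of it
    return host == domain or host.endswith("." + domain)

def is_exact_signin_host(url):
    # Red flag 5: a real Google sign-in page lives at accounts.google.com, exactly
    return host_of(url) == "accounts.google.com"

def triage(ics_text, known=KNOWN_CONTACTS):
    # Red flags 1, 2 and 3 plus a lookalike-host check; [] means nothing tripped
    p = parse_ics(ics_text)
    flags = []
    if p.get("ORGANIZER", "").lower().replace("mailto:", "") not in known:
        flags.append("organizer is not a known contact")          # flag 1
    desc = p.get("DESCRIPTION", "")
    urls = re.findall(r'https?://[^\s<>"]+', desc)
    prose = re.sub(r"https?://\S+", "", desc).split()
    call_link = any(under(host_of(u), m) for u in urls for m in MEETING_HOSTS)
    if urls and not call_link and len(prose) < 25:
        flags.append("description is built around a link")        # flag 2
    if any(k in (p.get("SUMMARY", "") + " " + desc).lower() for k in URGENCY):
        flags.append("urgency language in title or description")  # flag 3
    if any("google" in host_of(u) and not under(host_of(u), "google.com") for u in urls):
        flags.append("link host imitates Google but is not google.com")
    return flags
```

Run `triage(SAMPLE_ICS)` to see all four flags fire on the constructed invite; a genuine meeting from a known contact with a Meet link returns an empty list.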
If You Already Clicked That Link
Stay calm. The specifics matter.
If you clicked but landed on a suspicious page and closed it without entering anything: You're probably fine. Clear your browser cache, check your recently installed browser extensions for anything you don't recognize, and review your Google account's active sessions at myaccount.google.com/security. Full checklist in our guide on what to do after clicking a scam link.
If you entered your Google password but stopped before completing the 2FA step: Change your Google password immediately at myaccount.google.com. Your active session is likely still safe, but the password is compromised. Enable two-factor authentication if you haven't already, and audit active sign-ins for anything unfamiliar.
If you completed the full login flow on the phishing page: This is the AITM scenario — your session may already be stolen. Go directly to myaccount.google.com/security and review active sessions. Sign out of everything except your current session. Change your password and your account recovery email. If your account supports it, set up a passkey — passkeys are device-bound and phishing-resistant in a way that passwords and session cookies aren't. Then work through our guides on recovering from an account takeover and what to do after clicking a scam link.
Report the event: in Google Calendar, open the suspicious event and look for the three-dot menu — there's a "Report" option that sends the event to Google for review.
Two Settings to Change Right Now
You don't have to wait to get targeted.
1. Turn off automatic event creation from Gmail. In Google Calendar: Settings (the gear icon) → Events from Gmail → toggle off "Show events automatically created by Gmail." This closes the back door that lets a phishing email auto-populate your calendar without you explicitly accepting it.
2. Stop accepting calendar invites from strangers. In Google Calendar: Settings → Event Settings → change "Automatically add invitations" from "Yes, all invitations" to "No, only show invitations to which I have responded." This means calendar events from unknown senders require you to actively accept them before they appear.
Both take under two minutes. Neither breaks anything about how you use Calendar with people you actually know.
For the broader picture of how phishing has evolved — what changed, what the new techniques look like across email and other channels — our guide on spotting phishing emails covers the full landscape. Calendar phishing uses the same psychological levers as email phishing (urgency, trusted branding, familiar-looking login pages). The delivery route changed. The manipulation script didn't.
FAQ
Is Google Calendar phishing the same as the fake invitation email scam?
Related but different. The fake invitation email scam involves phishing messages sent as emails, often from a compromised contact's account — it targets your inbox. Calendar phishing uses Google Calendar's notification system directly, delivering the malicious link inside a calendar event rather than an email. Because it bypasses your email inbox entirely, your spam filter never sees it. Different delivery route, same credential-theft goal.
I have two-factor authentication. Doesn't that protect me?
For standard phishing — a fake login page that collects your password — yes, 2FA is a strong defense. For Adversary-in-the-Middle attacks, it's not complete protection. AITM toolkits relay your credentials and your 2FA code to the real Google in real time, completing a legitimate login and capturing your session token in the process. They don't need to steal your password — they steal the already-authenticated session. Google is rolling out countermeasures (Device Bound Session Credentials), but AITM attacks remain active.
How did a calendar event appear that I never accepted?
If your Google Calendar settings are configured to automatically add events from Gmail (the default for many accounts), a scammer who sends you a fake "order confirmation" or "shipping alert" email can trigger a calendar entry without you ever clicking "Accept." Disabling automatic event creation from Gmail in Calendar Settings closes this path.
The link in the calendar event starts with docs.google.com. Doesn't that mean it's safe?
Not necessarily. Attackers specifically host initial links on Google's own infrastructure — Drive, Docs, Sites — because those URLs look trustworthy. The real Google URL acts as a redirect to the actual phishing page. What's in your browser bar at the moment you clicked is not the same as what you'll see when the page loads. Always check the URL on the page where you're being asked to enter credentials, not the URL in the calendar event.
What's the single most useful thing I can do right now?
Go into Google Calendar Settings and disable automatic event creation from Gmail. That one change prevents the most common delivery path for calendar phishing — fake shipping and subscription emails that auto-populate your calendar without you accepting anything. It takes about 90 seconds.
Sources: Google June 2026 Fraud and Scams Advisory; Check Point Research — Google Calendar Notifications Bypassing Email Security Policies; Malwarebytes — Malicious Google Calendar Invites, January 2026; Hoxhunt — The Rise of Calendar-Invite Phishing.
Courtney
Founder, Cautellus · 20+ years in financial services
Two decades in financial compliance, digital security, and fraud prevention. Built Cautellus because the scam detection tools that exist were made for IT departments, not for real people getting weird texts.