Users seem to have a bit of a blind spot when it comes to solutions put out by Google, particularly the risks associated with Gmail. It\u2019s almost odd to say: a security threat leverages Gmail. Unfortunately, it isn\u2019t unheard of, as a phishing scam has been leveraging Gmail and its cooperation with Google Calendar for some time now.<\/p>\n
<\/p>\n
Here, we\u2019ll review the basic experiences that this scam subjects a user to as it sets the trap\u2026 and, of course, what your business can do to avoid these threats.<\/p>\n
Put yourself in the shoes of a targeted user for a moment: just like any other day, you access your Gmail account and discover what looks like a Google Calendar invite. The invite is apparently for some kind of company-wide meeting (probably to discuss the company\u2019s trajectory, policy changes, or something like that) to take place at the end of the workday. The message includes a link to the complete agenda, which can be accessed once a user confirms their credentials. You do so\u2026 and in doing so, fall for a scam.<\/p>\n
This scam can be pretty safely categorized as \u201cbrilliant in its simplicity,\u201d much like other phishing attacks can be nowadays. By using Google\u2019s own convenience-based features, a fraudulent calendar event can be automatically added to a user\u2019s Google Calendar, notifying the user. Fraudulent links send the user to a faked Google login page, where the user\u2019s credentials are stolen as they attempt to log in. Alternatively, the link just begins installing malware directly to the targeted system. This scam has also proved effective against private users – informing them of some fabulous cash prize they\u2019ve \u201cwon\u201d through these fake Calendar entries.<\/p>\n
As it turns out, the details of this scam were reported to Google by an IT security firm in 2017, but Google has not made any steps to resolve it until recently.<\/p>\n
The firm stumbled upon this discovery when a coworker\u2019s flight itinerary appeared in an employee\u2019s Google Calendar. From there, the researcher realized the implications of this accidental discovery, and quickly determined that users just don\u2019t anticipate phishing attacks to come in through their Calendar application.<\/p>\n
Now that Google has acknowledged the issue, a fix is currently being developed as of this writing. Until the point that a successful fix is deployed, you need to make sure your users are protected against this vulnerability.<\/p>\n
The first thing they need to do is ensure that no Gmail events are automatically added to their Google Calendar. Under Settings<\/strong> in the Google Calendar application, they need to access their Event settings<\/strong>. From there, they need to deselect<\/strong> the option to Automatically add events to my calendar<\/strong> from their Events from Gmail<\/strong>.<\/p>\n To disable invitations to events from automatically adding themselves to the Google Calendar, a user needs to go through the same process, this time switching the Automatically add invitations<\/strong> option to the much safer \u201cNo, only show invitations to which I have responded<\/strong>.\u201d<\/p>\n With any luck, this – combined with a little vigilance from your users – will protect your business from a phishing attack via its schedule. To learn more about how to protect your business against a variety of threats, subscribe to our blog, and give COMPANYNAME a call at PHONENUMBER.<\/p>\n","protected":false},"excerpt":{"rendered":" Users seem to have a bit of a blind spot when it comes to solutions put out by Google, particularly the risks associated with Gmail. It\u2019s almost odd to say: a security threat leverages Gmail. Unfortunately, it isn\u2019t unheard of, as a phishing scam has been leveraging Gmail and its cooperation with Google Calendar for […]<\/p>\n","protected":false},"author":1,"featured_media":6558,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_et_pb_use_builder":"","_et_pb_old_content":"","_et_gb_content_width":""},"categories":[12],"tags":[50,151,15],"_links":{"self":[{"href":"https:\/\/staging.datcomllc.com\/index.php\/wp-json\/wp\/v2\/posts\/6557"}],"collection":[{"href":"https:\/\/staging.datcomllc.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/staging.datcomllc.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/staging.datcomllc.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/staging.datcomllc.com\/index.php\/wp-json\/wp\/v2\/comments?post=6557"}],"version-history":[{"count":0,"href":"https:\/\/staging.datcomllc.com\/index.php\/wp-json\/wp\/v2\/posts\/6557\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/staging.datcomllc.com\/index.php\/wp-json\/"}],"wp:attachment":[{"href":"https:\/\/staging.datcomllc.com\/index.php\/wp-json\/wp\/v2\/media?parent=6557"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/staging.datcomllc.com\/index.php\/wp-json\/wp\/v2\/categories?post=6557"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/staging.datcomllc.com\/index.php\/wp-json\/wp\/v2\/tags?post=6557"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}