When COVID-19 struck, calendar software and videoconferencing became a viable, popular means of doing business. Unfortunately, cybercriminals got the memo and have begun pursuing a new and particularly dangerous line of attack.
Email attacks have long been the hacker’s preferred modus operandi, and remain so even today. But most people have become rightly more suspicious of emails, so today’s hackers, like the savvy businesspeople they are, are casting wider nets and chasing multiple revenue opportunities.
Calendar fraud attacks started appearing a few years ago, but particularly since the pandemic started, these efforts to infiltrate platforms such as Zoom, Microsoft Teams, WebEx, and Google Calendar are wreaking havoc on unwitting victims.
“We’re on these [videoconferences] a lot more than we used to be, and if something’s on our calendar, we just kind of trust that we put it there or that someone in our office or someone else who had access put it there,” said Patrick Brown, vice president of Enterprise and Operational Risk Management at Lawyers Mutual of North Carolina.
Unfortunately, that may not always be the case.
Since 2020, Brown has incorporated information on calendar fraud into cybersecurity presentations, though he admits that it may only be one small part of a comprehensive discussion covering smishing (SMS/text phishing), vishing (voice phishing), and other -ishings. But Brown said that while calendar scams might go by a different name, it’s the same game.
“Basically, it’s a form of phishing that takes advantage of the user-friendly features in calendars where an appointment is automatically added to your calendar even before you accept it,” Brown said.
Calendar fraud can be particularly effective because these very high-risk entries, notifications, and invitations reside within trusted web applications, said attorney Jack Pringle of Adams & Reese in Columbia, South Carolina.
“A lot of people don’t give thought that one’s calendar might be an attack vector,” Pringle said. “But as with anything else, it’s important to understand that it’s not magic if someone manages to put something on your calendar if they know your email address and if settings allow them to put things on your calendar without approval.”
A study conducted by cybersecurity and antivirus provider Kaspersky Lab, focusing mainly on Google Calendar, found that users are less likely to ignore calendar invitations and events and more likely to open links on the fly that they assume to be sound.
These conference links act like a legitimate meeting app, Brown said, but lead the recipient to an empty room. And by the time they realize what they’ve waded into, it’s too late.
“No one else shows up for the meeting but, in the background, something has happened,” Brown said. “Maybe it’s downloaded malware or ransomware or keylogger [software that records the strokes the user makes on their keyboard] or some sort of command-and-control software.”
Brown recommends quarterly, if not monthly, security awareness training. He likens it to regular CPR training for lifeguards, except it provides “muscle memory” for hacker defense.
“It keeps us all safer and keeps everyone thinking about it,” Brown said. “If you see something suspicious, anything that you don’t remember putting there, report it.”
Most experts agree that protecting everything, all the time, from experienced, motivated bad actors is likely impossible. In addition to being computer whizzes, scammers are notoriously persistent, sometimes setting reminders to send messages until the invitation is deleted or the recipient enters the room.
To help counteract that persistence, as with other cyber scams, experts recommend a healthy dose of skepticism and common sense. In a world where information from family schedules to financial information is synced and responses are often instantaneous, Brown said that the motto should be “don’t trust anything.”