Forget the inbox. Increasingly, spammers are trying to schedule time on your online calendar.
A flood of unsolicited calendar invites have started cluttering people’s Google calendars. After clicking on them, people see the spammer’s message and links to websites trying to sell them something, install tracking cookies, or steal personal information.
We’ve been trained not to open email attachments or click on suspicious links. But calendar invites are different.
Whether you click accept, decline, or maybe on the invite, you return a notification to the sender. It’s proof that you’re a real person at a real email address.
The result: you’ll receive even more unsolicited email.
“It feels so invasive — it’s your calendar — and if you decline it, you’re acknowledging that it’s a valid email address so you put yourself on a sucker list,” says Kevin Haley, cyber security expert at Norton LifeLock.
Even worse, calendar spam is potentially even more dangerous if those invites include malicious code. Any button selected could unleash code that steals information, provides hackers remote access to computers, or cripples your company, says Bob Cook, a cybersecurity expert at the University of Colorado in Colorado Springs.
“It could have an enormous impact across your organization,” says Cook. He recommends that companies educate employees about how to prevent these kinds of social engineering tactics, which he says make up nearly 80% of all malicious attacks.
Calendar spam isn’t new. In 2016, spammers exploited a feature in Apple’s iCal that let hackers steal credit card information from people who clicked on a calendar notification titled “Ray-Ban Black Friday Pricing.”
This current wave of calendar spam exploits a setting in Google Calendars that automatically populates invitations in calendars. The feature’s original purpose is convenience. You’re able to see an invite on the calendar and decide if the time listed works. But spammers use this default setting to their advantage.
Google officials say users can report spam and prevent events from automatically being added to their calendars by unchecking default settings that automatically add meeting invites. They also said that the company was investing in new ways for users to identify and block spammers, and that changes may be rolled out in the coming months.
Apple created its own fixes after the 2016 flood of scams. Now iOS users who receive phony iCal invites through email can report them as junk at the bottom of the message.
The trickier problem comes when iCal invites simply show up on an existing iOS calendar. Clicking decline or trying to delete it alerts spammers that they found a real, valid user.
It’s recommended that you first create a new calendar category to send “spam” calendar invites to. You can than delete that calendar and the spam messages.
To prevent future calendar spam, iCal users should change their iCloud preferences to receive calendar invitations as email rather than having them automatically appear on calendars.
In the end, Haley, from Norton, says that spammers will continue to target calendars if people continue to be fooled. “The bad guys are continually trying to find ways to make you click.”
More must-read stories from Fortune:
—Android 10’s 7 most anticipated new features
—This new app puts deepfake technology in the hands of a mainstream audience
—Google hit with a record fine by the FTC for violating children’s privacy on YouTube
—A U.K court may have made police use of facial recognition easier
—Porsche unveils its first-ever electric car
Catch up with Data Sheet, Fortune’s daily digest on the business of tech.
