What the hack! This week, I learned that spammers can add events to your Google calendar without your permission. Then you'll get a notification about an upcoming "meeting" that's actually an unsolicited marketing message. Let me tell you how it happened to me and what you can do to prevent it.
I was working on a recent Friday afternoon when I heard my phone make the chime it uses to remind me that I have a meeting starting in 10 minutes. However, it was 2:50 pm and I didn't recall having a meeting scheduled for 3 pm.
So I went to check my Google Calendar, only to see a listing for a meeting with "Reign Supreme ??" coming up. "Could this be a meeting I agreed to but forgot about," I asked myself. The location was listed as "Austin, TX" which is thousands of miles away, but maybe I was supposed to talk to a company based out of there. The event was listed on my work calendar, which is part of Google's Workspace.
Then I opened up the calendar entry to see who it was from and saw that the text said "Hi Do you want more clients and customers? We will help you by putting you on the 1st page of Google." I get unsolicited emails with this kind of offer several times a week and I always ignore / delete them. There's no way I would have agreed to meet with the person offering this.
I then checked my Gmail inbox, but I couldn't find any email invitation from the person named in the calendar invite. I searched for the sender's name, email address and even snippets of text from the event description, but I didn't get any results. Eventually, I located the email invite in my Spam folder, where it obviously belongs (and messages marked as spam don't appear in searches).
So it seems that the spammer discovered a nasty vulnerability. They sent an email with an invitation to a fake event (or perhaps their own marketing call; I didn't attend) and included their marketing message in the event description. This is possible because, by default, Google adds events it sees in Gmail messages to your calendar, whether you RSVP to them or not.
Because the spammer's message was sent to my Spam folder, I didn't see it and have the opportunity to decline the invite. The message arrived just a few minutes before the meeting was scheduled so I didn't spot it in my calendar, until I got a notification that the event was upcoming.
Clearly, Google has left a gaping security hole in its calendar / Gmail app. But there are benefits to the default behavior. Countless times, I've missed an email invitation for a required meeting, but still saw it on my calendar and remembered to attend. Unfortunately, Google seems to be unable to distinguish spam invitations from legitimate ones and puts them all on your calendar, even if the email was spammy enough to end up in the spam folder.
The spam event appeared on my work calendar, which is part of a corporate Google Workspace account. However, since the default settings are the same, I am sure that the same problem could occur on my personal Google account.
This vulnerability has been around for many years, but I only learned about it a few days ago. So this is the only time I have been a victim of the exploit and the consequences were pretty minimal: a distracting notification and a couple of minutes of my time wasted.
How to Prevent Google Calendar Spam
If you want to prevent spammers from adding events to your Google Calendar, you can change a couple of settings. Depending on how you configure the calendar, you may have to be proactive about actually clicking "yes" on meetings you want to attend. But you won't get spam entries.
To disable automatic calendar additions:
1. Navigate to Google Calendar.
2. Click the gear icon and select Settings in the upper right part of the screen.
3. Under Event settings, change "Add invitations to my calendar" to either "Only if the sender is known" or "When I respond to the invitation email." The default setting is "From everyone," which will add any invite to your calendar.
If you choose to allow only known senders, the system will only automatically add events from senders in your contacts list / people you have interacted with before. If you choose "when I respond," it will only add invites you've clicked "yes" on. I'm changing mine to "sender is known" so it still auto adds invites from people in my company.
4. Uncheck "Show events automatically created by Gmail" if you want to prevent Gmail from adding to your calendar on its own. Keep in mind that Gmail not only adds invitations to your calendar but also other events, such as flight departures, which it sees when you receive a travel itinerary.
Having your flight departures automatically added to your calendar could be a huge convenience, but it could also be an annoyance. For example, my mother went on vacation and forwarded me her travel itinerary, so Google Calendar alerted me that I had a flight leaving soon, even when it wasn't me who was traveling.
If you change one or both of these settings, you should eliminate the possibility of Google calendar spam. However, it's lame that you should even have to do this.
Google should change the default setting so that its calendar doesn't add events from unknown senders. And the company's tools should be smart enough to know that, if an event invite belongs in the spam folder, that event shouldn't be added to your calendar without your explicit consent.
