Cyber attacks on Gmail and Google calendar: How to keep your business safe
In the digital age, email and calendar management tools like Gmail and Google Calendar are essential to business operations. However, with their widespread use comes an increased risk of cyber threats. Google’s applications, particularly Gmail and Calendar, are prime targets for cybercriminals due to their popularity and ease of access. As businesses rely more on these platforms, it’s critical to stay informed about the latest security threats and how to mitigate them.
A recent alert from Stu Sjouwerman, CEO and founder of KnowBe4, a human risk management firm, shed light on an emerging attack campaign targeting Google users through Google Calendar invites. According to Sjouwerman, attackers need only a user’s Gmail address to send out a calendar invite, and once received, the event is automatically placed in the user’s calendar by default. This method of attack has been around for some time but remains effective due to its simplicity and the ease with which it can be exploited.
The issue lies in the default settings of Google Calendar, which automatically adds events sent via Gmail. Cybercriminals often use this feature to flood users with spam or phishing invitations, which can lead to a range of security issues, including the spread of malware or the theft of personal data.
Mitigating the Risk: Simple Changes to Enhance Security
Fortunately, protecting your business from these types of attacks is relatively straightforward. Stu Sjouwerman recommends a few key settings changes that can drastically reduce the likelihood of falling victim to such attacks.
Step 1: Adjust Google Calendar Event Settings
The first step to enhancing security is adjusting the event settings in Google Calendar. By default, Google Calendar automatically adds all invitations to your calendar, even if you haven’t responded to them. Sjouwerman suggests turning this feature off. Navigate to your Google Calendar settings and change the “Automatically add invitations” option to “Only show invitations to which I have responded.” This simple change ensures that only events you’ve explicitly accepted will appear in your calendar.
Step 2: Disable Gmail’s Automatic Event Addition
Another critical step is to disable the “Automatically add events from Gmail to my calendar” option. Unchecking it prevents Gmail from adding events from emails directly to your calendar. However, while this adds a layer of security, it may impact functionality: genuine automatic invites from services or colleagues will also be disabled. It’s a trade-off between security and usability, and businesses will need to consider which is more important for their operations.
Step 3: Implement Email Verification for Appointments
For businesses using Google Workspace, there’s an added layer of protection that can help mitigate unwanted appointments and calendar invites. Google offers email verification for appointment scheduling, which asks guests to verify their email addresses before they can schedule an appointment. This feature only applies to users who are not signed in to a Google Account, providing an extra layer of authentication that prevents unauthorized access to your calendar.
While the calendar spam in these attacks may seem like an annoyance at first glance, it’s essential to recognize the potential dangers they pose. Although the recent phishing campaigns may appear generic, they can easily be adapted for more targeted and sophisticated attacks. For example, attackers could use this method to impersonate trusted contacts or colleagues, leading users to unwittingly disclose sensitive information or click on malicious links.
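A defender-side check for the invites described above, as an added example that is not part of the original article: it parses an iCalendar (RFC 5545) invite and marks it for review when the organizer is outside your own domains and the event text carries links. The function names, the `TRUSTED_DOMAINS` list and the sample invite are assumptions constructed for illustration.

```python
import re

# Constructed sample invite (RFC 5545 text); every value is made up.
SAMPLE_ICS = (
    "BEGIN:VCALENDAR\r\n"
    "BEGIN:VEVENT\r\n"
    "ORGANIZER;CN=IT Helpdesk:mailto:helpdesk@example.net\r\n"
    "SUMMARY:Action required: mailbox verification\r\n"
    "DESCRIPTION:Your mailbox will be suspended. Confirm at https://login.exam\r\n"
    " ple.net/verify today.\r\n"
    "END:VEVENT\r\n"
    "END:VCALENDAR\r\n"
)

TRUSTED_DOMAINS = {"example.com"}  # assumption: your organisation's own domains
URL_RE = re.compile(r'https?://[^\s<>"\\]+', re.I)
# Property name (with parameters) ends at the first colon outside double quotes.
PROP_RE = re.compile(r'^((?:[^":]|"[^"]*")+):(.*)$')

def unfold(ics_text):
    """Undo RFC 5545 folding: a line starting with space/tab continues the previous one."""
    return re.sub(r"\r?\n[ \t]", "", ics_text).splitlines()

def parse_event(ics_text):
    """Return {PROPERTY: value} for the first VEVENT, dropping parameters such as CN=."""
    props, inside = {}, False
    for line in unfold(ics_text):
        if line == "BEGIN:VEVENT":
            inside = True
        elif line == "END:VEVENT":
            break
        elif inside and (m := PROP_RE.match(line)):
            props[m.group(1).split(";", 1)[0].upper()] = m.group(2)
    return props

def triage(ics_text, trusted=TRUSTED_DOMAINS):
    """Flag an invite whose organizer is untrusted and whose text contains links."""
    ev = parse_event(ics_text)
    organizer = re.sub(r"(?i)^mailto:", "", ev.get("ORGANIZER", "")).lower()
    domain = organizer.rpartition("@")[2]
    text = " ".join(ev.get(k, "") for k in ("SUMMARY", "DESCRIPTION", "LOCATION"))
    urls = URL_RE.findall(text)
    reasons = []
    if domain not in trusted:
        reasons.append("organizer outside trusted domains")
    if urls:
        reasons.append("contains links")
    return {"organizer": organizer, "urls": urls, "reasons": reasons, "hold": len(reasons) == 2}
```

Unfolding before matching matters here: the link in the sample is split across two physical lines and would be missed by a line-by-line search.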
By addressing these vulnerabilities and following the recommended security practices, businesses can greatly reduce their exposure to these types of threats.
For more information on how to adjust your Google Calendar privacy settings, visit Google’s official support page, which provides a comprehensive guide to managing privacy and security options for your account. By staying informed and proactive, businesses can ensure that their data remains secure against evolving cyber threats.