UPDATED with comment from Google and revised instructions for removing calendar spam. This story was originally published on May 11, 2018.
Nestled on your calendar between a 1:30 p.m. lunch and a 2:30 p.m. phone call sits an appointment you weren’t expecting. You didn’t create it, and you certainly didn’t accept an invitation for it, but there it is: “$$$ Playmate Wanted $$$.”
Congratulations, you’ve been hit with Calendar spam.
Calendar services from Google, Microsoft, and Apple are susceptible by default to having appointments placed on them without user permission, says security expert Bryan Seely. He cautions users who encounter calendar spam against clicking on any of the links embedded in the appointment notice or invitation.
“Calendar spam is trying to trick you to click on something stupid. I haven’t heard of many of them resulting in ransomware, but it could happen. It’s just trying to cast the biggest net to get the biggest number of email addresses, and hope that some of them click,” he says. “It’s literally a phishing expedition.”
In a statement to The Parallax in August 2019, a Google representative said the company is “investing in new ways for users to identify and block spammers,” with changes expected to reach consumers in “the coming months.”
Microsoft declined to comment for this story. Apple did not return requests for comment. But fortunately, you can take steps to flag calendar spam—and prevent it from automatically popping up in your calendar again.
Google provides tools to remove calendar spam, but in a limited manner that works only from a Web browser. From Google Calendar, double-click on the Spam event. Be careful not to reply to it, and not to click on any of the links within it. Click the More Actions drop-down menu. If the event was created by another user, you’ll see the “Report spam” option. The event, along with all others from that organizer, will be removed from your calendar.
If the event was created by an email sent to you, even if the email was flagged by Gmail as spam, the event will be added to your calendar. To remove an event from your calendar, single-click on it, and select the garbage can icon to remove it.
READ MORE ON SPAM
To prevent more spam from automatically showing up on your Google Calendar in the future, click the Gear icon in the upper-right corner, and go to Settings. Scroll down to Event Settings, and change Automatically Add Invitations to, “No, only show invitations to which I have responded.”
Google did not respond directly to multiple questions about why events created by emails flagged as Spam in Gmail were able to add events to Google Calendar.
Outlook Calendar: Similar to stopping spam in Google Calendar, open your Outlook Calendar in a Web browser, and click the Gear icon in the upper-right corner. Then click View Full Settings and, from the left pane, Calendar. From the right pane, click Calendar in Email.
Under “Events from email,” uncheck “Automatically add events to my calendar from email,” then click the Save button. This will prevent useful events like flights or concerts from being automatically added to your calendar, but it will also stop spam from showing up. At the time of writing, Microsoft did not appear to have a spam-reporting option in Outlook Calendar.
iCloud Calendar: Apple added a spam event-reporting feature to Calendar invitations at the end of 2016, following a bad spate of spam. To use it, open Calendar in iCloud.com, click on the spammy event, and click Report Junk. Then click OK to remove the event from all your iCloud-synced devices.