Search Information Security site

 

Main menu

What's on your calendar?

 

You may have a date with a hacker without even knowing it.

Of course, we’re not talking about the kind of date where you sit down for a candlelit dinner (although, we suppose this could also be the case if the person you’re dating spends all their time in a secret computer lab). Instead, we’re referring to your online calendar -- a tool most people use to keep their busy lives as organized as possible. 

Scammers have adopted ways to steal your information by gaining access to your online calendar. In one scenario, hackers send you an invitation to a fake event that includes a link to a survey offering free money for completion, and then steal your data when you enter your information into that survey. In another case, employees received a Microsoft Teams invite from the company CEO, and when they clicked the link they were taken to a phishing site designed to look like a Teams chat box where they were asked to enter private information. Scams like these have been reported on many online calendar platforms, including highly reliable and well known software providers Google and Microsoft. 

Calendar scams are pretty effective, because people have generally learned to recognize or have become used to receiving spam notifications in their emails or via phone calls, but don’t expect to be hacked via calendar invite. Fortunately, there are a few simple ways to avoid falling prey to such scams: 

  1. Change your calendar settings. In google calendar, the default setting automatically adds events from your gmail. WIth this setting left as is, hackers only need your email address to put an event on your calendar. To change the setting, uncheck the box next to "Events from Gmail / Add automatically." 

  2. Use your instinct and ask common sense questions before giving away sensitive information. For example, would President Jim Ryan or Executive Vice President and COO J.J. Davis be likely to invite you and a few other team members to a private meeting? And why would President Jim Ryan or Executive Vice President and Provost Liz Magill need personal information from you?

  3. Would a survey really be giving away free money? Who’s behind the survey, and are they a reliable company?

The danger of allowing anyone on the internet to access and edit your calendar extends beyond information theft -- it can endanger your physical property too. Therefore, perhaps the most important takeaway setting your google or other non-UVA calendar to private (internal viewership only). Many online calendar users have their calendar settings arranged so that anyone with their email address can view their schedule, which allows criminals to access information about when property is likely to be vulnerable for theft (such as when you're on vacation). Similarly, posting on social media that you are going on vacation is unwise, since thieves can access that information and rob your property while you’re away. 

Report an Information
Security Incident

Please report any level of incident, no matter how small. The Information
Security office will evaluate the report and provide a full investigation if appropriate.

Complete Report Form