Usherwood Blog | Usherwood Office Technology

Meeting Invite Phishing Is the Latest Cybersecurity Scam to Watch

Written by Libby King | Feb 3, 2026 5:18:09 PM

These days it can feel like workdays revolve around a steady stream of meeting notifications; team check‑ins, project updates, surprise invites from departments you forgot about. Cybercriminals know this, too, and now they’re exploiting it.

Across industries, cyber security teams are warning about a growing threat: meeting invite phishing, a tactic where attackers send fake calendar invitations designed to steal login credentials or install malware. These invites look official and often bypass standard email defenses, so many people don’t realize they are a scam.

This blog breaks down how the scam works, how to detect it, and what you can do to protect yourself.

What Is Meeting‑Invite Phishing?

Meeting invite phishing is a social engineering method where attackers send a fake calendar invitation often as an .ics file attachment to trick people into clicking malicious links or sharing sensitive information.

Simply: It’s a phishing email disguised as a calendar meeting.

These invites are designed to look like real Zoom, Teams, Google Meet, or internal company events. Many calendars' settings default to automatically add any meeting invites without user approval, so the meeting scam can appear more trustworthy than a typical phishing email.

Why .ICS Files Are a Problem

An .ics file is a universal calendar format used by:

  • Outlook
  • Google Calendar
  • Apple Calendar
  • And more scheduling apps

Almost every platform accepts .ICS files which makes it an easy target for attackers to use to sneak malicious content through filters. Some security tools scan email bodies, but not calendar event files which makes them a perfect loophole for calendar invite scams.

Why This Scam Is Growing So Quickly

Organizations like Google, Microsoft, and cybersecurity groups have reported a increase in meeting scams because of these reasons:

1. People trust calendar invites more than emails

We’re conditioned to treat meeting requests as routine and legitimate, not suspicious.

2. Invites often bypass spam filters

Many systems automatically add events to your calendar even if the original email is flagged or soft‑deleted.

3. Remote work = more meetings

For companies that have multiple branches, are all remote, or hybrid, the amount of meetings being made increases. The more meetings we attend, the easier it is for a malicious invite to blend in.

4. Attackers can now use AI

Attackers can generate highly polished, personalized invitations that look identical to real company communications. Including mimicking a employee’s voice or email.

All these factors make meeting invite phishing one of the fastest‑growing social engineering tactics today.

How to Detect a Fake Meeting Invite

These are the signs you should watch out for every time you receive a meeting request especially unexpected one.

1. Visual Red Flags

These inconsistencies are often easy to spot:

  • Vague or generic event names
    “Security Alert Meeting,” “Important Update,” “Account Issue,” “HR Notification”
  • Odd scheduling
    Meetings at strange hours or with unfamiliar time zones.
  • Organizers you don’t recognize
    This can be from a email address you don’t recognize often seen as random numbers or letters or external senders disguised as internal departments with some error in the name.
  • Unexpected attachments
    Real invites rarely include a PDF or Word document.
  • Branding that feels slightly ‘off’
    Incorrect logos, blurry icons, odd capitalization (e.g., “TEAMS meeting”).

2. Technical Red Flags

These require a closer look:

  • Links that don’t match your meeting platform
    Hover over “Join Teams Meeting,” does it actually lead to Microsoft?
  • External organizers posing as internal contacts
    Example: “it-support@secure‑help‑365.com”
  • Mismatching fields
    The organizer email doesn’t match the sender email.

3. Behavioral Red Flags

These focus on how the invite makes you feel:

  • Urgency or pressure
    Phrases like; “Mandatory immediately,” “Must attend to avoid account suspension”
  • Authority impersonation
    Appears to come from HR, legal, IT, or even your boss.
  • Surprise meetings
    No context, no prior conversation, no attached agenda.

If anything feels rushed, odd, or out of character, trust your instincts.

How Meeting‑Invite Phishing Works

Most attacks follow a predictable pattern:

  1. You receive an email containing an .ics file or a calendar event link.
  2. The event includes a malicious link, attachment, or phone number.
  3. Depending on your settings, the invite may auto‑appear on your calendar even if you delete the email.
  4. You click “Join Meeting” → a fake login page loads.
  5. You enter your credentials → attackers gain access.
  6. Your compromised account is then used to send internal phishing messages, appearing more legitimate.

What Happens If You Click?

The consequences vary, but they’re all serious.

1. Credential Theft

Fake login pages are designed to capture:

  • Email passwords
  • Multifactor authentication prompts
  • Corporate login details

2. Account Takeover

Once inside, attackers may:

  • Send internal phishing from your email
  • Access sensitive files and internal platforms
  • Forward copies of your messages externally
  • Reset passwords on connected accounts

3. Business‑Wide Impact

One compromised account can:

  • Trigger widespread phishing
  • Cause data exposure
  • Disrupt operations
  • Damage trust with clients and vendors

How to Protect Yourself

You don't need to be an IT expert to prevent these attacks. A few simple habits make a huge difference.

Easy Steps Anyone Can Take

  • Hover before clicking: Check the real destination of “Join Meeting” links.
  • Verify the organizer: Use Teams chat, email, or organization information hubs to confirm unusual invites.
  • Delete suspicious invites: Remove both the email and the calendar event.
  • Check your default settings:
    • In Outlook, make sure auto accept for calendar invites is disabled.
      • Under File, Options, Calendar, Auto accept/decline settings
    • In Google Calendar, enable “Only show invitations from known senders.”

What IT Teams Can Do Behind the Scenes

For readers with leadership or admin roles, here are common security measures organizations are adopting:

  • Disabling auto‑accepting calendar invites
  • Blocking unknown external senders from adding events
  • Improving .ics scanning at the gateway level
  • Training employees on this new attack pattern
  • Enforcing multi‑factor authentication
  • Running phishing simulations that include calendar‑based phish

What to Do If You Suspect a Calendar Phish

A simple 5‑step guide:

  1. Don’t click any links.
  2. Screenshot the invitation for your IT/security team.
  3. Report it using your organization’s phishing tools or email security features.
  4. Delete the email.
  5. Delete the calendar event (important because otherwise the link stays).

Slow Down, Verify, and Stay Cautious

Meeting‑invite phishing isn’t just another cybersecurity trend, it’s a sign of how social engineering continues to evolve. Attackers know that people trust calendar invites more than emails, and they’re exploiting this gap.

But with awareness, small setting changes, and a habit of verifying unexpected invites, anyone can avoid this scam. Your calendar should help organize your day, not compromise your account.

Cybercriminals are evolving fast, but so is Usherwood. Our cybersecurity specialists are on the front lines of emerging threats like meeting invite phishing, helping organizations stay a step ahead through proactive monitoring, advanced threat detection, and employee safety training. If you’re looking to strengthen your defenses fill out a tech evaluation below. 
 

FAQ: Platform‑Specific Meeting & Calendar Scam Questions

1. What is an Outlook scam email, and how does it relate to calendar invite phishing?

An Outlook scam email is a phishing message that appears to come from Microsoft Outlook but is actually designed to trick you into clicking malicious links or accepting fake calendar events. Attackers often send scam email from Outlook containing .ics files that automatically add events to your calendar, making the meeting request look legitimate. These calendar entries can contain dangerous “Join Meeting” links that lead to credential‑theft pages.

2. What is a Google Meet scam?

A Google Meet scam involves a fake meeting invitation that looks like it was scheduled through Google Meet. These Google Meet scams typically include a “Join Meeting” link that directs you to a spoofed Google login page designed to steal your Google Workspace or personal Gmail credentials. If your Google Calendar automatically accepts invites, these events can appear without you realizing they came from a suspicious sender.

3. Are there Zoom meeting scams, too?

Yes, Zoom meeting scams are increasingly common. Attackers send fake Zoom event invitations or .ics files that mimic real Zoom links. The malicious link may look like a standard “Join Zoom Meeting” URL but instead redirects to a credential‑harvesting page. Because Zoom is widely used across industries, these fake invites blend in easily.

4. How do meeting scams work across different platforms?

Whether it’s Outlook, Gmail, Teams, Google Meet, or Zoom, meeting scams work in similar ways:

  • You receive a fake meeting invitation (via email or an .ics file).
  • The event uses official-looking branding from Outlook, Google Meet, or Zoom.
  • Once accepted, the event appears on your calendar.
  • When you click the meeting link, you’re taken to a fraudulent login page.
  • Attackers capture your credentials and may use your compromised account to launch further internal phishing.
View full post