With the proliferation of online meetings in the past few years thanks to a certain global event, we’ve seen the rise of scheduling apps that aim to help users figure out just how they’re going to get eight different people’s daily schedules to line up. Sure, Outlook might already do that, but Outlook is so last decade, so some users have taken to using online calendar apps like Calendly to send out invites instead.

But like with any suddenly-popular app, Calendly has also become the target of several phishing campaigns. Most recently, criminals have taken to sending fake login pages attached to their invites. These pages will pretend to be an online viewer for a document or presentation, prompting the user to log in with their credentials to view the file.

An example of the fake Microsoft log-in page. Source: INKY

If your alarm bells don’t go off based on the sketchy URL (it’s not an official Microsoft domain!) and you enter your credentials, the fake login page will be extra nefarious and pretend like you made a mistake, just to prompt you to enter your password a second time. This helps criminals ensure they’re not getting typos in their passwords, or, if you’re the type to cycle through a handful of passwords for every site and you just try a different one, now the criminal has two passwords they can use to try and hack your other accounts with (pro tip: don’t re-use your passwords.).

The worst part about this particular campaign — after harvesting all your login information, the site will forward you back to the email’s domain, which might trick victims into believing the login was legit. It’s altogether a very professional-looking scam.

Here’s what you can do to avoid falling for phishing attacks like these:

  • Be wary of unexpected links or attachments. These emails are usually sent spontaneously with no previous contact. If you weren’t expecting an invite or file, be very cautious of opening it. Criminals have no manners and will just rudely send it to your inbox, so you don’t have to feel bad about ignoring and deleting.
  • Keep an eye on addresses. The link included in the calendar booking page does not lead to a site on the company domain, nor an official Google or Microsoft domain. If the link doesn’t look right, don’t click it.
  • Check the sender. Is it someone you know? Were you expecting this? And, especially for those of us on-campus, is it someone from within the University? All official University employees, students, and faculty will have an @pugetsound.edu address for their emails.
  • Use a password manager. Sometimes the link will look legit, and the fake site is really well designed. We get it. Criminals are really, really good at this. You can’t be a cyber-criminal expert all the time — but a password manager can. If you have your credentials saved on the legitimate website, it will auto-populate when you’re on the real website. If it doesn’t give you your password automatically, that’s a good sign you’re not on the real site. Plus, password managers can help you use unique passwords for every site — that’s extremely important to make sure getting compromised on one site won’t spill over into other accounts!

For further reading, be sure to check out INKY’s release here, or Bleeping Computer’s excellent write-up.