Important Security Update: Google Calendar Invitation Settings Change

Brown's Office of Information Technology (OIT) is making a change to the default Google Calendaring behavior for incoming invitations, as a result of a global increase in "calendar phishing" security incidents. This will especially impact supporting roles who manage other people's calendars, and people who often schedule with contacts outside Brown, and may have less of an obvious effect for others who do not. 

Scammers, ad attackers, and unsolicited vendors have increased their usage of “spam invitations” in a way that poses risk to the recipient of the message. Unauthorized invitations are showing up on calendars, in ways that are bypassing OIT’s security and antiphishing services.

OIT is activating the setting for everyone, and individuals will be able to turn it off for themselves if it is too disruptive to their normal routine. We strongly recommend most people to leave it on and try to work with it. Sections in the article below tell you more about the new setting, and how you can manage it.

What the New Setting Does

The new default setting, "Only if the sender is known," changes how incoming calendar events are handled.

• Known Senders: Invitations from senders who are in your Google Contacts, part of our university domain (e.g., @brown.edu), or with whom you have previously interacted will continue to be added to your calendar automatically.

• Unknown Senders: Invitations from external senders you have not previously interacted with will not be automatically added to your calendar. Instead, you will receive the invitation as an email. The event will only appear on your calendar after you open the email and affirmatively approve the invitation.

Why We're Making This Change

The previous default setting, "From everyone," posed a high security risk:

• It allowed scammers, ad attackers, and unsolicited vendors  to automatically insert fake, malicious events directly onto your calendar, often without an accompanying email (or by bypassing our email security filters).

• Threat actors commonly use these unauthorized events to redirect targets to phishing landing pages via malicious URLs embedded in the event description. The goal is to harvest your credentials or infect your device with malware.

• This calendar-based spam is a widespread security problem that bypasses standard anti-phishing services.

The "Only if the sender is known" setting is a critical security measure that prevents these unauthorized events from cluttering your schedule and exposing you to risk.

Creating an Email Filter to Highlight Invitations

If you rely on seeing every incoming invitation immediately (especially if you work with a scheduling delegate or frequently collaborate with new external partners), you can create a Gmail filter that isolates all invitation emails into a special, highly visible folder (a "label").

This method ensures you see every invitation email and can review it manually, even if the event isn't automatically added to your calendar.

1. In your Gmail inbox, click the Settings gear icon ⚙ in the upper right corner, then click "See all settings".

2. Go to the "Filters and Blocked Addresses" tab and click "Create a new filter".

3. In the filter window, enter the following query in the "Has the words" field. This targets the technical file attachments that all calendar invitations contain:

   filename:.ics OR "calendar invitation"


4. Set the From field to the following to exlcude invitations from Brown accounts by

   -brown.edu


5. Click "Create filter," and on the next screen, select the following actions to make the emails "pop out":

   • Apply the label: Check this box. Click "New label..." and create a name like EXTERNAL INVITES to make it stand out.

   • Star it: Check this box. This adds an extra visual cue that the email requires attention within the label.

6. Click "Create filter." 

Reverting the Setting

If you find that the new default setting is interfering with your essential business processes and you are willing to accept the increased risk, you can manually revert your personal Google Calendar setting.

Steps to Revert the Setting:

1. Open Google Calendar.

2. In the top-right corner, click the Settings gear icon ⚙ and select "Settings".

3. On the left-hand menu, under "General," click "Event settings".

4. Find the dropdown menu labeled "Add invitations to my calendar".

5. Change the selection from "Only if the sender is known" back to "From everyone".

How to Report Suspect Calendar Events as Spam

If you discover an unauthorized or suspect event on your calendar, you must report it as spam to remove it from your calendar and help Google's security systems.

Important: Do NOT click any links within the event description or event title before reporting it.

1. Open the suspicious event in Google Calendar.

2. At the top right of the event details pop-up, click the More actions menu (three vertical dots ⋮).

3. Select "Report as spam".

4. Confirm the action when prompted. The event will be removed from your calendar, and the sender will be flagged.