A sophisticated new scam is targeting Gmail users by disguising itself as harmless e-invitations sent from people victims know and trust.
One Gmail user told the Daily Mail she nearly lost access to her Google account after receiving what appeared to be a legitimate invitation from a friend.
The email prompted her to click a ‘View & RSVP’ button, which redirected her to a convincing login page asking for her Google credentials.
‘The two signs that immediately made me suspicious were that the bottom of the email showed my friend’s name in large font, but then randomly said “event by Robin Carter,” someone I had never heard of,’ she said.
‘The second red flag was when I clicked the link and realized the sign-in page wasn’t hosted on a Google domain.
‘That’s when I knew something was wrong. But the scary part is that the email really did come from my friend’s address because hackers had already gotten into her account.’
Rachel Tobac, CEO of cybersecurity company SocialProof Security, warned that password reset links for banking apps, healthcare portals, social media accounts and streaming services are typically sent directly to email inboxes, meaning hackers who gain access can potentially seize control of nearly every connected account.
‘They can take over your bank account, change your health insurance,’ she said.
The phishing emails are crafted to mimic legitimate digital invitations sent through popular event platforms like Paperless Post, Evite and Punchbowl.
Tobac warned that the scam typically works in one of two dangerous ways.
The first method involves malware, Tobac said in a LinkedIn post, adding that after a victim clicks the invitation link, malicious software can quietly download onto the device without triggering obvious warning signs.
The malware, often referred to as an ‘infostealer,’ then runs silently in the background, capturing passwords, security codes and sensitive information as the victim types.
That stolen data is then transmitted back to the scammer, who can use it to drain bank accounts, hijack online profiles and target other people connected to the victim through email and messaging apps.
Tobac said the second method is known as credential harvesting, which is when victims click the invitation link and are redirected to what appears to be a legitimate login page asking them to sign in to ‘view’ the invitation.
Once the victim enters their email password, hackers can immediately gain access to the account, impersonate the user, scam friends and family members and even reset passwords for other linked accounts.
Tobac said email accounts are especially valuable targets because they effectively function as the center of a person’s digital life.
Tech experts said that to avoid falling victim, check the sender’s email address carefully. Even so, a familiar address is not proof on its own: as in the case above, hackers may be sending the invitations from a friend’s compromised account, so the domain of the page the link actually leads to is the more reliable tell.
Tobac recommended verifying invitations through another form of communication before clicking any links, such as texting or calling the person who supposedly sent the invite.
She also warned against reusing passwords across multiple accounts, noting that stolen credentials are often tested against banking and financial platforms within minutes.
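The two checks the victim and the experts describe, looking at where the ‘View & RSVP’ link really goes and whether the name on the invitation matches the sender, can be automated when triaging a suspicious email. The script below is an added example, not code from the Daily Mail, SocialProof Security or any invitation platform. It parses a constructed sample message, flags any sign-in style link whose host is not google.com or a subdomain of it, and notes a mismatch between the sender’s display name and an ‘event by’ line. The domain list, the call-to-action words and the sample message are all assumptions made for the example.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the only host family that should ever ask for a Google password.
# Matching is on the dot boundary, so google.com.evil.net does not qualify.
LEGIT_GOOGLE_DOMAINS = ("google.com",)

# Assumption: anchor text that typically leads to a "log in to view" page.
CALL_TO_ACTION = ("rsvp", "view", "sign in", "log in", "login")

# Constructed sample message, modelled on the invitation described in the article.
SAMPLE_EMAIL = """From: Alice Friend <alice@example.com>
To: you@gmail.com
Subject: You're invited!
Content-Type: text/html; charset=utf-8

<html><body>
<p><b>Alice Friend</b></p>
<p>event by Robin Carter</p>
<p><a href="https://accounts.google.com/signin">Sign in to Google</a></p>
<p><a href="https://accounts-google-login.example.net/view?id=123">View &amp; RSVP</a></p>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collect (anchor text, href) pairs plus all visible text from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []      # (anchor text, href)
        self.text = []       # every text node, used for the "event by" check
        self._href = None
        self._anchor = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._anchor = []

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._anchor.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((" ".join(self._anchor).strip(), self._href))
            self._href = None


def is_google_host(host):
    """True only for google.com itself or a real subdomain of it."""
    if not host:
        return False
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in LEGIT_GOOGLE_DOMAINS)


def triage(raw_message):
    """Return a list of findings for a raw RFC 822 message (headers + HTML body)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    # The From header alone proves little: the article's email came from a
    # friend's genuinely hijacked account. Record it for out-of-band verification.
    display_name, address = parseaddr(str(msg["From"]))
    findings.append(f"sender (verify by text or call, may be hijacked): {display_name} <{address}>")

    body = msg.get_body(preferencelist=("html", "plain"))
    collector = LinkCollector()
    collector.feed(body.get_content() if body else "")

    # Check 1: a sign-in style link whose hostname is not Google's.
    for text, href in collector.links:
        host = urlparse(href).hostname  # hostname strips userinfo such as google.com@evil.net
        if any(word in text.lower() for word in CALL_TO_ACTION) and not is_google_host(host):
            findings.append(f"sign-in style link '{text}' leads off Google: {host} ({href})")

    # Check 2: invitation credited to someone other than the sender (two-word name heuristic).
    visible = " ".join(collector.text)
    match = re.search(r"event by\s+(\S+(?:\s+\S+)?)", visible)
    if match and display_name and match.group(1) != display_name:
        findings.append(f"sender shows as '{display_name}' but invitation says event by '{match.group(1)}'")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EMAIL):
        print(finding)
```

Run against the sample, the legitimate accounts.google.com link passes, the ‘View & RSVP’ link is flagged because its host is outside google.com, and the ‘event by Robin Carter’ line is reported against the sender’s display name. The link check is the one to trust; the sender line is recorded only so the recipient can confirm the invitation with the friend by another channel, as Tobac recommends.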