Spammers have a new, creepy targetJuly 24, 2013: 5:00 AM ET
You could call them appointment bandits.
By Erika Fry, reporter
FORTUNE—Have a lunch meeting planned with the Syrian Petroleum Company?
Probably not, but don't be fooled if your Outlook calendar says you do.
Spam, long the scourge of the email inbox, has taken a creepy twist in recent months, popping up in the form of invitations and meeting requests on Outlook and Google (GOOG) calendars. It's not exactly sophisticated—calendar spam still peddles acai berry diet elixirs and exotic investment opportunities—but it sure feels invasive.
"It's a way for a spammer to stand out," says Kevin Haley, Director of Security, Technology and Response at Symantec (SYMC). "With an invite, you don't expect it to be spam. It may draw you in," he says.
Spam meeting requests at first glance appear personal and almost plausible—you have to read a bit to realize that they are promoting some kind of hare-brained scheme. One that popped up on a colleague's calendar recently began: "This is Engineer Richard Morgan a petrochemical/oil exploration engineer with the Syrian Petroleum Company located in Damascus. Myself and two other engineers Engr. B.S. Babu an Indian and engr. David Quijada Fischer from Venezuela needs your partnership to investing some funds ...." The fact that you get even that far is a win for spammers, who are hoping that just one out of the many who read their message will be a sucker.
There's nothing tricky about spotting calendar spam. A spokesperson for Microsoft (MSFT) says people should look for the same things they do in all spam, like an unfamiliar source, an inauthentic sender, or links to strange-looking sites.
It's a little harder for people to know what to do with the calendar variety, though.While it may feel natural or satisfying to 'decline' that phantom meeting with the Syrian Petroleum Company, 'declining' is actually no better than 'accepting'. Either way, you're verifying your email is a working address, which is one thing spammers are after, Haley explains. And if you just ignore the request, the effect is continued spamming, with incremental reminders and then a 15-minute countdown to your non-event. "They're really taking advantage of the technology of the invite," says Haley.
Instead, then, you should delete the spam request, and be sure that your computer is not set to automatically accept invites. And as the case with all spam, you should avoid clicking on links, images, or attachments, which may hide malware.
Google and Microsoft also encourage users to report calendar spam—either through Google's "Report Spam" button or by marking the request as "junk" in Microsoft Calendar—which helps the companies identify and block spam in the future.
Calendar spam is not in fact new, but has surfaced sporadically in recent years. Hampton says Microsoft has not seen it at an unusual level, but Chester Wisniewski, a senior security analyst with Sophos—who just last week received an acai berry-related invite on his Google calendar—thinks calendar spam may be the next frontier for spammers. "We've gotten pretty darn good at blocking spam in our email," he says, noting that email filters now screen out more than 99.5% of spam messages. "It's a cat and mouse game. Spammers are trying to figure out where our filters are less sophisticated." (It would appear some spammers have given up altogether: 69% of all email is spam, down from 93% in 2010, according to Haley.)
There are of course far more sinister threats out there than the unsolicited invitation, and if calendar spam is the next big thing, that may not be so bad. Haley says spammers are increasingly focused on an invading a space far more personal than your calendar—your phone.