Sophisticated Gmail Scam Uses Fake E-Invitations to Steal Credentials

A sophisticated new scam is targeting Gmail users by disguising itself as harmless e-invitations sent from people victims know and trust. One Gmail user told the Daily Mail she nearly lost access to her Google account after receiving what appeared to be a legitimate invitation from a friend.

How the Scam Works

The email prompted her to click a 'View & RSVP' button, which redirected her to a convincing login page asking for her Google credentials. Moments after entering her information, the woman, who asked to remain anonymous, received a security alert warning that someone in another state was attempting to access her account.

'The two signs that immediately made me suspicious were that the bottom of the email showed my friend’s name in large font, but then randomly said “event by Robin Carter,” someone I had never heard of,' she said. 'The second red flag was when I clicked the link and realized the sign-in page wasn’t hosted on a Google domain. That’s when I knew something was wrong. But the scary part is the email really did come from my friend’s address because hackers had already gotten into her account.'

Two Methods of Attack

Rachel Tobac, CEO of cybersecurity company SocialProof Security, warned that the scam typically works in one of two dangerous ways. In some cases, victims repeatedly click a broken-looking link, unaware that the action silently installs malware capable of stealing passwords, banking information and other sensitive personal data. Other attacks redirect users to a convincing sign-in page designed to mimic a legitimate Google login screen. Once victims enter their credentials, hackers can immediately gain access to their accounts.

'They can take over your bank account, change your health insurance,' Tobac warned in a LinkedIn post.

Phishing Emails Mimic Event Platforms

The phishing emails are crafted to mimic legitimate digital invitations sent through popular event platforms like Paperless Post, Evite and Punchbowl. Tobac said the first method involves malware, often referred to as an 'infostealer,' which runs silently in the background, capturing passwords, security codes and sensitive information as the victim types. That stolen data is then transmitted back to the scammer, who can use it to drain bank accounts, hijack online profiles and target other people connected to the victim through email and messaging apps.

The second method is known as credential harvesting, where victims click the invitation link and are redirected to what appears to be a legitimate login page. Once the victim enters their email password, hackers can immediately gain access to the account, impersonate the user, scam friends and family members and even reset passwords for other linked accounts.

Protecting Yourself

Tech experts said that to avoid falling victim, users should check the sender's email address carefully. Even when a message appears to come from a friend, hackers may be using that friend's compromised account to send out the invitations. Tobac recommended verifying an invitation through another channel before clicking any links, such as texting or calling the person who supposedly sent it. She also warned against reusing passwords across multiple accounts, noting that stolen credentials are often tested against banking and financial platforms within minutes.

Email accounts are especially valuable targets because they effectively function as the center of a person's digital life. Password reset links for banking apps, healthcare portals, social media accounts and streaming services are typically sent directly to email inboxes, meaning hackers who gain access can potentially seize control of nearly every connected account.
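The red flag the victim describes above, a sign-in page not hosted on a Google domain, can be checked before any password is typed. The following is an added example, not code from the article or from SocialProof Security; the sample links are constructed to show the lookalike forms such a check must reject.

```python
"""Check whether a sign-in link actually lands on a Google-operated host.

Added example, not from the article. The lookalike URLs in SAMPLE_LINKS are
constructed for illustration.
"""
from typing import Optional
from urllib.parse import urlsplit


def hostname_of(url: str) -> Optional[str]:
    """Return the normalized hostname of an HTTPS URL, or None if it is unusable."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() != "https":
        return None  # Google's sign-in is HTTPS only; anything else is not it
    # .hostname already drops any 'user@' prefix and port, so a link like
    # 'https://accounts.google.com@evil.example/' resolves to 'evil.example'.
    host = parts.hostname
    if not host:
        return None
    try:
        host.encode("ascii")  # refuse non-ASCII (possible look-alike letters)
    except UnicodeEncodeError:
        return None
    return host.lower().rstrip(".")  # 'GOOGLE.COM.' -> 'google.com'


def is_google_signin_host(url: str) -> bool:
    """True only if the host is google.com or a subdomain of it.

    Matching on a dot boundary rejects 'accounts.google.com.evil.example'
    and 'google.com-login.example', which merely contain the string.
    """
    host = hostname_of(url)
    if host is None:
        return False
    return host == "google.com" or host.endswith(".google.com")


def triage_links(links):
    """Label each candidate link so a suspicious invitation can be reviewed at a glance."""
    return [(u, "google" if is_google_signin_host(u) else "NOT google") for u in links]


# Constructed samples: one genuine pattern, the rest lookalikes.
SAMPLE_LINKS = [
    "https://accounts.google.com/signin",
    "https://accounts.google.com.evil.example/login",
    "https://accounts.google.com@evil.example/login",
    "http://accounts.google.com/",
]

if __name__ == "__main__":
    for url, verdict in triage_links(SAMPLE_LINKS):
        print(f"{verdict:11} {url}")
```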