Threat Alert: How to Spot a Fake Invitation Scam
Sarah Huard
Reading time: 7 minutes
Since late last year, cybersecurity experts have been warning about fake invitations for events. They usually contain phishing links, and they look exactly like the real thing. The latest wave is particularly pernicious. Read on to see why and how you can protect yourself.
The anatomy of a fake invitation scam
Fake invitation scams exploit three primary things: FOMO, trust, and exposed personal data.
1. The FOMO problem
Fear of missing out gets to the best of us. When an invitation comes, sometimes in the name of a family member or a work event, we might not look all that closely at the address or the links. It’s another form of the urgency that characterizes the vast majority of social engineering attempts.
2. The trust issue
Fake invitation scams also exploit trust. Cybercriminals pose as friends and impersonate legitimate services like Punchbowl, Paperless Post, or Evite. These ruses rely on lookalike domains and on copying the exact format of real invites. They come from relatives or friends (who’ve been hacked already).
Not long ago, my mom received a text “from Mom” with a link for a “gift card.” It arrived right on her birthday. It came from an unfamiliar number, so my mom knew it was a scam. The current scam making the rounds works by account takeover, which allows a cybercriminal to use your actual email account to send fake invites to your contacts. The sender will appear completely legitimate, because it is, which makes the attack all the more threatening.
Worse, the hackers have begun deleting sent messages from your sent folder, so you have no idea what happened when friends tell you that you’ve been hacked. Perhaps the very worst part is that the same hackers are changing forwarding and other settings so you stay permanently hacked. They may even place malware on your computer.
3. Exposed personal data
Exposed personal data is the #1 factor that makes phishing threats and fake invitation scams seem legitimate. Data brokers make sure cybercriminals can find out when you might have a birthday party or wedding coming up. That makes it easier for them to develop timely and convincing campaigns.
That text my mom received threw her off at first because even though it came from an unfamiliar number, it arrived on her birthday. She thought it wasn’t possible that the average scammer would know her phone number and birth date.
Unfortunately, exposed personal information on data broker sites ensures cybercriminals have all they need to launch sophisticated scams. I found her birth date and phone number with a quick Google search.
Chances are that you’re also more findable than you think, and that puts you at risk.
Types of fake invitation scams
These kinds of scams take two primary forms, according to the most recent reports from the New York Times.
Malware downloads
In some cases, malware runs or downloads the minute you click a link. The result? Account takeovers or remote access to your computer.
Credential-harvesting sites
These make up the majority of fake invitation scams. You receive an email that claims to be from a legitimate source, but you have to log in to view the invitation. Often they will ask you to log in with your Google account, Microsoft account, or other provider.
Big red flag.
When you enter your Google account credentials, the cybercriminal harvests that information so they can log into your account and take it over.
How fake invitation scams contribute to business risk
Businesses aren’t exempt from the risk of falling victim to fake invitation scams. Cybercriminals often target personal devices because they have fewer protections than company-provided devices while still often having access to company systems and accounts.
That means exposed employee data directly increases your attack surface and your risk of falling victim to these kinds of scams. So does AI, which now allows cybercriminals to whip up convincing lookalike domains at a moment’s notice.
How to protect yourself from a fake invitation scam
Phishing remains one of the top causes of breaches and account takeovers, both for companies and individuals. Fake invitation scams are just one avenue, and standard defenses apply:
- Hover over links. Cybercriminals will often make slight changes to domain URLs for credential-stealing pages. Look for any differences.
- Check the source. Thanks to AI and advanced domain spoofing techniques, you can’t always trust your eyes or even the email address. If possible, reach out to the sender directly via another method of communication rather than responding directly to the email.
- Enable 2FA. Two-factor authentication is one of the best ways to protect against account takeovers. It requires a one-time passcode or biometric authentication in addition to a standard email and password.
- Remove personal data. Data brokers and people search sites are your biggest enemy when it comes to making yourself hard to find online. You can remove yourself with our DIY guides or let DeleteMe do the heavy lifting for you.
If you do fall for a fake invitation scam, don’t panic. Reset your passwords, enable 2FA, and watch for unexpected activity. Take it as a lesson learned for next time.
Fake invitation scam FAQs:
If the above didn’t answer your questions or you just want the quick version, read through our Q&A below.
1. How can you identify a fake Punchbowl invite?
Punchbowl is one of several sites cybercriminals are impersonating as part of the fake invitation scam campaign.
Some of the red flags are:
- You’re not expecting an invitation
- The language is generic
- There’s urgency and pressure
- The invite requires you to log in to accept
When in doubt, check with the supposed sender through another method of communication and don’t click links in emails.
2. How can you identify a fake Evite email?
The process to identify a fake Evite email is similar. Hover over links, check the address, look for a demand to log in, and never enter your Google credentials to log in through a portal you reach via email or text.
What you can do instead is paste evite.com in your browser if you already have an account and log in to view incoming invitations. That way, you can’t be redirected to a lookalike page.
Don’t trust your eyes!
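The "hover over links" check and the Evite advice above can be automated. The following is an added example, not part of the original article: it pulls every link out of an invitation email and compares the real hostname against the services named here. It assumes punchbowl.com and paperlesspost.com are those services' official domains (only evite.com appears in the article), and the `.example` hosts in the sample are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# evite.com is named in the article; the other two are assumed official domains.
BRANDS = {"evite": "evite.com", "punchbowl": "punchbowl.com",
          "paperlesspost": "paperlesspost.com"}

class LinkCollector(HTMLParser):  # collects the href of every <a> tag
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.hrefs.append(href)

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    row = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        prev, row[0] = row[0], i
        for j, cb in enumerate(b, 1):
            prev, row[j] = row[j], min(row[j] + 1, row[j - 1] + 1, prev + (ca != cb))
    return row[-1]

def classify(url):
    """Label a link 'official', 'lookalike' or 'unrelated' by its real hostname."""
    host = (urlsplit(url).hostname or "").lower()
    if any(host == d or host.endswith("." + d) for d in BRANDS.values()):
        return "official"
    for label in host.split("."):
        squashed = label.replace("-", "")
        near = any(b in squashed or edit_distance(squashed, b) <= 1 for b in BRANDS)
        if near or label.startswith("xn--"):  # punycode can hide look-alike letters
            return "lookalike"
    return "unrelated"

def audit(html_body):
    """Return {href: verdict} for every link in the message."""
    parser = LinkCollector()
    parser.feed(html_body)
    return {href: classify(href) for href in parser.hrefs}

# Constructed sample invitation; the .example hosts are placeholders.
SAMPLE = """<a href="https://www.evite.com/event/123">View on Evite</a>
<a href="https://evite.com.rsvp-view.example/login">Open invitation</a>
<a href="https://punchb0wl.example/i/9">See who's coming</a>"""
if __name__ == "__main__":
    print("\n".join(f"{v:10} {h}" for h, v in audit(SAMPLE).items()))
```

A "lookalike" verdict can also hit an innocent domain that is one letter away from a short brand name, so treat it as a prompt to verify with the sender through another channel.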
3. What should you do if you click on a birthday invite scam email?
Most people have fallen for a scam at some point in their lives. Take steps to protect your accounts:
- Reset your password
- Set up two-factor authentication/multi-factor authentication
- Freeze your credit if need be
- Report the email as a phishing attempt
- If necessary, let your friends and family know your account may have been compromised so they don’t click on links sent from that email address
4. How can you prevent fake invitation scams?
There’s no single step that will prevent you from ever falling victim to fake invitations. However, removing your personal information online is one way to make yourself harder to find and harder to hit.



