By REBECCA RUTHERFORD
Los Alamos
For the Los Alamos Daily Post
Wedding season is here. Graduation parties, summer barbecues, birthday dinners. Your inbox is about to fill up with invitations—and scammers have noticed.
Pennsylvania Attorney General Dave Sunday is warning consumers about a phishing scam that is genuinely clever in the worst possible way. Attackers are sending fake digital invitations that look like they came from someone you actually know. A friend. A coworker. Your cousin. Great Aunt Mildred (how did she even get on the computer??).
The email looks like a real Evite or event invitation, complete with an RSVP link. You click it, because of course you do—it’s from someone you trust. Then the link asks you to sign in with your Google, Apple, or Microsoft account to view the invitation. You type in your credentials. And that’s it. Your email account is compromised, or malware is quietly installing itself on your device. Yikes!
Here’s the part that makes this one particularly nasty. The invitation emails are often sent from real, compromised accounts belonging to people you actually know. Your Great Aunt Mildred did not send you that invitation. Their hacked email account did. The message looks legitimate because it came from a real person’s address. That is not an accident – that is the whole point of this scam.
A few things to know before you RSVP to anything this summer.
Legitimate invitation platforms generally do not require you to log in just to view an invitation. If a link is asking for your Google or Apple credentials before it will show you a party invite, stop.
That’s just not how it works.
Before you click anything, preview or hover over the link and look at where it actually goes. If the URL looks strange or does not match the platform the invitation supposedly came from, do not click it – it’s a scam.
When in doubt, reach out to the sender directly – by text or phone, not by replying to the email – and ask if they actually sent you something. This takes thirty seconds and will save you a compromised email account.
Make sure two-factor authentication is turned on for all email accounts that allow it. If your account gets compromised and you do not have it enabled, the attacker can lock you out before you even know what happened. Once they have control of your email you are pretty much out of luck.
Los Alamos is a tight-knit community and we trust each other. That trust is exactly what this scam is designed to exploit. Think before you RSVP, look twice at the invitation, and try to verify it’s legitimate before you click anything.
Stay skeptical out there, and stay safe online.
Editor’s note: Rebecca Rutherford works in information technology at Los Alamos National Laboratory.
Star Wars meme. Courtesy photo