CalPhishing Scam Warning Hits Workers and Bank Customers
Warnings about CalPhishing scams are spreading as cybercriminals use fake calendar invitations and spoofed bank phone numbers to trick victims into handing over sensitive information and money.
Security experts say scammers are increasingly disguising attacks as routine workplace notifications or official bank communications. The tactics have become sophisticated enough to fool even younger professionals familiar with online scams.
According to cybersecurity firm Fortra, attackers have recently been exploiting Microsoft 365 calendar invitations in a phishing method known as “CalPhishing.”

How the CalPhishing Scam Works
Scammers first send emails containing messages such as “Domain Renewal Failed,” “Electronic Signature Required,” or “Administrator Verification Needed.” Attached to the email is a calendar invitation file, typically in .ics format.
Once opened, the file automatically creates a calendar event in email and scheduling applications such as Microsoft Outlook.
Victims then begin receiving repeated meeting notifications and reminders, making the event appear legitimate over time. In many cases, the calendar event remains active even after the original email is deleted.
When users open the event, they may see buttons labeled “Admin Portal,” “Document Review,” or “Electronic Signature.” Clicking these links directs victims to websites designed to imitate Microsoft login pages.
Rather than stealing passwords directly, attackers target “session tokens” — authentication credentials that prove a user is already logged in. Experts warn that stolen session tokens can bypass multi-factor authentication systems.
Cybersecurity specialists say attackers who gain access to these tokens may be able to read emails, access internal company files, and launch additional phishing attacks. Sensitive personal and corporate data stored on computers and email accounts may also be exposed, increasing the risk of secondary harm.
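A defender-side check for the invitation flow described above, as an added example that is not part of the original article: it scans an .ics attachment for the lure phrases quoted above and for links to hosts outside a trusted sign-in list. The trusted host list, the function name scan_ics and the sample invitation are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Lure phrases quoted in the article (email subjects and event button labels).
LURES = ("domain renewal failed", "electronic signature", "document review",
         "administrator verification needed", "admin portal")
# Assumption: the sign-in hosts this organisation actually expects to see.
TRUSTED_HOSTS = {"login.microsoftonline.com"}
TEXT_PROPS = {"SUMMARY", "DESCRIPTION", "LOCATION", "URL", "X-ALT-DESC"}
ESCAPES = (("\\n", " "), ("\\N", " "), ("\\,", ","), ("\\;", ";"))
URL_RE = re.compile(r"https?://[^\s\"'<>\\]+", re.I)

def scan_ics(ics_text):
    """Return one finding per VEVENT: matched lures, untrusted link hosts, reminder flag."""
    # RFC 5545 folding: a line that starts with space/tab continues the previous line.
    text = re.sub(r"\r?\n[ \t]", "", ics_text)
    findings = []
    for event in re.findall(r"BEGIN:VEVENT(.*?)END:VEVENT", text, re.S):
        fields = []
        for line in event.splitlines():
            name, sep, value = line.partition(":")
            if sep and name.split(";")[0].upper() in TEXT_PROPS:
                for esc, plain in ESCAPES:  # undo iCalendar text escaping
                    value = value.replace(esc, plain)
                fields.append(value)
        blob = " ".join(fields)
        lures = sorted(p for p in LURES if p in blob.lower())
        hosts = sorted({urlsplit(u).hostname or "" for u in URL_RE.findall(blob)} - TRUSTED_HOSTS)
        findings.append({
            "lures": lures,
            "untrusted_hosts": hosts,
            "has_reminder": "BEGIN:VALARM" in event,  # reminders keep the event resurfacing
            "suspicious": bool(lures and hosts),      # lure wording plus an off-list link
        })
    return findings

# Constructed sample attachment (not from a real campaign); the link is folded across lines.
SAMPLE_ICS = (
    "BEGIN:VCALENDAR\r\nVERSION:2.0\r\nMETHOD:REQUEST\r\n"
    "BEGIN:VEVENT\r\nUID:constructed-1@mail.example\r\n"
    "SUMMARY:Administrator Verification Needed\r\n"
    "DESCRIPTION:Open the Admin Portal to continue:\\n"
    "https://login.micro\r\n soft-verify.example/session\r\n"
    "BEGIN:VALARM\r\nACTION:DISPLAY\r\nTRIGGER:-PT15M\r\nEND:VALARM\r\n"
    "END:VEVENT\r\nEND:VCALENDAR\r\n"
)

if __name__ == "__main__":
    for finding in scan_ics(SAMPLE_ICS):
        print(finding)
```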

Spoofed Bank Calls Also Rising
The CalPhishing warning comes as authorities also report an increase in “spoofing” scams involving fake caller IDs.
According to a report by Yahoo Finance, an Illinois woman recently lost $40,000 after receiving a call displaying the official customer service number of JPMorgan Chase.
The scammers allegedly impersonated both bank employees and agents from the Federal Bureau of Investigation, falsely claiming the victim needed to move funds into a “safe account.”
Security experts explain that spoofing scams manipulate caller ID systems so that incoming calls appear to come from legitimate banks or government agencies. Because the displayed number matches a trusted institution, victims are less likely to suspect fraud.
Earlier this month, an Orange County senior citizen also reportedly lost $25,000 after receiving a fraudulent call appearing to come from a local police department number.

Experts Urge Public Caution
Cybersecurity analysts say many recent scams rely on exploiting familiarity and trust. Rather than using suspicious-looking emails alone, scammers now leverage workplace calendar systems, official phone numbers, and business-related language to lower victims’ defenses.
Experts stress that banks and law enforcement agencies never demand wire transfers, password entries, or urgent money transfers over the phone.
They warn that messages pressuring victims to “move money immediately” or “act right now” are among the clearest signs of fraud.



