“⚠️ Final WARNING: All your photos will be removed.”
A post recently appeared in a local Facebook group showing unusual events on an iPhone calendar.
The events repeated across several days, were marked as all-day notifications, and included warning symbols and strange invite addresses. The author asked, “Has anyone else seen this?” At first, it may seem like a minor software glitch or possibly a legitimate Apple alert. However, this was a phishing scam affecting multiple platforms. Reports now confirm Android devices, Google Calendar accounts, and Outlook calendars are also targeted by identical events, highlighting the global nature of this threat.
🕵️ How The Scam Works
The Calendar Phishing scam relies on tricking users into subscribing to a malicious calendar. Once subscribed, the calendar silently pushes repeated fake events to the device. Each event often contains a phishing prompt designed to steal credentials for iCloud, Google, or Outlook accounts. Attackers exploit the trusted nature of calendar apps and the built-in synchronization between devices to spread the scam quickly and efficiently.
The psychological component is critical to its success. The term “Final Warning” is deliberately chosen to provoke fear and urgency. Victims are led to believe their photos, emails, or other important files are at risk of deletion, prompting them to act without thinking. Once a link is clicked, it directs the user to a fake login page closely mimicking official Apple, Google, or Microsoft portals. Entering credentials on these pages grants attackers immediate access to sensitive data including emails, cloud storage, photos, and even calendar information.
🛠 Technical Methods Used
🎣 Phishing Emails and Messages - Scammers send convincing emails claiming to be from Apple, Google, or Microsoft with links or instructions to subscribe to a calendar, perhaps even a seemingly benign public event.
🎣 Hacked Event Organizer Accounts - Scammers have also been known to use the hacked accounts of event organizers in order to take over subscribed events
🤥 Deceptive Websites - Fake popups and websites are used to trick users into subscribing to a malicious calendar.
🔁 Cross-Platform Synchronization - Once subscribed, the events appear on all connected devices: iPhones, iPads, Android phones and tablets, Google Calendar accounts, and Outlook / Microsoft 365 calendars.
👨💻 Fake Login Pages - Links inside calendar events often lead to cloned official login screens, prompting users to input credentials.
↩️ Obfuscation and Redirects - Scammers use encoded links and redirect systems to bypass spam filters and make phishing pages appear legitimate.
🌍 Global Server Hosting - Investigators have traced some phishing servers to regions including Eastern Europe and Southeast Asia, indicating coordinated international activity.
🔄 Persistent Calendar Entries - Even after deleting a single event, the subscribed calendar continues to push new fake alerts until the calendar is fully removed.
🤯 Psychological Tactics
The scam is designed to manipulate users in several ways:
⏳ Urgency and Fear - “Final Warning” language pressures victims into quick action.
👀 Visual Cues - Warning icons, bold text, and repeated all-day events increase perceived legitimacy.
🎭 Authority Mimicry - Fake pages replicate official Apple, Google, or Microsoft branding, creating trust.
🔁 Repeated Exposure - Continuous notifications across devices reinforce the illusion of an immediate threat.
⚠️ How To Protect Yourself
What Not To Do:
🗓️ Do not click links in suspicious calendar events.
🔏 Do not enter login credentials on any page that appears unexpectedly in a calendar event.
⛔ Do not ignore repeated events, as they may continue to compromise your data. Delete the event as well as the calendar subscription
What To Do:
❌ Delete Suspicious Calendars
- Apple / iOS: Calendar app → Calendars → Tap ⓘ → Delete Calendar
- Android / Google Calendar: Settings → Subscribed Calendars → Remove Unknown
- Outlook / Microsoft 365: Settings → Calendar → Subscribed Calendars → Remove Unknown
🔐 Change Passwords immediately if credentials were entered.
🔑🔑 Enable Two-Factor Authentication to add an extra layer of security.
🗓️ Review Subscribed Calendars Regularly to ensure only known calendars remain. Also check your default settings to ensure your events settings are set to NOT show "declined events"
📣 Report Suspicious Events to Apple, Google, or Microsoft so authorities can track and block malicious sources
📖 Educate Yourself and Others about the scam to prevent further spread.
The Calendar Phishing scam highlights how trusted features like calendars can be weaponized by cybercriminals. It combines psychological manipulation with technical trickery, turning ordinary calendar notifications into phishing attacks. Users must remain vigilant: a calendar warning claiming all your photos will be removed is almost certainly a scam. Careful review, immediate action, and strong account security practices are essential to protect personal data across all devices and platforms.
- Log in to post comments