An apparently huge number of iOS and macOS users received calendar invite spam starting late last week. If you began seeing an invitation to an event in your calendar listings for Ugg Boots, Ray-Ban sunglasses, and other products, it’s because spammers took advantage of a long-available feature in iCloud that extracts invites from email and presents them as notifications in calendar apps.
The ones I received were set as a repeating event, making the invitation show up on every day of my calendar. Some users
started receiving this spam weeks ago, but the distribution accelerated only around November 23 or 24. I’ve found scattered references as far back as August.
The standard iCalendar format can package an invitation in an ICS file, a format you’re probably familiar with for adding events from other calendar services or subscribing to a school or sports calendar via a website. Apple automatically examines ICS attachments sent via email to your iCloud email account, whether or not it’s from a known recipient. By default, an iCalendar invitation gets extracted and shown to you in all your linked calendars in iOS and macOS.
This spam includes a URL in the event description. Previous batches tried to trick people into visiting DHL and other sites, but the current large wave is designed to entice an unwary user into clicking it for a bargain. If you click the invite, you can respond with Accept, Decline, or Maybe. However, no matter what you click, that response is sent back to the inviter, which will surely trigger more spam, because they know your account received the request and you interacted with it. (This assumes the inviting account or server hasn’t been shut down already.)
In iOS, you can slide left and then choose Delete, which removes the invitation without providing a response. No similar option appears in macOS.
The best option, however, is to disable this automatic invitation parsing altogether. Because iCloud handles the behavior for incoming email, you have to make the change at the iCloud website:
Go to your
iCloud Calendar page via a desktop browser. (Apple doesn’t allow you to use iCloud.com via mobile Safari.)
Click the gear icon in the lower-left corner.
Click the Advanced icon.
In the Invitations section, change the option from In-App Notifications to Email to iCloud Address.
Now spam invitations will appear in your inbox—or, more likely, get automatically marked as spam and never bother you. This is slightly inconvenient if you routinely received and wanted calendar notifications for invitations sent via email—you’ll have to look for these in your inbox and click to add them to your calendar.
If you have outstanding invitations that you can’t delete after making that change, follow these steps:
Via iCloud, iOS Calendar, or any calendar app in macOS, create a “spam” calendar.
Assign the invitation to the spam calendar without clicking Accept, Decline, or Maybe.
Delete the spam calendar. Click the Delete and Don’t Notify buttons when prompted.