AI-related scams via Google Calendar

Whose calendar is it, anyway? A cautionary tale

A while ago I noticed an odd "Paypal to BTC" calendar item that I didn't recognise, so I clicked on it and saw this.

"Interesting," I thought, "where on Earth did this come from?" You'll notice that only my identity is listed, as whoever created it has concealed their own identity by withholding the full guest list.

Intrigued, I clicked on the edit button to get a full view, and found this.

I don't know about you, but I very much doubt the fundacjawidzialnedzieki.org domain exists, let alone represents any kind of legitimate organisation. Further investigation revealed several similar entries scattered around my calendar, some containing specific instructions to transfer funds. An AI, however, might not "understand" (I use apostrophes because thinking and understanding are beyond the capabilities of the current chatbots) that this indicates a scam.

Being the cautious techie that I am I have not and do not intend to use automation to take unsupervised actions as a result of unsolicited input from Internet randos. To me, therefore, this represents a nuisance rather than a threat. As you will imagine, I have cleaned up my calendar and closed the loophole that allowed those events on to my calendar—see "Protecting yourself" below.

I can well imagine, however, that less conservative business people will be thrilled to avail themselves of the advantages of technology that helps them to set up appointments and keep on top of regular tasks, including settlement of outstanding accounts. Until their ever-helpful digital robot acts on an instruction injected by a third party in a similar manner to this. Who will be responsible for those losses?

Protecting yourself

It can happen to you. Check that arbitrary senders can't add events to your calendars by opening the calendar, bringing up the settings, then under "Events" make sure that the "Add invitations to my calendar" selector is set to "When I respond to the invitation in email."

This Google support page says it's not a new issue—in  fact the issue is so old the solutions refer to a setting that's no longer available). Here's what my settings page looked like.

The process is fully documented in this support page.

Further thoughts

A current search implies it's still an issue.

Top four "people also ask" selections from a Google
search for "google calendar unrecognised events:"

Be very careful about automating any processes which could cost you money if they don't do what you expect. Until recently, automation was predictable. Once "AI" enters the picture, predictability becomes problematic. In a carefully designed system, most of the time nothing will go wrong. What you have to do is to limit the downside when it does, as it inevitably will (ironically just like systems with humans in the loop, while totally lacking in empathy or creativity). The more automation the greater the risk.

Understand that vendors don't always provide systems that are secure by default. Google made two mistakes here: the first was allow external users to make entries in your calendar; the second was to allow those who do make such entries to hide their identity. Neither shows much concern or respect for the people who use their products. At least the former can be switched off, so why isn't it switched off by default? I can't imagine in my long use of Google's products I would have ever selected such an option voluntarily.

In the past we have mostly had human adversaries to contend with. Nowadays exploits involving large networks of fictitious identities can be constructed en masse with minimal effort in industrial quantities. We can't rely on luck to avoid the attention of bad actors forever when without effective protection and sensible precautions a business can be ended overnight.