Fake subscription renewal notices are showing up inside Google Calendar entries, bypassing email spam filters and landing where users least expect fraud. The tactic borrows directly from a well-documented tech-support scam playbook: display a convincing charge, attach a phone number, and pressure the target to call before verifying anything. A recent academic paper examining Gemini-powered assistants found that calendar invitations can carry hidden instructions that AI tools process automatically, raising the prospect that the same channel scammers already exploit could become even more dangerous as automated assistants gain deeper access to scheduling data.
How renewal-themed calendar scams exploit trust and automation
The core trick is simple. A scammer sends a calendar invitation that looks like a billing reminder, often mimicking well-known software brands with subject lines such as “Your annual plan renews today” or “Payment of $399.99 confirmed.” Because many calendar apps auto-accept invitations by default, the fake event appears on a user’s schedule without any deliberate action. The entry typically includes a phone number and a short deadline, pushing the recipient to call and “cancel” a charge that never existed.
This approach maps directly onto the subscription renewal hook that the U.S. Federal Trade Commission has flagged in its consumer guidance on tech-support scams. According to that guidance, scammers use unexpected contact and pressure tactics to convince people they owe money for a product or service. The calendar variant simply swaps the delivery method from a pop-up alert or email to a scheduled event, which many people treat as inherently trustworthy because they associate their own calendar with appointments they created or accepted intentionally.
The shift matters because calendar entries sit outside the usual defenses. Email providers have spent years training filters to catch phishing messages, but calendar platforms were designed for scheduling, not security screening. A fraudulent event that slips through looks identical to a legitimate reminder, and it triggers native notifications on phones, desktops, and smartwatches at the exact time the scammer chooses.
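Added example (not from the original article or from any calendar vendor): a triage heuristic that parses iCalendar invitations and flags events combining the lure traits described in this section, namely a charge amount, a phone number, billing wording, a deadline, and an organizer outside a trusted domain list. The function names, regex patterns, trusted-domain list and three-signal threshold are assumptions chosen for illustration, and the sample invitations are constructed.

```python
import re
# Constructed sample invitations (not from a real campaign); 555-01xx is a fictional number range.
SAMPLE_ICS = """BEGIN:VCALENDAR
BEGIN:VEVENT
UID:constructed-1@example.invalid
ORGANIZER:mailto:billing@example.invalid
SUMMARY:Payment of $399.99 confirmed
DESCRIPTION:Your annual plan renews today. To cancel this charge call
  +1 (202) 555-0143 within 24 hours.
END:VEVENT
BEGIN:VEVENT
UID:constructed-2@example.invalid
ORGANIZER:mailto:alice@corp.example
SUMMARY:Quarterly planning
END:VEVENT
END:VCALENDAR
"""

# Assumed patterns for the lure traits the article describes; tune before real use.
SIGNALS = {
    "amount": re.compile(r"[$€£]\s?\d[\d,]*(\.\d{2})?"),
    "phone": re.compile(r"\+?\d[\d\s().-]{8,}\d"),
    "billing_term": re.compile(r"\b(renew\w*|subscription|payment|charged?|invoice)\b", re.I),
    "urgency": re.compile(r"\b(today|immediately|within \d+ hours?|cancel)\b", re.I),
}

def parse_events(ics_text):
    """Unfold RFC 5545 continuation lines; return one property dict per VEVENT."""
    unfolded = re.sub(r"\r?\n[ \t]", "", ics_text)
    events = []
    for block in re.findall(r"BEGIN:VEVENT\r?\n(.*?)END:VEVENT", unfolded, re.S):
        props = (line.split(":", 1) for line in block.splitlines() if ":" in line)
        events.append({name.split(";")[0].upper(): value for name, value in props})
    return events

def flag_events(ics_text, trusted_domains, threshold=3):
    """Return (UID, matched signals) for events with at least `threshold` signals."""
    flagged = []
    for ev in parse_events(ics_text):
        text = " ".join(ev.get(k, "") for k in ("SUMMARY", "DESCRIPTION", "LOCATION"))
        hits = [name for name, rx in SIGNALS.items() if rx.search(text)]
        if ev.get("ORGANIZER", "").lower().rsplit("@", 1)[-1] not in trusted_domains:
            hits.append("untrusted_organizer")
        if len(hits) >= threshold:
            flagged.append((ev.get("UID"), hits))
    return flagged

if __name__ == "__main__":
    print(flag_events(SAMPLE_ICS, {"corp.example"}))
```

Requiring several signals together keeps an ordinary external invitation with a conference dial-in number below the threshold, since it matches only the phone and organizer checks.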
Promptware research reveals a second layer of risk in AI-powered calendars
A separate and more technical concern is emerging from academic research. A paper titled “Invitation Is All You Need!” published on arXiv examines how calendar invitations can carry malicious instructions that Gemini-powered assistants process when summarizing or acting on event details. The researchers describe a class of attack they call “promptware,” in which hidden text embedded in an invitation manipulates an AI assistant into performing actions the user never requested.
The mechanism works because large-language-model assistants often read the full text of a calendar event, including description fields and metadata, before generating a summary or suggested action. If that text contains carefully crafted instructions, the assistant may follow them. In a renewal-scam context, this could mean an AI assistant not only displays the fake charge but also drafts a reply, initiates a call, or presents the fraudulent phone number as a recommended next step, all before the user has a chance to read the raw event data.
This dynamic represents a practical expansion of the attack surface. Traditional calendar scams rely on the user reading the event and choosing to act. Promptware attacks short-circuit that decision by inserting a layer of automated processing between the malicious content and the human target. The AI assistant becomes an unwitting accomplice, lending its interface credibility to a fraudulent message. The arXiv paper’s focus on Gemini-powered assistants suggests the risk is not theoretical; it applies to products already integrated with consumer calendars used by millions of people.
The FTC’s business guidance on tech-support scams recommends verifying charges through official channels and reporting fraud. That advice still holds, but it assumes the user encounters the scam directly. When an AI assistant mediates the interaction, the window for human judgment narrows. A user who trusts an assistant’s summary of upcoming charges may never open the underlying event to spot the signs of fraud.
Missing data on calendar-specific fraud and platform responses
Several gaps in the public record limit how precisely anyone can measure this threat. The FTC’s published guidance addresses tech-support and renewal scams broadly but does not break out complaint data specific to calendar-invite delivery. Without that breakdown, it is difficult to know how many people have already been targeted through this channel versus traditional email or browser pop-ups.
Google and other calendar providers have not released public statements detailing how they detect or block malicious invitations. Calendar platforms do offer settings to prevent automatic addition of events from unknown senders, but those controls are often buried in account preferences and disabled by default. The absence of transparent reporting from providers leaves users without a clear picture of whether platform-level protections are keeping pace with the tactic.
The arXiv paper on promptware attacks provides a research framework for understanding AI-mediated risk, but it is a preprint, not a peer-reviewed study with large-scale empirical data on real-world exploitation rates. The research demonstrates that the attack vector is practical and functional against production-grade assistants, yet the frequency with which scammers are already combining renewal lures with prompt injection in the wild is not documented in any public dataset.
*This article was researched with the help of AI, with human editors creating the final content.