Skip to content
Method: every claim tracked, reviewed every 30–90 days, marked Holding, Partial, or Not holding. Drafted by Claude; signed off by Peter. How this works →
OPS-097pub9 Jun 2026rev9 Jun 2026read3 mininOperators

Calendar phishing and ClickFix: the June advisory, read for small teams

Google's 8 Jun advisory names two scam patterns aimed at exactly the surfaces small teams automate: calendar invites and browser pop-ups. The fixes are free and take an afternoon.

Holding·reviewed9 Jun 2026·next+21d

Bottom line. Google’s fraud advisory of 8 Jun 2026 names two active scam patterns aimed at surfaces small teams increasingly automate: calendar phishing, where the malicious link arrives as an event invite, and ClickFix, where a fake fix-it page talks you into pasting a command into your own terminal. If your team runs AI scheduling, notetakers or assistants against Google Calendar, you are the intended audience. The fixes are free and take an afternoon.

Google’s Trust and Safety team published its latest fraud and scams advisory on 8 Jun 2026. Two patterns matter for a small business. Calendar phishing puts the malicious link inside an event invite, so it lands in your agenda with a reminder attached instead of in a spam folder. ClickFix interrupts you with a counterfeit error or update page that instructs you to copy a command and run it yourself, which infects your machine while sidestepping the browser’s protections. The advisory’s framing of scale is blunt: it cites global fraud losses estimated at $580 billion for 2025.

The advisory’s most repeatable line is also its most concrete:

“Never scan a QR code from an unexpected email using your personal phone.”

— Laurie Richardson, VP, Trust and Safety, Google, in the 8 Jun 2026 advisory.

PatternThe lureThe free fix
Calendar phishingMalicious link inside an event inviteRestrict auto-add; report, do not just delete
ClickFixFake fix-it page says “paste this command”Never paste a command you did not go looking for
QR baitCode in an unexpected emailDo not scan from unknown senders

Patterns from Google’s advisory, 8 Jun 2026.

Why this lands on AI-automated teams

Both patterns exploit trust that AI tooling quietly raises. A team running scheduling links, an AI notetaker and assistant-created events has taught itself that machine-generated calendar entries are normal, which is exactly the reflex calendar phishing borrows, and the same calendar surface your meeting notetaker writes to is the one an attacker now writes to. ClickFix, meanwhile, is a counterfeit of the most familiar motion in modern tool setup: copy this, paste it in your terminal. Anyone who has wired up an automation by following paste-this instructions, the workflow the coding-CLI security read hardens, has rehearsed the exact gesture the scam needs.

That is the observation worth internalising: neither attack needs to beat your software. They borrow habits your tools created, which is the same approved-surface problem the shadow-AI capability read describes from the inside.

The afternoon of fixes

Everything that closes these two holes is free. Restrict Google Calendar’s auto-add so unknown invites need your acceptance before they appear; the options live in Google Calendar’s own settings documentation. Report phishing invites rather than deleting them, so the sender gets flagged for everyone. Adopt one team rule for ClickFix: nobody pastes a command a web page handed them; setup instructions come from vendor docs you navigated to yourself. Audit which AI tools can write to the calendar and cut the stale ones, the same scrutiny the vendor-redflags read applies before a tool gets access at all. Then brief the team with the two patterns by name, because a scam someone can name is a scam that mostly fails.

One unhedged line: if your business runs on Google Workspace and any AI touches your calendar, do the auto-add restriction today, not at the next security review. It is one setting, and it removes the entire delivery channel.

What changes this verdict

Cadence on this piece is 30 days, because active scam waves shift quickly and platform mitigations land fast. Three changes would move it: Google shipping default protections that close calendar auto-add abuse platform-wide; the advisory’s patterns being supplanted by a materially different wave aimed at the same operators; or evidence that AI-scheduling tools themselves add mitigations that make the manual settings unnecessary. We re-test on or before 9 Jul 2026; the Holding-up record for OPS-097 carries any change, dated.

ShareX / TwitterLinkedInEmail

Spotted an error? See corrections policy →

Part of the pillar

AI security for small teams

Practical agent security without an IT department — non-human identity, shadow-AI audits, kill-switches, and tool-memory hygiene for small teams. 9 other pieces in this pillar.

Related reading

OPS-LEDGER · 09 reviewed