Beware of iCloud Calendar invites mentioning PayPal: It’s a phishing scam

Published: Sep 12, 2025

Scammers and phishing actors are abusing iCloud Calendar (again). This time, their goal is to lure victims with fake PayPal phishing callback scams.

Online reports from the past week show a significant uptick in iCloud Calendar invites targeting Apple users, some of them carrying other scams as well. In this report, we break down what’s happening, why it’s important, and how Apple users can stay safe.

A new wave of iCloud Calendar phishing emails is being sent via Apple’s own servers

On September 7, Bleeping Computer reported that one of its readers had shared a noteworthy email revealing a new technique being used to abuse iCloud Calendar invites.

While iCloud Calendar has been plagued by spam, scams, and cyberattacks since 2016, this seems to be the first time bad actors have managed to actually send a phishing lure using Apple’s own servers. 

By using Apple’s servers and Apple’s iCloud emails, scammers create a stronger false sense of legitimacy. This gives their phishing campaigns a higher chance of success.

By disguising the email as “purchase notifications directly from Apple’s email servers,” attackers also bypass spam filters and iCloud Calendar security features, Bleeping Computer reported.

How does the PayPal iCloud Calendar scam work?

The phishing iCloud Calendar invite, first reported by Bleeping Computer, was a callback scam.

In these types of scams, victims are urged to contact a specific number where attackers impersonate IT support for brands or organizations. Using social engineering skills, scammers convince victims over the phone to give away their credentials or install malware disguised as software that gives the attackers control over their device. 

As the image below shows, the phishing Calendar invite claims to be a payment receipt for $599 charged against the recipient’s PayPal account. It also includes a phone number to “discuss the payment or make changes to it.”

The iCloud Calendar phishing email was shared and reported on by Bleeping Computer. Image: Screenshot, Moonlock.

The email reads, “Hello Customer, Your PayPal account has been billed $599.00. We’re confirming receipt of your recent payment.” 

Users fooled by this email think their PayPal is being charged without their consent and call the fake PayPal support phone number to fix the “mistake.” On the other end of the line is a scammer who impersonates PayPal support.

According to Bleeping Computer, the scammer will claim that they need to remotely connect to the caller’s computer to do a refund. The next step is malware being downloaded onto the victim’s computer. 
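As an added illustration (not code from Moonlock, Bleeping Computer, or Apple), the sketch below shows how a mail gateway or triage script could flag the pattern described above: a calendar invite from an unknown organizer whose text pairs billing language with a phone number. The sample invite, organizer address, phone number, indicator names, and the `known_organizers` parameter are all constructed for this example.

```python
import re

# Constructed sample modelled on the lure quoted above; address and phone are placeholders.
SAMPLE_ICS = (
    "BEGIN:VCALENDAR\r\nBEGIN:VEVENT\r\n"
    "ORGANIZER;CN=Billing:mailto:sender@example.com\r\nSUMMARY:Purchase Invoice\r\n"
    "DESCRIPTION:Hello Customer\\, Your PayPal account has been billed $599.00.\r\n"
    "  We're confirming receipt of your recent payment. To discuss the paymen\r\n"
    " t or make changes to it\\, call +1 (800) 555-0199.\r\n"
    "END:VEVENT\r\nEND:VCALENDAR\r\n"
)

PHONE = re.compile(r"(?<!\d)(?:\+?\d{1,3}[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}(?!\d)")
MONEY = re.compile(r"\$\s?\d[\d,]*(?:\.\d{2})?")
BILLING = re.compile(r"\b(billed|charged|invoice|receipt|payment|refund)\b", re.I)


def parse_event(ics):
    """Unfold RFC 5545 lines, unescape TEXT values, return the first VEVENT's properties."""
    unfolded = re.sub(r"\r?\n[ \t]", "", ics)  # a folded line continues after CRLF + one space
    props, in_event = {}, False
    for line in unfolded.splitlines():
        if line == "BEGIN:VEVENT":
            in_event = True
        elif line == "END:VEVENT":
            break
        elif in_event and ":" in line:
            name, value = line.split(":", 1)  # simplification: ignores quoted ':' in parameters
            value = re.sub(r"\\(.)", lambda m: "\n" if m.group(1) in "nN" else m.group(1), value)
            props[name.split(";", 1)[0].upper()] = value
    return props


def callback_indicators(ics, known_organizers=frozenset()):
    """Return the set of callback-phishing indicators found in an invite."""
    ev = parse_event(ics)
    text = " ".join(ev.get(k, "") for k in ("SUMMARY", "DESCRIPTION", "LOCATION"))
    organizer = re.sub(r"^mailto:", "", ev.get("ORGANIZER", ""), flags=re.I).lower()
    checks = {
        "phone_number": bool(PHONE.search(text)),
        "money_amount": bool(MONEY.search(text)),
        "billing_language": bool(BILLING.search(text)),
        "payment_brand": "paypal" in text.lower(),  # brand named in this lure
        "unknown_organizer": organizer not in known_organizers,
    }
    return {name for name, hit in checks.items() if hit}


def is_callback_lure(ics, known_organizers=frozenset()):
    """Flag invites pairing a phone number with billing content from an unknown organizer."""
    hits = callback_indicators(ics, known_organizers)
    return {"phone_number", "unknown_organizer"} <= hits and bool(hits & {"money_amount", "billing_language"})
```

A phone number alone is not treated as suspicious, since legitimate invites often include dial-in or contact numbers; the combination with billing content is what raises the flag.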

This is not an isolated case, and it’s far from the first time Calendar has been abused

Just one day after Bleeping Computer ran its PayPal iCloud Calendar report, 9to5Mac reported that they too have been receiving a “whole bunch” of iCloud Calendar emails in the past days. The outlet said most were related to crypto scams.

Users who think that declining Calendar invites solves the problem are mistaken. When a calendar invite is declined, the spammer gets notified. This encourages them to send even more spam because they now know there is an active Apple account user on the other end.

We’ll cover what really solves the problem at the end of this report.

Is the iCloud Calendar phishing scam new?

We spoke with Fergal Glynn from Mindgard to get his insight on this new technique and how novel it is.  

“This kind of attack is new,” Glynn said. “Apple Calendar spam has been around for years, but using Apple’s own mail servers for phishing is only a recent shift.”

Back in 2016, users began reporting a wave of incoming spam reaching their inboxes directly via Apple Calendar invites. The situation got so bad that Apple apologized for the levels of spam abusing the company’s Calendar feature. Since then, the issue has continued to reemerge from time to time with different variations of scam scripts.

Apple has come up with several attempted solutions over the years, but none of them seems to have gotten the job done. In 2021, the company even released an official video (see below) on how to deal with spam Calendar invites. 

Fast-forward to September 2025, and another iCloud Calendar phishing wave is in full swing. However, Glynn says this new scam has a sophisticated technique that should be a red flag. In essence, the problem is that it exploits Apple’s trusted mail system to get around the security system and land in users’ inboxes.

So, is this a vulnerability? Should users expect Apple to patch this via a security update anytime soon? According to Glynn, unfortunately, no patch is forthcoming. 

“This is an abuse of a legitimate functionality and not a new vulnerability,” said Glynn. 

Apple previously patched serious Calendar vulnerabilities, including critical zero-click exploits, he explained. Glynn added that this technique is not exploiting a security flaw, but a design feature of the invite function. 

“Apple should restrict invite functionality to prevent malicious content,” Glynn said.

What to do when your iPhone inbox or Calendar looks like this

We searched online for users complaining about iCalendar scams, spam, or phishing attacks and found that these are more common than they ought to be. Apple users repeatedly express their frustration with this security issue, which has not yet been fixed by Apple.

The screenshot below, shared by a user on Reddit 8 months ago, shows the sheer volume of malicious Calendar invites users are getting.

A Reddit user shared this screenshot of a ridiculous amount of Calendar spam. Image: Screenshot, Moonlock.

Other common Calendar scams include iCloud Photo Sharing albums or images, iCloud payment scams, and money-back scams. 

What can Apple users do to stop getting spam and phishing messages via Calendar?

We asked Glynn what Apple users can do, as many say online that they cannot find a way to block these invites. 

“Users should disable automatic invite acceptance, scrutinize unexpected invites, and never call suspicious phone numbers,” Glynn said. 

“Apple needs stricter Calendar invite content controls,” he warned. 

Apple’s step-by-step instructions on how to stop Calendar spam and phishing are time-consuming

While not the best fix because it requires going through each and every spam invite you get, Apple officially says that users should report junk or spam Calendar invites. 

To do this:

  • Go to icloud.com/calendar and sign in to your Apple Account.
  • Open the event you want to report and click Report Junk.
  • Click the Close button.

The company also says users can go into their Calendar, click on the spam event, and choose to “Unsubscribe” from the sender. In theory, this sends the spammers no notification, so they do not learn that your account is active.

Unfortunately, the methods Apple proposes are less than ideal, given the high levels of spam that many users are dealing with. Both methods involve the time-consuming process of manually reporting and unsubscribing from each and every sender. 

Apple’s official YouTube video on how to stop Calendar invite spam presents a very time-consuming process that frustrates users, given the volume of spam they get. Image: Screenshot, Moonlock.

As Glynn told us, the most effective solution may be disabling automatic calendar invite acceptance in iCloud settings and setting it up to require manual approval for external invitations. 

“Users can enable Advanced Data Protection for iCloud, even if the calendar data can’t be end-to-end encrypted, as it requires third-party integration,” he added. 

Final thoughts 

Apple iCloud Calendar malicious invites are once again on the rise. While bad actors have found a dangerous new way to use Apple’s own server to send out phishing invites, the gist of the scam is nothing new. These attempts should be easy for most users to spot.  

Unfortunately, it seems that there is no quick fix here. With no update or security patch currently on its way, it seems this problem isn’t going anywhere.  

This is an independent publication, and it has not been authorized, sponsored, or otherwise approved by Apple Inc. Mac, iCloud, and iPhone are trademarks of Apple Inc. PayPal is a trademark of PayPal, Inc.

Ray Fernandez

Ray has been covering tech and cybersecurity for over 15 years. His work has appeared on TechRepublic, VentureBeat, Forbes, Entrepreneur, and the Microsoft Blog, among others.