Birthday invite or phishing trap? AG’s office warns of new email scam

Careful whose online party invitation you accept — it could result in your email credentials being stolen.

The Attorney General’s Office is warning Pennsylvanians about a new email invitation phishing scam in which consumers receive email invitations from compromised accounts belonging to friends or acquaintances.

The scam often includes a link prompting recipients to view the invitation and RSVP. When recipients click the link, they are asked to log in or connect using an online account such as Google, Apple or Microsoft.

Once recipients log in, malware can be installed on their devices, and their email information can be stolen.

“Scammers are constantly evolving their tactics to appear more credible and trustworthy,” said Attorney General Dave Sunday, in a news release. “If you receive an unexpected invitation that requires you to log in or provide personal information, take a moment to verify it directly with the sender – that extra step can protect your personal data and prevent serious harm.”

Online invitation services began appearing in the early 2000s and have grown in popularity as an alternative to paper invitations and phone calls. Some of the more popular platforms, such as Evite, are used by more than 100 million people annually to send digital invitations. Evite has been in operation since 1998 and hosts more than 6 million invitations each year, according to PR Newswire.

Sunday’s office said legitimate invitation platforms will not require users to sign in simply to view an invitation, though they may later prompt recipients to sign in to RSVP. Legitimate invitations also will never ask for a password and rarely require downloads.

The Attorney General’s Office urges people to take precautions when responding to invitations sent through digital invitation or social planning platforms.

Recipients should verify invitations with the sender by text message or phone call, be cautious of generic invitations, and hover their mouse over links to view the URL and confirm it leads to a legitimate website.

People concerned that their email may be compromised should change their password immediately, enable two-factor authentication on their email account, and report the email as a phishing attempt or scam.