The Wily Spammers Infiltrating Google Hangouts and Calendar

You have to admire their ingenuity.

[Illustration showing invites on Google from cam girls. Natalie Matthews-Ramo]

When I looked at my Google Calendar, I realized I had a busy Friday ahead of me: two interviews with sources, a conference call. And then I noticed something surprising: an event scheduled for 4 a.m. to 5 a.m.?

I clicked on the event titled “RE,” and in the event details box was a message from Mrs. Sandrine Nzi, who desperately needed my help in donating her late husband’s money to start an orphanage. A noble cause, I’m sure, but I deleted the invite. (Mrs. Nzi, if you’re reading this and you really do want me to manage your funds, please get in touch again. You apparently already know my email.)

A couple months later, I started getting spam messages via Google Hangouts. Unlike Mrs. Nzi’s message, these were less wholesome. Leonarda, Dmitriy, Satish, Joana, and Alyce were all cam girls who’d started group chats with several dozen people, inviting us to watch their feeds. These chats popped up in my Gmail window in the middle of the day, sometimes with NSFW photos. Thankfully, I work from home, but I imagine if I did have co-workers, they’d have questions about what I was up to on my screen. The spammers in these chats were persistent; in Leonarda’s, for instance, a user named Jose kept sending links to various cam girls’ Snapchat accounts, one of which included a gay slur. Sometimes, other recipients of the spam chats responded. Jim seemed eager to have gotten attention from a cam girl: “Tell you what Kimberly if you want let’s meet up,” he replied to the other 46 people in the chat.

I was desperate to stop the constant pings. But despite my best efforts, I could not figure out how. I tried to leave the chat, but I didn’t see an option to do so, nor did I see a way to just block the spammy account. A Google rep later told me that in each chat’s settings, there is a “leave conversation” option—good news, though it’s confusing why I didn’t see it when I initially received the chat—and explained how to block the spammers. After exchanging several emails with this helpful rep, it appeared that the only way I could block my spammer was to send them a chat invite—not exactly what I wanted.* There was also no way to just block the spammy account. Finally, I found a solution: I removed every other person from one of the chats I was in. To keep it from happening again, I looked into changing my settings for Hangouts invitations. But there was no way to prevent it. If a user has your phone number or email address, Hangouts allows you to choose between two options: They can send you invitations or contact you directly. While there is a setting to block invitations from “everyone else,” a spammer who has your email or number can still send you invites.*

Because I am hopelessly dependent on Google products, I tried to Google search my way to a solution. What I found instead were folks on Reddit, Google’s support site, and an Android message board describing the same problems with Hangouts and Calendar. On Quora, a guy named Brad said he even got a call through Hangouts that he suspected was a sexy spammer. These aren’t the only Google products spammers have exploited to run their schemes: Redditors posted about location sharing requests they received on Google Maps for Android from “You Have Received a Free Prize,” which sounds like the digital equivalent of free candy from an unmarked white van. Luckily, Google’s weeded out that problem: In October, it announced it was disabling Nearby, the feature that enabled these spammy notifications.

The hive mind, alas, provided no good solutions to preventing Hangouts spam. But there is a small tweak you can make to mitigate Calendar spam: In your settings, deselect “automatically add events from Gmail to my calendar” so that any spam invitations won’t autopopulate amongst the things you actually have scheduled. Still, that doesn’t stop the spammy messages from appearing in your email inbox.

A Google spokesperson told me that the company is “deeply committed to protecting our users from spam across our services,” pointing out that the company has options for users to report spam in Calendar and Maps and to block users on Hangouts. But even Hangouts’ blocking function only works once you’ve accepted chat requests. It won’t stop new spammers’ invitations from popping up.

To be fair to Google, spam is not a straightforward problem to solve. It’s done a phenomenal job of relegating business deals from Nigerian princes and extremely wealthy widows to my Gmail spam box while making sure emails with legitimate offers still get to me. Google told me its spam filter has a 99.9 percent accuracy rate, no small feat given how spam prevention is like whack-a-mole. A 2010 paper presented at a spam conference called this a “mutual evolution of spammers and spam filters.” For instance, spammers used to send messages with all text in a photo because filter bots can’t read photos—this is the idea behind CAPTCHA. But then developers wised up to that strategy and blocked all messages their filters couldn’t read.

To the casual observer, it seems inconceivable that spam could be worth it. Why put so much effort into something so obviously fake? But it turns out spam’s actually quite profitable. A 2008 study in which researchers sent out their own spam found that the “conversion rate” for penis enlargement ads—that is, the number of people who fall for messages and give spammers their credit card number—was 0.00001 percent. That sounds tiny, but it resulted in $2,731.88 worth of purchases over a month. The researchers estimated that if they’d scaled up the number of bots they used, they could make upward of $9,500 a month. (Lucky for those spammed in this study, they received an error message after clicking on the “checkout” button on the researchers’ fake website.)

In some strange way, I admire the forward-thinking spirit of my Calendar and Hangouts spammers. They’re on the vanguard of this arms race. Rather than joining the crowded market of email scammers, I imagine the folks who run Calendar, Hangouts, and Maps bots are seeking out new challenges, with potentially big rewards. Good luck to them, but I’m still not clicking their invites.

Future Tense is a partnership of Slate, New America, and Arizona State University that examines emerging technologies, public policy, and society.

Correction, April 12, 2019: This article originally misstated that there’s no setting to block invitations from users you don’t know. There is a function to block invitations from people who do not have your phone number or email address. The article also said incorrectly that there is no way to leave conversations or block users you don’t know. A Google rep later told the author that there is a way to block spammers, but it appears the only way she could block her spammer was to send them a chat invite.