Google published its June 2026 fraud and scams advisory this week, and buried in it is something genuinely new: a phishing attack that doesn’t require you to click anything. It lands directly in your Google Calendar, and most people have no idea it’s there until they see a fake bill for several hundred dollars.

That’s one of several scams the company is flagging this month. AI-powered fraud has exploded, and the tactics are getting harder to spot.

The calendar trick

Here’s how it works. Scammers send a calendar invitation that includes a fake subscription renewal notice, complete with a large dollar amount, an invented transaction ID, and a phone number to call if you want to dispute the charge.

The problem: Google Calendar automatically adds event invitations to your schedule even from people you’ve never interacted with. The malicious invite lands in your calendar without you opening any email, without you pressing accept, without any action on your part at all.

When you see the event and panic about a $349 renewal you don’t remember signing up for, you call the number. That’s the scam. The person on the other end gets your bank details, your credentials, or both.

“Calendar automatically adds event invitations to your schedule from people you’ve never interacted with, and the malicious invite can land on your calendar without you opening any email or pressing accept.”, Google Safety Team, June 2026

The fix: go into your Google Calendar settings and change event invitations from “Automatically add to calendar” to “Only if the sender is known.” You can also disable calendar invites from strangers entirely.

The AI angle

The bigger context of Google’s advisory is the role AI is now playing in fraud. The company cites industry reports showing 1,210% growth in AI-powered scams including deepfakes, voice cloning, and synthetic identities.

Voice cloning is the one that’s landing hardest right now. Scammers take a few seconds of someone’s voice from social media or voicemail and use AI to generate a convincing clone. Then they call the victim’s family members claiming to be them: stranded at a border crossing, arrested overseas, in a hospital. They need money wired immediately.

“AI-powered scams including deepfakes, voice cloning and synthetic identities are driving massive losses, with industry reports showing 1,210% growth.”, Google, June 2026

If you get a call that sounds like a family member in distress, hang up and call them back directly on a number you already have. Do not wire money based on an incoming call alone.

QR codes are now a major attack surface

The third trend in Google’s advisory is “quishing”, phishing via QR code. It works because most people trust a printed QR code, especially if it appears in a physical location like a parking garage, a restaurant table, or a package.

Microsoft Defender reported a 146% increase in QR code phishing detections from January to March 2026 alone. The attack often leads to a fake login page that harvests your credentials, or a prompt to install malware.

The rule: never scan a QR code from an unexpected email using your personal phone. For QR codes in physical spaces, check that the sticker hasn’t been placed over the original.

How big the problem actually is

To put numbers on this: global fraud losses reached approximately $580 billion in 2025. About one in five adults fell victim to a scam that year. Americans alone lost more than $11 billion to cryptocurrency-related scams.

The rate of attacks is not declining. If anything, AI has made fraud faster to deploy and harder to detect, which means the numbers are likely to get worse before they get better.

What to do right now

Three things worth doing today:

  • Google Calendar: Change your invitation settings so only known senders can add events.
  • Phone calls: Set up a family code word that only you and close relatives know. If someone calls claiming to be a family member in crisis, ask for the code.
  • QR codes: Navigate directly to websites rather than following QR codes from unexpected places.

Google’s full advisory is live on the Google Blog if you want the complete list of attack vectors and recommended settings.

For more on tech news and platform changes affecting your daily life, visit the Tech section.