That Punchbowl or Evite invitation might be a password-stealing scam
[banner]
The latest email scam looks like an invitation to a party from someone you know. But their email was hacked. If you click the invite, you’re likely to get hacked yourself. If you receive an unexpected invite, do not open it unless you contact the sender by phone or text and ask. Don't reply to the email; if their account has been taken over, you'd be asking the scammers.
[toc]
Summary
Scammers are sending fake party invitations that imitate Punchbowl, Evite, and similar services, often from the hacked account of someone you know.
Clicking the link leads to a fake Gmail or AOL login page. Type your password there, and the scammers take over your email account.
A newer version skips the login page and downloads an installer that gives scammers remote control of Windows computers.
If an invitation arrives unexpectedly, confirm with the sender by phone or text before clicking anything.
Gmail users can upgrade their security to help protect themselves by signing in with a passkey instead of a password.
I've seen this one catch people over and over lately, clients and friends alike. Someone receives a party invitation from a person they know, clicks the link to read it, and types their email password on the page that appears. It's a phishing scam. By the time the account gets locked down, everyone in their contacts has received an invitation appearing to be from them, and there's no telling how many of those people got hacked next.
It's sneaky because it breaks the usual pattern. My standard advice is to be suspicious of anything scary or urgent. This scam looks friendly and inviting instead. Nobody's guard goes up for a birthday party.
A fake invitation email as it appears in Gmail
Variation A: Fake email login page steals your password
The email looks like an invitation from Punchbowl, Evite, or another invitation service. The link doesn't go to that service; it goes to a fake page that looks like the sign-in screen for Gmail, AOL, or Yahoo and asks you to sign in to view your invitation. Type your email address and password there and you've handed over your keys. The scammers sign in to your real account and send the fake invitation to everyone in your contacts. Each victim becomes the trusted sender for the next round.
Variation B: The link loads a remote-control app onto your Windows PC, allowing hackers to take over your computer
The fake invitation page downloading an installer file on a Windows PC
A newer version skips the fake login page. The invitation claims it can only be viewed on a Windows computer, and the page downloads an installer file instead of showing any party details. That installer quietly sets up remote-control software that gives the scammers the same access as a remote IT technician, even after a restart. The file can't run on a Mac, but many of my clients have a Windows PC in the house or family members who do.
If the file was opened on a Windows PC:
Disconnect the computer from the internet right away: turn off Wi-Fi, unplug the network cable, or unplug your modem or router. The scammers' remote connection dies with it.
Open Settings, then Apps, then Installed apps, and remove anything named ScreenConnect Client, the program this scam installs. You may want to remove any other unfamiliar apps. Google their names if you don’t know what they are.
Run a full scan with a security tool. I recommend Malwarebytes, which is free to download, run, and uninstall.
Change your important passwords, starting with email, from a different device. Your email password is extra sensitive: a hacker with access to your email can request a password reset on almost anything else.
If you're not confident the machine is clean, have someone who works on PCs check it before you use it for email or banking again.
What should I do when an unexpected invitation arrives?
Contact the person who supposedly sent it, by phone or text, and ask. Don't reply to the email itself; if their account has been taken over, you'd be asking the scammers.
How do passkeys protect your email account?
Now might be a good time to consider enabling and using passkeys, which can help protect you from many scams. As I explain in my post on what passkeys are and why they beat passwords, a passkey works only on the real website it belongs to. A fake page can copy Google's look, but it can't trigger your passkey, and there's no password for you to type. If you use Gmail, you're in luck: Google has implemented passkeys more thoroughly than any other email provider. Here's how I set this up for clients:
Remove authenticator and phone number verification methods, leaving only passkeys
Go to myaccount.google.com, open the Security tab, and create a passkey under "How you sign in to Google." On an iPhone or Mac, it saves to iCloud Keychain and syncs across your Apple devices.
Turn on "Skip password when possible."
Confirm the passkey works on at least two devices, so a lost phone can't lock you out.
In the 2-Step Verification section, be sure to remove any phone numbers or authenticators. These can be phished, unlike passkeys. But only do this if your software is reasonably up to date; passkeys work only on devices that have gotten updates in the past couple of years. While you're at it, you may want to get backup codes as well, in case you ever get locked out of your account.
From then on, only ever sign in with your passkey. A page asking for your Google password is the alarm bell. Eventually, Google and others may allow you to delete your password entirely, reducing the ways a scammer can take over your account.
What if I already typed in my password?
Move quickly, in this order:
Change your email password from a device you trust.
If you use Gmail, review the security settings in your Google account and remove any mystery email addresses, phone numbers, or devices the scammers may have added.
Check your Sent folder and warn anyone who received a fake invitation from you.
Set up a passkey as described above so this can't happen again.
Is this scam Punchbowl or Evite's fault?
No. The scam emails don't come through their systems. The hackers are borrowing familiar names, the way a counterfeiter sews a famous label onto a fake handbag, and there's nothing the companies can do to stop it. But if you're the one hosting parties, consider skipping these services. Every real invitation you send trains your friends to click links in invitation emails, the exact habit this scam depends on. A plain email or text in your own words gets the RSVPs without giving the scammers a practice run.
Key takeaways
Confirm any unexpected invitation with the sender by phone or text, never by replying to the email.
Never type your email password or download a file to view an invitation. Real invitations require neither.
If you use Gmail, set up a passkey this week, confirm it works on two devices, then remove phone numbers and authenticators from 2-Step Verification.
If you host events, invite people with a plain email or text so your guests never get used to clicking invitation links.
Further reading
What are passkeys, and why should you use them instead of passwords?
Reduce scam risks by disabling 'Use Smart Addresses' in Apple Mail
If you'd like help setting up passkeys, checking whether your accounts have been compromised, or building better defenses against phishing scams, that's exactly what I do during a digital security audit. I offer one-on-one tech tutoring in San Francisco and Washington DC in person, or over Zoom anywhere. Book a session, and we'll lock things down together.