Fake event invitation email steals your login credentials or installs remote access software
An email appearing to be a party or event invitation from a compromised account leads to a fake Google or Apple login page to steal credentials — or silently installs ScreenConnect, giving attackers full remote access to your device.
Also known as: RSVP phishing scam, fake event invitation malware, party invite ScreenConnect scam, invitation link credential theft, fake Evite phishing
Already happened to you? Do this in the next few minutes
- 1 Call your bank or card's fraud line right now. Use the number on the back of your card — not any number from the message or caller. Ask them to stop or reverse the payment and freeze the account.
- 2 If you paid by gift card, wire, or an app (Zelle, Venmo, Cash App): contact that company immediately and report it as fraud. Acting fast sometimes recovers the money.
- 3 Report to the FBI at ic3.gov and the FTC at reportfraud.ftc.gov. The sooner, the better.
- ! If you installed any "support", "server", "refund", or remote-access app at their request (AnyDesk, TeamViewer, Quick Support, etc.): disconnect the internet now, then run free SeraphSecure (https://www.seraphsecure.com) to detect and remove it.
What to do right now
- 1 Do not click any link or open any attachment in an unexpected invitation email — contact the sender directly by phone or a separate message to confirm they sent it
- 2 If an invitation link prompts you to sign in with Google, Apple, or Microsoft, close the page immediately — legitimate services do not require login just to view or RSVP to an event
- 3 If you entered your credentials on an invitation page, change that password immediately and enable two-factor authentication on all accounts linked to that email
- 4 If you downloaded and ran any file from the invitation (especially a .msi or .exe file), assume your device may be remotely controlled — disconnect it from the internet and seek help from a trusted technician
- 5 If you installed any 'support' or 'server' or 'refund app' or remote-access app at the scammer's request (AnyDesk, TeamViewer, Quick Support, etc.), run free SeraphSecure (https://www.seraphsecure.com) to detect and remove it.
- 6 Report to the FTC at https://reportfraud.ftc.gov and the FBI's IC3 at https://www.ic3.gov.
Was remote-access software installed?
If a scammer asked you to install AnyDesk, TeamViewer, Quick Support, or any remote-access app, your device may still be compromised.
Run SeraphSecure to detect and remove it →Red flags
- ⚠ An invitation arrives from someone you know — scammers use compromised accounts so the email clears spam filters and looks trustworthy
- ⚠ The RSVP link requires you to 'sign in' with Google, Apple, or Microsoft before viewing the invitation — legitimate invite services never require login just to read an RSVP
- ⚠ After clicking a link or opening an attached file, nothing obvious happens — that silence can mean credentials were stolen or software was silently installed in the background
- ⚠ The invitation includes a downloadable file (.msi, .exe) — no real invitation requires installing a program to view it
- ⚠ Urgency language ('RSVP by tonight,' 'limited seats,' 'confirm now') is designed to stop you from pausing to verify with the sender
Known variants
-
A fake party invitation email includes a downloadable MSI file (RSVPPartyInvitationCard.msi) that silently installs ScreenConnect, giving the attacker full remote access without any visible sign on the victim's screen.
Last seen: 6/4/2026
-
Text or email impersonating Evite or Paperless Post shows a real friend as host and prompts you to enter your email username and password to 'view the invite.' Goal is email account takeover — scammer then blasts the same attack to all your contacts.
Last seen: 6/4/2026
-
A fake Evite or Paperless Post invitation presents 'Sign in with Google' or 'Sign in with Microsoft' OAuth buttons. 80+ phishing domains (mostly .de, active since December 2025) share the same credential-harvesting backend; a stolen Google or Microsoft account cascades to every service using 'Continue with Google.'
Last seen: 6/4/2026
Sources
- Pennsylvania AG — New email invitation phishing scam alert (May 2026)
- Malwarebytes — Fake party invitations installing ScreenConnect remote access (Feb 2026)
- ConsumerAffairs — Scammers using fake invitations to steal personal information (May 2026)
- FTC Consumer Alert — Asked to enter your email address and password to open a party invite? That's a scam (May 2026)
- TechTimes — Fake Party Invitation Phishing Scam Spoofs Google and Microsoft OAuth Logins: FTC Warns (May 2026)
- ABC News — FTC warns about email scam masking as party invitations (May 2026)
- NewsNation — FTC issues warning about fake graduation party invitations (June 2026)
- WCNC — Is that graduation party invite real? FTC warns of phishing scam texts and emails (June 2026)