The Federal Trade Commission issued a warning Tuesday about a phishing scam that arrives as an unexpected “You’re Invited” text or email and asks recipients to enter their email login credentials to view event details.
Cybersecurity specialist Chris Wright, who has tracked the messages, said the attacks often lean on familiar brands and a convincing surface to get people to act. Wright warned they trade on “borrowed credibility” and can look like “a wedding or a higher stature event or something like that.”
The weight of the alert is simple and immediate: the scam is sent via text or email; some fake invitations appear to come from well-known invitation platforms like Evite or Paperless Post; and “Some messages list someone you know as the host and make you enter your email username and password to see event details,” the FTC said. Other versions instruct recipients to “enter a phone number and share a special code to RSVP. That’s not how real invitations work.”
If you’ve been wondering what is a phishing scam, this is the answer on display — a message that pretends to be a harmless social invite but is designed to steal or reset account information so attackers can take over email accounts and resend the same lure to contacts. The FTC says it is getting reports of unexpected “You’re invited” texts and emails during graduation and summer party season, and warns recipients to resist the urge to click and to check with the named host before doing anything.
Wright described how the trick works in practice: scammers often “on to brands that you know, like Evie and other ones,” making the message trustworthy at a glance. One of the most common versions uses a fake login page that appears to be from Microsoft or Google and tells the recipient they must sign in to view the invitation. “If you actually look at the URL, it’s going to be nothing that looks like Microsoft or Google or anything that it says it is,” Wright said, and yet a Gmail recipient may be shown “a very convincing looking Gmail logon page.”
Beyond stolen passwords, some invitations carry a more dangerous payload. Wright said another version prompts the user to download an executable file that appears to be the invitation. “In all actuality, that executable file just gave the attacker remote access to your computer,” he said, which can let an attacker reach email, financial information and private files.
The tension in the story is that these scams look, for a moment, like real invitations from people you know or services you trust. That borrowed trust is precisely what the attackers hope will bypass caution. Wright said there are basic checks that “more often than not, is going to give it away as a scam”: slow down before clicking, inspect emails carefully, check the sender details, click to reveal the full email address and hover over links to preview where they lead.
The FTC lays out concrete steps for anyone who receives an unexpected invite: don’t click; check with the host directly to confirm the invitation; forward phishing emails to the Anti-Phishing Working Group at reportphishing@apwg.org; forward phishing texts to SPAM at 7726; and then report the attempt at ReportFraud.ftc.gov. Those steps matter because the goal is not only your one login but the attacker’s ability to use your account to reach the people you know.
Put plainly: this is phishing by social means — a party invitation used as the bait. If you get one and it makes you think “I did get that,” Wright said, that instinct is precisely the warning sign. Slow down, verify with the host, and report the message. Treating an unexpected invite the same way you would a suspicious attachment will stop many of these scams before they spread.
