Why is X running a phishing scam with event invites?
What happened
A new phishing campaign is targeting people through spoofed invitations. Hackers are impersonating brands used for sending and managing events—specifically Paperless Post, Evite, and Punchbowl—with the goal of getting recipients to interact with malicious content.
The warning is that the scam is designed to creep onto a victim’s hard drive. In other words, it is not just phishing for passwords in the usual way; it aims at broader compromise of the device.
Why it matters
This type of attack matters because invitations are a high-trust context. When you receive something that looks like a legitimate RSVP or event message, you’re more likely to click quickly—especially if it appears time-sensitive.
A few practical takeaways from the incident:
- Don’t trust the sender identity implicitly. Even well-known services can be spoofed.
- Treat unexpected invitation links as suspicious. The brands named (event-invite platforms) are commonly used, so look for anything that doesn’t match what you expect.
- Be cautious about attachments and link destinations. The threat model here is device-level compromise.
For consumers, the key is to slow down when you see an invitation that you didn’t expect or that pushes you to click right away. Checking the URL and confirming whether the event truly came from a trusted sender can help prevent the phishing flow before it reaches your device.
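The URL and sender check described above can be automated. The following is an added example, not code from the article or from any of the named services. It compares the brand claimed in the From display name against the sender's address domain and the real link targets. The brand domains in `BRAND_DOMAINS` are an assumption (the article does not list them), and the sample message is constructed.

```python
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: the brands' own domains (not listed in the article).
BRAND_DOMAINS = {"paperless post": "paperlesspost.com",
                 "evite": "evite.com", "punchbowl": "punchbowl.com"}

# Constructed sample message; the .example hosts are placeholders.
SPOOFED = """From: "Evite Invitations" <rsvp@evite-mail.example>
Subject: You're invited!
Content-Type: text/html; charset="utf-8"

<p>You have a new invitation.</p>
<a href="https://evite.com.rsvp-view.example/open?id=1">View invitation</a>
"""

class LinkCollector(HTMLParser):
    # Collects the real href targets, ignoring the visible link text.
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]

def host_in_domain(host, domain):
    # Exact match or true subdomain; "evite.com.x.example" must not pass.
    host = (host or "").lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def check_invite(raw):
    """Return mismatches between the claimed brand and sender/link hosts."""
    msg = email.message_from_string(raw, policy=policy.default)
    display, addr = parseaddr(str(msg.get("From", "")))
    brand = next((b for b in BRAND_DOMAINS if b in display.lower()), None)
    if brand is None:
        return []  # no known brand claimed; out of scope for this check
    domain, findings = BRAND_DOMAINS[brand], []
    if not host_in_domain(addr.rpartition("@")[2], domain):
        findings.append(f"sender {addr} is not on {domain}")
    body = msg.get_body(preferencelist=("html",))
    links = LinkCollector()
    links.feed(body.get_content() if body else "")
    for host in (urlsplit(h).hostname for h in links.hrefs):
        if not host_in_domain(host, domain):
            findings.append(f"link host {host} is not on {domain}")
    return findings
```

Calling `check_invite(SPOOFED)` returns two findings: one for the sender address and one for the link, whose host only starts with the brand's domain.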