I Scanned a QR Code and It Added a Calendar Event — Is It a Scam?
You scanned a QR code and now there's an unfamiliar event in your Google Calendar, Apple Calendar, or Outlook — probably claiming you won a prize, that a delivery needs confirmation, or that your account requires urgent action. Here's what happened, what the real risk is, and exactly what to do.
The event itself is not malware — but the link inside it is the threat
Take a breath. A calendar event added by a QR code cannot install software on your device, steal your passwords, or access your contacts just by appearing in your calendar. It is a data file, not an executable.
The danger is what the event contains. Calendar spam events are engineered to look urgent — a fake delivery notice, a prize claim, a billing alert, or an account verification request — and each one includes a link. That link leads to a phishing page designed to harvest your credentials or payment details. As long as you do not tap the link inside the event, you are not at risk from this attack.
How a QR code ends up adding a calendar event
QR codes can encode more than just web URLs. Two mechanisms allow a QR code to trigger a calendar add:
- An iCalendar data URI. The QR code contains a
BEGIN:VCALENDARblock directly. When your phone scans it, the OS recognizes the format and offers to add the event — sometimes without asking. - A link to a .ics file. The QR code redirects to a calendar file hosted online. Your browser downloads the file and hands it off to your calendar app, which adds the event automatically.
These QR codes are placed on flyers slipped under windshields, stuck to parking meters, tucked into restaurant menus, or attached to fake email delivery notices — anywhere footfall is high enough to get clicks on the phishing link inside.
What to do right now
- Do not tap any link inside the event. This is the only action that turns a nuisance into a real threat. Treat every link in an unexpected calendar event as a phishing link until proven otherwise.
- Delete the event. Open your calendar app, find the event, and delete it. On Google Calendar, long-press the event → Delete. On iOS Calendar, tap the event → Edit → Delete Event. On Outlook, right-click → Delete.
- Turn off automatic calendar invitations on Google Calendar. Go to calendar.google.com → Settings (gear icon) → Event settings → change “Automatically add invitations” to “No, only show invitations to which I have responded.”
- Turn off calendar invitations from unknown senders on iPhone. Go to Settings → Calendar → scroll down to “Invitations from Unknown Senders” and toggle it off.
- Disable automatic meeting request processing in Outlook. Go to File → Options → Mail → scroll to “Send automatic replies” and adjust meeting request handling to require manual acceptance from external senders.
If you already tapped the link inside the event and entered any information, treat it as a phishing incident. See the full recovery checklist for step-by-step instructions based on what you submitted.
How to prevent this from happening again
The root problem is that your phone processed the QR code before you could evaluate where it was sending you. The fix is to put a checkpoint between the scan and any action your phone takes.
- Scan with QRsafer first. QRsafer checks the QR code's destination against threat intelligence databases before your device has a chance to process the link or download any file. A destination associated with phishing or malicious calendar spam will return a Dangerous verdict before anything loads.
- Be skeptical of QR codes on printed material you didn't request. Flyers under windshields, stickers on public surfaces, and paper slips left in mailboxes are common delivery methods for calendar spam QR codes.
- Keep your calendar privacy settings locked down. The “automatically add invitations” features on Google Calendar and iOS Calendar are convenient but make these attacks frictionless. Disable them permanently.
For more on what can happen after scanning a suspicious code, I scanned a QR code and it opened a weird website covers the full range of unexpected QR code behaviors.
Frequently asked questions
Can a QR code add a calendar event without me tapping anything?
Yes. QR codes can encode an iCalendar (.ics) data URI or link directly to an .ics file. When your phone decodes the code, your OS may prompt you to add the event — or in some configurations, it adds it silently. The event itself is not malware; the link inside it is the threat.
Is the calendar event itself dangerous?
The event file cannot steal your data on its own. The risk is the link it contains — disguised as a prize claim, delivery confirmation, or account alert. Tapping that link opens a phishing page. Delete the event without tapping any links inside it.
How do I stop QR codes from adding events to my calendar in the future?
On Google Calendar: Settings → Event settings → turn off “Automatically add invitations.” On iOS: Settings → Calendar → turn off “Invitations from Unknown Senders.” On Outlook: disable automatic processing of meeting requests from external senders. For advance protection, scan any QR code with QRsafer before your device processes its destination.
Check a QR code before your phone acts on it
QRsafer checks the destination URL for threats before your device downloads any file or opens any link. Free on iOS and Android.