Somewhere between the cap-and-gown photos and the open-house planning, millions of Americans will receive digital party invitations this month. The Federal Trade Commission wants you to know that some of those invitations are traps.
In a consumer alert published in May 2026, the FTC warned that scammers are sending fraudulent messages designed to look like they came from Evite or Paperless Post. The messages, which the agency says may arrive by email or text, surface during peak graduation season and include a link to “view” an invitation. But instead of showing party details, the link leads to a credential-harvesting page that asks for your Google or Microsoft email password, or a “special pass code,” before you can see anything. In the agency’s words: “If you get an invite to a party or event and are asked to enter your email address and password to see it, don’t. It’s a scam.”
The figure of 80 spoofed domains has circulated in coverage of this campaign, though the FTC’s published alert does not list or confirm a specific count of fraudulent URLs. What the agency does confirm is the playbook: attackers are registering domains that closely mimic the real Evite and Paperless Post websites, timing the push to the weeks when digital RSVPs feel completely normal.
Why graduation season is the perfect cover
Phishing campaigns are built around expectations. Fake shipping alerts spike during the holidays. Bogus tax documents flood inboxes in April. And fake party invitations hit hardest in May and June, when high school and college graduations generate a wave of legitimate digital invites that prime people to click without thinking twice.
Evite and Paperless Post are household names, and that familiarity is exactly what the attackers are exploiting. The FTC’s broader phishing guidance explains that scammers deliberately impersonate trusted brands because recognition lowers a person’s defenses. A link that appears to come from a service you have used before does not set off the same alarm bells as a message from an unknown sender.
The stakes go well beyond losing access to one inbox. Once an attacker has your Google or Microsoft password, they can rifle through years of email archives, cloud-stored documents, and banking notifications. They can trigger password resets for every other service tied to that address. A single stolen login can open the door to financial fraud, identity theft, and unauthorized access to workplace systems.
How real invitations work, and how the fakes break the pattern
Knowing the normal flow makes the scam easier to spot. When someone sends you a real Evite or Paperless Post invitation, the link takes you straight to the event details: the host’s name, the date, the location. You can view all of that without logging in. If you want to RSVP, you may need to enter your name and email so the host gets your response, but you are never asked for your email account password.
The phishing versions flip that sequence. Instead of the invitation, you see a login screen styled to look like Google’s or Microsoft’s sign-in page. Some variants ask for a “special pass code” that supposedly unlocks the invite. Others prompt you to approve a multi-factor authentication request. Any invitation that puts a password wall between you and the party details is fraudulent.
Spotting the fake URL is one of the few reliable individual defenses, but it is not easy. The FTC’s cybersecurity resources for small businesses describe how spoofed domains are hard to block at scale. The resource explains that phishing sites can appear and disappear quickly, and the addresses often differ from the real thing by a single character, a swapped letter, or an added word like “secure” or “verify.” Before you type anything into a login field, look at the address bar carefully.
What to do right now
If you have not clicked a suspicious link:
- Do not tap links or scan QR codes in unexpected invitation messages, even if the sender’s name looks familiar.
- Open a browser yourself and go directly to evite.com or paperlesspost.com. Log in to your account and check for pending invitations. If nothing is there, the message was fake. Both platforms maintain help or support pages where users can report suspicious messages that misuse the company’s branding.
- Delete the suspicious message. If it came by text, block the sender’s number.
- Report it through the FTC’s fraud portal at reportfraud.ftc.gov. These reports feed directly into law-enforcement investigations.
If you already entered your password:
- Change your Google or Microsoft account password immediately. Use a strong, unique password you have not used on any other site.
- Turn on two-factor authentication if it is not already active. Google labels it “2-Step Verification” in account security settings; Microsoft calls it “Two-step verification” under the same menu. This adds a second barrier that can block attackers even if they have your password.
- Check your recent sign-in activity. Both Google and Microsoft display a log of devices and locations that have accessed your account. Flag anything you do not recognize.
- Inspect your email forwarding rules. A common attacker move is to set up auto-forwarding to a secondary address so they keep receiving your messages even after you reset your password.
- Audit every linked account. If your email serves as the recovery address for banking, social media, or workplace tools, check those services for unauthorized changes or login attempts.
What the FTC has and has not said
The FTC’s alert is a preventive warning, not a post-incident report. It does not include victim counts, geographic breakdowns, financial loss estimates, or a list of specific fraudulent domains. As of June 2026, neither Evite nor Paperless Post has issued a public statement confirming the scope of domain abuse or describing any takedown efforts.
The agency also has not attributed the campaign to a specific criminal group or released technical forensic details linking the fake domains to known phishing infrastructure. Claims about the attackers’ identities or the precise number of active malicious URLs should be treated with caution until more information surfaces.
But what the FTC has confirmed is enough to act on: the scam is active, it is targeting people during graduation season, and the defense is simple. If an invitation asks for your email password, close the page. Navigate to the platform directly. And if you have already handed over your credentials, move quickly to lock down your account before the damage spreads.
Warren Cohen is a finance writer based in Phoenix, Arizona, covering personal finance topics including credit, banking, and beginner investing. He earned his degree in business administration from Arizona State University and began his career working in consumer finance, where he gained direct experience with lending and credit systems. He now writes for personal finance websites and fintech platforms, focusing on clear, practical content that helps readers make informed financial decisions.
