FTC Warns: Fake Party Invitations Are the Latest Phishing Hook
Criminals are disguising phishing attacks as wedding and birthday RSVPs. The Federal Trade Commission says victims are handing over passwords and payment details without realising the invitation was never real.

The Federal Trade Commission issued a consumer alert in 2025 warning that criminals are sending convincing fake event invitations by email and text message to steal personal information from unsuspecting recipients.
A Social Disguise That Bypasses Suspicion
Phishing works best when the bait looks harmless. A message claiming your bank account has been frozen raises immediate suspicion. A cheerful note about a friend's upcoming birthday party? Not so much. That gap in our guard is exactly what this campaign exploits.
Attackers craft messages that mimic genuine RSVPs, complete with the kind of warm, casual language you would expect from someone you know. The message might reference a wedding, a retirement party, or a neighbourhood get-together. It arrives via email or SMS, meaning the attack surface is essentially anyone with a phone or an inbox.
The FTC, the US government body charged with protecting consumers from deceptive practices, flagged this trend specifically because the social framing of the lure is unusually effective. People are conditioned to respond to invitations. Ignoring one feels rude. Scammers count on that social reflex to get the click.
What Happens When You Click
The link inside a fake invitation typically leads to one of two things: a credential-harvesting form dressed up as an RSVP page, or a site that drops malware onto the device. Either outcome is bad.
On the harvesting path, victims fill in fields asking for their name, address, date of birth, and sometimes a payment method to cover a "gift contribution" or "event fee." Every field they complete feeds an attacker's dossier. On the malware path, simply loading the page on an unpatched browser can be enough for the compromise to begin.
The Verizon 2024 Data Breach Investigations Report found that phishing and pretexting together were the initial access vector in 73 percent of socially engineered breaches. Fake invitations are pretexting at its most low-tech: no spoofed corporate domain needed, no sense of financial urgency required, just a believable excuse to click a link.
How to Tell a Real Invitation from a Fake One
The FTC's core advice is simple: go around the message entirely. If an invitation arrives unexpectedly, contact the supposed host directly using a phone number or address you already have, not any contact detail embedded in the message itself.
Beyond that, watch for these signals:
- Artificial urgency. "RSVP by tonight or lose your spot" is a pressure tactic, not a party norm.
- Mismatched sender details. The display name says your cousin's name but the email domain is random characters.
- Unfamiliar links. Real event platforms have recognisable domains. A link that resolves to a string of numbers or an obscure subdomain is a warning sign.
- Requests for payment or sensitive data. Legitimate social invitations rarely ask for a credit card number upfront.
- No prior communication. If you had no idea this event was happening and the host has not mentioned it in any other context, treat the message with suspicion.
If you already clicked and entered information, act immediately. Change any passwords associated with the data you entered. If payment details were involved, call your card issuer and request a new card number. File a report at reportfraud.ftc.gov so the FTC can track the campaign's spread.
The Control That Failed: Awareness, Not Technology
No firewall on earth stops a person from voluntarily typing their password into a convincing web form. That is the fundamental problem this incident category exposes. Technical controls, spam filters, link scanners, and endpoint protection all play a role, but they are supporting cast. The leading actor in any socially engineered attack is human judgment.
Organisations that invest in security-awareness training give their people a cognitive framework for moments exactly like this: pause, verify the sender through a trusted channel, and treat unsolicited requests for personal data as suspicious by default. Without that training, even a technically sophisticated workforce is vulnerable to the simplest lure.
The broader lesson is that attackers are not always hunting for zero-day exploits or misconfigured cloud buckets. Sometimes they send a party invitation and wait. Defending against that requires people who instinctively slow down when something seems off, even when it seems friendly.
What Defenders and Individuals Should Do Now
For individuals, the FTC's advice maps neatly to a single habit: verify before you click. Use the phone. Start a fresh message thread. Do not trust context provided inside the suspicious message itself.
For security teams, this wave of social-invitation phishing is a useful scenario for tabletop exercises and simulated phishing campaigns. The variant is novel enough that many employees will not have encountered it before, and novel lures consistently outperform familiar ones in click-rate tests. Running a simulated fake-invitation campaign internally, with debrief and training built in, is a practical and proportionate response.
Organisations can review their current phishing simulation coverage and staff training modules at Train2Secure's standards page, and compare programme options at Train2Secure pricing.
The FTC's consumer guidance remains active. Readers can report suspicious invitations at reportfraud.ftc.gov and check the FTC's consumer alerts page for updates as the campaign evolves.
How this could have been prevented
- Train staff and personal users to verify unexpected invitations through a trusted, independent channel before clicking any link.
- Run simulated phishing campaigns that include social-invitation lures, not just impersonated IT or finance emails, to expose this specific blind spot.
- Establish a clear report-and-debrief process so that people who spot suspicious messages share them quickly with the wider team.
Train2Secure's simulated phishing and awareness modules cover social-engineering variants like this one, helping your people build the habit of pausing before they click.
Start free, no card requiredSources & further reading
Frequently asked questions
What is the fake party invitation scam the FTC warned about?
Criminals send fake RSVP messages by email or text that impersonate friends, family, or colleagues. The links inside lead to pages that steal passwords, personal details, or payment information. The FTC issued a consumer alert about this tactic in 2025.
How can I tell if a party invitation I received is real or a phishing attempt?
Contact the supposed host directly using a phone number or contact method you already have, not anything inside the suspicious message. Watch for urgency, mismatched sender addresses, unfamiliar links, and requests for payment or sensitive personal data.
What should I do if I already clicked a link in a fake invitation and entered my details?
Change any passwords associated with the information you provided immediately. If you entered payment card details, call your bank or card issuer and request a new card number. Report the incident to the FTC at reportfraud.ftc.gov.
Why are fake invitation scams harder to spot than typical phishing emails?
Social invitations carry a friendly, low-stakes framing that does not trigger the same suspicion as financial or account-security messages. Attackers rely on the social reflex to respond to invitations, which lowers a recipient's critical guard before they click.



