← Blog

That party invite asking for your password? The FTC says it's a scam

Tenant Strike2 min read

The FTC is warning about fake Evite and Paperless Post invitations that lead to counterfeit Google and Microsoft sign-in pages. Here's why a 'personal' scam is a business problem — and the one rule to share with your team.

The FTC (Federal Trade Commission — the US consumer-protection agency) doesn't issue alerts for every scam. In late May it issued one for this: fake party and graduation invitations that steal email passwords (FTC consumer alert).

How the scam works

You get an email or text that looks like an invitation from a real platform — Evite, Paperless Post, Punchbowl. Sometimes it even names someone you actually know as the host.

When you click to "see the event details," you land on what looks like a familiar "Sign in with Google" or "Sign in with Microsoft" screen. It's fake. Type your email and password there and the scammers have them.

Security researchers tracking this campaign have found roughly 80 phishing domains and 160 suspicious links built since December 2025 (ABC News).

Why this matters for your business, not just your inbox

This looks like a personal scam — and it is. But here's the business problem:

  • Many employees read personal email on a work computer, often in the same browser where they're signed in to Microsoft 365.
  • Many people reuse passwords between personal and work accounts. One stolen password gets tried everywhere.
  • The fake sign-in pages specifically imitate Microsoft and Google logins — the same screens your team uses for work every day. The scam trains people to type those credentials on lookalike pages.

A stolen personal password is a bad day. A reused one that also opens a work mailbox is how business email compromise starts.

The one rule to remember

A party invitation never needs your email password. Any invite that asks you to "sign in" to view it is a scam. Full stop.

A few supporting habits:

  • Check the sender's address, not the display name. Paperless Post, for example, says real invites only come from @paperlesspost.com addresses.
  • Don't click — go direct. If you think the invite might be real, contact the host the way you normally would.
  • If someone on your team typed their password into one of these pages: change that password immediately, change it anywhere else it was reused, and make sure MFA (multi-factor authentication — the extra verification code) is on.
  • Report it. Forward scam emails to [email protected], forward scam texts to 7726 (SPAM), and report to the FTC at ReportFraud.ftc.gov.

A two-minute team heads-up

Graduation season and summer parties make this scam seasonal and believable. It's worth a two-minute mention at your next team meeting: "If an invitation asks for your email password, it's fake — even if it names someone you know." That single sentence is most of the defense.


One quiet backstop: making sure MFA is actually enabled for every person on your Microsoft 365 account, so a stolen password alone isn't enough. That's exactly the kind of gap Tenant Strike's read-only check surfaces in minutes.

AI-researched from public sources, human-reviewed on July 8, 2026. We label AI-assisted writing — see our trust page.

See your own risk

Want this for your own Microsoft cloud?

Tenant Strike runs 100+ read-only checks across Microsoft 365 and Azure and hands you a plain-English fix for every gap. Start a 7-day Pro trial — no credit card.