Phishing scammers have moved from fake bank alerts and IRS threats to something many people are far less likely to suspect: party invitations. The new wave is disguising itself as messages from Paperless Post, Evite and Punchbowl, turning a routine social note into a trap that can steal passwords and personal data.
One Mashable editor got one of the emails, which appeared to come from her sister-in-law and looked like a Punchbowl invitation. She clicked the link, saw a prompt to enter her Gmail password and only then checked with her sister, confirming the account had been hacked. The detail matters because the scam works by borrowing trust from someone you know, not just from a brand you recognize.
Rachel Tobac said the scheme first appeared around last holiday season, and it fits a pattern that keeps shifting to whatever emotion gets people to click. “Every few months, phishing schemes find a new emotional lever to pull — and the fear of missing out is a powerful one,” she told the publication. In this case, the hook is not panic over a bank account or government notice but the urge not to miss a birthday party or a celebration of life, as Evite's Olivia Pollock put it.
The scam has two main forms. In one, the link looks dead when a recipient clicks it, but the click still triggers malware in the background that harvests passwords and other personal data. In the other, the link works and leads to a fake login screen that asks for credentials, handing hackers full access to accounts once the victim types them in.
The invitation ploy lands in a year already crowded with other text-based scams. Mashable said 2025 was defined in particular by fake E-ZPass toll notices, phony DMV warnings, fraudulent job offers impersonating Indeed, and IRS impersonators, showing how phishing keeps finding a new wrapper for the same theft. The invitation version is simply the latest disguise in a long line of schemes that have proliferated over the past few years.
That makes the warning signs important now, not later. Evite says vague invitation wording should raise suspicion, and Paperless Post has set up a dedicated email address for users who want suspicious invitations checked before they click. For anyone wondering what a phishing scam is, this is the answer in real time: it is a confidence trick that depends on speed, familiarity and just enough plausibility to beat caution.