Is this ‘You’re invited’ party invitation text a scam?
You got a text or an email that said you’re invited. A graduation, a summer cookout, a baby shower. It looked like it came from Evite or Paperless Post, and it wanted you to tap a link and sign in to see the details. Something felt slightly off, so you stopped and searched instead of tapping. That instinct was right.
Regulators flagged this exact scam in late May. The messages copy real digital-invitation brands, then send you to a login page built to harvest your email or social account. Some versions go further and ask for your phone number, then for the verification code that gets texted to you a moment later. That code is the keys to the account. Once they have it, they can lock you out and fire the same fake invite to everyone in your contacts.
What they’re actually after
An invitation does not need your password. Real ones from Evite or Paperless Post open the details right in the message or the browser, no sign-in required. So the moment a party invite asks you to “log in to RSVP” or “verify your identity to view,” the party is the bait and your account is the target. Email accounts are the big prize, because bank resets and so many other logins hang off them. A graduation invite is just the friendliest door they could find.
How to tell it’s fake
Look at who sent it before you look at what it says. A real invitation platform sends from its own domain, not a personal Gmail address or a jumble of random characters. Press and hold the link without opening it, and check whether it truly goes to evite.com or paperlesspost.com, or to something close but wrong like evite-rsvp dot net. Watch for a logo loading at the wrong size, an image that won’t render, or text that sits a few pixels out of line. Then ask the plain question: do you actually know anyone who would invite you to this? An invite with no name on it, from no one you recognize, for an event you can’t place, is almost never real.
If you already clicked or logged in
If you only opened the link and closed it, you are very likely fine. Watching for trouble over the next few days is enough. If you typed your password into that page, change it now on the real site, and change it anywhere else you reused the same one. Switch on two-factor authentication while you are in the settings.
If you handed over a verification code, move quickly, because that is the step that actually surrenders the account. Get into the account settings, sign out of all devices, reset the password, and confirm the recovery email and phone number still belong to you. Scammers often swap those so they can climb back in later. Then check what that account unlocks. If it is your email, look for forwarding rules that were quietly added and password-reset messages sent to your bank. Tell a couple of close contacts you were hit, since they may get the same invitation from “you.”
Where this leaves you
Most people who catch this at the login screen walk away with nothing lost but a few uneasy minutes. If you want to report it, the FTC takes these at ReportFraud.ftc.gov, and your report feeds the wider pattern even though it won’t pull back a single message. If you’re not sure what to capture before you start deleting things, our guide to preserving evidence in the first 24 hours walks you through it.
If the takeover went further than a login page, money moved, or someone is now impersonating you across accounts, that is past what a short guide can fix. Our Investigation Help page covers the smaller attribution cases we sometimes take on, and for court-grade work on larger or financial-crime matters we route to Rexxfield.
Getting one of these does not mean you did anything wrong. They are built to look like good news on an ordinary day, which is exactly why that half-second of doubt is worth trusting.
— Gus