Fake digital invitations from Evite, Punchbowl and Paperless Post spread phishing scams

Do not tap RSVP, open invitation, or download anything in the first 30 seconds of an unexpected digital invite. Treat the message as suspicious until you verify the sender through a separate text, call, or new message thread, because scammers are using familiar names like Evite, Punchbowl and Paperless Post to push phishing links and malware onto personal devices.

Paperless Post said it has recently seen phishing emails pretending to be its invitations, and that the fakes are designed to trick people into handing over login information, especially for email accounts. The company said the messages often come from compromised accounts belonging to people the recipient may know, which makes the lure more effective and harder to spot. Paperless Post also said those phishing emails are sent entirely outside its platform, meaning the company cannot stop them from being sent once attackers move off its system.

Alexa Hirschfeld, a founder of Paperless Post, said the scam works because it hijacks social trust. She said that when it looks like you are getting an invitation from someone you know, "your first instinct is excitement, not skepticism." That split-second reaction is exactly what attackers are counting on, because a quick click on an RSVP button can lead to credential theft or malware.

Security researchers at Sublime Security said Evite and Punchbowl are currently the most frequently impersonated brands in invitation-based attacks. The group said the lures can be configured either for credential phishing or for malware distribution, and that some campaigns use fake Cloudflare checks and branded login pages to make the trap look legitimate. Sublime Security also said suspicious invitations may be sent to undisclosed recipient lists or BCCs, a detail that can expose the attack before a click.

The warnings have reached colleges as well. Mount Holyoke College’s library IT staff in South Hadley, Massachusetts, warned on February 6, 2026, of a recent rise in scammers using event-organizing websites like Paperless Post and Punchbowl to target colleges and universities. Punchbowl has told customers to report phishing attempts and has said legitimate invitations still outnumber fake ones, but that even one scam is too many. The pattern is clear: attackers are not just spoofing brands, they are weaponizing trust, and the safest response is to slow down, verify the sender out of band, and ignore any invite that asks for credentials, downloads or an immediate click.