Since at least May of this year, malicious individuals have been sending Gmail users unsolicited Calendar invites. The scam takes advantage of the fact most people have their Google accounts set to automatically add and notify them of Calendar invites. Since these invites can include an accompanying URL, scammers will use Calendar as a Trojan Horse to get individuals onto a phishing website. With the summer winding down, Google now says it's working on a fix for the oversight.
On its official support forum, the company writes it's "aware of the spam occurring in Calendar," and notes that it is "working diligently" to resolve the issue. At the moment, however, there's no estimated timeline for when people can expect a fix.
In the meantime, you can easily protect yourself against this type of spam by changing how GCal handles event invitations. On a desktop browser, visit the Google Calendar website and click on the cog icon to open the app's settings menu. Then click on "Event settings" and find the option labeled "Automatically add invitations." When you click on it, a drop-down menu with three options will appear. For the time being, the one you want to enable is "No, only show invitations to which I have responded."
As a further precaution, you'll also want to prevent Calendar from automatically adding events from Gmail. To do this, click on the "Events from Gmail" heading, then uncheck "Automatically add events from Gmail to my calendar." At this point, Google will warn you that this will prevent Calendar from automatically adding events from Gmail, in addition to removing any previously added events. Click okay.
Unfortunately, neither of these precautions are ideal, as they limit some of the more useful functionality that's available in Google Calendar, but with how frequent these scams have become, better safe than sorry.