3) Click Event Settings and set "Automatically add invitations" to "No, only display invitations to which I have replied"
Edit: if you want to disable event auto-add from Gmail while you're at it, click Events from Gmail then untick "Automatically add events from Gmail to my calendar"
If you have fully shared your calendar (i.e. to a spouse / partner) then even though they are not displayed for you they are still displayed to your partner.
There remains no decent way to ensure no-one sees the spam.
This is mentioned in the article along with a way for spammers to get around it.
"There is an option that states “No, only show invitations to which I have responded”. This prevents the first method of injecting events from working. However, BHIS found that it is possible to set the target’s response status to “Accepted” using the Google API. This effectively bypasses this security setting."
My bad, it was a little hidden, sentence beginning "There are a few settings that can be set within Google Calendar to prevent events from automatically being added to the calendar".
2) Click the Settings Gearwheel then Settings
3) Click Event Settings and set "Automatically add invitations" to "No, only display invitations to which I have replied"
Edit: if you want to disable event auto-add from Gmail while you're at it, click Events from Gmail then untick "Automatically add events from Gmail to my calendar"