Yesterday afternoon I received two strange emails within a few minutes of each other. They both said that someone had shared a Google Doc with me. That by itself wasn't suspicious. Nonprofit technology people love Google Docs and the fact that someone would share a doc without first giving me a heads up wasn't all that unusual. Also, I had reason to believe that docs might be coming my way—both people are Salesforce consultants and we're currently in the process of making some big changes to our Salesforce instance.
Still, I wasn't sure I should click. The email didn't tell me the document title and didn't include a message. I sent my colleague, Kyle, a Hangout message asking whether I should be expecting any documents from a Salesforce consultant. We went back and forth a little about the people who sent the message and the current project and then he asked me, "Is it attached or like a Google Doc? [Sender] is the type to just send over something with no context."
I'm sure a lot of people thought the same thing just before clicking. Our trust in and familiarity with Google (and the by-the-seat-of-our-pants way nonprofits often work) make nonprofits especially vulnerable to these kinds of phishing attacks.
Fortunately, no one at Idealware clicked. Kyle and I looked more closely at the email and found that the "To" field contained a bizarre email address full of "H's" and the url didn't quite match what you would expect from a doc. Then I looked on Twitter and found that thousands of people had received similar emails. Minutes later I got an email from one of the senders explaining that the link is a scam.
We weren't compromised—this time—but it was a reminder of how close any nonprofit staffer can come to clicking the wrong link and exposing contacts, emails, and more.
My takeaway: If it doesn't feel right, don't click. Ask around and do a little research. The extra few minutes you spend verifying the email will save you a lot of headaches in the long run.