KEEP YOUR ONLINE ACCOUNTS SAFE


This is the blog post I never thought I’d have to write.

RB Collaborative operates solely online, and as such, I’ve always been super careful about scams. My mornings begin by flagging and deleting junk mail, and preparing for a slew of calls from unknown numbers. I mean, who even answers a call from a number they don’t recognize? [Or even those they do…] 

I’ve always told clients when they get an email that looks even remotely suspicious that they can forward it to me and I will confirm. And of course, they should never click on anything. But a couple of weeks ago, I broke my own rule.

An executive director, whom I don’t know personally but whose nonprofit I know, reached out asking for a proposal. I was so excited at the prospect of designing another new Squarespace website that I clicked the shared document, which opened a Canva page with a link. But the Canva document itself would not open. I was redirected to Gmail and tried accessing it there by putting in my email address and password. Still, no luck.

That was my first mistake. 

I emailed the executive director back to let them know that I was having this issue and also to ask for more specifics. They responded immediately to confirm they requested the proposal, but no other information was provided. So, I emailed again but didn’t get a response. My second mistake was that I didn’t think anything of this, either.

Last week things changed. A former editor, two former clients, and a few friends all texted me at once with a screenshot of an email I had sent them requesting a proposal and suggested my account may have been hacked. That was just the beginning of a days-long nightmare.

The same email I had first received was now being sent to every person I had ever emailed — people I interviewed when I was a journalist, artists I’ve worked with, former and current clients, friends, family, restaurants where I made reservations by email… they did not discriminate.

Below I am sharing a summary of what happened, what I did to rectify the situation, and some tips to keep yourself safe.

What the hackers did:

  • Sent out multiple mass emails with the subject line: “Bid Invitation Submitted: Business Proposal” and a link to open a Google document.

  • Set up a vacation responder in my Gmail account with this message:
    “This email confirms it's from our company with a project proposal attached. Please log in using your email account to access and review the document.”

  • Deleted email messages from my inbox and sent folders to effectively hide any messages that would indicate my email was hacked. This included undelivered email notifications and responses from contacts asking what the document was.
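As an added illustration (not part of the original post), here is a small Python check that applies the indicators listed above to a set of messages: the known subject line, the “log in using your email account” wording (which also appears in the vacation responder), and a link to a shared Canva or Google document. The sample messages below are constructed, not real mail from the incident.

```python
import re
from dataclasses import dataclass

# Indicators taken from the incident described in the post.
LURE_SUBJECT = "bid invitation submitted: business proposal"
CREDENTIAL_PHRASES = ("log in using your email account", "please log in",
                      "sign in with your email")
SHARE_HOSTS = ("canva.com", "docs.google.com", "drive.google.com")

@dataclass
class Message:
    sender: str
    subject: str
    body: str

def phishing_indicators(msg: Message) -> list[str]:
    """Return the lure indicators present in one message (empty list = none)."""
    hits = []
    subj = msg.subject.strip().lower()
    body = msg.body.lower()
    if subj == LURE_SUBJECT:
        hits.append("known lure subject")
    if any(p in body for p in CREDENTIAL_PHRASES):
        hits.append("asks for email login to view a document")
    for url in re.findall(r"https?://[^\s\"'>]+", body):
        host = re.sub(r"^https?://", "", url).split("/")[0]
        if any(host == h or host.endswith("." + h) for h in SHARE_HOSTS):
            hits.append(f"shared-document link ({host})")
    return hits

def is_suspicious(msg: Message) -> bool:
    # A single indicator (e.g. one Canva link) is everyday mail; two or more
    # together match the lure pattern and warrant asking the sender directly.
    return len(phishing_indicators(msg)) >= 2

# Constructed sample messages (hypothetical addresses and links).
SAMPLES = [
    Message("director@example.org", "Bid Invitation Submitted: Business Proposal",
            "Please log in using your email account to access and review the "
            "document: https://www.canva.com/design/EXAMPLE/view"),
    Message("friend@example.com", "Dinner Friday?",
            "Menu is here https://docs.google.com/document/d/EXAMPLE/edit"),
]

def scan(messages=SAMPLES) -> dict[str, list[str]]:
    """Map the subject of each suspicious message to its indicators."""
    return {m.subject: phishing_indicators(m) for m in messages if is_suspicious(m)}
```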


How I recovered my account:

  • First and most importantly — I changed my password. 

  • Followed the steps to recover my account in Google, which included: 

    • Reviewing security settings [it was here I discovered Canva had been at risk]

    • Securing my other accounts

    • Checking all financial activity

    • Reviewing where my email had been accessed from. Once I saw that my account was logged into unknown devices, I was able to then sign out of those.

  • Set up two-factor authentication for my email. It’s never been my favorite, but now I see the light.

  • Began updating all passwords saved in my Google account, and beyond.

  • Restored deleted emails

  • Found and removed the RFP document in Canva. I emptied the trash as well.

  • Downloaded the contacts and began sending a personal update about what was going on, urging people to not click the link, but if they did, and especially if they entered their password, to update those passwords and perhaps others.


Email sent to all of my contacts.

Vacation responder setup in Gmail

RFP found in my Canva documents


How you can keep yourself safe:

  • We’ve heard it time and again — update your passwords and stop using the same passwords for all accounts!

  • Set up two-factor authentication for your email and other accounts.

  • If you receive a suspicious email, or you’re unsure, open a new message and reach out to the contact to ask for specifics. If their response is still vague, do not click on anything. Anyone requesting a proposal from you should be much more personal than sending a simple link.

  • Spread the word! Let people know this scam/phishing attempt is going around. You can share this blog post to help people understand what’s involved and how to avoid falling victim to this.

This is scary. Like many people I know and work with, I’m in a business where Canva and Google are important tools I use on a daily basis. I’m also in a business where sending proposals is how I get new clients and keep operating. Many of the people who initially responded to that email were saying they couldn’t open the document, and have since been put at risk.

Please help spread the word so this doesn’t happen to others. Stay cyber safe!

—RB
