Melinda Haring is the deputy director of the Atlantic Council’s Eurasia Center. Damon Wilson is executive vice president of the Atlantic Council.

Early this month, senior staff here at the Atlantic Council received an email claiming to come from Leonid Volkov, the chief of staff to imprisoned Russian opposition leader Alexei Navalny. Volkov is someone we know and respect, so we immediately opened the message. The email was well-written and sympathetic. It praised our work and requested an on-camera meeting with the top three executives at our organization, one of Washington’s leading think tanks.

But the message was fake. The people who sent it were trying to lure us into a potentially sensitive or even embarrassing online conversation. Spear-phishing attempts like this have been arriving more and more frequently in in-boxes at think tanks and nongovernmental organizations in Washington and elsewhere. Thankfully, we smelled a rat and contacted Volkov through other means to check whether he had sent the message. He had not. With that confirmed, we warned our colleagues in other organizations, some of whom had received the same note on the same day.

In March, the leaders of another Washington-based nongovernmental organization received a similarly personalized email with a request for an on-camera meeting. The set-up was similar: The message claimed to come from exiled Belarus opposition leader Svetlana Tikhanovskaya. Unfortunately, the person claiming to represent Tikhanovskaya turned out to be a troll — which the organization realized only in the middle of the recorded meeting. The group privately warned others in Washington, which helped us to be better prepared when we were targeted.

Our colleagues haven’t gone public with their story, but we want to share ours, including the email, so we can raise awareness among people and organizations that need to be protecting themselves.

We can’t know for sure who sent the email to us, but the pixels point toward Moscow. The culprits may have been the same notorious pair of Russian pranksters who in February tricked Amnesty International staffers into saying embarrassing things on camera by pretending to be Volkov.

But the ruse may have come from more official quarters. The Russian Prosecutor General’s Office named the Atlantic Council an undesirable organization in 2019, and we are often the target of cyberattacks, mostly designed to gain information about our staff, our work and our engagements. Back in 2014, a denial-of-service attack against the Council brought down our website just as we were hosting then-Vice President Joe Biden for a major conference promoting a Europe “whole and free.”

Exposing this latest phishing attempt won’t end that, but every step we take to make our community less vulnerable and more resilient and aware will make it harder for the Kremlin and other mischief-makers to discredit their perceived adversaries. And who are they targeting? Organizations willing to speak out about Moscow’s many violations of international law and human rights, from the assassination or attempted assassination of domestic political opponents to the annexation of Crimea and continuing conflict in eastern Ukraine to the carnage in Syria to a string of attempts to undermine the democratic process in countries with free and fair elections.

Nina Jankowicz, a disinformation fellow at the Wilson Center and an expert on Russian online behavior, notes that such pranks — especially when edited to unflattering effect — can be highly embarrassing for the organizations involved: “No fake news necessary — just the release of an ill-advised conversation.”

The U.S. corporate sector has already upped its game in the fight against spear-phishing attempts. Think tanks and nongovernmental organizations need to do the same. They should start by treating every request with healthy suspicion. The modern office rewards those who respond to emails instantly, but we all need to slow down and verify the authenticity of requests by using other channels. It’s always a good idea to look for mistakes in the subject line or email body and pay close attention to the sender address. All private organizations who do work similar to ours should take a hard look at their current defenses and undertake whatever reforms may be needed.

Think tanks and nongovernmental organizations are private and independent, but foreign governments and their supporters don’t necessarily see it that way. Many senior fellows previously worked in high-level positions at the White House, State Department and Pentagon, and remain in close contact with policymakers. Moscow views nongovernmental organizations as seditious and responsible for organizing street protests (even though that isn’t even remotely part of our job description).

Think tanks and nongovernmental organizations are in a unique position. We may have ties to our own government, but we are also independent and free to criticize. That’s something the Kremlin, seeing the world in its fun-house mirror of conspiracy and coercion, will never understand, let alone appreciate. They will keep targeting us. Let’s work together to make their job a touch harder.

Read more: