They targeted Donna from Marketing for a spear phishing attack. Donna doesn't report to Nick the CFO, so the scammers assumed she doesn't have Nick's phone number in her contact list. Also, they sent the text message over the weekend to make it feel more urgent and probably Donna wouldn't want to talk over the phone on a weekend.
To make this feel urgent, the scammers crafted a fake complaint letter from a key customer. They made it seem like Donna did something wrong and she needed to fix it ASAP.
The Scammers personalized the link with Nick's name and they made it feel like a secure drive, with the hopes that Donna will think it's legit.
Next, they tell Donna that Nick wants to talk to her on Monday in order to build credibility. If this was a scammer they wouldn't need to meet on Monday... all these small things build Trust.
Donna takes the bait and clicks on the phishing link, she logs into a Fake Google Login Page with her real user name and password.
And in order to close the loop so Donna doesn't realize she was hacked and reports this, they displayed a fake complaint letter. This gives the criminals enough time to take over the account.
1) Don't Automatically trust anyone, even if you think you know them. Digital identities aren't the same as meeting someone in person.
2) Call and verify with your Admin, Company, or Person, the authenticity of the request.