When you hear about someone getting hacked, there’s a good chance it started with an email.
Everyone from celebrities to your work colleagues fall for the same trick. It’s called “phishing” (yes, with a “ph”), and it relies on an unsuspecting someone clicking on a link in his or her inbox, inviting the hackers inside.
If you use email, you’ve already encountered phishing in its crude forms. Those emails from a Nigerian prince or a stranded traveler, who invites you to join some scam where you each make money. But everyone knows about these scams, and so few people fall for this form of phishing.
Today, though, phishing comes in new and much more devious forms. Often called “spear-phishing,” it relies on scammers sending you a message that looks it from someone you know or trust—for instance, your bank or a friend or your email provider. (Check out our “Data Drop” video above to see how it works).
This form of phishing is so effective because people will let their guard down if they think an email is from a known company or theirboss. As a result, they are much more likely to click on a link or fill out a form that gives hackers a way into their inbox.
This is what happened to John Podesta, the head of the Democratic National Committee, who clicked on a link he thought was from Google, and let Russians steal thousands of sensitive political emails. In the same way, hackers obtained private photos of celebrities like Kate Upton and Jennifer Lawrence by sending them password reset requests that appeared to be from Apple.
Get Data Sheet, Fortune‘s technology newsletter.
And it’s not just famous people. More and more, scammers are targeting corporate employees with emails that appear to be from their boss. Or they will get into one person’s email account and send messages to everyone in their contact list with a suspicious link. Once again, because the email is from a known sender, people are more likely to fall for it.
So how can you avoid falling for a phishing scam? In the case of companies, many of them use phishing-detection from cyber-security firms like FireEye or AreaOne, which can screen out suspicious emails—such as ones that appear to be from the SEC—in the first place.
As for individuals, there are often a few clues that an email is a phishing attempt. For instance, misspellings or odd grammar are a big giveaway. And the document or that the hackers want you to click will usually show something odd such as extra letters. If you see any of these red flags, delete the email or find another way to check if the sender is real.
But the biggest defense to phishing is common sense. Ask yourself, for instance, why you’re getting an email to reset your password out of the blue. Or be skeptical about an email that appears to be from a friend or family member asking you to click on a random link.
Ultimately, we can’t defeat phishing altogether because it relies on human nature and our natural curiosity. That’s what makes it so effective—and so dangerous.