The nude photos first emerged on 4chan. From there they spread to Reddit and Imgur—a hoard of around 500 photos implicating at least a hundred individuals, including celebrities like Jennifer Lawrence, Kirsten Dunst, and McKayla Maroney. A month later, two more batches of photos would also come online, dragging Kim Kardashian, Rihanna, and Scarlett Johansson into the fold.

While being interviewed by the FBI, Lawrence broke down and had a panic attack. She later publicly denounced the leak as a “sex crime.” The photos seemed to originate from a hack. Initial speculation suggested that hackers had taken advantage of a security flaw in Apple’s iCloud. But the culprit, sentenced to nine months in prison earlier this year, said that the celebrities had actually been phished.

Clicking on the wrong link had unleashed emotional devastation and public-relations nightmares. But in 2016, a similar hack resulted in what was previously unthinkable: It may have swayed an American presidential election. When Democratic political operative John Podesta’s private e-mails were published in bulk, the contents of his e-mails were covered in the media for weeks. (One set of e-mails would fuel a popular online conspiracy theory known as “Pizzagate,” culminating in a gunman firing off a weapon inside a D.C. pizzeria the following January.)

Along the way, the media relentlessly referred to the Podesta e-mail “hack,” conjuring up the image of a shadowy figure in a basement somewhere pounding on his keyboard, making glowing green code scroll up a black screen as he cracks into the secret substructures of the Internet. That’s not really how it works. Despite the fevered hysteria around Russian state-sponsored hacking, the Podesta e-mail release wasn’t the result of state-of-the-art Cold War cryptographic research. His hackers didn’t need classified CIA malware or any yet-undocumented software exploits. The source of Podesta’s problems was most likely a dodgy message masquerading as an alert from Google, warning him to reset his password.

The published e-mails revealed that Podesta had forwarded the alert to a computer technician for the Clinton campaign, who had then made the mistake of identifying the fraudulent alert as a genuine communication from Google. Russians—if the hack was indeed state-sponsored—may have influenced an election just by getting Podesta to click a bad link.
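The technician’s mistake was a vetting failure: a password-reset alert has two things that can be checked before anyone clicks, the sender’s domain and where each link actually goes. The script below is an added example, not code from the article or from anyone quoted in it. It parses a constructed phishing message and a constructed legitimate one (both invented here; the lure domains use the reserved `.example` TLD) and reports the classic tells: a sender outside the expected domain, a Reply-To that diverges from the From address, and link text that displays a trusted URL while the `href` underneath points somewhere else. The trusted-domain allow list is an assumption the caller supplies.

```python
"""Triage a 'reset your password' e-mail before clicking anything.

Added example; the two messages are constructed for illustration and the
lure domains are placeholders under the reserved .example TLD.
"""
import email
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkExtractor(HTMLParser):
    """Collect (href, visible anchor text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude eTLD+1 (last two labels); enough for the hosts in this example."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def domain_of_address(addr):
    return registrable_domain(addr.rsplit("@", 1)[1]) if "@" in addr else ""


def html_body(msg):
    """Return the first text/html part, decoded, or '' if there is none."""
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            raw = part.get_payload(decode=True)
            return raw.decode(part.get_content_charset() or "utf-8")
    return ""


def triage(raw_message, trusted_domains):
    """Return a list of findings; an empty list means nothing looked wrong."""
    msg = email.message_from_string(raw_message)
    findings = []

    _, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of_address(from_addr)
    if from_domain not in trusted_domains:
        findings.append(f"From: domain {from_domain!r} is not a trusted sender domain")

    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and domain_of_address(reply_addr) != from_domain:
        findings.append(f"Reply-To: goes to {domain_of_address(reply_addr)!r}, not the From: domain")

    extractor = LinkExtractor()
    extractor.feed(html_body(msg))
    for href, text in extractor.links:
        href_domain = registrable_domain(urlparse(href).hostname or "")
        if href_domain not in trusted_domains:
            findings.append(f"link to {href_domain!r} is not a trusted domain")
        # The classic lure: the visible text looks like a trusted URL,
        # but the href underneath goes somewhere else entirely.
        shown_host = urlparse(text).hostname if "://" in text else None
        if shown_host and registrable_domain(shown_host) != href_domain:
            findings.append(f"link text shows {shown_host!r} but href goes to {href_domain!r}")
    return findings


# Constructed lure modelled on a fake "someone has your password" alert.
PHISHING_SAMPLE = """From: Google <no-reply@accounts-google-security.example>
Reply-To: help@mail-support.example
To: target@campaign.example
Subject: Someone has your password
Content-Type: text/html; charset=utf-8

<html><body>
<p>Someone just used your password to try to sign in to your Google Account.</p>
<p>You should change your password immediately:
<a href="http://accounts-google-security.example/reset?u=target">https://myaccount.google.com/security</a></p>
</body></html>
"""

# Constructed benign alert for contrast: sender and link both on the trusted domain.
LEGIT_SAMPLE = """From: Google <no-reply@accounts.google.com>
To: target@campaign.example
Subject: Security alert
Content-Type: text/html; charset=utf-8

<html><body><p>Review recent activity at
<a href="https://myaccount.google.com/notifications">https://myaccount.google.com/notifications</a></p></body></html>
"""

if __name__ == "__main__":
    for label, sample in (("phish", PHISHING_SAMPLE), ("legit", LEGIT_SAMPLE)):
        print(label, triage(sample, {"google.com"}))
```

The eTLD+1 helper is deliberately naive (it would mis-split `example.co.uk`); a production check would use a public-suffix list, and the allow list would come from whatever identity provider the organisation actually uses. The point of the example is the comparison itself: the displayed URL is not evidence of anything, only the `href` and the envelope sender are.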

If you’ve ever used e-mail, you’ve probably been phished at some point or another. An unexpected password-reset notice. A generic-looking business e-mail that says, “See attached receipt.” A shipping confirmation from a company you’ve never bought anything from, directing you to click on a link to track your package.

No one knows exactly how many phishing e-mails are sent out per day, but one antivirus company has claimed to have blocked over 70 million phishing attempts in a three-month span. The last time someone tried to phish you, the message probably landed in spam. Or you spotted the misspelling in the subject line and deleted it without a second thought (or, like approximately 12 percent of victims, you actually opened the e-mail and then clicked on an attachment).

John Podesta was phished, but unlike that unhappy 12 percent, he was the victim of what is known in industry parlance as spearphishing: a targeted phishing attack aimed at a particular person. It’s a sniper shot versus a shotgun blast, and the person on the receiving end doesn’t get much of a chance to duck for cover.

Regular mass-mail phishing attacks are often clumsy and a little obvious—words are misspelled, graphics are misaligned, the sender’s address is hosted at a suspicious-sounding domain. These e-mails are sent out en masse; they’re not trying to fool everyone, just enough people to turn a profit. In turn, anti-spam systems can detect the hallmarks of mass mailings and keep malicious e-mails from landing in inboxes.

When someone decides to target you and only you, it gets a lot harder to protect yourself. In fact, Podesta, like any spearphishing victim, wouldn’t have been safer with more secure phones or better antivirus software or smarter company security at Google or Yahoo or Facebook.

We all know what it’s like to receive mass-mailed spam. But most people aren’t going to attract enough attention to merit being spearphished. What’s that like, anyway? And how is it different from regular phishing? To search for those answers, I went out and found someone to spearphish me.

You can’t just wait around hoping to get spearphished—unless, I guess, you work for the Democratic National Committee. So I asked Cooper Quintin—staff technologist at the Electronic Frontier Foundation, and a friend—to hack me. “Sorry, I didn’t have time to prepare,” he apologized, after I burst into his office on short notice.

Compromising someone’s digital security is time-consuming, though not for the reasons pop culture might suggest. Hacking isn’t a matter of typing furiously into a cyberpunk-y computer terminal like in The Matrix (although Quintin did indeed spend much of our session typing into an old-fashioned command-line interface). What he needed was time to skulk through my social-media profiles to figure out who I was, who my friends were, where I worked, who I worked with, who I was close to, who I would trust—the kind of information, thanks to social media, that's available to anyone who wants to look. This is the key difference between spearphishing and regular ol’ phishing. Spearphishing involves a component of social engineering: It's the most boring kind of hacking, but also the most dangerous.