Remember when Hillary Clinton’s campaign email was hacked? It wasn’t a brainiac code-cracking algorithm. It was simple human deception.

The hackers sent an email which led her campaign chair, John Podesta — after asking advice from his IT professional! — to enter his login and password into a phony website. That’s called a phishing scheme and it depends on sounding like an authority when you’re really a cheat.

Here’s that actual email below:

John Podesta isn’t stupid, and wasn’t without resources. His IT advisor recommended he change his password directly on Google, but in a slight mixup, Podesta, or someone on his staff, unfortunately used the link in the email instead.

A whole lot of trouble could have been avoided if they’d been familiar with this rule of thumb: when there’s a password or other personal information involved, go to the company’s website directly rather than clicking on a link in an email.

And another rule of thumb: the more urgent the email sounds, the more likely it’s a scam.

A version of that same email fooled Colin Powell and the Democratic National Committee. And in the years since, schemes have gotten more sophisticated.

This article was featured in our newsletter.