Earlier this year, two Russian spies working in tandem with two professional cyber criminals were charged in the major Yahoo hack that was reported on last December. As a quick recap, Yahoo had a major data breach in which as many as 500 million user accounts were compromised. The breach was announced by the company in December 2016, but the full story wasn’t revealed to the public until March 2017, when the Department of Justice charged the four with the crime.

And despite all of their credentials (the two spies were both on the cybercriminal team of the Russian Federal Security Service, which is the modern day KGB), the actual method the criminals used to gain access to the data was surprisingly low-tech. They sent out messages to a select group of high-level employees (although not the top executives) and someone in that group clicked a malicious link that led to the break. In other words, they spear phished.

But what is spear phishing? Let’s take a look.

You may have heard of phishing already, which is when cyber criminals pose as a known contact or company and include malicious links or downloads with the goal of gaining personal information from the user. While traditional phishing schemes usually involve sending out a lot of emails to a lot of different people, spear phishing — as the name implies — is targeted and way more personal.

Thieves who use spear fishing do background research before emailing their target. They want to find out as much as they can about the person they’re trying to extract information from because they know that most people will be more likely to respond to someone that they know and trust. So, for example, they might figure out your mom’s name and then pose as her, asking for login information to your Amazon account. If you give them that information, they’ll try that username and password — and variations on them — on a range of different accounts to see what they can get.

Another common move by spear phishers to pose as someone high up in a company or organization and asking people to click on a link or send over confidential information. Think about it: If you receive an email from your boss saying that you have to do something immediately, you do it, right? Most good employees would. Thieves are relying on that fact to do what they do.

The breach at Yahoo is just one example of this slightly more sophisticated phishing method and it’s hard to believe that its success won’t lead to an uptick in this kind of attack. Your best bet for protecting yourself and your company against spear phishing attacks is to always confirm via a separate email or, even better, a phone call when someone asks you for personal information. It can be a annoying at times, especially when you’re in a rush, but you never want to face theft of you or your customer’s confidential information.