It happened to John Podesta. It happened to Paul Manafort’s daughter. It’s a type of computer hack called “spearphishing,” a much more sophisticated attack than the typically clumsy mass-mail attempts to gain your online credentials. Social engineers target you alone — masquerading as someone you know — using your natural proclivity to trust against you. At GQ, Sarah Jeong willingly got spearphished in a bid to understand and share the latest shady tactics of computer baddies, so it doesn’t happen to you.
I got a taste of what might have tricked Andrea Manafort when an e-mail from my friend, Parker, inviting me to look at a Google Doc, landed in my inbox.
It had taken several hours to get to that point, hours during which I had sat back, watching Quintin construct an attack against me. He went through my social-media accounts, rifled through my work information, skimmed through my latest articles. The idea was to slip into my shoes and construct an e-mail that I would click on without thinking. The tried-and-true method is to pretend to be someone the person already knows, using social media to scout out connections to impersonate.
Good social engineers persuade people to give something away without a second thought, because the request is so innocuous—like a friend asking me to look at his or her Google Doc. Spearphishing is just another form of social engineering.
But protecting yourself against social engineering is an ongoing chore, like living through an endless April Fool’s Day. Your paranoia must be constantly pitted against a hacker’s persistence. For now I’m turning on my two-factor and my password manager, and squinting at web addresses—living as though the Internet is out to get me. Every day I stake my digital life on the hope that any would-be hackers will run out of time, money, and attention before I run out of luck. And whether you know it or not, you do, too.