Phishing is when a hacker lures you into taking the bait, namely giving up a password under some pretext. That pretext often is a claim that your account has already been hacked or your password compromised, so you need to reset it. When you “reset” the password on the hacker’s page, you’ve actually handed your current (and still valid) password to the hackers.

It’s not always possible to tell what is real and what is not. We get emails almost daily at the law school purporting to come from university IT and seeking such password resets, often sent from email addresses that spoof a real address. The best practice is to NEVER update a password in response to an email. Don’t even click the link requesting the update, unless the email arrived because you yourself went to a website (make sure that site is real too) and requested a new password.

John Podesta did what seemed like the smart thing at the time: he asked Clinton campaign IT about the email. IT told him it was legit. It wasn’t.

The AP reports, “Emails show how Clinton campaign chair was apparently hacked”:

New evidence appears to show how hackers earlier this year stole more than 50,000 emails of Hillary Clinton’s campaign chairman, an audacious electronic attack blamed on Russia’s government and one that has resulted in embarrassing political disclosures about Democrats in the final weeks before the U.S. presidential election.

The hackers sent John Podesta an official-looking email on Saturday, March 19, that appeared to come from Google. It warned that someone in Ukraine had obtained Podesta’s personal Gmail password and tried unsuccessfully to log in, and it directed him to a website where he should “change your password immediately.”

Podesta’s chief of staff, Sara Latham, forwarded the email to the operations help desk of Clinton’s campaign, where staffer Charles Delavan in Brooklyn, New York, wrote back 25 minutes later, “This is a legitimate email. John needs to change his password immediately.”

But the email was not authentic.

The link to the website where Podesta was encouraged to change his Gmail password actually directed him instead to a computer in the Netherlands with a web address associated with Tokelau, a territory of New Zealand located in the South Pacific. The hackers carefully disguised the link using a service that shortens lengthy online addresses. But even for anyone checking more diligently, the address — “google.com-securitysettingpage” — was crafted to appear genuine.

In the email, the hackers even provided an Internet address of the purported Ukrainian hacker that actually traced to a mobile communications provider in Ukraine. It was also notable that the hackers struck Podesta on a weekend morning, when organizations typically have fewer resources to investigate and respond to reports of such problems. Delavan, the campaign help-desk staffer, did not respond immediately to the AP’s questions about his actions that day.
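The AP passage above shows why an address like “google.com-securitysettingpage” fools the eye: it begins with the name you expect, but the actual host is something else. The check below, an added example that is not part of the post or the AP article, parses a link and accepts it only if its host is the expected domain or a true subdomain of it, comparing whole DNS labels rather than string prefixes or suffixes. The sample links are constructed; the “.tk” ending (Tokelau’s country-code TLD) and the path are assumptions, since the article prints only the host string.

```python
from urllib.parse import urlsplit


def hostname_of(url: str) -> str:
    """Return the lowercased host part of a URL (empty string if none)."""
    # urlsplit only recognises a host when a scheme is present.
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = parts.hostname or ""
    return host.rstrip(".").lower()


def host_belongs_to(url: str, expected_domain: str) -> bool:
    """True only if the URL's host is expected_domain or a subdomain of it.

    The comparison is on whole labels: the host must equal the expected
    domain or end with "." + expected_domain.  A host that merely starts
    with "google.com" (the AP's lookalike) or merely ends with "google.com"
    without a dot boundary is rejected.
    """
    host = hostname_of(url)
    expected = expected_domain.rstrip(".").lower()
    return host == expected or host.endswith("." + expected)


# Constructed sample links (not from the article) with the expected verdict.
SAMPLE_LINKS = {
    "https://accounts.google.com/signin/recovery": True,   # real subdomain
    "http://google.com-securitysettingpage.tk/reset": False,  # AP lookalike
    "https://notgoogle.com/": False,  # suffix match without a dot boundary
}


def classify(links):
    """Map each link to whether its host really belongs to google.com."""
    return {url: host_belongs_to(url, "google.com") for url in links}


if __name__ == "__main__":
    for url, ok in classify(SAMPLE_LINKS).items():
        print("OK     " if ok else "SUSPECT", hostname_of(url))
```

Because the Podesta link was hidden behind a URL shortener, this check only tells you something when applied to the expanded destination, not to the shortener’s own address.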