There are all kinds of devious methods that unscrupulous scammers use to get hold of unsuspecting marks’ data— whether it’s tricking them to install ransomware or some other kind of malware, such as a keylogger, or having them visit a booby-trapped website and enter valuable credentials. Most people nowadays know better than to reply to an email purporting to come from a Nigerian prince who needs some help organizing a wire transfer for his considerable inheritance. Indeed, most scammers no longer bother with these kinds of ruses; their game has been considerably upped.

They may play on local events, especially natural disasters. They may also send targeted email based on public information harvested from the target’s social media accounts. For this reason, you should be extremely careful about what information you broadcast publicly about yourself. Knowing your interests, location, or even those of your friends is enough to gain a data-mining foothold. WannaCry and others like it exploited an unpatched vulnerability in Windows to spread, but this is comparatively rare. Most ransomware, and indeed most unauthorized access to computers, is installed by unwitting users being schemed and duped.

Fraudsters send email from domains that at a glance look legitimate—say, max1mumpc.com—or direct you to counterfeit websites at such domains. It’s incredibly easy to cosmetically clone an entire website with open-source spidering tools that have legitimate uses. Widgets and search facilities are harder to reproduce, but if you can dupe victims into thinking the site is real long enough for them to enter their username and password, you’ve already won. People tend to drop their guard considerably if they feel they are communicating with a friend, so contact lists from plundered email clients are valuable, too. Social media accounts then become like gold for scammers.