Who even falls for a phishing attack? We’d like to think we’d never fall victim — we could never imagine giving personal passwords to a stranger making contact through an email. However, it turns out that anyone can be sucked in.

It’s not just the gullible who get phished. Smart, tech-savvy people get phished too. Gimlet Media, a podcast producer known for Reply All, Crimetown, Homecoming, Heavyweight, and other popular podcasts, decided to conduct an experiment. On episode #97 of Reply All, podcast host Phia Bennin gained insight into how the psychology of the attack plays out.

Phia worked with a hacker named Daniel who sent out phishing emails to everyone on the Reply All podcast team, including the CEO of Gimlet Media, Alex Blumberg.

“Watching him work just opened my eyes to all these different things phishing was capable of and the first thing I saw was that Daniel can impersonate anybody,” Phia said. “Daniel had bought a domain. He bought the domain gimletrnedia.com [r n instead of m], and he was sending the emails from there. But gimletrnedia looks exactly like gimletmedia.”
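A defender-side check for the look-alike domain described in the quote above, added here as an example that is not from the podcast or the original post: it collapses character sequences such as `rn` that read as `m` and flags sender domains that match the real one only after that collapse. The confusable list, the sample addresses and the function names are assumptions made for illustration.

```python
from email.utils import parseaddr

# Character sequences that render like another letter in many fonts.
# Constructed, deliberately short list (assumption); extend it for your environment.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l")]

TRUSTED_DOMAINS = {"gimletmedia.com"}  # the real domain named in the quote


def skeleton(domain: str) -> str:
    """Collapse look-alike sequences so visually similar domains compare equal."""
    s = domain.lower().rstrip(".")
    for seq, looks_like in CONFUSABLES:
        s = s.replace(seq, looks_like)
    return s


def sender_domain(from_header: str) -> str:
    """Extract the domain from a From: header value ('' if none is present)."""
    _, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower().rstrip(".")


def classify_sender(from_header: str, trusted=TRUSTED_DOMAINS) -> str:
    """Return 'trusted', 'lookalike' or 'external' for a From: header."""
    domain = sender_domain(from_header)
    if not domain:
        return "external"
    if domain in trusted:
        return "trusted"
    # Compare skeletons on both sides so a trusted domain containing "rn" still matches itself.
    if skeleton(domain) in {skeleton(t) for t in trusted}:
        return "lookalike"
    return "external"


if __name__ == "__main__":
    # Constructed sample headers, not taken from the episode.
    for header in ("Billing <billing@gimletrnedia.com>",
                   "Billing <billing@gimletmedia.com>",
                   "Consultant <invoice@example.org>"):
        print(f"{classify_sender(header):9}  {header}")
```

A mail gateway or reporting add-in can run a check like this on inbound `From:` headers and tag `lookalike` results for quarantine or a warning banner.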

You don’t even need to fall for the phishing attack for the hacker to learn a ton about you. Just by getting hooked into a web page, the hacker can watch you interact with the fake site, observing what device you’re using and where you’re clicking. This is what happened when co-host PJ Vogt received an email that looked like an invoice coming from a consultant and clicked on the link to the invoice.

No spoiler alerts here. Listen to this fascinating tale of how and why cybercriminals are able to pull off phishing attacks.

Hear the full podcast at Gimlet Media.