Kwamaine Ford traveled in famous circles. He worked for a celebrity and had social media accounts that showed him living a glamorous life, surrounded by well-known people.

But Ford, now 28, funded his lifestyle with an illegal hobby—using his knowledge of celebrities to phish their personal accounts and charge the associated credit cards.

Between 2015 and 2018, Ford, posing as an Apple customer service employee, emailed various celebrities to ask them to change or share their passwords.

More than 100 victims, including athletes and musicians, unwittingly gave Ford their passwords. Since the passwords were for their iCloud accounts, he had access to anything stored in the cloud, including email and photos.

Apple notified the FBI, who began investigating.

“A lot of people are using cloud-based services to back up data from their devices. This important information is stored remotely and accessed through login credentials,” said Special Agent Joseph Zadik, who investigated the case out of the FBI’s Atlanta Field Office.

Investigators learned Ford stole an estimated $325,000 by fraudulently using victims’ credit card numbers that he accessed through phishing.

Ford pleaded guilty to computer fraud and aggravated identity theft charges earlier this year. In July, he was sentenced to more than three years in prison.

Phishing is a growing problem. Phishers send emails or text messages that instruct recipients to click on links or provide other information to the scammer. According to the FBI’s Internet Crime Complaint Center, there were more than 26,000 victims of phishing and similar crimes reported in 2018.

There are steps you can take to protect yourself and your information.

Zadik said companies do not generally ask for your passwords. If you receive an unsolicited request via text or email, don’t click on anything. Look up the company’s phone number on your own (not the one a potential scammer is providing). Call the company or bank to ask if the request is legitimate. It is probably a would-be scammer.

It’s also important to set up two-factor (or multi-factor) authentication on any account that it allows it and never disable it.

Be careful of how much information you share online or on social media. If one of your security questions is your pet’s name, and you reveal your pet’s name on a social media account, someone can easily guess your answer.

In some cases, Ford convinced his victims to disable their two-factor authentication or to give him the answers to their security questions. Then, once he had their passwords, he had automatic access to their accounts, Zadik said.

“Everyone—especially high-profile or high-net worth individuals—needs to be aware that your personal information is very valuable. You are likely being targeted,” Zadik said. “You wouldn’t give out the alarm code to your house or the combination to your safe. You shouldn’t give out your passwords, either.”