The bored teenagers who can disrupt the world

Scott Shapiro describes five major hacks – the most serious of which, the creation of the Mirai botnet, was the work of three young men hoping to make a few quick bucks

24 June 2023

9:00 AM

Fancy Bear Goes Phishing: The Dark History of the Information Age in Five Extraordinary Hacks, by Scott Shapiro

Allen Lane, pp.432, 25

Most of us live a strange double life when it comes to hacking. We read headlines saying that our toaster might spy on us, that Russia is trying to hack into our social media, and that society as a whole could be under threat. At the same time, we install smart speakers in every room of our house, post more than ever to social media, and the worst we see of hacking attempts is the occasional email from a Nigerian ‘prince’. Trying to calibrate whether we should be terrified or unconcerned is a difficult task, so it’s refreshing when Scott Shapiro – a Yale law professor who also serves as the director of the university’s cybersecurity lab – says early in his book that neither is the correct approach.

If Fancy Bear Goes Phishing – the title a reference to the ‘Fancy Bear’ codename given to a Russian military hacking team – has any one message, it’s that hacking is not really about code, databases or infrastructure. It’s much more a story at the human level, about bored teenagers, under-employed twentysomethings, badly-drafted liability law and even social norms. As if to emphasise this, it sets out its case by describing five major hacks at different stages of the internet’s development.

The first was largely accidental, the work of the graduate student son of a senior National Security Agency official in the late 1980s. The second carried a tribute to a woman whom the hacker was trying to impress – the respected security researcher Sarah Gordon, who had jokingly asked for a virus to be dedicated to her, and who came to deeply regret that attempt at humour. The third hack, of Paris Hilton’s phone, was by a disaffected American teenager just looking for an outlet. Fancy Bear comes fourth, with Shapiro detailing how Hillary Clinton’s close adviser, John Podesta, and the Democratic National Committee were compromised by Russian state hackers. But it’s the fifth that is perhaps most striking: the creation of the Mirai botnet (named after an anime character) in 2016. This was a force that could have ‘taken down the internet’, which everyone assumed must be the work of a nation state, but was that of three young men hoping to make a few quick bucks.


Shapiro’s book is full of such surprising human stories and colour. The botnet operators made a point of offering genuine thanks to the FBI agent who finally caught them. The FBI, in turn, did not pursue jail sentences for any of them on the condition that their community service hours were spent assisting the FBI with online crime. We also hear how a fateful missing ‘not’ in an IT professional’s email to Podesta might have changed history – or at least the 2016 election result. That ‘not’ should have sat in the sentence: ‘This is a legitimate email.’ Ouch.

If you’re not technologically minded, you might assume that hacking is the art of tricking a computer into letting you in. The reality, as Shapiro sets out, is more often about tricking humans. What might make you click on a link without thinking first? In the 1990s, an email from an admirer with the subject line ‘I love you’ generally did the job. Today, regular users often receive a message suggesting their password has been stolen. Senior executives might be sent an email, purportedly from a colleague, saying: ‘Is our payroll data supposed to be live on our website?’ The trick is to bypass thought, and make you click what you should not.

Given how convincingly Shapiro persuades us that hacking is about the ‘upcode’ (laws, norms and psychology) rather than the ‘downcode’ (firewalls, antivirus), it is frustrating that Fancy Bear Goes Phishing doesn’t have confidence in that premise. A significant chunk of it is given over to textbook-like explanations of the technical workings of different hacks, with no clear audience in mind. Shapiro at one moment assumes that readers might not know what an operating system is, while at another asks them to parse lines of code. One apparently explanatory diagram shows a printer floating in a sea next to a cube containing a dismembered robot hand. I have covered security and technology for more than a decade and felt even more at sea than the printer.

It is often said that some books should have been articles, some articles should have been tweets and some tweets should never have been sent at all. Fancy Bear Goes Phishing is definitely a book – a lucid, grounded explanation of hacks, the mentality of the hackers behind them, and what it means for us. But many of its chapters should have been paragraphs. Shapiro’s message is sadly clouded by an urge to pedagogy – teasing us with a compelling human story before making us wade through technical explanations that are not necessary to the narrative. He sums up his thesis in his introduction: ‘Hacking is about humans.’ It’s a shame he didn’t fully convince himself of that.
