- Get a password manager (Bitwarden is free). You only need to remember one master password. It generates unique strong passwords for every account.
- Your email account is the most important one to protect, because every other account's password reset goes there. Use a unique password and turn on two-factor authentication.
- Turn on two-factor authentication for email, banking, and social media. An authenticator app is more secure than SMS codes.
- Urgency is the main tool scammers use. If a message pressures you to act immediately, slow down and verify directly; don't click the link.
- Freeze your credit at all three bureaus (Equifax, Experian, TransUnion). It's free and prevents anyone from opening accounts in your name.
Passwords
Weak or reused passwords are the most common way accounts get compromised. The fix is simple and takes about 20 minutes to set up.
Use a password manager
A password manager generates, stores, and autofills strong unique passwords for every account you have. You only need to remember one master password. This solves the root problem: people reuse passwords because remembering dozens of unique ones is impossible. With a manager, you don't have to.
Good free options: Bitwarden (open source, free tier is genuinely complete) and Apple Keychain or Google Password Manager if you're already in one of those ecosystems. Paid options like 1Password and Dashlane add features but aren't necessary for most people.
What makes a strong password
- At least 16 characters long
- Random mix of letters, numbers, and symbols, or a long random passphrase
- Unique to that account, never reused anywhere else
If you use a password manager, it generates these for you automatically. You never have to see them or remember them.
If your email account is compromised, every other account is at risk, because password reset links go to your email. Make your email password unique, long, and protected by two-factor authentication. That account is the one to protect first.
Two-Factor Authentication (2FA)
Two-factor authentication adds a second verification step when logging in: usually a code sent to your phone or generated by an app. Even if someone gets your password, they can't access your account without also having your second factor.
Turn it on for every account that offers it, with priority on:
- Email accounts
- Bank and financial accounts
- Password manager
- Social media accounts
- Any account linked to a payment method
Types of 2FA, ranked by security
Recognizing Scams and Phishing
Phishing is when someone impersonates a legitimate company or person to trick you into handing over credentials, money, or personal information. It's the most common way people get hacked, and it works because the messages often look completely real.
Signs something is a scam
- Urgency and pressure. "Your account will be suspended in 24 hours." "Act now or lose access." Urgency is designed to make you act before you think.
- The sender address doesn't match. An email claiming to be from your bank but sent from a Gmail address, or a domain with a subtle misspelling (paypa1.com, arnazon.com).
- Unexpected requests for credentials or payment. Your bank, Apple, Google, and the IRS will never ask for your password by email or text. If something asks for it, don't enter it.
- Links that don't go where they say. Hover over a link before clicking. The actual URL that appears may be different from the text. On mobile, press and hold to preview.
- Something feels slightly off. Trust that feeling. Scams often have small inconsistencies in tone, formatting, or context that your brain registers before you consciously do.
If you get an email from your bank saying there's an issue with your account, don't click the link. Open a new browser tab and go directly to your bank's website. If there's actually a problem, you'll see it there. This one habit stops most phishing attempts cold.
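Two of the signs above can be checked mechanically: a sender or link domain that imitates a real one (paypa1.com, arnazon.com), and link text that shows one site while the link goes to another. The Python sketch below is an added example, not part of the original guide; the trusted-domain list, the substitution table and the sample message are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED = {"paypal.com", "amazon.com"}  # assumption: sites the reader really uses
SWAPS = (("rn", "m"), ("vv", "w"), ("1", "l"), ("0", "o"))  # lookalike substitutions
SAMPLE = ("service@paypa1.com", '<a href="http://paypa1.com/verify">www.paypal.com</a>')  # constructed

def skeleton(domain):
    """Collapse confusable characters so lookalikes compare equal."""
    for fake, real in SWAPS:
        domain = domain.replace(fake, real)
    return domain

def site(url):
    """Last two host labels of a URL, bare host or e-mail address (ignores co.uk-style suffixes)."""
    host = urlsplit(url if "//" in url else "//" + url).hostname or ""
    return ".".join(host.split(".")[-2:])

def imitates(domain):
    """Trusted domain that `domain` visually imitates, or None."""
    matches = [t for t in sorted(TRUSTED) if skeleton(t) == skeleton(domain)]
    return matches[0] if matches and domain not in TRUSTED else None

class Links(HTMLParser):  # collects [href, visible text] for each <a href=...>
    def __init__(self):
        super().__init__()
        self.found, self.in_link = [], False
    def handle_starttag(self, tag, attrs):
        if tag == "a" and dict(attrs).get("href"):
            self.found.append([dict(attrs)["href"], ""])
            self.in_link = True
    def handle_data(self, data):
        if self.in_link:
            self.found[-1][1] += data
    def handle_endtag(self, tag):
        self.in_link = self.in_link and tag != "a"

def check_message(sender, html):
    """Return warnings for lookalike domains and links whose text hides the target."""
    parser = Links()
    parser.feed(html)
    seen = [("sender", site(sender))] + [("link target", site(h)) for h, _ in parser.found]
    warnings = [f"{kind} {d} imitates {imitates(d)}" for kind, d in seen if imitates(d)]
    for href, text in parser.found:
        shown = re.search(r"[\w.-]+\.[a-z]{2,}", text.lower())
        if shown and site(shown.group()) != site(href):
            warnings.append(f"text shows {site(shown.group())}, link goes to {site(href)}")
    return warnings
```

Calling check_message(*SAMPLE) returns three warnings, while a message sent from mail.paypal.com that links to www.paypal.com returns none.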
Common scam types to know
- Tech support scams. A popup or call claims your computer is infected and asks you to call a number or install software. Microsoft, Apple, and your ISP will never do this. Hang up or close the window.
- IRS and government impersonation. The IRS initiates contact by mail, not phone or email. Anyone claiming to be the IRS demanding immediate payment is a scammer.
- Job offer scams. Unusually high pay for vague remote work, offers you didn't apply for, or "employers" who ask for personal information or money before you've started. Legitimate employers don't ask for payment.
- Romance and friend impersonation scams. Someone online builds rapport over time, then has an emergency requiring money. Or a message arrives appearing to be from a friend or family member claiming to be in trouble. Call the actual person before sending anything.
- Package delivery scams. A text or email claims your package is stuck and asks you to click a link or pay a small fee to release it. Go directly to the carrier's website with your actual tracking number instead.
Protecting Your Personal Information
What to guard carefully
- Social Security number. Share it only when legally required: a new employer, a financial institution opening an account, or a government agency. Anyone else asking for it is a red flag.
- Bank account and routing numbers. Be cautious about who you provide these to. Use credit cards rather than debit cards for online purchases; their fraud protection is significantly better.
- Date of birth and mother's maiden name. These are common security question answers. Be careful about sharing them online, including on social media.
Freeze your credit
A credit freeze prevents anyone from opening new credit accounts in your name, including you, until you lift it. It costs nothing, can be done online in minutes, and is the single most effective thing you can do to prevent identity theft. You can temporarily lift it when you actually need to apply for credit.
You need to freeze your credit at each of the three major bureaus separately:
Monitor your accounts
- Check your bank and credit card statements at least monthly. Fraudulent charges are common and easy to miss if you don't look.
- Set up transaction alerts on your accounts so you get notified of charges above a threshold you set.
- Check your credit report at AnnualCreditReport.com for free. Look for accounts you didn't open or inquiries you don't recognize.
Device and Network Security
- Keep your software updated. Most major hacks exploit known vulnerabilities that have already been patched. Turning on automatic updates for your phone and computer is the easiest security improvement you can make.
- Lock your devices. Use a PIN, password, or biometric lock on your phone and computer. It takes seconds to set up and keeps a stolen device from turning into identity theft.
- Be careful on public Wi-Fi. Public networks at coffee shops, airports, and hotels are not secure. Avoid logging into financial accounts on them. If you need to, use your phone's cellular data instead, or a VPN.
- Back up important data. Photos, documents, anything you'd be upset to lose. Cloud backups (iCloud, Google Photos, Google Drive) are automatic and free up to a point. An external hard drive as a secondary backup is worth it for irreplaceable files.
- Be thoughtful about app permissions. When an app asks for access to your contacts, location, camera, or microphone, ask yourself if it actually needs that to work. Deny what isn't necessary.
Social Media and Your Digital Footprint
What you post publicly online can be seen by employers, landlords, and people you haven't met yet. A few habits worth building now:
- Review the privacy settings on your accounts. Most platforms default to sharing more than you'd choose. Spend 10 minutes tightening them.
- Assume screenshots exist. Anything posted online, even in a private message or disappearing story, can be captured and shared. Act accordingly.
- Search yourself occasionally. Knowing what comes up when someone Googles your name is useful information.
- Think before tagging locations in real time. Posting that you're away from home is an invitation to people looking for empty houses.