Online threats have become part of everyday life. Phishing emails, data breaches, account takeovers, and invasive tracking affect millions of people every year — and the vast majority of victims weren't doing anything particularly risky. They just hadn't taken a few simple precautions.
This guide covers practical, proven steps that significantly reduce your risk online. None of them require technical expertise. Most take less than five minutes to set up.
1. Use Strong, Unique Passwords for Every Account
Weak and reused passwords are the single most common cause of account takeovers. When one website suffers a data breach, hackers take the leaked passwords and try them on every other major service — a technique called credential stuffing. If you reuse passwords, one breach can compromise dozens of accounts.
What to do:
- Use a password manager (Bitwarden is free and open-source; 1Password and Dashlane are excellent paid options).
- Let the password manager generate long, random passwords for every site.
- You only need to remember one strong master password.
- Never reuse the same password on more than one site.
A strong password doesn't need to be full of symbols — a phrase like purple-window-34-toast is far stronger than P@ssw0rd! and much easier to remember.
2. Enable Two-Factor Authentication (2FA)
Two-factor authentication (2FA) adds a second step to logging in — usually a code sent to your phone or generated by an app. Even if someone steals your password, they can't access your account without also having your phone.
What to do:
- Enable 2FA on your email account first — it's the key to resetting everything else.
- Enable 2FA on banking, social media, and any account containing personal or financial data.
- Use an authenticator app (Google Authenticator, Authy, or Microsoft Authenticator) rather than SMS codes where possible — SMS can be intercepted via SIM-swapping attacks.
3. Recognise Phishing Attempts
Phishing is the attempt to trick you into handing over your credentials, payment details, or personal information by impersonating a trusted source — a bank, delivery company, government agency, or even a friend.
Red flags to watch for:
- Urgent language: "Your account will be suspended in 24 hours" or "Immediate action required".
- Unexpected emails or texts claiming to be from your bank, HMRC, Royal Mail, or Amazon.
- Links that look almost right but have subtle differences: amaz0n.co.uk instead of amazon.co.uk.
- Requests for your password, full card number, or PIN — legitimate companies will never ask for these via email.
- Attachments you weren't expecting, even from people you know (their account may have been hacked).
What to do: If you receive a suspicious message, go directly to the company's website by typing the address yourself — never click the link in the message. Call them using a number from their official website if you're unsure.
4. Keep Software and Devices Updated
Software updates are often dismissed as inconvenient, but they frequently contain critical security patches that close vulnerabilities attackers are actively exploiting. Delaying updates leaves known holes open.
What to do:
- Enable automatic updates on your phone, laptop, and tablet.
- Keep your browser up to date — Chrome, Firefox, and Edge all update automatically if you allow it.
- Update your router's firmware periodically — check the manufacturer's website or your router's admin panel.
- Don't ignore "End of Life" warnings on operating systems. An unsupported OS (like Windows 7 or older Android versions) no longer receives security patches.
5. Be Careful on Public Wi-Fi
Public Wi-Fi in coffee shops, airports, hotels, and libraries is convenient but carries real risks. These networks are often unencrypted and can be monitored by other users on the same network. "Evil twin" attacks involve criminals setting up a Wi-Fi hotspot with a convincing name (like "Starbucks Free WiFi") to intercept your traffic.
What to do:
- Avoid accessing sensitive accounts (banking, email) on public Wi-Fi without a VPN.
- Use a VPN to encrypt your traffic before it leaves your device — this makes it unreadable to anyone on the same network.
- If you don't have a VPN, use your mobile data instead for sensitive tasks.
- Make sure websites you visit use HTTPS (look for the padlock icon in the address bar).
6. Review App and Browser Permissions
Many apps and websites request far more access than they actually need. Apps that ask for your location, contacts, camera, or microphone should be questioned — does a torch app really need access to your contacts?
What to do:
- On your phone, go to Settings → Apps and review which permissions each app has. Revoke anything unnecessary.
- In your browser, check which sites have been granted location, camera, microphone, or notification access (Settings → Privacy).
- When installing new apps, be cautious about permissions requested at setup.
- Delete apps you no longer use — they may still have access to your data even when idle.
7. Manage Your Digital Footprint
Everything you do online contributes to a digital footprint — a profile built from your IP address, browsing history, social media activity, and data purchases. While you can't eliminate it entirely, you can reduce it.
What to do:
- Use a privacy-focused browser like Firefox or Brave, or at minimum use Chrome with privacy settings adjusted.
- Install a tracker-blocking extension like uBlock Origin.
- Regularly clear cookies, or use a browser that does this automatically.
- Use a VPN to prevent your ISP and network operators from logging your browsing activity.
- Use GoIPScan to check what information your IP address reveals about you.
8. Secure Your Home Network
Your home router is the gateway to every device in your home. If it's compromised, attackers can intercept all your traffic without touching your devices directly.
What to do:
- Change your router's default admin username and password (the defaults are publicly known).
- Use WPA3 or WPA2 encryption for your Wi-Fi. Never use WEP, and never leave the network open with no password.
- Rename your Wi-Fi network to something that doesn't reveal your address or ISP.
- Disable WPS (Wi-Fi Protected Setup) — it has known vulnerabilities.
- Set up a separate guest network for smart home devices, which are often less secure than computers and phones.
9. Check If Your Data Has Been Breached
Billions of email addresses, passwords, and personal details have been exposed in data breaches over the years. Your information may already be circulating in criminal databases without your knowledge.
What to do:
- Check your email address at HaveIBeenPwned.com — a free, reputable service that tells you if your email has appeared in known breaches.
- If your email appears in a breach, change the password for that service immediately.
- If you reused that password elsewhere, change it on every other site too.
- Consider setting up breach alerts so you're notified if your email appears in future leaks.
10. Think Before You Share
Oversharing on social media is one of the most overlooked privacy risks. Information you share publicly — your location, workplace, school, holiday dates, family members' names — can be used in social engineering attacks, targeted scams, or identity theft.
What to do:
- Review your social media privacy settings. Who can see your posts, your friends list, and your profile details?
- Avoid posting your exact location in real time, especially when you're away from home.
- Be cautious about sharing details that are often used in security questions: your mother's maiden name, your first pet, your first school.
- Consider what a stranger could piece together from your publicly visible posts.
Your Online Safety Checklist
- ✅ Password manager installed and all passwords unique
- ✅ 2FA enabled on email and important accounts
- ✅ Automatic software updates turned on
- ✅ VPN installed for use on public Wi-Fi
- ✅ Router admin password changed from default
- ✅ Email checked on HaveIBeenPwned
- ✅ App permissions reviewed on your phone
- ✅ Tracker blocker installed in your browser
Frequently Asked Questions
Do I need antivirus software in 2026?
On Windows, the built-in Windows Defender is now genuinely effective and sufficient for most users. On Mac, built-in protections are strong but adding a reputable third-party tool like Malwarebytes adds an extra layer. The more important protection is keeping software updated and being careful about what you download.
Is incognito mode private?
No — not in the way most people assume. Incognito mode prevents your browser from saving your history locally, but it doesn't hide your activity from your ISP, your employer (if you're on a work network), or the websites you visit. For genuine privacy, use a VPN.
How do I know if my phone has been hacked?
Signs include unusual battery drain, unexpected data usage, apps you don't recognise, and your phone running hot when idle. If you suspect a compromise, run a reputable security scan and consider a factory reset as a last resort.
