Our ratings and advice on computer stores and computer repair shops will help you find high-quality stores for buying advice and reliable shops for upgrades and repairs—as well as information to help you save money.

This article details 14 steps you can take to minimize the chances of getting hacked. As we’ve learned from hacks of Yahoo!, LinkedIn, Target, the Democratic National Committee, and thousands of other organizations, it’s almost impossible to protect against cyberattack. It may shock you to know how often (it’s constantly) bad guys probe websites, networks, internet service providers, and your devices for weaknesses. Software developers and hardware manufacturers, under pressure to race new products to market, are often no match for these ever-more-sophisticated thieves and troublemakers. Unless you’re willing to live a completely unplugged life worthy of a primetime show on TLC, there’s no way to completely secure your digital devices and your personal info from a sophisticated, diligent hacker—but there are several steps you can take to deter them.

1. Keep up to date.

Digital crooks spend a lot of time finding and exploiting weak spots in software code. Nearly every day, security patches are issued by Microsoft, Apple, Adobe, Google, and other software companies. Turn on auto-update options to keep all your software up to date. If you notice that a program needs an update, let it update and then go to the manufacturer’s website to see if additional updates are available; sometimes big updates are pushed out in batches.

2. Be careful on the internet and when opening emails.

Be wary of unfamiliar websites. Don’t download—or allow a site to download for you—anything unless you’re sure it’s a safe spot.

Baddies often manipulate victims to hand over their user IDs and passwords by sending emails posing as banks and other companies; often these emails look like the real thing and send you to a site that also looks like the real thing. Don’t open an email unless you’re certain it is legitimate. Don’t click on links embedded in emails, or download any attachments, unless you’re sure they’re safe.

Some other guidelines:

  • Turn on features in your antivirus software so it automatically scans incoming and outgoing email for potential threats.
  • Ratchet up your email software’s spam filter settings to reduce the number of dangerous messages. Allow it to deliver email only from your trusted contacts and from sites you trust. Check other incoming messages while they are held in quarantine before allowing delivery to your inbox.
  • Configure email software so it doesn’t display (and therefore open) email in a preview pane. Preview panes in many email clients allow part of the message to be downloaded, which sometimes is enough for a scripted virus to land on your computer.

3. Use security software.

Both Microsoft and Apple operating systems come with free built-in security software. If you want extra protection, install a second security app; free ones recommended by Consumer Reports include Bitdefender Free Edition and Avast Free Antivirus. Keep security software current by enabling automatic updates.

4. Use a firewall.

Because your computer’s firewall is its first line of defense against intrusion, make sure it’s turned on:

  • Windows—Search for “Windows Firewall” or find it in the Control Panel. Make sure it is toggled on. Discussions of settings for various Windows operating systems can be found by searching for “Windows [operating system version] Firewall Settings” and selecting the discussion hosted by Microsoft.
  • Mac OS X—Open “System Preferences,” click “Sharing,” click “Firewall,” and then “Start.” To block incoming traffic on ports used by one of the sharing services, disable that service in the Services pane. A discussion of settings for Mac OS X is available here.

5. Use strong passwords and switch them up.

The easiest, most effective, and most neglected security tool is a strong password:

  • Configure your computer so a password or fingerprint is required to use it. If you’re a Mac user, turn on and use FileVault, which uses your password to protect everything on the device.
  • Make passwords long. Secure passwords consist of at least 16 characters, but the longer, the better.
  • Avoid incorporating common phrases. Create long passwords, but avoid common phrases, such as “LukeIamYourFather2017!” One effective strategy is to pick a relatively obscure but easy-to-remember secret phrase or sentence and add numbers or punctuation. For example, if your secret phrase is “I love writing articles for Checkbook magazine,” you can add additional characters to create the password “&Ilovewritingarticlesfor1625Checkbookmagazine!”
  • Change them up. Choose a different password for your computer, your email, and each website login. If you use the same password everywhere, then a lot of databases will have your master password, and anyone who steals it from one site has access to your entire digital existence.
  • Consider password-management software. Since we sometimes forget the names of our children, we know it’s unrealistic to suggest you remember dozens of different nearly random passwords. Password managers can help by remembering them for you or—even better—creating completely random passwords and then saving them under your master key. Some password managers will even analyze your passwords and alert you if they are weak or used on multiple websites. Good options include Google Chrome’s built-in manager, LastPass, Dashlane, and 1Password. Macs come with Keychain, Apple’s password-management system, which you have to use to log on to its devices, but it’s wise to use a separate password manager for websites you use.
  • Enable multifactor authentication. Many websites now allow or require users to set up multifactor, or two-factor, authentication. This usually means that the website sends a text message with a temporary code you have to enter to complete registration, change a password, or log on from a new device.
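
The kind of analysis described above (flagging passwords that are too short, built on a common phrase, or reused across sites) can be sketched in a few lines of Python. This is an added example, not code from Checkbook or from any password manager; the site names, the short phrase list, and the sample vault are constructed for illustration, and a real tool would use a much larger wordlist.

```python
"""Audit a {site: password} mapping against the rules in step 5 (added example)."""
from collections import defaultdict

MIN_LENGTH = 16  # the article's minimum length for a secure password

# Constructed sample of well-known phrases; a real tool would load a large wordlist.
COMMON_PHRASES = ["lukeiamyourfather", "password", "letmein", "qwerty", "iloveyou"]


def normalize(password):
    """Lowercase and keep only letters, so added digits and punctuation don't hide a phrase."""
    return "".join(ch for ch in password.lower() if ch.isalpha())


def audit(vault):
    """Return {site: [findings]}; sites with no findings are omitted."""
    findings = defaultdict(list)
    sites_by_password = defaultdict(list)
    for site, password in vault.items():
        sites_by_password[password].append(site)
        if len(password) < MIN_LENGTH:
            findings[site].append(f"shorter than {MIN_LENGTH} characters")
        letters = normalize(password)
        for phrase in COMMON_PHRASES:
            if phrase in letters:
                findings[site].append(f"contains common phrase '{phrase}'")
                break
    # Reuse check: one stolen database should not unlock any other account.
    for sites in sites_by_password.values():
        if len(sites) > 1:
            for site in sites:
                others = ", ".join(s for s in sites if s != site)
                findings[site].append(f"reused on: {others}")
    return dict(findings)


# Constructed sample vault: hypothetical sites; the first two passwords are the
# article's own examples, the last two are a made-up short password used twice.
SAMPLE_VAULT = {
    "email.example": "LukeIamYourFather2017!",
    "bank.example": "&Ilovewritingarticlesfor1625Checkbookmagazine!",
    "shop.example": "Tr0ub4dor&3",
    "forum.example": "Tr0ub4dor&3",
}

if __name__ == "__main__":
    for site, problems in audit(SAMPLE_VAULT).items():
        print(f"{site}: {'; '.join(problems)}")
```

The long secret-phrase password passes all three checks, while the movie-quote password is flagged even though it is longer than 16 characters.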

6. Create and use a limited account for everyday work.

If you visit the wrong website while logged on to your computer with administrative rights, you open the door to big-time risks. Create a user account with limited admin rights for use when you do everyday tasks, like emailing and using the internet, and switch to your admin-privileged account only when you need it. PC owners can set up additional users by going to the Control Panel; Mac users can do it by clicking on “Users & Groups” under System Preferences.

7. Secure your router.

It’s not enough to secure all your devices; you also need to lock down your router.

  • First, determine the login IP address for your router by checking support documentation or the manufacturer’s website. It’s likely http://192.168.1.1 or http://192.168.0.1 or a slight variation of these two. Then enter it as a URL in an internet browser. That should display the login screen for your router.
  • Change the user ID and password. The default out-of-the-box logins and passwords assigned by manufacturers for most routers are vulnerable to hackers.
  • For a wireless router, make sure it encrypts traffic using WPA2. This requires users to use a strong key (passphrase) to connect to your network. If your router uses the older, weaker WEP encryption, consider buying a new router.
  • Check the website for your router’s manufacturer to make sure you have the most recent firmware updates for your router. Because installing firmware updates can be tricky, read instructions carefully and follow them to the letter.

8. Encrypt your hard drive.

If a thief steals your device, encryption will prevent him or her from accessing sensitive files, such as your tax returns, medical info, and all that good stuff. Windows and Apple computers come with encryption tools, but they’re turned off by default. In Windows, search for “BitLocker” to check your encryption options; on Macs, look for “FileVault.”

9. Be careful on public Wi-Fi.

It’s a lot easier for hackers to get to your computer when you’re online at the coffee shop, airport, and other public spots. Take these precautions:

  • Connect to public Wi-Fi only if you’re sure you know who is providing it. Crooks often set up fake Wi-Fi networks and name them “Starbucks” or “Free Airport Wi-Fi.”
  • After connecting, check that your browser shows a green padlock symbol in the URL bar area. If you don’t see one, know that the info you send and receive from websites you visit is snoopable.

10. Install software only if you’re sure it’s clean.

A lot of malware counts on users to install it voluntarily. If you’re not positive an app is safe, investigate it before you mess with it. Not sure? Scan it using a trusted verification tool such as Jotti or VirusTotal.

11. Keep watch over your digital existence.

Several websites, including Haveibeenpwned.com, let you check on whether hackers have stolen your log-ins or passwords from major websites such as LinkedIn, Yahoo!, and many others.

12. Don’t plug in unknown devices.

If you find a USB storage device, don’t plug it in. A growing tactic used by crooks is to load up portable storage media with viruses and leave them lying around coffee shops, airports, and other high-traffic areas.

13. Consider alternative software.

Because the most popular applications attract the most crooks, consider using less-popular options (Firefox as a web browser instead of Explorer; Foxit Reader as a PDF reader instead of Acrobat, etc.).

14. Back it up.

There is a saying in the IT world that if it does not live in at least three independent places, it doesn’t exist. Use portable drives or subscribe to a cloud service to periodically back up important files. Dozens of websites offer up to 5GB of free storage, and Amazon Prime members can back up unlimited pics and videos to its cloud.