Last updated December 2020
Click below to listen to our Consumerpedia podcast episode where a former cyber thief explains how to protect your online accounts.
It may shock you to know how often—it’s constantly—digital bad guys try to worm their way into computers, tablets, phones, websites, and internet-service providers. Software developers and hardware manufacturers, racing to get new products to market, are often no match for these ever-more-sophisticated thieves and troublemakers.
Unless you’re willing to live a completely unplugged life worthy of a Netflix series or survivalist blog, there’s no way to completely secure your digital devices and your personal info from a skilled, diligent hackers—but there are ways to deter them.
Be wary on the internet and when opening emails.
Most cyberattacks rely on weak points for entry. Often, that’s you: Many baddies fool users into flinging open their digital doors.
A common ploy is to send an email or text posing as a government agency, bank, retailer, or other well-known entity (for example, Amazon or your cable TV or internet service provider) to manipulate victims to hand over their user IDs and passwords. These messages often look legit—and might even send you to a website that also looks like the real thing. Don’t open emails unless they come from an expected source. Then, don’t click on links embedded in emails or texts, or download any attachments, unless you’re certain they come from a legitimate source. Also avoid visiting unfamiliar websites. Don’t download—or allow a site to download for you—anything unless you’re sure it’s a safe spot.
Some other guidelines:
- Turn on email scanning to warn of potential threats.
- Ratchet up your email software’s spam filter settings to reduce the number of dangerous messages. Allow it to deliver email only from your trusted sites and contacts. Check other incoming messages while held in quarantine before allowing delivery to your inbox.
- Configure email software so it doesn’t display (and therefore open) email in a preview pane. Preview panes in many email clients allow part of the message to be downloaded, which sometimes is enough for a scripted virus to land on your computer.
Keep up to date.
Digital crooks spend a lot of time finding and exploiting weak spots in software code. Nearly every day, security patches are issued by device manufacturers and software companies. Turn on auto-update options to keep your operating system, device drivers, and all other software up to date.
If you receive an update alert, run it as soon as you can, and then check whether additional updates are available; sometimes big updates are pushed out in batches.
Avoid using unsupported, old operating systems—Windows 7 and older versions, for example, no longer get security patches from Microsoft.
Use security software.
Apple and Microsoft now embed into their operating systems free, strong security software. If you want extra protection, you can install a second security app; good free ones are offered by Avast and Bitdefender. Keep all security software current by enabling automatic updates.
Use a password manager to create strong, unique passwords.
Create a long, complex unique password for each of your devices and online accounts. Recommendations:
- Configure your devices to require your fingerprint or use facial recognition to log you on.
- Choose a different password for your computer, your email, and each website login. If you use the same password everywhere, then a lot of databases will have your master password, and anyone who steals it from one site has access to your entire digital existence.
- Make passwords long. Secure passwords consist of at least 16 characters, but the longer the better.
- Create long passwords, but avoid common phrases and words such as “LukeIamYourFather.” One effective strategy is to pick a relatively obscure but easy-to-remember secret phrase and insert extra letters, numbers, and symbols. For example: “&IheartluvWorkingfor1625Checkbook!”
That’s a lot of passwords and precautions—so much work that most of us don’t do it. Password management software makes it easy by creating strong unique encrypted passwords for each of your online accounts. They’re stored in a digital vault accessible from all your devices. You just need to create (and remember) one master password.
Consumer Reports tested 10 password managers, grading each on usability, security, and privacy. The clear winner was 1Password ($60 per year). CR also gave favorable overall ratings to Keeper Password Manager ($29.99 per year) and Bitwarden ($10 per year, but its free version also earned good overall marks).
Coming in at the bottom of CR’s ratings were Dashlane Free, Norton 360 Deluxe, and McAfee True Key.
You may already have password managers on your devices. Apple’s embedded password manager is called “Keychain.” Most internet browsers also have them, with options to sync those passwords across multiple devices. While browsers’ “save passwords” features are convenient, they’re not as robust as what you’d get from a dedicated password management program.
Take advantage of two-factor authentication.
Even the best passwords can be compromised—so opt for two-factor authentication when available. It requires a password and a second identifying factor—such as a fingerprint or entering a code sent to your phone, email address, or app—to log in. It’s not foolproof, but two-factor authentication can stop most hackers from using a stolen password to access important accounts.
Two-factor authentication is particularly important for your retirement and investment accounts. As we’ve previously reported, while your credit accounts and bank deposits are largely protected from unauthorized transactions, your investment and retirement assets mostly aren’t—which can leave your life savings vulnerable in the age of identity fraud.
Keep watch over your digital existence.
Several websites, including havei-beenpwned.com, let you check on whether hackers have stolen your logins or passwords from major websites such as Adobe, LinkedIn, Yahoo!, and so, so, so many others. You can use it to search for email addresses you use; it keeps track of which ones were likely affected by breaches. Change passwords for businesses that were hacked, and make sure you don’t use possibly stolen ones to access other sites.
Install software only if you’re sure it’s clean.
Download and install software and apps only from trusted sources. For your phone, download only from the Apple App Store or Google Play for Androids. Apple does a decent job of vetting available apps; Google Play…not so much. Avoid apps that have low numbers of user ratings or download counts.
Use a firewall.
Because your computer’s firewall is its first line of defense against intrusion, make sure it’s turned on:
- Windows—Search for “Windows Firewall” or find it in the Control Panel. Make sure it is toggled on. If you want to fine-tune your settings, search the web for “Windows [operating system version] Firewall Settings” and select the discussion hosted by Microsoft.
- Mac OS X—Open “System Preferences,” click “Security & Privacy,” then “Firewall.” To block incoming traffic on ports used by one of the sharing services, disable that service in the Services pane. Apple has a discussion of settings at support.apple.com/en-us/HT201642
Encrypt your hard drive.
If a thief steals your computer, encryption will prevent him or her from accessing sensitive files like tax returns and medical info. Windows and Apple computers come with encryption tools, but they’re turned off by default. In Windows, search for “BitLocker” to check your encryption options; on Macs, they’re located in FileVault.
Be careful when using public Wi-Fi.
It’s a lot easier for hackers to get into your computer or phone when you’re using a poorly secured router at the coffee shop, airport, or other public spots.
Be cyber smart by connecting only to public hotspots that you trust. Crooks often set up fake Wi-Fi accounts and name them something innocuous-sounding like “Starbucks” or “Free Airport Wi-Fi.” After connecting, check that your browser shows a green padlock symbol in the URL bar area. If you don’t see one, know that the info you send and receive from websites you visit is snoopable.
For computers, use limited accounts for everyday work.
If you visit the wrong website while logged on to your computer with administrative rights, you open the door to big-time risks. Create a user account with limited admin rights for use when you do everyday tasks, like emailing and using the internet, and switch to your admin-privileged account only when you need it. PC owners can set up additional users by going to the Control Panel; Mac users can do it by clicking on “Users & Groups” under System Preferences.
Secure your router.
It’s not enough to secure all your devices; you also need to lock down your router.
- First, determine the login IP address for your router by checking support documentation on the manufacturer’s website. It’s likely http://192.168.1.1 or http://192.168.0.1 or a slight variation of these two. Then enter it as a URL in an internet browser. That should display the login screen for your router.
- Change the user ID and password. The default out-of-the-box logins and passwords assigned by manufacturers for most routers are vulnerable to hackers.
- For a wireless router, make sure it encrypts traffic using WPA2. This requires users to use a strong key (passphrase) to connect to your network. If your router uses the older, weaker WEP encryption, consider buying a new router.
- Check the website for your router’s manufacturer to make sure you have the most recent firmware updates for your router. Because installing firmware updates can be tricky, read instructions carefully and follow them to the letter.
Don’t plug in unknown devices.
If you find a USB storage device, don’t plug it in. One tactic used by bad guys is to load up portable storage media with viruses and leave them lying around coffee shops, airports, and other high-traffic areas.
Consider alternative software.
Because the most popular applications attract the most crooks, consider using less-popular options (Firefox as a web browser instead of Chrome or Edge; Foxit Reader as a PDF reader instead of Acrobat, etc.).
Do what you can to lock down “smart” appliances, TVs, thermostats, etc.
Own something that connects to your wireless router or has Bluetooth? Hackers can use it to invade all your other connected devices.
While we focused here on securing your computers and phones, many of these tips apply to lots of other stuff in your home—especially making sure any gizmo’s software remains up to date. And if you don’t care about controlling your thermostat or fridge from your phone or computer, disable that feature.
Make a backup plan.
There is a saying among IT pros: If it doesn’t exist in more than one independent place, it doesn’t exist.
Set up your computers to automatically back up important data to an external drive or to a cloud-based service. The advantage of using a cloud is that you eliminate the danger of a fire or robbery dooming both your computer and its backup device; and as you continue to accumulate snapshots of your precious Sally and Stan, you’ll never run out of storage space.