1. Why Hackers Target Ordinary People

Most people think: "I'm not important enough to be hacked." That's exactly what hackers count on. The truth is, cybercriminals don't usually pick specific targets. They run automated tools that scan millions of accounts, emails, and devices at once — looking for the easiest doors to walk through.

Your accounts have value even if you're not famous or rich. Your email is connected to your bank, your shopping accounts, your social media, and your personal photos. Your phone number can be used to impersonate you. Your home address can be sold. Your credit card details can be used anywhere in the world within minutes of being stolen.

The hacker mindset: Attackers are not looking for the hardest target — they're looking for the easiest one. If your neighbour has bad security and you have good security, they'll go after your neighbour. Security doesn't need to be perfect. It just needs to be better than doing nothing.

The good news: the vast majority of attacks can be stopped with a handful of simple habits. You don't need to understand how hacking works — you just need to make it not worth the effort.

2. Passwords — Your First Line of Defence

Passwords are the front door to everything. Weak or reused passwords are the number one reason ordinary people get hacked. Follow every rule in this section — each one matters.

The Password Rules You Must Follow

Rules What Every Strong Password Must Have
  1. At least 12 characters, ideally 16 or more. Length is the single most powerful defence: every extra character multiplies the number of possible passwords by the size of the alphabet (about 94 if every key on the keyboard is in play), so the work an attacker faces grows exponentially with length. A random 16-character password has roughly 6 × 10^15 times as many possibilities as a random 8-character one.
  2. Mix character types: uppercase letters (A–Z), lowercase letters (a–z), numbers (0–9), and special characters (! @ # $ % ^ & * ( ) _ + - = [ ] { } ; : ' " , . < > ? /). Mixing enlarges the alphabet an attacker has to search, but it matters far less than length: a random 16-character lowercase-only password (about 75 bits) is much harder to guess than an 8-character one using all four types (about 52 bits). Never trade length for "complexity".
  3. Never use personal information. Your name, birthday, city, phone number, pet's name, favourite team, or anniversary are the first things attackers try. They also check your public social media before guessing.
  4. Never use common words or patterns. password, 123456, qwerty, iloveyou, Password1!, Summer2024! — these are in every hacker's dictionary list and crack in seconds.
  5. One account = one unique password. Always. If any site you use gets breached, attackers automatically try that password everywhere else. This is called credential stuffing and it's fully automated.
  6. Change a password immediately when you have reason to think it is exposed: a breach notification, a hit on haveibeenpwned.com, a login alert you did not trigger, or a 2FA code you did not request. Changing strong, unique passwords on a fixed schedule adds little on its own and tends to push people into predictable patterns (Summer2024!, Summer2025!), so let compromise, not the calendar, be the trigger.
  7. Never share your password with anyone — not with friends, family, colleagues, or anyone claiming to be support staff. Legitimate companies never ask for your password.

What Weak vs Strong Looks Like

Examples Password Strength Comparison

✗ Terrible: john1990 — personal info, no special chars, cracks in under 1 second

✗ Weak: Password1! — only 10 chars, predictable substitution, and it sits in every cracking wordlist, so it falls instantly

~ Okay: Tr0ub4dor&3 — 11 chars, mixed, but short, and because it is the well-known XKCD example it is in wordlists too

✓ Strong: M@s4aki-Tech!2026#Secure — 24 chars, all four types; out of reach of brute force, although a password assembled from words and a year is weaker than its length suggests, and a random string of the same length from a generator is stronger still

✓ Also Strong (the pattern, not this exact phrase): several random words plus a number and a symbol, e.g. correct-horse-Battery$staple7. That particular phrase is the famous XKCD example and is in every wordlist, so generate your own words; five or six words picked at random by a password manager or from a diceware list give excellent strength and are easy to type.
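To put numbers on the rules above, here is an added example (not code from the original page) that computes the entropy of the password shapes discussed and generates passwords and passphrases the way a password manager does, from the operating system's randomness source. The 7776-word figure is the size of a standard diceware list and is an assumption; the short word list embedded in the block exists only so the code runs on its own.

```python
"""Added example, not code from the original page: what 'length beats
complexity' means in numbers, plus generators that draw from the operating
system's randomness source the way a password manager does."""
from __future__ import annotations

import math
import secrets
import string

FULL_ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols
DICEWARE_LIST_SIZE = 7776  # size of a standard diceware word list (assumption)

# Stand-in word list for the demo; a real passphrase needs thousands of words.
DEMO_WORDS = ["kettle", "orbit", "walnut", "granite", "velvet", "lantern",
              "pixel", "harbour", "saddle", "quartz", "meadow", "tunnel"]


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a password whose every position is chosen uniformly at random."""
    return length * math.log2(alphabet_size)


def guesses_ratio(alphabet_size: int, long_len: int, short_len: int) -> int:
    """How many times more guesses the longer password costs, same alphabet."""
    return alphabet_size ** (long_len - short_len)


def compare() -> dict[str, int]:
    """Rounded bit counts for the cases discussed in the text."""
    cases = {
        "8 chars, all four types": (len(FULL_ALPHABET), 8),
        "16 chars, all four types": (len(FULL_ALPHABET), 16),
        "16 chars, lowercase only": (26, 16),
        "6 random diceware words": (DICEWARE_LIST_SIZE, 6),
    }
    return {label: round(entropy_bits(n, k)) for label, (n, k) in cases.items()}


def generate_password(length: int = 16, alphabet: str = FULL_ALPHABET) -> str:
    """Uniform random characters via `secrets` (never `random`, which is predictable)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_passphrase(words: list[str], count: int = 6, sep: str = "-") -> str:
    """Uniform random words; entropy is count * log2(len(words))."""
    return sep.join(secrets.choice(words) for _ in range(count))


if __name__ == "__main__":
    for label, bits in compare().items():
        print(f"{label:28s} {bits:4d} bits")
    print("16 vs 8 chars, same alphabet:", f"{guesses_ratio(94, 16, 8):.1e}x more guesses")
    print("password  :", generate_password())
    print("passphrase:", generate_passphrase(DEMO_WORDS),
          f"({entropy_bits(len(DEMO_WORDS), 6):.0f} bits with this tiny list)")
```

Running it shows the point the rules make: sixteen lowercase letters (75 bits) beat eight characters drawn from all four types (52 bits), and six random diceware words (78 bits) land in the same range while being far easier to type. The entropy figures apply only to passwords a generator produced; a human-made string like M@s4aki-Tech!2026#Secure is built from words and a year, so its real strength is well below what its length alone would suggest.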

The reuse trap: One password used on 10 sites = 10 accounts compromised the moment one site gets breached. Breaches happen to major companies constantly — LinkedIn, Adobe, Dropbox, Facebook have all been hit. Your data from those breaches is sold on criminal marketplaces within hours.

Use a Password Manager — You Can't Do This Without One

You need a different 16+ character password for every account. Nobody can memorise 50 of those — so use a password manager. It stores all your passwords in an encrypted vault protected by one strong master password that only you know. It also generates secure random passwords for you automatically.

Bitwarden

Free, open source, works on all devices and browsers. The best choice for most people. Generates and autofills strong passwords.

1Password

Paid but very polished. Great for families and teams. Has a travel mode that hides vaults at border crossings.

Apple Keychain

Built into iPhone/Mac. Convenient if you stay in Apple's ecosystem. Now generates strong passwords and warns about reused ones.

Google Password Manager

Built into Chrome and Android. Convenient, but by default Google can read the contents of your vault. Chrome offers an on-device encryption setting that removes that access; the trade-off is that Google can then no longer recover the vault for you if you lose your devices. Decide whether you trust that trade-off.

Action step: Install Bitwarden today (free). Spend one hour going through your important accounts — email, bank, Instagram, WhatsApp, Google/Apple ID — and generate a unique strong password for each one using the app's built-in generator. That single hour makes you dramatically harder to hack.

Check If Your Passwords Have Already Been Stolen

Go to haveibeenpwned.com and type your email address. This free service (run by a respected security researcher, Troy Hunt) lists every known data breach your email address has appeared in. If your email is listed, change the passwords for those sites immediately, and for any other site where you reused them. The same service also lets you check an individual password against its breach corpus without ever sending the full password; several password managers, including Bitwarden and 1Password, build their breach reports on it.
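The password check works by k-anonymity: only the first five characters of the password's SHA-1 hash are sent, the service returns every hash suffix it holds for that prefix, and the match is made on your own machine. The following is an added example (not code from the original page or from the service itself) that implements that client-side logic. To stay offline, the HTTP call is replaced by a constructed response body in the exact `SUFFIX:COUNT` shape the real endpoint returns; the hit counts in it are made up, and the live-fetch function is included only to show how the request is formed.

```python
"""Added example: the k-anonymity password check used by Have I Been Pwned
(GET https://api.pwnedpasswords.com/range/<first 5 hex chars of SHA-1>).
Not code from the original page or from the service. Offline demo only."""
from __future__ import annotations

import hashlib


def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Split the uppercase SHA-1 hex digest into the 5-char prefix that is
    sent to the service and the 35-char suffix that never leaves your machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """'SUFFIX:COUNT' lines -> {suffix: count}; blank or malformed lines are skipped."""
    table: dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and count.isdigit():
            table[suffix.upper()] = int(count)
    return table


def pwned_count(password: str, range_body: str) -> int:
    """How many times the password appears in the breach corpus (0 = never seen)."""
    _, suffix = sha1_prefix_suffix(password)
    return parse_range_response(range_body).get(suffix, 0)


def fetch_range_live(prefix: str) -> str:
    """How the real lookup is made (network; not exercised in the offline demo).
    Add-Padding asks the service to pad the response so its size reveals nothing."""
    from urllib.request import Request, urlopen
    req = Request(f"https://api.pwnedpasswords.com/range/{prefix}",
                  headers={"Add-Padding": "true", "User-Agent": "hibp-k-anon-demo"})
    with urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed stand-in for the response to /range/5BAA6 (SHA-1 of "password"
# begins with 5BAA6). The counts are invented for the demo.
FAKE_RANGE_5BAA6 = """\
0123456789ABCDEF0123456789ABCDEF012:4
1E4C9B93F3F0682250B6CF8331B7EE68FD8:9545824
FEDCBA9876543210FEDCBA9876543210FED:1
"""

if __name__ == "__main__":
    prefix, _ = sha1_prefix_suffix("password")
    hits = pwned_count("password", FAKE_RANGE_5BAA6)
    print(f"sent prefix {prefix}; 'password' seen {hits} times in the sample corpus")
```

The design point is that the service never learns which suffix you were looking for: every client with a hash starting 5BAA6 downloads the same list, so a lookup of a password that is not breached is indistinguishable from one that is.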

3. Spotting Phishing — Fake Emails, SMS & Websites

Phishing is when a criminal sends you a message pretending to be someone you trust — your bank, Amazon, PayPal, Instagram, a friend — to trick you into clicking a link or handing over your password. It's the most common attack against regular people because the messages look genuinely convincing.

Red Flags in Emails

Warning Signs How to Identify a Phishing Email
  1. Urgency and fear: "Your account will be suspended in 24 hours!" "Unusual sign-in detected — verify immediately!" Criminals create panic so you act before you think.
  2. Suspicious sender address: The display name says "Instagram" but the actual address is on an unrelated domain. The display name is free text the sender types in; only the domain after the @ tells you anything, and even that can be forged, so a matching domain is not proof, while a mismatched one is a clear red flag. Tap or click the sender name to reveal the real address.
  3. Unexpected attachments: A random PDF, invoice, or ZIP file you weren't expecting. Opening it can silently install malware.
  4. Links that don't match: Hover over a link (don't click) and look at the destination URL shown at the bottom of the browser window; on a phone, long-press the link to preview it. If the visible text says instagram.com but the destination is a different domain, or the domain merely contains the brand name (instagram-security, paypal-verify and the like), don't click.
  5. They ask for your password or code: No bank, no company, no platform will ever ask for your password or 2FA code by email. Ever. If they do — it's a scam.
  6. Poor grammar and spelling: A classic sign — though modern AI-assisted phishing is now written perfectly, so don't rely on this alone.

SMS Phishing (Smishing)

The same tricks work over text message. Common examples: "Your package is held — pay £2.99 to release it." "Your bank account is locked — verify here." The link leads to a convincing fake site that captures your card or login details.

Golden rule: Never click a link in an unexpected email or SMS. Go directly to the company's website by typing the address yourself, or open the official app. Then check whether the alert is real. Real problems have real records inside official apps.
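The sender and link checks above are mechanical enough to automate. The block below is an added example (not code from the original page) that runs those two heuristics over a message: it flags a display name that claims a brand while the address lives on another domain, visible link text that disagrees with the real destination, hostnames that borrow a brand name without being under the brand's domain, and punycode hostnames that can hide lookalike characters. The trusted-domain list and the sample message are constructed for the demo; the hostnames use the reserved `.example` top-level domain, so nothing here points at a real site.

```python
"""Added example, not code from the original page: phishing red-flag checks
over a message's From header and HTML body. Sample data is constructed."""
from __future__ import annotations

from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Brand words that should only ever map to one real domain (assumption for the demo).
BRANDS = {"instagram": "instagram.com", "paypal": "paypal.com"}


def under_domain(host: str, domain: str) -> bool:
    """True if host is the domain itself or a subdomain of it."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def host_of(url: str) -> str:
    """Hostname of a URL; bare 'www.example.com/path' text is accepted too."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()


def check_sender(from_header: str) -> list[str]:
    """Red flag 2: display name claims a brand, address lives elsewhere."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    return [
        f"display name mentions {brand!r} but address is @{domain}"
        for brand, real in BRANDS.items()
        if brand in name.lower() and not under_domain(domain, real)
    ]


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from <a> tags."""

    def __init__(self) -> None:
        super().__init__()
        self.links: list[tuple[str, str]] = []
        self._href: str | None = None
        self._text: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_links(html: str) -> list[str]:
    """Red flag 4: shown text vs real destination, brand lookalikes, punycode."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        target = host_of(href)
        shown = host_of(text) if "." in text and " " not in text else ""
        if shown and shown != target:
            findings.append(f"link shows {shown} but goes to {target}")
        for brand, real in BRANDS.items():
            if brand in target and not under_domain(target, real):
                findings.append(f"lookalike host {target} is not {real}")
        if "xn--" in target:
            findings.append(f"punycode host {target} may hide lookalike characters")
    return findings


def analyze(from_header: str, html: str) -> list[str]:
    return check_sender(from_header) + check_links(html)


# Constructed sample message (not a real phishing mail; .example is reserved).
SAMPLE_FROM = '"Instagram Support" <security@instagram-verify.example>'
SAMPLE_HTML = (
    "<p>Unusual sign-in detected. Verify within 24 hours: "
    '<a href="http://instagram-verify.example/login">'
    "https://www.instagram.com/accounts/login</a></p>"
)

if __name__ == "__main__":
    for finding in analyze(SAMPLE_FROM, SAMPLE_HTML):
        print("RED FLAG:", finding)
```

Against the constructed sample the checks report all three problems: the display name claims Instagram from a non-Instagram address, the visible link text names www.instagram.com while the destination is elsewhere, and the destination host borrows the brand name. The absence of findings on a genuine message is not proof of safety; the check is a filter for the obvious, and the golden rule of typing the address yourself still applies.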

How to Spot a Fake Website

4. Two-Factor Authentication (2FA) — The Lock on Your Lock

Two-factor authentication (2FA) means that even if someone knows your password, they still cannot log into your account — because they also need a second proof that it's really you. Usually a time-sensitive code that appears on your phone.

Think of it as a bank vault: the password is the combination, but 2FA is the physical key. Without both, the door stays closed.

Types of 2FA (From Weakest to Strongest)

SMS Code (Okay)

A 6-digit code sent by text. Convenient, but it can be bypassed by SIM-swapping (criminals convince your carrier to move your number to their SIM), and a fake login page can ask you for the code just as it asks for your password. Better than nothing.

Authenticator App (Recommended)

Google Authenticator, Authy, or Microsoft Authenticator generate time-based codes offline on your phone from a secret that never leaves the device, so there is no text message to intercept and no phone number to hijack. A fake website can still trick you into typing the current code, which is why you never enter one anywhere you did not deliberately go. Recommended for everyone.

Hardware Key (Best)

A physical USB device like a YubiKey. Plug it in to confirm it's you. Essentially unphishable — but overkill for most people's personal accounts.

Action step: Enable 2FA on your email first — it's the master key to all your other accounts. Then your bank, then Instagram, Facebook, and WhatsApp. Go to Settings → Security → Two-Step Verification in each app. It takes two minutes and stops the vast majority of account takeovers.
Never share a 2FA code. If you receive a 2FA code you didn't request, someone has your password and is actively trying to get in. Change that password immediately. No legitimate caller, support agent, or friend needs your code — ever.

5. Software Updates — Why They Actually Matter

Software updates feel like an annoyance — they interrupt you and usually just claim to "fix bugs." But security updates are different. They patch holes that hackers are actively using right now to break into devices like yours.

Real example: In 2017, the WannaCry ransomware infected hundreds of thousands of computers worldwide, including hospital systems that had to cancel appointments and operations. It spread through a Windows vulnerability that Microsoft had patched two months earlier. Every infected machine was running Windows without that patch.

What to Update and How

Your Phone's OS

iPhone: Settings → General → Software Update. Android: Settings → System → System Update (the exact path varies by manufacturer). Update as soon as a new version is available, and turn on automatic updates where the option exists.

Windows / macOS

Enable automatic updates and don't postpone them indefinitely. On Windows: Settings → Windows Update. On Mac: System Settings → General → Software Update.

Your Browser

Chrome, Firefox and Safari update automatically. When the browser asks you to restart to apply an update — do it. The patch isn't active until you restart.

Your Apps

Enable auto-update in the App Store or Google Play, especially for banking apps, Instagram, WhatsApp, and other apps with access to sensitive data.

Old devices: Phones and computers stop receiving security patches after about 5–7 years. An unpatched device used for banking or email is a real risk. If your device no longer gets updates, consider it a sign to upgrade — or at minimum, don't use it for sensitive tasks.

6. Public Wi-Fi — What You Risk and How to Stay Safe

Free Wi-Fi at cafés, airports, hotels, and shopping centres is convenient — but it's also where criminals hunt. Anyone connected to the same network can potentially intercept your traffic. And sometimes the network itself is fake — an attacker creates a hotspot called "Airport Free WiFi" and waits.

What Can Happen

How to Protect Yourself

  1. Avoid sensitive tasks on public Wi-Fi. No banking, no logging into email for the first time, no purchases. Use mobile data or wait until you're home.
  2. Use your phone as a hotspot instead. Your phone's personal hotspot is far safer than any public network.
  3. Use a VPN. It encrypts all traffic between your device and the internet — more on this below.
  4. Only use HTTPS sites. The padlock icon means your connection to that specific site is encrypted, even on a compromised network, so nobody else in the café can read what you send. It does not mean the site is genuine: a phishing site gets a padlock just as easily, so the padlock and the domain name have to be checked together.
  5. Forget public networks after use. Your phone auto-reconnects to saved Wi-Fi. A fake "Starbucks" hotspot near you can catch devices that connected to a real one months ago. Go to Wi-Fi settings and forget networks you no longer need.

7. VPNs — When They Help and When They Don't

A VPN (Virtual Private Network) creates an encrypted tunnel between your device and the internet. Anyone watching your connection — the café owner, your internet provider, another user on the same Wi-Fi — sees only encrypted gibberish instead of your actual traffic.

What a VPN is NOT: A VPN is not anonymity. It doesn't protect you from phishing, malware, or weak passwords. It doesn't stop websites from tracking you with cookies. It shifts trust from your local network to the VPN provider. Pick a trustworthy one.

When a VPN Actually Helps

Recommended VPNs

Mullvad

Best-in-class privacy. No email address or personal details required (you get a randomly generated account number), accepts anonymous payment, regularly audited by independent security firms.

ProtonVPN

Open source, Switzerland-based, free tier available. Run by the team behind ProtonMail. Excellent trust record.

NordVPN / ExpressVPN

Popular and user-friendly. Usable, but both have had past incidents. The options above are better for privacy.

Be wary of free VPNs. Apps that offer a free VPN with no visible business model are very often monetising your browsing data or are outright malicious, which defeats the entire purpose. The exception is the free tier of a reputable paid provider such as ProtonVPN, which is funded by its paying customers.

8. Social Media Privacy — What You're Sharing Without Knowing

Social media is engineered to make sharing feel natural and rewarding. But the details you post publicly — where you live, where you work, your daily routine, photos of your home, travel dates, your children's school — form a detailed profile that criminals use in targeted attacks.

What Attackers Build From Your Profile

Key Privacy Habits

  1. Set accounts to private — only approved followers see your content. One toggle in every platform's settings.
  2. Remove your phone number and email from your public profile. These are harvested for spam, SIM-swapping, and phishing.
  3. Disable location tags on posts and photos. Metadata in photos and auto-location tagging reveal where you are and where you live.
  4. Audit third-party apps. Every "Login with Facebook/Google" over the years may have given dozens of apps standing access to your data. Revoke anything you don't recognise or no longer use.
  5. Post travel photos after you return, not while you're away.
  6. Be thoughtful about photos of children. School uniforms, name badges, and recognisable locations in backgrounds reveal far more than you intend.
Friend requests from strangers: Romance scams, fake investment advisors, and "brand ambassador" recruiters start with a friend or follow request. If you don't know the person in real life, be cautious. Criminals build rapport over weeks before the ask comes.

9. Instagram Safety — The Platform Everyone Uses

Instagram is one of the most targeted platforms for account hacking, scams, and impersonation. Here is a complete step-by-step guide to locking down your account — go through each one now.

Essential Security Settings to Enable

Step by Step Instagram Security Checklist
  1. Enable Two-Factor Authentication (2FA)
    Profile → Menu (☰) → Settings → Accounts Center → Password & Security → Two-Factor Authentication → Choose your account → turn on Authenticator App (not SMS — it's stronger).
  2. Set your account to Private
    Profile → Menu (☰) → Settings → Account Privacy → Private Account → toggle ON. Only approved followers will see your posts, Stories, and Reels.
  3. Enable login alerts
    Accounts Center → Password & Security → Login Alerts → turn ON for both "On Instagram" and "Email". You'll be notified instantly if someone logs in from a new device.
  4. Use a strong, unique password
    Profile → Menu → Settings → Accounts Center → Password & Security → Change Password. Use a 16+ character password with uppercase, lowercase, numbers, and special characters. Do not reuse a password you use elsewhere.
  5. Review where you're logged in
    Accounts Center → Password & Security → Where You're Logged In. See every device with active access. Tap "Log Out" on any device you don't recognise or no longer use.
  6. Restrict who can message you
    Settings → Messages → Message Controls → set "Others on Instagram" to "Don't receive requests." This stops strangers from sliding into your DMs unsolicited.
  7. Hide your activity status
    Settings → Messages → Show Activity Status → OFF. Others won't see when you're online.
  8. Revoke connected apps
    Settings → Account → Apps and Websites → Active. Remove any app you don't recognise or actively use. These can read your profile and DMs.

DM Scams — Know What They Look Like

Instagram DMs are one of the most active channels for fraud. Here are the scams you will encounter:

"Brand Ambassador" Scam

A brand offers to send you free products in exchange for a post — you just need to pay a small "shipping fee" first. There are no products. The fee disappears.

Crypto / Investment Scam

"I made €5,000 last week trading, let me show you how." They guide you into a fake trading platform where you deposit real money — then vanish when you try to withdraw.

Fake Celebrity / Giveaway

A "verified" celebrity account announces a giveaway — you just need to send a small fee to claim your prize. Celebrities don't do this. It's a scam, every time.

"Your Account Will Be Deleted"

A message claiming to be Instagram Support says your account violates a policy and will be deleted unless you verify via a link. Instagram doesn't send security messages through DMs.

Romance / Friendship Scam

Someone attractive starts a friendly conversation and builds trust over weeks. Eventually they have a financial emergency, or pitch a business opportunity that requires your money.

Profile Cloning

A criminal copies your profile photos and name to create a fake account, then messages your followers pretending to be you. Check periodically if your photos appear in other accounts.

The rule for Instagram DMs: If someone you don't know in real life mentions money, a prize, a job, an investment, or sends you a link — it is a scam. Block and report immediately. Don't engage, don't click the link, don't reply.

If Your Instagram Account Gets Hacked

  1. Act immediately. The window to recover access is narrow — attackers change the email and phone number on the account within minutes.
  2. Go to instagram.com/hacked and follow the account recovery flow. Instagram has a dedicated path for this.
  3. Select "I can't access this email or phone number" if the attacker already changed them, then use the video selfie verification option Instagram offers.
  4. Once recovered: change your password immediately, enable 2FA, and review all active sessions.
  5. Tell your followers publicly that your account was compromised. Attackers often use hacked accounts to scam the victim's friends.
  6. If recovery fails, use the in-app "Get More Help" option, which escalates to Instagram's support team.
Protect your linked email above all else. Your Instagram is only as secure as the email account it's connected to. If an attacker gets into your email, they can request a password reset for Instagram and lock you out. Secure your email with a strong password and 2FA first — always.

10. Safe Browsing — Spotting Fake Sites & Dangerous Downloads

Your browser is the window to the internet — and it can also be the entry point for malware. A few habits make your browsing dramatically safer.

Browser Basics

Keep Your Browser Updated

Chrome, Firefox, and Safari update automatically. When prompted to restart to apply an update — do it. The patch isn't active until you do.

Use a Reputable Browser

Chrome, Firefox, Safari, and Edge are safe choices with active security teams. Avoid obscure browsers that promise "total privacy" without an auditable track record.

Install uBlock Origin

Free, open-source ad blocker that also blocks malicious ads ("malvertising"). Ads on legitimate sites have been used to spread malware — an ad blocker removes that entire attack surface.

Check the URL Before Logging In

Before entering any password, verify the domain in the address bar is exactly correct. One wrong character means a fake site. Take two seconds to look.

Dangerous Downloads

Most malware is installed because someone downloaded something that looked legitimate. Be suspicious of any download, installer or "update" you did not deliberately go looking for, and of anything a pop-up or unexpected message urges you to run.

"You have a virus" pop-ups: This is a scam. Close your browser immediately. If you can't close it, press Alt+F4 on Windows or Cmd+Q on Mac, or force-restart the device. You are not infected — but you will be if you follow the pop-up's instructions and call that number.

11. Back Up Your Data — Because Ransomware Is Real

Ransomware is malware that encrypts all your files — photos, documents, videos — and demands payment to restore them. Even victims who pay often never get their files back. The only reliable defence is a backup that exists independently from your computer.

The 3-2-1 Backup Rule

Rule 3-2-1: The Backup Strategy That Works
  1. 3 copies of your important data — the original plus two backups
  2. 2 different storage types — e.g. your computer AND an external hard drive
  3. 1 copy stored off-site — e.g. cloud storage (iCloud, Google Drive, Backblaze) so a fire, flood, or theft doesn't destroy everything simultaneously

iCloud / Google Photos

Automatically backs up your phone photos and videos. Enable in Settings — it runs in the background without any effort.

External Hard Drive

Plug in weekly or monthly. Windows: Backup and Restore (or File History). Mac: Time Machine. Simple and cheap. Unplug the drive once the backup finishes: ransomware encrypts every drive that is attached at the time, and a backup drive that is always connected is not independent of your computer.

Backblaze

$9/month backs up your entire computer continuously in the background. The easiest full-computer cloud backup available.

Test your backup. A backup you've never tested may not work when you need it most. Once every few months, try restoring a single file from your backup to confirm it works.
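The "test your backup" step can be built into the backup itself. Below is an added example (not code from the original page, and not how iCloud, Time Machine or Backblaze work internally) of a small folder backup that writes a SHA-256 manifest next to the copy and later verifies every file against it, so a silently corrupted or ransomware-encrypted backup is noticed before the day you need it. The paths are whatever you pass in; the demo at the bottom builds throwaway folders in a temporary directory and simulates ransomware overwriting one file in the backup.

```python
"""Added example, not from the original page: copy a folder, record a SHA-256
manifest beside the copy, and verify the copy against the manifest later."""
from __future__ import annotations

import hashlib
import json
import shutil
import tempfile
from pathlib import Path

MANIFEST = "backup-manifest.json"


def sha256_of(path: Path) -> str:
    """Stream the file in 1 MiB chunks so large videos do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def backup(src: Path, dst: Path) -> dict[str, str]:
    """Copy every file under src into dst and return the relative-path -> sha256 manifest."""
    dst.mkdir(parents=True, exist_ok=True)
    manifest: dict[str, str] = {}
    for file in sorted(p for p in src.rglob("*") if p.is_file()):
        rel = file.relative_to(src).as_posix()
        target = dst / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(file, target)
        manifest[rel] = sha256_of(target)  # hash the copy, not the original
    (dst / MANIFEST).write_text(json.dumps(manifest, indent=2))
    return manifest


def verify(dst: Path) -> list[str]:
    """Return the relative paths that are missing from dst or whose bytes changed."""
    manifest = json.loads((dst / MANIFEST).read_text())
    return [
        rel for rel, digest in manifest.items()
        if not (dst / rel).is_file() or sha256_of(dst / rel) != digest
    ]


def demo() -> tuple[list[str], list[str]]:
    """Constructed scenario: back up two files, verify (clean), then simulate
    ransomware overwriting one file in the backup and verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp) / "photos", Path(tmp) / "backup"
        (src / "docs").mkdir(parents=True)
        (src / "holiday.jpg").write_bytes(b"\xff\xd8 fake jpeg bytes")
        (src / "docs" / "tax.pdf").write_bytes(b"%PDF-1.4 fake pdf bytes")
        backup(src, dst)
        clean = verify(dst)
        (dst / "holiday.jpg").write_bytes(b"ENCRYPTED-BY-RANSOMWARE")
        return clean, verify(dst)


if __name__ == "__main__":
    before, after = demo()
    print("problems before tampering:", before)
    print("problems after tampering :", after)
```

Two details matter for the 3-2-1 rule: the manifest is hashed from the copy, so it proves the backup itself is intact rather than just the source, and the verification needs only the backup drive, so it can be run on the off-site copy without the original machine. A manifest kept only on the same drive can be rewritten by whatever corrupted the files, so keep a second copy of it elsewhere.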

12. What to Do If You Get Hacked

Even careful people get hacked — a data breach at a company you use, a moment of distraction on a phishing link, a phone left unattended. What matters is how fast and methodically you respond.

Signs You May Have Been Hacked

Immediate Response Steps

  1. Stay calm and act quickly. Speed matters — attackers act fast once they're in.
  2. Change the password on the compromised account immediately to a new, unique, strong one.
  3. Enable 2FA on that account if it wasn't already active.
  4. Check your email account — if your email was compromised, the attacker may have already triggered password resets on your bank, Instagram, and other accounts.
  5. Review active login sessions — go to Account Settings → Security → Active Sessions (or equivalent). Sign out all unrecognised sessions.
  6. Check email forwarding rules. Attackers commonly set up silent forwarding so they keep receiving your emails even after you change the password.
  7. Call your bank if financial data may be compromised. They can freeze your card and reverse fraudulent transactions.
  8. Scan for malware — Malwarebytes (free version) is excellent for Windows and Mac.
  9. Alert anyone affected — if your account sent scam messages to your contacts, let them know immediately so they don't fall victim too.
After the crisis: Use the incident as motivation. Install a password manager, enable 2FA everywhere, check haveibeenpwned.com, and review your privacy settings. The best time to do this was before it happened — the second best time is now.

Reporting Cybercrime

Quick Checklist — Do These Today

Everything in priority order. Start at number one and work down.

Priority Your Complete Internet Safety Checklist
  1. ✓ Install Bitwarden (free password manager)
  2. ✓ Set a 16+ char password with uppercase, lowercase, numbers & special chars on your email
  3. ✓ Enable 2FA (authenticator app) on your email
  4. ✓ Enable 2FA on Instagram and all social media
  5. ✓ Set Instagram to Private + enable login alerts
  6. ✓ Enable 2FA on your bank account
  7. ✓ Check haveibeenpwned.com — change any breached passwords
  8. ✓ Enable automatic updates on your phone and computer
  9. ✓ Set all social media profiles to private
  10. ✓ Review and revoke unused third-party app access on Instagram/Facebook
  11. ✓ Install uBlock Origin on your browser
  12. ✓ Enable automatic photo backup (iCloud / Google Photos)
  13. ✓ Avoid banking and sensitive logins on public Wi-Fi
  14. ✓ Change a password immediately whenever a breach notification, haveibeenpwned.com, or a login alert you didn't trigger shows it may be exposed
Share this guide. The people around you — family, friends, colleagues — are only as safe as their habits. If one person in your circle gets hacked and your details are in their contact list, you become a target too. Security is a shared effort. Send this to someone who needs it.