With all the craziness on the internet these days I decided to put
together a general guide and very simplified overview of various
things you need to be aware of on the internet that are
jeopardizing your digital world.
With a little knowledge you can help protect yourself and others
around you from getting scammed and potentially losing thousands
of dollars.
I feel it is important to review this entire document to get a
summary of the threats online. Cyber threats have evolved
significantly in recent years with the rise of AI-powered scams
making attacks more convincing than ever before.
Note: This is not a comprehensive guide. It is not
possible to cover every scam, threat, or scheme online. It is here
to help you recognize what is out there so you can be more informed
and stay safe online.
Scams can range in severity from trying to get your login info to
stealing thousands of dollars from your bank accounts.
Typically most all scams play on your fears or they can be a
complete deception.
When you get an email look at the from email address. That is often your
biggest clue that it's not real. When you are browsing the
internet look at the address bar and see if the website is secure
and if it is the website you are intending to visit.
Be aware that scammers now use AI to generate very convincing
emails, text messages, and even voice calls that sound exactly
like someone you know. Always verify through a separate channel
if something seems off.
These emails are anything that attempts to mislead you and trick you
into handing over your email logins and other information. The
emails typically take on scare tactics to persuade you to click
a link to fix a problem.
For example: "Your account is about to expire please take
immediate action to prevent your emails from being deleted."
or "Your invoice is past due please submit payment immediately."
With AI tools now widely available phishing emails have become
much harder to spot. They no longer have obvious spelling and
grammar mistakes. Always hover over links before clicking to see
where they actually go.
Once a hacker has your email credentials they can impersonate you
and if that person is high enough in a company can even extort
large sums of money from a company.
One of the biggest new threats is the use of AI to create
deepfake audio and video. Scammers can now clone someone's voice
from just a few seconds of audio and use it to call you
pretending to be a family member in trouble asking for money.
If you receive an urgent call from a loved one asking for money
hang up and call them back on their known number. Establish a
family code word that only your family knows for verifying
identity in emergencies.
AI is also being used to create fake websites, fake customer
service chatbots, and even fake video calls. If something feels
rushed or pressured it is likely a scam.
Scammers are now placing fake QR codes over real ones in
restaurants, parking meters, and public places. When scanned
these fake codes send you to phishing sites that steal your
login credentials or payment information.
Before scanning a QR code check if it looks like a sticker
placed over the original. When possible type the URL directly
into your browser instead of scanning.
Popup scams typically take on scare tactics that attempt to make
you download or install a program which then opens a back door to
additional hacking. These popups may look like a very real Windows
update notification. Your biggest clue here is if it's in a
browser window it's likely not real.
Also keep in mind Microsoft does not put their phone number on
support messages.
Redirects usually happen as a result of a bad plugin or extension
that has been added to your browser. These will often change your
home page to something new. They can also hijack your search
engine and address bar so that anything you search for can be sent
to one of their sites to make them even more money.
A very common trick that is used is to send you to a site that
looks like the real site then passes anything you type like
your email login to the real site.
As a result your email or account will then be compromised.
Keep an eye on your address bar. Visiting microsoft.com
is not the same as microsoft.com.windowssupport.net.
A real website will have a proper address followed by a slash microsoft.com/
Fileless Malware is extremely difficult to detect and prevent.
This type of malware looks to exploit vulnerabilities in software
like your web browser. By going to a website that is potentially
unsafe your computer can get infected just by being on the
website. They can also be loaded through file attachments in email or
downloaded programs.
The best way to prevent this type of threat is to ensure you are
going to trustworthy websites and not installing random software.
Jim Browning - https://www.youtube.com/@JimBrowning
Phone call scams can be downright scary if they are done right.
These scams will often extort money from you in one way or
another. Jim Browning has several videos where he reverse hacks
the scammers.
These scammers will attempt to impersonate some agency of
authority and make threats to your freedoms.
One example is the IRS scam. The scammer will call saying you are
being investigated by the IRS and it has been discovered that you
have not paid enough. If you don't pay they will come to arrest
you and you need to stay on the phone and work with them until it
is resolved.
With AI voice cloning scammers can now sound like anyone
including your bank, your boss, or even a family member. Never
trust caller ID alone as any phone number can be spoofed.
With any phone call scam do not be afraid to hang up. If you are
at work and they call you back tell them to call the corporate
office. Do not give them the number and hang up. Take note of when
this occurred and notify IT of the attempted scam. Any real and
genuine issue will typically go through your corporate office
through official channels.
If you get a scam targeting you personally try to get as much
information as you can and see if you can get a call back number. Do not give
any personal information even if they seem to know a lot. Do not
call the number back. If they claim to be some agency you can
look up the information for the agency and call them directly if
you feel it might be real. If you discover it is not real call
your local non-emergency number for the police and give them the
information. Notifying the police is important if it turns out to
be an identity theft issue.
SIM swapping is when a scammer convinces your cell phone carrier
to transfer your phone number to their device. Once they have
your number they can receive your text message verification
codes and break into your accounts.
To protect yourself set up a PIN or password with your cell
phone carrier that is required before any changes can be made to
your account. Also consider using an authenticator app instead of
text messages for two-factor authentication.
Do not give anyone remote access to your computer.
If anyone asks for access to your computer for any reason be sure
to verify it is for a legitimate reason.
Lets say someone calls saying they are from Microsoft to say your
computer has an issue and they need remote access to your
computer.
First off Microsoft won't do that. You would have to call
Microsoft and if they request remote access they won't send you to
TeamViewer or some other remote software site. They will send you
to a microsoft.com site.
The other way to know if remote access is legitimate or not is if
you are asked to use a trial version of remote software.
Malware and viruses can be very damaging and extremely disruptive.
Depending on how bad the infection is it has the potential of
being something as basic as a small program that sits and waits
for instructions on what to do next or it could actively spread
and bring down entire systems and networks and even take
down an entire city government or hospital system.
There are many forms of malware and viruses. Some can log
everything you type and send it to a server on the internet while
others will hijack your browser and start showing you ads for
anything and everything which can lead to more and more malware
and viruses being installed on your system.
The worst of these currently is ransomware which can be loaded by
a trojan virus from a website or an email attachment.
Text message scams have exploded in recent years. You have likely
received texts claiming to be from USPS, FedEx, or UPS saying a
package could not be delivered. Or a message from a toll agency
saying you have an unpaid toll. Or your bank alerting you to
suspicious activity with a link to verify your account.
These are almost always scams. Legitimate companies will not ask
you to click a link in a text message to resolve an issue. If you
receive a suspicious text do not click the link. Instead go
directly to the company's website or call them using the number
on their official site.
Never reply to these texts even to say "STOP" as this confirms
to the scammer that your number is active and will result in even
more spam.
What is Ransomware?
https://en.wikipedia.org/wiki/Ransomware
In short ransomware is a malicious program that has been run on your
computer from an infected file that was received through an email
attachment, fake update or even a fileless attack from a malicious
website.
The ransomware program encrypts all the documents, images and
other files on your computer and leaves you a ransom note telling
you to pay a certain amount of money in exchange for a decryption
key.
Some ransomware also transmits your data to a server to ensure
that you pay or they will release your information publicly if you
don't.
Ransomware is such an issue that it is critical for you
not to install anything from unknown or untrusted sources.
Ransomware attacks have dramatically increased in recent years.
Hospitals, schools, city governments, and major corporations have
all been targets. The Colonial Pipeline attack in 2021 shut down
fuel distribution across the eastern United States. These attacks
now routinely demand millions of dollars.
What browser do you use?
Edge is built on the same engine as Google Chrome (Chromium)
and is a capable modern browser however in its default state
Edge is gathering significant telemetry and metadata on its
users. Microsoft collects browsing data, search history, and
usage patterns. Unless you take the time to dig through the
settings and disable the extensive data collection Edge should
be avoided.
Chrome is fast and widely supported but has significant privacy
concerns. Google has made changes to its extension system
(Manifest V3) that limit the effectiveness of some ad blockers
and privacy extensions. Chrome also collects browsing data for
advertising purposes.
Install link - https://www.google.com/chrome/
Firefox continues to be one of the best browsers for privacy. It
has built-in Enhanced Tracking Protection that blocks trackers,
fingerprinters, and cryptominers. Firefox also has a container
feature that can isolate Facebook and other trackers to prevent
them from following you across the web.
Install Link - https://www.mozilla.org/firefox/
Brave is focused on privacy and securing your information. By
default Brave blocks ads and trackers so you don't have to install any ad
blockers and it also has malware and phishing protection. There is
also a very useful browser sync feature that doesn't require you to
sign up for an account allowing you to keep your bookmarks, history,
and passwords updated across multiple computers.
Install link - https://brave.com/
While there are other browsers out there Brave is the best all
round browser for protecting your privacy and blocking malicious
trackers and sites and is actively maintained.
Ad blockers are very important as they will help reduce the
number of potentially damaging and misleading popups on your
computer while browsing the internet.
The ad blocker I recommend is AdGuard
(https://adguard.com/en/adguard-browser-extension/overview.html).
AdGuard works well across all major browsers and has adapted to
Chrome's Manifest V3 extension changes that have limited other
ad blockers. It blocks ads, trackers, and phishing sites
effectively. The browser extension is free.
Remember that the Brave browser has a built-in ad blocker and
does not require any extra add-ons.
Be very cautious of other ad blockers out there as there are many
that pretend to be ad blockers only to later reveal themselves to
be malware and browser hijackers.
Public WiFi at coffee shops, airports, hotels, and other public
places is not secure. Anyone on the same network can potentially
intercept your internet traffic and see what you are doing online.
Hackers can also set up fake WiFi networks with names like
"Starbucks_Free_WiFi" to trick you into connecting.
A VPN (Virtual Private Network) encrypts all of your internet
traffic so that even if someone intercepts it they cannot read it.
Using a VPN on public WiFi is one of the most important things
you can do to protect yourself.
Even at home a VPN prevents your internet provider from tracking
and selling your browsing data.
Mullvad VPN - One of the most
privacy-focused VPNs available. They don't even ask for an email
to sign up. You get an account number and that's it. Very
transparent about their practices.
Proton VPN - Made by the same
team behind ProtonMail. They have a free tier with no data limits
which is great for getting started. The paid version adds more
server locations and faster speeds.
Be cautious of free VPN services that are not from reputable
companies. Many free VPNs make money by logging and selling your
browsing data which defeats the entire purpose of using a VPN.
Don't use the same password everywhere. The first thing a hacker
attempts is to try your compromised logins on other sites.
If your information is part of a data breach it would
essentially make it simple to take over your digital life if you
use the same password everywhere.
Longer passwords are safer. With modern hardware and AI an 8
character lowercase password can be cracked almost instantly.
Even passwords with mixed characters can be cracked in minutes
if they are too short. Use at least 14 characters with a mix of
upper and lowercase letters, numbers, and special characters.
Better yet use a passphrase of 4 or more random words.
Here are some very important questions to ask yourself!
What is your email password? Is your email password used
anywhere else?
What is the first thing you do if you forget your password for
your bank account?
If your email password is simple and used in more than one place
you are setting yourself up to lose a lot.
An attacker that gains access to your email can see what bank
account you have and can attempt to reset your password allowing
them to gain full access to your bank account.
Always keep your email password unique and complex. Your email
is the backdoor to most if not all of your online accounts.
Passkeys are a newer and more secure replacement for passwords
that are now supported by Apple, Google, and Microsoft. Instead
of typing a password you authenticate using your fingerprint,
face, or device PIN. Passkeys cannot be phished or stolen in a
data breach because they are tied to your specific device.
Whenever a website offers passkey support consider setting it
up as it is the most secure login method available today.
Bitwarden is the best option for a free password manager.
https://bitwarden.com/
Bitwarden is open source and encrypts all your information so
that it is not visible to anyone without your master password.
It works across all devices and browsers.
Note: LastPass which was previously recommended suffered major
security breaches in 2022-2023 where encrypted user vaults were
stolen. I no longer recommend LastPass.
Using a password manager can also help you discover phishing
attempts. Password managers detect the login pages of websites
you use and associate the username and password accordingly. If
you end up on a phishing site the password manager will
not offer to fill in the password as the phishing
site will not match the real site.
Enable 2FA everywhere you can. This way even if your account
login is compromised an extra step is needed for the hacker to
gain access to your accounts.
Use an authenticator app like Microsoft Authenticator or Google
Authenticator instead of text message codes when possible. Text
messages can be intercepted through SIM swapping attacks.
Use a long password on your email and don't use that password
anywhere else. Your email is the doorway to your digital life.
As an example lets say you forgot your password on one of your
accounts. The typical way to recover access to your account is
to send a password reset to your email. As a result anyone with
access to your email can take over any of your accounts.
They can also create rules in your email to prevent you from
seeing certain emails and also setup a forwarder to send all
your emails to another email account.
Installing system updates is important as it closes security
loopholes that can be exploited by hackers.
Do not click on any popups saying your system needs an update of
any kind. Use the operating system's built-in tools to check for
updates.
If you have McAfee, Norton, AVG, or Avast on your computer I
would recommend removing them. McAfee and Norton slow your
computer down and come with fees. AVG and Avast have
been caught selling user browsing data to advertisers.
While Windows 10 and 11 come with Microsoft Defender built in
it is very weak compared to dedicated antivirus solutions and
should not be relied on as your primary protection.
https://www.bitdefender.com/en-us/consumer/free-antivirus
Bitdefender is my primary recommendation for antivirus. The free version
is excellent and provides strong real-time protection. In
independent testing by channels like The PC Security Channel
Bitdefender frequently comes out on top beating most paid
antivirus solutions. It is lightweight and for the most part
an install and forget it's there type of program.
https://www.malwarebytes.com/
This program is very effective as a secondary scanner for clearing up
potentially unwanted programs (PUPs) and can also remove tracking
cookies put on your system by advertisers. Run it alongside
Bitdefender for an extra layer of protection. The free
version allows manual scans.
No antivirus is foolproof. These programs do their best to detect
what they know about but something new that has never been seen
before can still get through. It is up to you to be aware of
things that don't seem right and use good judgment online.
Use https://ninite.com/
to see if the software you need is there.
Ninite is great in that it prevents additional software being
installed at the same time.
If the software you need is not on Ninite make sure it is from a
reputable source.
Don't click on the first link in your search and download from
random file sharing sites.
It is best to go to the actual company's website to download
the installer directly. Other file sharing sites could have
compromised installers with malicious payloads that can infect
your computer.
Be especially cautious of sponsored search results at the top
of Google searches. Scammers have been buying ads that look like
official download links for popular software but instead lead to
malware-infected installers.
When installing software check what else the software is
trying to install. Many programs bundle extra software that you
don't need. Be sure to uncheck these
additional installs and install only what you need.
Having good backups is one of the most important things you can do
to protect yourself. If your computer gets infected with
ransomware, crashes, or is stolen your data is gone unless you
have a backup. A good backup strategy can make a ransomware
attack merely an inconvenience rather than a disaster.
Follow the 3-2-1 backup rule:
- 3 copies of your data
- 2 different types of storage (such as an external hard drive and cloud storage)
- 1 copy offsite (cloud storage or a drive kept at another location)
Most cloud backup and storage services like Google Drive,
Microsoft OneDrive, iCloud, and Dropbox do not use true end-to-end
encryption. This means the hosting company and anyone with
sufficient access on their end can see your data. Only the owner
of the data should have the keys to that data.
I would recommend against using any cloud backup service that
does not offer end-to-end encryption where only you hold the
decryption keys. If you do use cloud storage for convenience be
aware that your files are not truly private.
Local backups that you physically control are the most secure
option for protecting your data.
An external hard drive or USB drive is a good option for a local
backup. Windows has built-in backup tools under Settings and Mac
has Time Machine. Set it up and let it run automatically.
Important: If you keep your backup drive plugged in all the time
ransomware can encrypt it too. Consider unplugging your backup
drive when not in use or keeping a second backup in a different
location.
A NAS (Network Attached Storage) is a personal cloud that sits
in your home on your own network. It gives you the convenience
of cloud storage and automatic backups without handing your data
over to a third party. Your data stays on hardware you own and
control.
Most NAS devices support automatic backup from your computers
and phones, can be accessed remotely when you are away from home,
and many support RAID configurations so your data survives a
hard drive failure.
Synology - The most
popular and well-regarded NAS brand. Their DiskStation models
are easy to set up and their software is excellent. Great for
beginners and advanced users alike. Synology Drive works similar
to Google Drive or Dropbox but everything stays on your own
hardware.
UGREEN NASync -
A newer option that has been getting very positive reviews. Their
NAS devices are well built and competitively priced. A great
alternative to Synology.
Note: QNAP is another brand you may see but their devices have
had significant security vulnerabilities over the years including
being targeted by ransomware. I would avoid QNAP and stick with
Synology or UGREEN.
A NAS is one of the best investments you can make for protecting
your data while maintaining full control and privacy.
If you and a friend both have a personal cloud setup you could
back up to each other's devices for a true offsite backup while
still keeping full control of your data. Setting that up is well
beyond the scope of this overview but it is worth knowing it is
possible.
Data brokers are companies that collect and sell your personal
information including your name, address, phone number, email,
age, and even family members. This information is publicly
searchable and is often used by scammers to make their attacks
more convincing.
There are services that will remove your information from these
data broker sites on your behalf. While you can do this manually
it is extremely time consuming as there are hundreds of data
broker sites and they frequently re-add your information.
OneRep is a data removal service that should be avoided. In 2024
Krebs on Security revealed that OneRep's CEO Dimitri Shelest also
founded Nuwber, one of the largest people-search data broker
sites. They were essentially profiting from both sides — selling
your personal data and charging you to remove it. Mozilla also
dropped OneRep from Firefox Monitor as a result. If you are
currently using OneRep I would recommend switching to one of the
services below.
https://joindeleteme.com/
DeleteMe is one of the most established and trusted data removal
services. They actively scan and remove your personal information
from data broker sites and provide regular reports showing what
was found and removed. They cover a large number of data broker
sites and continuously monitor for your information being
re-added.
https://incogni.com/
Incogni is made by Surfshark and is another solid option for
data removal. It sends removal requests to data brokers on your
behalf and tracks the progress. It is generally more affordable
than DeleteMe and covers a wide range of data broker sites.
One of the most effective ways to protect yourself from identity
theft is to freeze your credit with all three major credit
bureaus. A credit freeze prevents anyone from opening new
accounts, loans, or credit cards in your name. It is completely
free and does not affect your credit score.
When you need to apply for credit yourself you can temporarily
lift the freeze online in minutes and then re-freeze it
afterwards.
If you have not already done this I highly recommend doing it now.
It only takes a few minutes at each bureau:
Equifax - Freeze Your Credit
Experian - Freeze Your Credit
TransUnion - Freeze Your Credit
You should also freeze your credit with
Innovis which
is a lesser known fourth credit bureau that identity thieves
sometimes target because most people don't know about it.
What you share on social media can be used against you in ways
you might not expect. Scammers and hackers actively mine social
media for information they can use.
Be careful about sharing:
- Your birthdate, pet names, school names,
and mother's maiden name — these are common security
question answers
- Vacation plans — announcing you are away from home tells
criminals your house is empty
- Location data — check-ins and geotagged photos reveal
your daily patterns
- Photos of keys, badges, or documents — these can be
duplicated from a photo
Be very careful about sharing photos of yourself and your
family online. With AI tools scammers can take your photos and
create deepfake images and videos of you. These deepfakes can be
used for blackmail, fraud, impersonation, or other harmful
purposes. The more photos of you that are publicly available the
easier it is for someone to create a convincing deepfake. This is
especially important to consider when sharing photos of your
children.
Review the privacy settings on all of your social media accounts
and limit who can see your posts and personal information. Set
your profiles to private when possible and be selective about
who you accept as friends or followers.
This is almost impossible these days but you can try to reduce
it by checking for the little "sign up for our newsletter"
check boxes or similar marketing options that are on almost
every website. Very often if you sign up for any of these the
list is shared with a 3rd party.
If you need to sign up for an account somewhere but don't intend
on keeping the account use a fake name and email if possible.
A lot of websites these days will make you verify your email so
you can't use a fake email. In that case use a temporary email
that expires minutes after it's used.
https://temp-mail.org/
https://guerrillamail.com/
https://www.minuteinbox.com/
https://maildrop.cc/
This guide was originally written in December 2019 and last
updated in March 2026. The internet is constantly changing and
new threats are constantly emerging. AI-powered attacks are
making scams more sophisticated than ever. Stay vigilant and
when in doubt verify before you click, call, or send money.