1. Have Long, Anti-Social-Engineering Passwords
Your passwords are the first line of defense against intruders — but not all passwords are created equal. Short or predictable ones (such as birthdays, simple words, or “password123”) are easy for attackers to guess or crack. Strong passwords are long, use a mix of letters, numbers, and symbols, and are unique for every account. Reusing the same password across multiple platforms significantly increases risk, as attackers often rely on credential stuffing using data from previous breaches (NIST, 2020; Verizon, 2023). Cybersecurity experts emphasize that attackers frequently exploit personal information gathered from social media to support social engineering attacks.
“Use strong, unique passwords for each account — aim for at least 12 characters.”
— National Institute of Standards and Technology (NIST, 2020)
Using passphrases — longer, memorable sentences known only to you — improves both security and usability, provided they are not based on publicly available personal information (NIST, 2020).
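The checks this section describes (a 12-character floor, no publicly harvestable personal details, no breached or reused secrets) can be applied mechanically. The following added example is not from the original article; the profile, the breach set and the candidate passwords are constructed stand-ins, and a real deployment would query a breached-password service rather than a hard-coded set.

```python
import re
from datetime import date

MIN_LENGTH = 12  # length floor the article cites from NIST SP 800-63B
# Constructed stand-in for a breach corpus; a real check would query a
# breached-password service instead of a hard-coded set.
BREACHED = {"password123", "qwerty", "letmein", "iloveyou"}
# Constructed public profile of the kind an attacker scrapes from social media.
PROFILE = {"first_name": "Maria", "last_name": "Lopez", "pet": "Rex",
           "city": "Austin", "birth_date": date(1988, 3, 7)}

def personal_tokens(profile):
    """Strings harvestable from a public profile, in the spellings an
    attacker would try: names, pet, city and several birth-date formats."""
    tokens = {profile[k].lower() for k in ("first_name", "last_name", "pet", "city")
              if profile.get(k)}
    born = profile.get("birth_date")
    if born:
        for fmt in ("%Y", "%d%m", "%m%d", "%d%m%Y", "%m%d%Y", "%Y%m%d"):
            tokens.add(born.strftime(fmt))
    return {t for t in tokens if len(t) >= 3}  # 2-char tokens would just be noise

def assess_password(candidate, profile, used_elsewhere=()):
    """Return a list of findings; an empty list means the candidate passes."""
    findings = []
    if len(candidate) < MIN_LENGTH:
        findings.append(f"too short: {len(candidate)} < {MIN_LENGTH} characters")
    lowered = candidate.lower()
    squashed = re.sub(r"[^a-z0-9]", "", lowered)  # so "Rex-1988!" still matches
    for token in sorted(personal_tokens(profile)):
        if token in lowered or token in squashed:
            findings.append(f"contains guessable personal detail: {token!r}")
    if lowered in BREACHED:
        findings.append("appears in a breach corpus (credential-stuffing target)")
    if candidate in used_elsewhere:
        findings.append("reused from another account")
    return findings

if __name__ == "__main__":
    for pw in ("Rex-1988!", "password123", "violet kettle marches at dawn"):
        print(pw, "->", assess_password(pw, PROFILE) or ["ok"])
```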
2. Avoid Suspicious Links — Check Every Detail
One of the most common cyber threats today is phishing — deceptive messages containing links that appear legitimate but redirect users to malicious websites. These links are often delivered via email, SMS, or messaging apps and impersonate trusted organizations. Attackers commonly use email addresses or phone numbers that closely resemble legitimate ones, relying on users’ inattention to detail (Google, 2022).
Messages that create urgency — such as threats of account suspension — are a key psychological tactic used in phishing. Research shows that phishing attacks rely more on cognitive manipulation than technical sophistication, exploiting trust, fear, and haste (Parsons et al., 2019).
Google’s phishing awareness training has been shown to significantly improve users’ ability to identify malicious messages.
3. Enable Two-Factor Authentication (2FA)
Two-factor authentication (2FA) adds an extra layer of protection by requiring a second form of verification in addition to a password, such as a one-time code sent to a phone or generated by an authentication app. Even if attackers obtain a password, 2FA can prevent unauthorized access.
Studies show that enabling 2FA blocks the vast majority of automated account takeover attempts and significantly reduces successful phishing attacks (Google Security Team, 2019). Security agencies strongly recommend enabling 2FA on all critical accounts.
4. Explore Your Settings — Look at Activity Logs & Connected Devices
Many online services provide activity logs that display login history, locations, and connected devices. Reviewing these settings regularly helps users identify unauthorized access early. Unexpected logins or unfamiliar devices can indicate account compromise.
Security researchers note that early detection through account activity monitoring significantly reduces the impact of identity theft and long-term account abuse (FTC, 2022). These settings function as a personal security dashboard, empowering users to take immediate action.
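Reviewing an activity log amounts to comparing recent logins against the devices and locations you normally use. The following added example is not from the original article; the login events are constructed to resemble a service's "recent activity" view, and the baseline-then-deviation logic is one simple way to make that review systematic.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of a "recent activity" view: (timestamp, device, country, result)
EVENTS = [
    ("2024-05-01T08:02:00", "Pixel 7 / Chrome", "DE", "success"),
    ("2024-05-01T19:40:00", "MacBook / Safari", "DE", "success"),
    ("2024-05-03T07:55:00", "Pixel 7 / Chrome", "DE", "success"),
    ("2024-05-06T03:12:00", "Windows / Firefox", "BR", "failure"),
    ("2024-05-06T03:13:00", "Windows / Firefox", "BR", "failure"),
    ("2024-05-06T03:14:00", "Windows / Firefox", "BR", "success"),
    ("2024-05-06T09:00:00", "Pixel 7 / Chrome", "DE", "success"),
]

def parse(events):
    return [(datetime.fromisoformat(ts), dev, country, result)
            for ts, dev, country, result in events]

def review_activity(events, baseline_days=3, burst=2):
    """Build a baseline of known devices and countries from the oldest
    successful logins, then flag later successful logins that deviate from
    it or that follow a burst of failed attempts from the same source."""
    rows = sorted(parse(events))
    cutoff = rows[0][0] + timedelta(days=baseline_days)
    known_devices = {d for t, d, c, r in rows if t <= cutoff and r == "success"}
    known_countries = {c for t, d, c, r in rows if t <= cutoff and r == "success"}
    failures = defaultdict(int)
    findings = []
    for t, dev, country, result in rows:
        if result == "failure":
            failures[(dev, country)] += 1
            continue
        reasons = []
        if dev not in known_devices:
            reasons.append("unfamiliar device")
        if country not in known_countries:
            reasons.append("unfamiliar country")
        if failures[(dev, country)] >= burst:
            reasons.append(f"success after {failures[(dev, country)]} failures")
        if reasons:
            findings.append((t.isoformat(), dev, country, reasons))
    return findings

if __name__ == "__main__":
    for when, dev, country, reasons in review_activity(EVENTS):
        print(f"{when} {dev} ({country}): {', '.join(reasons)}")
```

A flagged entry is the cue to sign out that session, revoke the device and change the password, which is exactly the "immediate action" the dashboard exists for.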
5. Know the Difference Between Real Apps and Fake Pop-Ups
Deceptive pop-ups and fake applications are designed to mimic legitimate system warnings, often using copycat branding, misleading close buttons, or alarming messages such as “Your device is infected.” Technical support scams rely heavily on visual deception and urgency to trick users into clicking or downloading malicious software.
Research on typosquatting and malicious advertising found that a large majority of pop-ups on deceptive domains were linked to malware or scam operations (Kintis et al., 2017). Studies also show that older adults are disproportionately targeted due to lower familiarity with digital deception techniques (Burnes et al., 2020).
“Scammers use fake warnings and fake apps to create a false sense of urgency.”
— Federal Bureau of Investigation (FBI)
6. Be Careful Sharing Personal Information Online
Personal information such as full names, addresses, phone numbers, and financial details should be shared cautiously. Even seemingly harmless information can be combined and exploited through social engineering techniques to bypass security questions or impersonate victims.
Research indicates that oversharing on social media increases susceptibility to identity theft and phishing attacks (Acquisti et al., 2015). Users are advised to verify website legitimacy and ensure secure connections before entering sensitive information.
7. Set Up Backup Emails & Phone Numbers for Account Recovery
Account recovery options — such as backup email addresses, phone numbers, and recovery codes — are essential safeguards. If a primary account is compromised or a user loses access to their authentication device, recovery options may be the only way to regain control.
Authentication studies show that lack of recovery mechanisms is one of the leading causes of permanent account loss, particularly for accounts protected by 2FA (Guri et al., 2021). Proper recovery planning ensures resilience against lockouts and attacks.
References:
Acquisti, A., Brandimarte, L., & Loewenstein, G. (2015). Privacy and human behavior in the age of information. Science, 347(6221), 509–514. https://doi.org/10.1126/science.aaa1465
Burnes, D., DeLiema, M., & Langton, L. (2020). Risk and protective factors of fraud victimization among older adults. The Gerontologist, 60(7), 1288–1302. https://academic.oup.com/gerontologist/article/60/7/1288/5611991
Cybersecurity and Infrastructure Security Agency. (2023). Multi-factor authentication guidance. https://www.cisa.gov/mfa
Federal Bureau of Investigation. (2023). Internet crime report 2023. https://www.ic3.gov/Media/PDF/AnnualReport/2023_IC3Report.pdf
Federal Trade Commission. (2022). Protecting your online accounts and identity. https://consumer.ftc.gov/topics/identity-theft
Google. (2022). Phishing protection and security tips. https://safety.google/security/
Google Security Team. (2019, May 20). New research: How effective is basic account hygiene? https://security.googleblog.com/2019/05/new-research-how-effective-is-basic.html
Guri, M., Bykhovsky, D., Elovici, Y., & Oren, Y. (2021). Account recovery and authentication usability risks. In Proceedings of the 30th USENIX Security Symposium (pp. 3371–3388). https://www.usenix.org/conference/usenixsecurity21/presentation/guri
Kintis, P., Miramirkhani, N., Lever, C., Antonakakis, M., Dagon, D., & Feamster, N. (2017). A malicious pop-up ecosystem analysis. IEEE Security & Privacy, 15(2), 17–25. https://ieeexplore.ieee.org/document/7958566
National Institute of Standards and Technology. (2020). Digital identity guidelines (SP 800-63B). https://pages.nist.gov/800-63-3/sp800-63b.html
Parsons, K., McCormac, A., Butavicius, M., & Ferguson, L. (2019). Human factors and phishing susceptibility. Journal of Cybersecurity, 5(1), tyz004. https://doi.org/10.1093/cybsec/tyz004
Verizon. (2023). 2023 data breach investigations report. https://www.verizon.com/business/resources/reports/dbir/