
Our computers, phones, and tablets are under constant attack from hackers, identity thieves, and foreign governments attempting to work their way in. Software developers and hardware makers must play whack-a-mole to keep up with these relentless digital villains. There’s no way to completely secure your digital devices and personal info, but here are the best ways to deter criminals.

Be wary on the internet and when opening emails

Most cyberattacks rely on weak entry points. Often, that weak point is you: Many attacks work by fooling users into flinging open their digital doors.

A common ploy is to send an email or text posing as a government agency, bank, retailer, or other well-known entity (Amazon, FedEx, UPS) to manipulate victims into handing over user IDs and passwords. These messages often look legit—and might even send you to a website that also looks real. Don’t open emails unless they come from an expected source. Then, don’t click on links embedded in emails or texts, or download any attachments, unless you’re certain they come from a legitimate source. Also avoid visiting unfamiliar websites. Don’t download—or allow a site to download—anything unless you’re sure it’s safe.

Some other guidelines:

  • Turn on email scanning to warn of potential threats.
  • Ratchet up your email software’s spam filter settings to reduce the number of dangerous messages. Allow it to deliver email only from trusted sites and contacts. Carefully check quarantined messages before allowing them into your inbox.
  • Configure email software so it doesn’t display (and open) email in a preview pane. Preview panes in many email clients allow part of the message to be downloaded, which sometimes is enough for a scripted virus to invade your computer.
     

Keep up to date

Crooks seek weak spots in software code. Nearly every day, security patches are issued by device manufacturers and software companies. Turn on auto-update options for your operating system, device drivers, and all other software.

If you receive an update alert, run it as soon as you can, and then check whether additional updates are available; sometimes they are pushed out in batches.

Use security software

Apple and Microsoft now embed strong, free security software into their operating systems. For extra protection, you can install a second security app; good free ones are offered by Avast and Bitdefender. Keep all security software current by enabling automatic updates.

Get smart about passwords

Most people use the same password for multiple accounts. Bad idea. If criminals steal your password from one company, they can use it to hack your other accounts.

At the very least, create unique passwords for your most sensitive accounts, such as bank, credit card, investment, government benefits, and social media. They should be long (at least 10 to 12 characters—longer is better) and strong (include random numbers, uppercase and lowercase letters, and special symbols). Avoid common phrases such as LetMeIn, ILoveYou, or LukeIAmYourFather. Don’t use song lyrics, names of pets, or sports teams.

A better option is to use a password manager, which automatically generates strong passwords and stores them in an encrypted digital vault accessible only with your master password.

Consumer Reports regularly evaluates password management apps. It currently recommends 1Password Families ($60/year), Dashlane Premium ($60/year), Keeper Unlimited ($35/year), and Keeper Free.

Your phone, tablet, and computer probably already have password managers. Most internet browsers also employ them, with options to sync passwords across multiple devices. While these features are convenient, they’re not as robust as a dedicated password management program—but still an improvement over using the same password for multiple websites.

Use multi-factor authentication

Even the best password can be compromised (or stolen during a data breach). Multi-factor authentication (MFA) is an extra layer of protection that makes stolen passwords useless. MFA means that, to log into an account, you’ll enter a password and also use at least one other identifying factor (fingerprint, facial recognition, or a code from a text, email, phone call, or authentication app). It’s not foolproof, but MFA can stop most criminals from using stolen passwords. MFA can thwart 99.2 percent of all password hack attacks, according to the latest data from Microsoft.

(If you receive an authentication code when you’re not trying to log into an account, it could mean a thief is trying to access it. Better investigate.)

Make the switch to passkeys

A passkey is a new security tool providing the most secure way to log on to websites and apps. It replaces passwords with “cryptographic key pairs”: a private key that stays on your device and a matching public key held by the website or app.

With passkeys there’s no string of letters, numbers, and symbols to remember; nothing to lose or inadvertently share; nothing for hackers to steal; and no way to impersonate your authentication. Instead, when using a passkey to access a website or app, sign-in verification takes place on your device after you approve it using a PIN, fingerprint, or facial recognition. This means passkeys defeat common attacks like phishing and using stolen passwords. Apple, Google, Meta, and Microsoft already support this technology, which can be synced across all platforms on all devices.

Monitor your digital existence

Several websites, including haveibeenpwned.com, let you check whether hackers have stolen your logins or passwords during breaches of major websites such as Adobe, Evite, Facebook, LinkedIn, X (formerly Twitter), Yahoo!, and so, so, so many others. You can use it to search for email addresses you use; it keeps track of which ones were likely affected by breaches. Change passwords for businesses that were hacked, and make sure you don’t use possibly stolen ones to access other sites.

Install software only if you are sure it is clean

Download and install software and apps only from trusted sources. For your phone, download only from Apple’s App Store or, for Android phones, Google Play. Apple does a decent job of vetting available apps; Google Play…not so much. Avoid apps that have low numbers of user ratings or download counts.

If you’re still not sure something is safe, use a trusted verification tool such as Jotti or VirusTotal.

Use a firewall

Because your computer’s firewall is its first line of defense against intrusion, make sure it’s turned on:

  • Windows—Search for “Windows Firewall” or find it in the Control Panel. Make sure it is toggled on. If you want to fine-tune your settings, search the web for “Windows [operating system version] Firewall Settings” and select the discussion hosted by Microsoft.
  • Apple—Open “System Preferences,” click “Security & Privacy,” then “Firewall.” To block incoming traffic on ports used by one of the sharing services, disable that service in the Services pane. Apple’s support site has a discussion of these settings.
  • Chromebook—Open the Chrome browser and click on the three-dot menu icon in the top right corner. Select “Settings,” then “Privacy and security,” then “Firewall and network options.”
     

Encrypt your hard drive

If a thief steals your computer, encryption will prevent them from accessing sensitive files like tax returns and medical info. Windows and Apple computers come with encryption tools, but they’re turned off by default. In Windows, search for “BitLocker” to check your encryption options; on Macs, they’re located in FileVault. Chromebook hard drives are encrypted by default.

Secure your router

It’s not enough to secure devices; you also need to lock down your router.

First, determine the login IP address for your router by checking support documentation on the manufacturer’s website. It’s likely http://192.168.1.1 or http://192.168.0.1 or a slight variation of these two. Then enter it as a URL in an internet browser. That should display the login screen for your router.

Change the user ID and password. The default out-of-the-box logins and passwords assigned by manufacturers for most routers are vulnerable to hackers.

For a wireless router, make sure it encrypts traffic using WPA2 (okay) or WPA3 (best). This requires users to use a strong key (passphrase) to connect to your network. If your router uses older, weaker WEP or WPA encryption, replace it.

Check the website for your router’s manufacturer to make sure you have the most recent firmware updates for your router. Because installing firmware updates can be tricky, read instructions carefully and follow them to the letter.

Be careful when using public Wi-Fi

It’s much easier for hackers to get into your computer or phone when you’re using a poorly secured router at the coffee shop, airport, or other public spots.

Connect only to public hotspots that you trust. Crooks often set up fake Wi-Fi hotspots and name them something innocuous-sounding like “Starbucks” or “Free Airport Wi-Fi.” After connecting, check that your browser shows a green padlock symbol in the URL bar area. If you don’t see one, know that the info you send and receive from websites you visit is snoopable.

Do not plug in unknown devices

If you find a USB storage device, don’t plug it in. A tactic used by bad actors is to load portable storage media with viruses and leave them lying around coffee shops, airports, and other high-traffic areas.

Do what you can to lock down internet-connected appliances, TVs, thermostats, etc.

Own something that connects to your wireless router or has Bluetooth? Hackers can use it to invade all your other connected devices.

While we focused here on securing your computers and phones, many of these tips apply to lots of other stuff in your home—especially making sure any gizmo’s software remains up to date. And if you don’t care about controlling your thermostat or fridge from your phone or computer, disable that feature.

Make a backup plan

There is a saying among IT pros: If it doesn’t exist in more than one independent place, it doesn’t exist.

Set up your computers to automatically back up important data to an external drive or to a cloud-based service. Focus especially on saving irreplaceable pics and videos.

Good portable drives cost $80 or more. A big advantage cloud services have over physical drives is that you can log on from anywhere. Take a pic with your phone, save it to the cloud, then use your computer (or a friend’s) to log on to the cloud and download it. If you go to work and leave your laptop at home, you can access the laptop’s backed-up files while at your office.

When shopping for a cloud service, keep in mind that many companies offer free storage, typically capped at 5GB—plenty for most users.

With Apple, you get 5GB for free; 50GB costs $0.99/month and 200GB costs $2.99/month.

Chromebooks come with 15GB of Google Drive storage; upgrade to 100GB for $2/month.

Microsoft offers 5GB of cloud storage for free, but if you subscribe to one of its 365 software plans you’ll get 100GB to 1TB of storage, depending on the plan.

If you mostly have photos and videos to store, Amazon Prime members can back up unlimited pics to its cloud for free, plus get 5GB storage for video.

Scads of other companies offer free cloud backup, usually capped at 5GB. If you need more than that, you can sign up with two or three services, or buy a large-capacity plan. For example, with Proton Drive you can get 5GB for free or 200GB for $3.99/month; with Dropbox you get 2GB for free or 2TB for $11.99/month. IDrive provides 10GB of data for free, 100GB for $2.95/year, or 5TB for $99.50/year.

Before signing on for terabytes of backup space to stow your music and movies, check with the vendors who sold them to you. Most digital music and movie sellers allow you to re-download content you own, so you don’t need to back up those files.

Wipe your data before getting rid of an old device

It’s not enough to simply delete all your files; this usually won’t permanently destroy digital data. Follow the manufacturer’s instructions for how to revert the device back to its original factory settings, which will reset it and remove all files and any personal info. For PCs, you can also run a utility program, such as Disk Wipe or DBAN, to destroy whatever data is left on the drive.
