🔒

Security Hacks for Beginners

How to keep your data secure — a practical guide

By Julie Coorevits

🎯 Your 5-minute security checklist
Start here — check these off one by one. You can do all 5 today.
Urgent — Do This Today
🔐 Account Security
🔑

1. Passwords

Use a password manager. Never reuse passwords.

Use strong, unique passwords

If a hacker gets one password, they try it everywhere. Every account needs its own unique password.

A strong password is:

  • Long — at least 16 characters
  • Random — not a word, name, or birthday
  • Unique — never reused across sites

Nobody can remember 100 unique passwords. That's why you need a password manager.

Recommended password managers

  • Bitwarden (free)
  • 1Password
  • Apple Passwords (free)
📱 iPhone walkthrough
How to set up Apple Passwords on your iPhone
Settings → Passwords → enable AutoFill → start saving passwords

Safely sharing passwords (Netflix, Spotify, etc.)

  1. Use a password manager's sharing feature. 1Password and Bitwarden both support shared vaults.
  2. Use the service's family plan. Netflix, Spotify, and YouTube all offer family plans.
  3. If you must share manually, use a self-destructing link like onetimesecret.com.
❌ Don't
  • ❌ Use your name, birthday, or "password123"
  • ❌ Reuse the same password on multiple sites
  • ❌ Share passwords via text or email
  • ❌ Store passwords on sticky notes or in Notes
✅ Do
  • ✅ Let a password manager generate & save them
  • ✅ Use a unique password per account
  • ✅ Share via a shared vault or self-destructing link
  • ✅ Lock your phone with Face ID / fingerprint / PIN
📱

2. Multi-Factor Authentication (MFA)

Add a second lock to your accounts. Passkeys > authenticator app > SMS.

What is it?

MFA adds a second step when logging in. Even if someone steals your password, they can't get in without this second factor. Think of it as a deadbolt on top of your door lock.

Three types compared

Method | How it works | Security | Ease
Passkeys | Face, fingerprint, or device PIN. No code to type. | Best | Easiest
Authenticator app | 6-digit code that changes every 30 seconds. | Very good | Good
SMS codes | Code sent via text message. | Weakest | Easiest

Recommended authenticator apps

  • Google Authenticator
  • Microsoft Authenticator
  • Apple Passwords
  • Authy

Why SMS is the weakest: Attackers can hijack your phone number through "SIM swapping." Authenticator apps and passkeys are tied to your physical device, not your phone number.

Where to enable MFA in popular apps

App | Where to find it
Gmail | Google Account → Security → 2-Step Verification
Instagram | Settings → Accounts Center → Password & Security → Two-factor authentication
Facebook | Settings → Accounts Center → Password & Security → Two-factor authentication
TikTok | Profile → Menu → Settings → Security → 2-step verification
YouTube | Managed via your Google Account (same as Gmail)
📱 iPhone walkthrough
How to enable 2FA on Instagram
Settings → Accounts Center → Password & Security → Two-factor authentication

a) Got a new iPhone? How to transfer your authenticator app

If you use Google Authenticator:

  1. Open Google Authenticator on your old phone.
  2. Tap the menu (⋯) → "Transfer accounts" → "Export accounts".
  3. Scan the QR code with Google Authenticator on your new phone.
  4. Verify all accounts appear, then delete from the old phone.

If you use Apple Passwords, codes sync automatically via iCloud.

b) Personal vs. work authenticator apps

Keep them separate. Your employer can remotely wipe a work authenticator — if your personal codes are in the same app, you could lose access to your own accounts.

  • Work: Microsoft Authenticator
  • Personal: Google Authenticator

c) Your phone is stolen — what now?

⚠️ If you lose your phone and didn't back up your authenticator, you can get permanently locked out of your accounts. Set up cloud backup now, before it happens.

Before it happens (do this now):

  • Save your recovery codes when you enable MFA.
  • Use an authenticator with cloud backup (Authy, Apple Passwords, or Google Authenticator with sync).
  • Enable Find My iPhone.

After it happens:

  1. Use Find My iPhone to lock and erase the stolen phone.
  2. Use your recovery codes to log in.
  3. Set up MFA again on your new device.
  4. Change passwords for email and banking.
❌ Don't
  • ❌ Rely on just a password
  • ❌ Use SMS as your only second factor
  • ❌ Mix work and personal in one authenticator
✅ Do
  • ✅ Use passkeys wherever available
  • ✅ Use an authenticator app for everything else
  • ✅ Enable cloud backup in your authenticator
💾

3. Recovery Codes

Your emergency backup keys. Save them before you need them.

What are recovery codes?

One-time-use backup codes (usually 8-10) that let you log in if you lose your phone or authenticator app. They're your safety net.

Where to save them

Option | Safe?
Printed and stored in a safe place at home | ✅ Yes
In a password manager (1Password, Bitwarden) | ✅ Yes
In a locked note on your phone + laptop | ✅ Decent
Screenshot saved only on your phone | ⚠️ Risky
In your email inbox | ❌ No — if hacked, exposed
Nowhere ("I'll remember") | ❌ Never
❌ Don't
  • ❌ Save them in your email inbox
  • ❌ Screenshot and leave in camera roll
  • ❌ Skip saving them — "I'll do it later"
✅ Do
  • ✅ Store in your password manager
  • ✅ Print and keep in a safe or locked drawer
  • ✅ Save immediately when you enable MFA
Less Urgent — But Very Worthwhile
🚨 Staying Alert Online
🔄

4. Keep Your Software Updated

Updates patch security holes. Turn on auto-update everywhere.

When you see "update available", that often means a vulnerability has been disclosed and attackers are already scanning for unpatched devices.

📱 iPhone walkthrough
How to turn on automatic updates on iPhone
Settings → General → Software Update → Automatic Updates
❌ Don't
  • ❌ Click "Remind me later" for weeks
  • ❌ Keep apps you never use
  • ❌ Run outdated browsers
✅ Do
  • ✅ Turn on automatic updates everywhere
  • ✅ Restart after updates to activate them
  • ✅ Delete unused apps to reduce risk
🎣

5. Spot a Phishing Attack

Fake messages that steal your login. Learn the red flags.

Phishing = a fake message pretending to be from a trusted company to steal your login or money. It's the #1 way people get hacked.

Red flags

  • Urgent language: "Your account will be closed in 24 hours!"
  • Sender email doesn't match the company (e.g. support@appl3-help.com)
  • Links go to weird URLs — hover before clicking!
  • They ask for your password, credit card, or 2FA code — real companies never do this

What to do

  • Don't click — go directly to the website by typing it yourself
  • Report phishing emails (Gmail: three dots → "Report phishing")
  • When in doubt, call the company directly
Passkeys protect you from phishing. Even on a fake website, passkeys won't work on the wrong domain — the login simply fails.
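
Why a passkey fails on a look-alike site, as an added example that is not part of the original guide: a simplified model of the domain check, in which a passkey registered for one domain is only offered on https pages of that domain or its subdomains. The domain bank.example, the look-alike URLs and the function names are constructed for illustration.

```javascript
// Added example: simplified model of the domain check behind passkeys.
// bank.example and every URL below are constructed for illustration.

// True when host is the registered domain itself or a subdomain of it.
// Whole labels must match, so "mybank.example" is not "bank.example".
function hostMatchesDomain(host, registeredDomain) {
  const h = host.toLowerCase().replace(/\.$/, "");
  const d = registeredDomain.toLowerCase();
  return h === d || h.endsWith("." + d);
}

// Would a passkey registered for registeredDomain be offered on pageUrl?
function passkeyUsableOn(pageUrl, registeredDomain) {
  let url;
  try {
    url = new URL(pageUrl);
  } catch {
    return { usable: false, host: null, reason: "not a valid URL" };
  }
  // The host the browser really connects to, not what the link text shows.
  const host = url.hostname;
  if (url.protocol !== "https:") {
    return { usable: false, host, reason: "page is not https" };
  }
  if (!hostMatchesDomain(host, registeredDomain)) {
    return { usable: false, host, reason: "host is not the registered domain" };
  }
  return { usable: true, host, reason: "host matches the registered domain" };
}

const SAMPLE_URLS = [
  "https://bank.example/login",
  "https://login.bank.example/",
  "https://b4nk.example/login",                     // digit swapped for a letter
  "https://mybank.example/login",                   // extra characters in front
  "https://bank.example.account-verify.test/login", // real name used as a subdomain
  "https://bank.example@account-verify.test/login", // real name placed before the @
  "http://bank.example/login",                      // right name, no encryption
];

// Evaluate every URL against the domain the passkey was registered for.
function report(urls, registeredDomain) {
  return urls.map((u) => ({ url: u, ...passkeyUsableOn(u, registeredDomain) }));
}

for (const row of report(SAMPLE_URLS, "bank.example")) {
  console.log(row.usable ? "OK  " : "FAIL", row.host, "-", row.reason);
}
```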
📞

6. Scam Calls & Texts

Fake bank calls, fake deliveries, fake "it's me" texts. Hang up, don't click, call back yourself.

Scammers increasingly call or text instead of emailing — pretending to be your bank, a delivery company, the tax office, or even a relative in trouble.

Common scams

They say... | Red flag
"This is your bank's fraud team, we need to verify your card" | Banks never ask for your PIN, full card number, or 2FA code by phone
"Pay this fine immediately or face arrest" | Real authorities don't threaten arrest over the phone
"Click this link to reschedule your delivery" | Unexpected delivery texts with links are almost always fake
"It's me, I'm in trouble, send money" (unfamiliar number) | Always verify by calling the person back on their known number

What to do

  • Hang up, then call the company back using the number on their official website or the back of your card — never a number given to you during the call.
  • Never share codes — one-time codes, PINs, or passwords should never be given over the phone.
  • Slow down — urgency and fear are the scam working as intended.
Save your bank's real fraud line in your contacts now, before you ever need it.
❌ Don't
  • ❌ Give codes, PINs, or passwords over the phone
  • ❌ Call back a number given to you during the call
  • ❌ Click links in unexpected delivery/bank texts
✅ Do
  • ✅ Hang up and call the official number yourself
  • ✅ Verify "it's me" messages with a phone call
  • ✅ Report scam texts (forward to 7726 / "SPAM" in many countries)
📷

7. QR Code Scams ("Quishing")

Fake QR codes on parking meters, menus, and posters send you to scam sites. Read the link before you tap.

Quishing = phishing via QR code. Scammers print malicious QR codes on stickers and place them over real ones — or put them in emails, because QR codes slip past spam filters that would catch a suspicious link.

Where it happens

  • Parking meters & EV chargers — a sticker over the real payment code sends you to a fake payment page
  • Restaurant menus & posters — tampered codes in public places
  • Emails & letters — "scan to verify your account" or fake package notices
  • Unexpected packages — a QR code inside a parcel you never ordered

How to stay safe

  • Read the URL preview before tapping. Your camera shows the link — check the domain looks right (e.g. your city's real parking site, not parking-pay-now.xyz).
  • Look for sticker tampering — peeling edges, a code stuck on top of another, or a code that doesn't match the sign's design.
  • Pay another way when unsure — use the official app or type the website address yourself.
  • Never download an app from a QR code — get apps only from the App Store / Google Play.
  • Never enter passwords or card details on a page you reached by scanning something in public.
A QR code is just a link you can't read. Treat every scanned code with the same suspicion as a link in a random email — because that's exactly what it is.
🌐 Network & Connection
🔐

8. Public Wi-Fi and VPNs

Public Wi-Fi is risky. Use a VPN to encrypt your connection.

Attackers can set up fake Wi-Fi networks and intercept your traffic. A VPN encrypts everything between your device and the internet.

Recommended VPNs

  • Mullvad
  • ProtonVPN (free tier)
  • IVPN
❌ Don't
  • ❌ Use public Wi-Fi without a VPN
  • ❌ Auto-join open networks
  • ❌ Use free VPNs — they sell your data
✅ Do
  • ✅ Use Mullvad, ProtonVPN, or IVPN
  • ✅ Verify Wi-Fi names with staff first
  • ✅ Disable auto-join for public networks
🚨 If Something Goes Wrong
🚨

9. What To Do If You've Been Hacked

Your emergency checklist. Secure your email first — it's the key to everything else.

Don't panic — most account takeovers can be reversed if you act quickly and in the right order.

Signs you've been hacked

  • ❌ Your password suddenly stops working
  • ❌ Login alerts from places or devices you don't recognize
  • ❌ Friends receive strange messages "from you"
  • ❌ Password-reset emails you didn't request, or charges you didn't make

Recovery checklist — in this order

  1. Secure your email account first. Whoever controls your email can reset every other password. Change its password and sign out of all other sessions.
  2. Check your email settings for tampering — attackers add forwarding rules or filters to keep spying after you change the password (Gmail: Settings → Forwarding, and Filters).
  3. Change passwords on important accounts — bank, then anything using the same or similar password. Make each one new and unique.
  4. Turn on MFA on every account that offers it (see card 2).
  5. Sign out everywhere — most services have "log out of all devices" under security settings.
  6. Money involved? Call your bank's fraud line immediately and dispute the charges.
  7. Warn your contacts so they don't fall for messages sent from your account.
Check the damage: use the Scan tab above to see if your email appears in known data breaches — it tells you which other accounts to prioritize.
❌ Don't
  • ❌ Pay a ransom or reply to blackmail emails
  • ❌ Reuse a variation of the old password
  • ❌ Stop at one account — assume they tried others
✅ Do
  • ✅ Fix email first, then bank, then the rest
  • ✅ Take screenshots of evidence before deleting
  • ✅ Report identity theft to your local authority
Nice to Have
🛡 Device Protection
📱

10. Securing Your Phone

Your phone is the key to everything. Lock it well, find it when lost, and guard your SIM.

Your phone holds your email, banking, photos, and 2FA codes — it's the single most valuable thing a thief can grab. A few settings make it dramatically safer.

The essentials

  • Strong screen lock: use Face ID / fingerprint plus a 6-digit (or longer) passcode — not 4 digits, not a simple pattern.
  • Find My / Find My Device: turn it on now so you can locate, lock, or erase a lost phone (iPhone: Settings → your name → Find My. Android: Settings → Google → Find My Device).
  • Auto-updates on: phone updates patch security holes (see card 4).
  • Official app stores only: never install apps from links, QR codes, or "sideloading" — that's how phone malware spreads.

Protect your SIM (stops "SIM swapping")

In a SIM-swap attack, a scammer convinces your carrier to move your number to their SIM — then receives your 2FA codes. Call your mobile carrier and ask to add a PIN or password to your account so nobody can transfer your number without it.

App hygiene

  • Review permissions — does that game really need your location and microphone? (iPhone: Settings → Privacy & Security. Android: Settings → Privacy.)
  • Delete apps you no longer use — every app is a door into your phone.
📱 iPhone walkthrough
Set up Find My and check your privacy settings
Settings → your name → Find My → enable Find My iPhone & Send Last Location
❌ Don't
  • ❌ Use a 4-digit PIN like 1234 or your birth year
  • ❌ Install apps from outside the official store
  • ❌ Leave Find My turned off "for privacy"
✅ Do
  • ✅ Use biometrics + a 6-digit or longer passcode
  • ✅ Add a PIN to your mobile carrier account
  • ✅ Review app permissions twice a year
🛡

11. Device Encryption

Scrambles your data so thieves can't read it. Already on by default on iPhone.

How to enable it

  • iPhone/iPad: Already encrypted by default with a passcode.
  • Mac: System Settings → Privacy & Security → FileVault → Turn On.
  • Windows: Settings → Privacy & Security → Device Encryption (or BitLocker).

Encrypted messaging

  • Signal
  • iMessage
  • WhatsApp

Regular SMS is not encrypted and can be intercepted. Use these apps for private conversations.

❌ Don't
  • ❌ Leave FileVault / BitLocker off
  • ❌ Use SMS for sensitive conversations
  • ❌ Forget to save your recovery key
✅ Do
  • ✅ Enable FileVault (Mac) or BitLocker (Windows)
  • ✅ Save recovery key in your password manager
  • ✅ Use Signal, iMessage, or WhatsApp
🗃

12. Backups

The 3-2-1 rule: 3 copies, 2 storage types, 1 offsite.

Ransomware encrypts your files and demands payment. A good backup means you can wipe and restore without paying a cent.

The 3-2-1 rule

  • 3 copies of your data
  • 2 different types of storage
  • 1 copy offsite (iCloud, Backblaze)
❌ Don't
  • ❌ Keep files on only one device
  • ❌ Assume cloud sync = backup
  • ❌ Pay ransomware — just restore
✅ Do
  • ✅ Follow 3-2-1: 3 copies, 2 types, 1 offsite
  • ✅ Use Time Machine (Mac) or File History (Win)
  • ✅ Add cloud backup (iCloud, Backblaze)
🌐 Safe Browsing & Shopping
🌐

13. Browser Security

Check for the padlock, block trackers, and don't trust "private mode" too much.

Your browser is the door to almost everything you do online, so a few small habits go a long way.

Quick habits

  • Check for the padlock / https:// before entering any password or payment info.
  • Keep your browser itself updated — Chrome, Firefox, Safari, and Edge all patch security holes quickly.
  • Install an ad/tracker blocker like uBlock Origin — it also blocks a lot of malicious ad-based scams.
Myth | Reality
"Private/Incognito mode keeps me anonymous" | It only stops your browser saving history locally — your network, employer, or the websites you visit can still see you.
❌ Don't
  • ❌ Enter passwords on a page without https://
  • ❌ Rely on incognito mode for privacy
  • ❌ Ignore "Not Secure" browser warnings
✅ Do
  • ✅ Look for the padlock before logging in
  • ✅ Install uBlock Origin
  • ✅ Keep your browser auto-updating
🛒

14. Safe Online Shopping

Spot fake shops before you pay, and use payment methods you can dispute.

Fake online shops are designed to look real long enough to take your money and your card details.

Red flags

  • Prices far too good to be true, with countdown timers pushing you to "buy now"
  • Only a contact form — no real phone number or address
  • A domain that was registered very recently

Pay safely

Prefer Apple Pay, Google Pay, PayPal, or a credit card over a debit card — these make disputing fraudulent charges much easier.

Check before you buy: search the shop's name plus "reviews" or "scam," and look up how old the domain is with a free WHOIS lookup. Brand-new domains running "huge sales" are a classic red flag.
❌ Don't
  • ❌ Pay by bank transfer to an unfamiliar shop
  • ❌ Ignore a missing phone number or address
  • ❌ Rush because of a countdown timer
✅ Do
  • ✅ Pay with a credit card or Apple/Google Pay
  • ✅ Search "[shop name] scam" before buying
  • ✅ Check how old the website's domain is
🤖

15. Safe AI Chatbot Use

Chatbots are useful — but treat everything you type as potentially stored. Never paste secrets.

AI chatbots (ChatGPT, Claude, Gemini, and the assistants built into apps) are genuinely helpful — but many people paste things into them they'd never post online. Treat a chatbot like a very smart stranger: great for advice, wrong place for secrets.

Never paste these into a chatbot

  • ❌ Passwords, recovery codes, or 2FA codes
  • ❌ Credit card or bank account numbers
  • ❌ Photos of your ID, passport, or medical documents
  • ❌ Confidential work documents or client data

Good habits

  • Assume it may be stored. Conversations can be kept and, on some free services, used to train future models or reviewed by staff.
  • Check the data settings. Most chatbots let you turn off "use my chats for training" and delete your history — do both if you're unsure.
  • Remove details before asking. "Review this contract" works just as well with names, addresses, and amounts blanked out.
  • Use official apps only — fake "AI" apps in search results are a common way to steal data and money.
  • Double-check important answers. Chatbots sound confident even when wrong — verify medical, legal, or financial advice with a real source.
Scammers use AI too. Voice cloning and AI-written messages make scams more convincing — another reason to verify unexpected calls and texts the way cards 5–6 describe.
For the Pros
🌐 Network & Connection
🌐

16. Custom DNS

Stop your ISP from tracking every website you visit.

Recommended DNS providers

Provider | Address | Bonus
Cloudflare | 1.1.1.1 | Fastest, privacy-focused
Quad9 | 9.9.9.9 | Blocks malware domains
NextDNS | Custom | Configurable ad/tracker blocking
📱 iPhone walkthrough
How to set up Cloudflare DNS on iPhone
Download the free 1.1.1.1 app → tap to enable → done
❌ Don't
  • ❌ Use your provider's default DNS
  • ❌ Use random "free DNS" services
✅ Do
  • ✅ Switch to Cloudflare, Quad9, or NextDNS
  • ✅ Install the 1.1.1.1 app for easy setup
📶

17. Router & Home Wi-Fi

Change the default password, use WPA2/WPA3, and put smart devices on a guest network.

Your router is the front door to every device in your home — phones, laptops, smart TVs, cameras, and any "wifi button" style smart-home gadgets that connect to it.

Lock it down

  • Change the default admin password — many routers ship with a password that's publicly known for that model.
  • Use WPA2 or WPA3 encryption for your Wi-Fi network, and avoid the old, broken WEP standard.
  • Put smart-home devices on a guest network so a compromised camera or plug can't reach your laptop or phone.
  • Install firmware updates a few times a year — check your router app or admin page.
❌ Don't
  • ❌ Leave the router's default admin password
  • ❌ Mix smart-home gadgets onto your main network
  • ❌ Skip firmware updates for years
✅ Do
  • ✅ Set a unique admin password
  • ✅ Use WPA2/WPA3 with a strong Wi-Fi password
  • ✅ Create a separate guest network for IoT devices
🕵 Digital Identity
🔍

18. Privacy Audit

Review app permissions, check for data leaks, clean up old accounts.

Checklist

  • Review app permissions — does that flashlight app really need your contacts?
  • Run Google's privacy checkup at myaccount.google.com/privacycheckup
  • Set social profiles to private and remove your phone number
  • Delete old accounts you no longer use
  • Use a privacy browser — Firefox, Brave, or Safari
Check if your data has been leaked: Visit haveibeenpwned.com and enter your email address.
❌ Don't
  • ❌ Give apps unnecessary permissions
  • ❌ Keep old unused accounts around
  • ❌ Leave social profiles fully public
✅ Do
  • ✅ Revoke unneeded app permissions
  • ✅ Run Google's privacy checkup
  • ✅ Check haveibeenpwned.com for leaks

19. Email Aliases

Use fake forwarding addresses so your real email stays private.

Aliases are unique forwarding addresses that all deliver to your main inbox. If one gets spam, disable it.

Options

  • Hide My Email (Apple, iCloud+)
  • SimpleLogin (free)
  • Firefox Relay
❌ Don't
  • ❌ Give every site your real email
  • ❌ Use one email for everything
✅ Do
  • ✅ Use Hide My Email or SimpleLogin
  • ✅ Create a unique alias per service

Quick, free checks you can run right now. The password check runs entirely in your browser — your password is never sent anywhere.

📧 Has my email been in a data breach?

Check your email address against known public data breaches (powered by Have I Been Pwned).

🔑 Has my password been leaked?

Checked locally in your browser using a one-way hash — your actual password is never transmitted.
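
One common way to build a leak check that never transmits the password is the Have I Been Pwned range lookup, shown here as an added example (the page does not say which method its own tool uses, so this is an assumption). Only the first five characters of the password's SHA-1 hash leave the device and the matching happens locally; the sample response is constructed, and the code uses Node's crypto module with an offline stub in place of the network call.

```javascript
// Added example: k-anonymity password check in the style of the
// Have I Been Pwned range API. The sample response below is constructed.
const nodeCrypto = require("node:crypto");

// Hash locally and split: only `prefix` is ever sent to the service.
function splitHash(password) {
  const hex = nodeCrypto.createHash("sha1").update(password, "utf8")
    .digest("hex").toUpperCase();
  return { prefix: hex.slice(0, 5), suffix: hex.slice(5) };
}

// The request that would go on the wire: 5 hex characters, which many
// unrelated passwords share.
function rangeUrl(prefix) {
  if (!/^[0-9A-F]{5}$/.test(prefix)) throw new Error("bad prefix");
  return "https://api.pwnedpasswords.com/range/" + prefix;
}

// Parse "SUFFIX:COUNT" lines and look for our suffix locally.
// Padded responses contain filler entries with a count of 0; skip them.
function breachCount(responseText, suffix) {
  for (const line of responseText.split(/\r?\n/)) {
    const [candidate, count] = line.trim().split(":");
    if (!candidate || count === undefined) continue;
    const n = parseInt(count, 10);
    if (candidate.toUpperCase() === suffix && n > 0) return n;
  }
  return 0;
}

// Constructed response for prefix 5BAA6: the suffix of the password
// "password" with an invented count, plus two made-up filler lines.
const SAMPLE_RESPONSE = [
  "0123456789ABCDEF0123456789ABCDEF012:4",
  "1E4C9B93F3F0682250B6CF8331B7EE68FD8:9999",
  "FEDCBA9876543210FEDCBA9876543210FED:0",
].join("\r\n");

// fetchRange is injected so the example runs offline; a real client would
// perform an HTTPS GET on the URL and pass back the response body.
function checkPassword(password, fetchRange) {
  const { prefix, suffix } = splitHash(password);
  const body = fetchRange(rangeUrl(prefix));
  return { sent: prefix, timesSeen: breachCount(body, suffix) };
}

// Offline stub: only knows the constructed response for prefix 5BAA6.
const offline = (url) => (url.endsWith("/5BAA6") ? SAMPLE_RESPONSE : "");

console.log(checkPassword("password", offline));
console.log(checkPassword("correct horse battery staple 42!", offline));
```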

🔗 Is this link safe?

Paste a suspicious link to scan it with VirusTotal before you click it.
