The internet is a wild place. Scammers and bad actors are everywhere. As a society, we’ve been thrust into chaos, with very little training on how to defend or protect ourselves.
If you have an email address, engage in online banking, or make even a single purchase online, the suggested steps below are for you. I figure if I want my mom or friends to protect themselves, the best chance I’ve got is to send them something I wrote.
While it’s easy to shrug off these suggestions and think you are too small a fish for someone to target, the reality is it’s more likely your info will be involved in a much larger data hack (e.g., Ticketmaster, Equifax, LinkedIn) and weak security in one place (or a reused password) can lead to a much worse problem for you.
Here are a few steps you could (and should) take to improve your privacy and safety on the internet.
Create strong and unique passwords
Petname_KidBirthday! is not a strong password. It’s even worse if you reuse it for your banking, email, and daily horoscope account.
Thus, when the inevitable data breach happens to one of your favorite websites, your information (and reused password and email address) will be tested by some enterprising cyber criminal at some point. Weak passwords that are too short, predictable, or re-used across multiple accounts cause 81% of data breaches.
So the first line of defense is at least using unique passwords. Please don’t reuse the same password for your banking, your email, and the random websites and stores you sign up for. I know my primary Gmail address has already been included in prior data breaches, so I go as far as to use a unique email address only for financial accounts in my household. That way, when my information appears in a breach, there are two pieces of information (my email and my password) that someone needs to figure out to get into my financial accounts.
A password manager can help you generate and store strong and unique passwords (more details below), but even if you want to avoid using a password manager, you can use sites such as this 1password password generator to help you create strong and unique passwords for your most valuable accounts.
I also suggest using passkeys whenever possible. Passkeys are a new kind of login credential that replaces passwords and an increasing number of websites support them (Apple, Microsoft, and Google are already onboard). Passkeys will likely be more mainstream in a few years so it’s worth learning more and embracing them now.
Enable two-factor authentication (2FA)
Wherever possible turn on a second method of authentication.
This security method combines something you know (your username and password) with something you have (your phone, a USB security key, etc.) or something you are (biometric data such as your fingerprint or face) to make sure you are, in fact, you!
Imagine you want to enter a super secret bank vault like in the movies. To ensure only authorized individuals can enter the vault, they require a bank teller to enter a password into the keypad (something they know) and swipe a keycard (something they have). To enter the vault, both the password and the keycard must match. If a thief enters the wrong password or doesn’t swipe the correct keycard, they won’t be able to enter the vault.
Enabling 2FA on your accounts in the digital world gives you similar protection to the hypothetical bank vault.
Here are a few resources on how to set up 2FA for popular accounts:
- Google (Gmail, Youtube)
- Yahoo mail
- Sofi Bank
- Microsoft (MS Office, Hotmail)
- Meta (Instagram, Facebook, WhatsApp)
- Apple (iPhone, App store)
Beyond using SMS text messages as a second method of authentication, you can also explore using authentication apps (I like Authy) and using dedicated hardware (Yubikey is my favorite) to add even further security to your digital credentials.
Use a password manager
I have nothing but love for the well-worn physical password book. For keeping track of a few items, that update infrequently, it’s hard to beat the convenience and relative security of just writing your passwords down.
Alas, the number of accounts we have online has exploded over the past decade, and unless you violate the “don’t reuse passwords” rule, that means you likely have hundreds of online accounts and hundreds of logins to keep track of.
A password manager is terrific for helping you create, store, and use unique strong passwords for all your online accounts. With a good password manager, your stored passwords, email addresses, and other private information are kept in an encrypted vault and you only need to remember one single password. Additionally, you typically can securely share passwords across family members (no more need to text the Netflix password).
I recommend 1password because a) it works across all the devices I need (Mac, Chrome, Firefox, Safari, iOS, etc.), b) it’s super easy to use for newbies to password management, and c) their approach to security is that everyone (including them) should expect to get breached, so they have added a “Secret Key” approach to protecting passwords which would be impossible to brute-force with today’s technology.
I would NOT recommend Lastpass. Their approach to security feels lackadaisical at best and despite being the targets of multiple hacks over the past few years, they’ve been slow to innovate and stay at the forefront of cybersecurity.
If this step feels too hard at this time and you are an Apple user, it looks like they are releasing a new feature called “Passwords” in late 2024 which should be a native password manager for Apple devices.
Watch out for deceptive emails and texts (Phishing)
Scammers LOVE phishing. Phishing is a type of cyber attack where jackasses will attempt to deceive you into providing sensitive information (usually usernames and passwords) by pretending to be someone or some organization you already trust.
People use fake emails, websites, and text messages to try to convince you to take some action for malicious purposes (e.g., identity theft or stealing your credit card info). They will usually ask you to open an attached PDF (which might download malicious software onto your computer) or click a link (“URL”) to go to some website and enter your login info (where they will steal your credentials).
Scammers usually take a “spray-and-pray” approach, sending millions of these emails and texts out because, unfortunately, at least some folks will inadvertently fall for the ruse. Taking a moment to double-check that the sender’s information matches the content within the email or text will help prevent being tricked. You can also use tools such as Google Safe Browsing to confirm whether a URL is safe or contains suspicious content. Always be skeptical when you are asked to open a PDF or click a button that takes you to a page asking for your login credentials when you didn’t request help.
This is an example of a phishing email I received. You can tell from the sender’s address that this is NOT from Sirius XM. This is not an email I’m going to click.

This is an example of a phishing text. You can tell from the sender info that this is not the USPS and the link they are asking me to follow is not the same as their official website (usps.com).
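The check described above (does the link actually go to the official website?) is easy to get wrong by eye, because scammers put the real company name somewhere in the link. As an added example that is not part of the original post, here is a small Python helper that looks only at the hostname of a link and accepts it only if it is the official domain or a subdomain of it. The sample message and the `.example` hostnames are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed sample text in the style of the phishing SMS discussed above.
SAMPLE_TEXT = ("USPS: your package is on hold. Confirm your address at "
               "http://usps.com.package-redelivery.example/track")

def link_matches_official_site(url: str, official_domain: str) -> bool:
    """True only if the link's host is official_domain or one of its subdomains.

    Only the hostname counts: the official name showing up as a subdomain
    prefix, in the path, or in front of an '@' sign is rejected.
    """
    official = official_domain.lower().strip(".")
    if "://" not in url:
        url = "http://" + url          # let urlsplit see a proper netloc
    host = urlsplit(url).hostname      # drops scheme, userinfo, port, path
    if not host:
        return False
    host = host.lower().rstrip(".")
    return host == official or host.endswith("." + official)

def check_message(text: str, official_domain: str) -> list:
    """Pull every http(s)/www link out of a message and verify each one.

    Returns [(url, ok), ...] so a reader can see which link failed and why.
    """
    results = []
    for url in re.findall(r"(?:https?://|www\.)[^\s<>\"']+", text):
        url = url.rstrip(".,;:!?)")    # trailing punctuation from the sentence
        results.append((url, link_matches_official_site(url, official_domain)))
    return results

if __name__ == "__main__":
    for url, ok in check_message(SAMPLE_TEXT, "usps.com"):
        print(("OK      " if ok else "SUSPECT ") + url)
```

The `tools.usps.com`-style subdomains a real company uses pass, while `usps.com.something.example`, `something.example/usps.com/...`, `usps.com@something.example` and look-alikes such as `myusps.com` all fail.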

Beyond phishing, also be aware of Pig Butchering scams. “Pig butchering” refers to a sophisticated, long-term online scam where the scammer (the “butcher”) builds a relationship with the victim (the “pig”) over time to “fatten them up” before executing the scam and stealing large sums of money. There are some great examples of folks messing with scammers attempting this type of scam.
Below is an example of someone trying to build a relationship with me via random text. If an unknown number or email reaches out to you and tries to build a relationship, be skeptical.

The primary place Pig Butchers use to gather info on you is from Facebook so I highly recommend editing your Facebook privacy settings to only allow “Friends” to see your content at a minimum (vs. having it set to public for the whole internet to see). The best way to do this is to go through the Facebook Privacy Checkup process which you can access here (will require you to log into your own Facebook account).

Keep an eye on if your data’s been compromised
Even if you do things perfectly and you use strong passwords and 2FA, companies still get phished and hacked daily, and your information will wind up public on the internet for scammers to find.
Have I Been Pwned allows you to search across multiple data breaches to see if your email address or phone number has been compromised.

You can sign up to receive an email notification every time your personal information is found in a new data breach. Knowing your information has been involved in a breach will allow you to change your password (and perhaps change any other accounts where you reused that password).
If you are concerned financial data may have been compromised, you can always freeze (and then unfreeze) your credit with the big 3 credit agencies.
Set your Venmo transactions to private
Venmo is great for sending/receiving money quickly. But, I don’t think most people are aware that all transactions they make on it are public by default. So unless you change this setting, your friends can see who you paid and the comments you left in the transaction.
Scrolling my Venmo feed, I can not only see friends paying for babysitters and partners paying each other for dinner outings but I can also see people sharing the exact address of their home and where they pay rent, who still is paying their parents for their cell phone bill, and who likes to indulge in online gambling.
Unless you want this information to be public, take a moment and update your settings with the instructions below:

These steps are at least a starting point to improve your security and privacy on the internet in 2024.
I take the perspective that it’s impossible to prevent your data from being leaked online, so the best approach is to have the right protections to make sure one single breach won’t bring down your whole digital empire.
When in doubt, or when something on the internet feels sketchy, call a friend or feel free to email me. My hope is that no one else has to end up in a situation where they hand over $50,000 in a shoebox to a scam caller pretending to be a CIA agent.
(special thanks to Rosanna and Eiwe for reading drafts and giving feedback on this)