Internet Crimes

The Everyday Security Checklist

30 things the average person should have locked down, but almost nobody does. No tech degree required.

SIM Swap, Account Takeover, Identity Theft, Phishing, Data Leaks, Device Theft
01

Passwords & Accounts

🔑
You use a different password for every account
Reusing passwords means one breach equals every account compromised. In 2024, credential stuffing attacks hit 15B accounts using leaked password lists.
Critical
You use a password manager (Bitwarden, 1Password, or similar)
The only way to actually use unique passwords. Bitwarden is free and open-source. LastPass works but had a major breach; avoid it for now.
5 mins
Your email password is 16+ characters and unique
Your email is the master key. Whoever controls it can reset every other password you own.
Critical
You've checked HaveIBeenPwned.com for your email
Free tool. Shows every known breach your email appeared in. If you haven't checked, go to hibp.com right now.
2 mins
You don't use pet names, birthdays, or family names as passwords
Attackers spend 10 minutes on your Instagram before guessing your password. Don't make it easy.
Easy fix
02

Two-Factor Authentication

📱
Your email account has 2FA turned on
Gmail, Outlook, and Yahoo all support it. Go to security settings now. Accounts with 2FA are 99.9% less likely to be compromised, per Microsoft.
Critical
You use an authenticator app, NOT SMS 2FA for important accounts
SMS 2FA can be defeated by a SIM swap. An attacker calls your carrier, ports your number, and your SMS codes go to them. App-based codes cannot be intercepted this way.
Critical
Your bank, Instagram, TikTok, and WhatsApp all have 2FA enabled
These are your highest-value targets. Any one of these compromised means serious damage to your finances or reputation.
15 mins
You have a PIN lock on your mobile carrier account
Call your carrier and ask them to add a port lock or account PIN. This stops anyone from porting your number without the PIN. Takes 5 minutes. Stops SIM swapping.
5 mins
03

Your Phone & Devices

💻
Your phone has a 6-digit PIN or biometric lock, not a 4-digit PIN
A 4-digit PIN has 10,000 combinations. A 6-digit PIN has 1,000,000. Shoulder surfing is real in crowded places.
Easy fix
Your phone's OS and apps are updated
Most attacks exploit known vulnerabilities that are already patched. "I'll update later" means "I'll leave the door open a bit longer."
10 mins
You don't charge your phone at public USB ports
Juice jacking uses public USB charging stations to transfer malware. Use your own charger and a power bank. Or use a USB data blocker; they cost next to nothing.
Awareness
You've audited your phone's app permissions this month
Go to Settings > Apps > Permissions. Does your torch app have access to your contacts? Does your calculator have your location? Remove what doesn't make sense.
15 mins
Your laptop has full-disk encryption enabled
FileVault on Mac, BitLocker on Windows. If your laptop is stolen and unencrypted, every file is readable. Encryption means it's useless without your password.
30 mins
04

Online Behaviour

🌐
You verify links before clicking, especially in WhatsApp and email
Hover over links on desktop or long-press on mobile to see the real URL. "gtbank-secure.login-verify.com" is not GTBank. When in doubt, go directly to the official site.
Critical
You use a VPN on public WiFi (airports, hotels, cafés)
Public WiFi can be monitored or faked entirely via "evil twin" networks. A VPN encrypts your traffic so even if the network is compromised, your data isn't readable.
Habit
You don't share your OTP with anyone, ever, for any reason
Banks never ask for your OTP. Telecom companies never ask for your OTP. If someone asks, they are stealing your account. Full stop. No exceptions.
Critical
You've reviewed what's public on your social media profiles
Your public profile helps attackers guess security questions, find your phone number, or build a social engineering profile. "Your mother's maiden name" is often in your family photos.
20 mins
You don't use "Sign in with Google/Facebook" for sensitive accounts
Convenient, but it means a Google/Facebook compromise unlocks everything. Use it for throwaway logins, not for banking or anything financial.
Awareness
05

Money & Fintech

💳
You have transaction alerts turned on for every bank and fintech account
The first defence against fraud is knowing it happened. If you get an SMS 30 seconds after a transaction you didn't make, you can still act fast.
Critical
You've set daily transfer limits on your mobile banking app
Most banks let you cap daily outgoing transfers. Set yours to a realistic maximum. If someone gets in, they can only steal up to that limit before you notice.
10 mins
You never send money to someone you've only met online without verifying in real life
Romance scams, investment scams, "I'm stuck abroad" scams: they all move to money quickly. If you've never met them physically, treat any financial request as suspicious.
Critical
Your crypto (if any) is in a hardware wallet or reputable exchange, not a random app
"Not your keys, not your coins." If you hold any meaningful amount, a hardware wallet (Ledger, Trezor) protects it even if your computer is compromised.
If relevant
You've verified your bank's official customer service number before calling
Fraudsters create websites with fake "official" numbers. Use the number printed on your debit card, not one from a Google search or a message you received.
Habit
06

Data & Privacy

🛡
You use a secondary email for signups and apps you don't fully trust
Your real email stays clean and secure. Your junk email takes the spam, the breaches, and the inevitable data leaks from every app you try once.
Easy
You're careful about which apps get access to your government ID or biometrics
KYC data (passport, selfie, address) is a complete identity theft package. Ask yourself: does this app actually need my ID to function, or are they just collecting it?
Critical
Your browser isn't saving passwords; your password manager is
Browser-saved passwords are a known attack target, often synced to the cloud without strong encryption. Use your dedicated password manager exclusively.
5 mins
Your WhatsApp cloud backups are end-to-end encrypted
WhatsApp messages backed up to Google Drive were historically unencrypted. Go to WhatsApp Settings > Chats > Chat Backup and enable end-to-end encrypted backup.
Awareness
You've told at least one family member about SIM swap and OTP scams
Scammers deliberately target people less familiar with these attacks. Your security is also their security. One conversation could save a family member everything.
Free