Account Security (Critical)
Your first line of defense against account takeover
Enable Two-Factor Authentication (2FA/MFA) on ALL accounts
CRITICAL
Why:
Makes your account 99.9% less likely to be compromised, even if your password is stolen
How:
- Use authenticator app (Google Authenticator, Authy, Microsoft Authenticator)
- Hardware keys (YubiKey) are most secure
- Avoid SMS 2FA if possible (vulnerable to SIM swapping)
- Enable 2FA on: Email, banking, work accounts, social media, cloud storage
Use a Password Manager
CRITICAL
Why:
Enables unique, strong passwords for every account without memorization
How:
- Choose: 1Password, Bitwarden, LastPass, or Dashlane
- Generate 16+ character random passwords
- Never reuse passwords across sites
- Enable 2FA on the password manager account itself, so the master password alone cannot unlock the vault
Change All Reused Passwords
HIGH
Why:
One data breach compromises ALL accounts using the same password
How:
- Identify reused passwords (password manager can help)
- Change to unique passwords starting with most critical accounts
- Prioritize: Banking, email, work, healthcare, government
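An added example (not from the original checklist) covering both the password-manager item and the reused-password item above: generating a password from the OS CSPRNG, computing its entropy, and auditing a vault export for reuse with the most critical accounts listed first. The vault entries, site names and priority keywords are constructed assumptions.

```python
import math
import secrets
import string
from collections import defaultdict
from hashlib import sha256

ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols
# Assumed ordering of account criticality, following the checklist's priority list
PRIORITY_KEYWORDS = ["bank", "mail", "work", "health", "gov"]


def generate_password(length: int = 20) -> str:
    """Use secrets (OS CSPRNG), never random.random(), for anything that must be unguessable."""
    if length < 16:
        raise ValueError("use 16 or more characters")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def find_reused_passwords(vault):
    """Group (site, username, password) rows by password and return sites sharing one.
    Passwords are grouped via their hash so the report never echoes the secrets."""
    by_hash = defaultdict(set)
    for site, _username, password in vault:
        by_hash[sha256(password.encode()).hexdigest()].add(site)
    return sorted(sorted(sites) for sites in by_hash.values() if len(sites) > 1)


def remediation_order(sites):
    """Sort sites so banking, email, work, healthcare and government come first."""
    def rank(site):
        for i, word in enumerate(PRIORITY_KEYWORDS):
            if word in site:
                return i
        return len(PRIORITY_KEYWORDS)
    return sorted(sites, key=lambda s: (rank(s), s))


# Constructed sample vault export: made-up sites, usernames and passwords
SAMPLE_VAULT = [
    ("bank.example", "alice", "Tr0ub4dor&3"),
    ("mail.example", "alice", "Tr0ub4dor&3"),
    ("shop.example", "alice", "correct horse battery staple"),
    ("forum.example", "alice", "Tr0ub4dor&3"),
    ("work.example", "alice", "x9$Lm2#pQv7!zR4w"),
]

if __name__ == "__main__":
    print(f"16 random chars from {len(ALPHABET)} symbols = {entropy_bits(16):.1f} bits")
    for group in find_reused_passwords(SAMPLE_VAULT):
        print("reused on:", remediation_order(group))
```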
Enable Login and Account Activity Alerts
Why:
Get notified immediately if someone accesses your account
How:
- Enable email/SMS alerts for: New device logins, password changes, 2FA changes
- Available in most major services (Gmail, Microsoft, banks)
Review Active Sessions & Connected Apps
MEDIUM
Why:
Old sessions and forgotten apps are security risks
How:
- Log out of all devices you don't recognize
- Revoke access to apps you no longer use
- Check: Google Account → Security → Your devices
- Check: Microsoft Account → Security → Sign-in activity
Email Security
Protect your inbox and verify sender authenticity
Configure SPF, DKIM, and DMARC (Domain Owners)
CRITICAL
Why:
Prevents attackers from spoofing emails from your domain
How:
- Work with your IT team or email provider
- Set DMARC policy to 'quarantine' or 'reject'
- Monitor DMARC reports for spoofing attempts
- See our Authentication Explained guide for details
Enable Advanced Phishing Protection
HIGH
Why:
Catches phishing that basic spam filters miss
How:
- Gmail: Enable 'Warn for links to untrusted domains'
- Outlook: Enable 'External sender warning'
- Consider PhishCheck for automated email analysis
Create Email Filters for Common Scams
MEDIUM
Why:
Automatically flags or quarantines known phishing patterns
How:
- Filter emails with: 'urgent', 'verify account', 'suspended'
- Flag external emails claiming to be from executives
- Auto-delete obvious scams (foreign lottery, inheritance)
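The three filter rules above, run over a few constructed messages, as an added example that is not part of the original checklist. The organization domain, the executive names and the sample messages are assumptions; a real deployment would express the same rules in the mail system's filter language.

```python
from __future__ import annotations

from email.utils import parseaddr

ORG_DOMAIN = "example.com"                    # assumption: your own mail domain
EXECUTIVES = {"jane doe", "john smith"}       # assumption: names worth protecting from impersonation
URGENCY = ("urgent", "verify account", "suspended")
OBVIOUS_SCAM = ("lottery", "inheritance", "next of kin")


def classify(msg: dict) -> tuple[str, list[str]]:
    """Return (action, reasons) where action is 'deliver', 'flag' or 'delete'."""
    reasons = []
    display_name, addr = parseaddr(msg["from"])
    sender_domain = addr.rpartition("@")[2].lower()
    text = f"{msg['subject']} {msg['body']}".lower()

    # Rule 3: auto-delete the obvious scam patterns
    if any(k in text for k in OBVIOUS_SCAM):
        return "delete", ["obvious scam pattern"]

    # Rule 2: an outside address using the display name of one of our executives
    if sender_domain != ORG_DOMAIN and display_name.strip().lower() in EXECUTIVES:
        reasons.append(f"external sender using executive display name '{display_name}'")

    # Rule 1: urgency language
    hits = [k for k in URGENCY if k in text]
    if hits:
        reasons.append("urgency keywords: " + ", ".join(hits))

    return ("flag" if reasons else "deliver"), reasons


# Constructed sample messages (fabricated senders and text)
SAMPLE_MESSAGES = [
    {"from": '"Jane Doe" <jane.doe@freemail.example>', "subject": "Urgent wire transfer",
     "body": "Need this done today, I am in a meeting and cannot talk."},
    {"from": "Jane Doe <jane.doe@example.com>", "subject": "Urgent: board deck",
     "body": "Please send the latest version before noon."},
    {"from": "Barrister Okafor <claims@claims-office.example>", "subject": "Your inheritance claim",
     "body": "You have been named beneficiary of a late client."},
    {"from": "IT Helpdesk <helpdesk@example.com>", "subject": "Monthly newsletter",
     "body": "Patch Tuesday summary and upcoming maintenance windows."},
    {"from": "security@accounts-support.example", "subject": "Your account has been suspended",
     "body": "Verify account now to restore access."},
]


def triage(messages):
    return [(m["subject"], classify(m)[0]) for m in messages]


if __name__ == "__main__":
    for subject, action in triage(SAMPLE_MESSAGES):
        print(f"{action:8} {subject}")
```

Note that the second message is flagged, not deleted: keyword rules of this kind are for review queues, and the executive-impersonation rule is the one that distinguishes the real Jane Doe from the lookalike.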
Disable Automatic Image Loading
LOW
Why:
Prevents tracking pixels and malicious image exploits
How:
- Gmail: Settings → Images → 'Ask before displaying external images'
- Outlook: File → Options → Trust Center → Automatic Download
Use Separate Email for Online Shopping/Signups
MEDIUM
Why:
Limits exposure if shopping sites are breached
How:
- Create secondary email for: Online shopping, forums, newsletters
- Use aliasing (name+shop@gmail.com) to track leaks
- Keep primary email private
Device Security
Secure the devices you use to access email
Keep All Devices & Software Updated
CRITICAL
Why:
Security patches fix vulnerabilities that attackers exploit
How:
- Enable automatic updates on: OS, browsers, apps
- Restart devices regularly to apply updates
- Check for updates manually if automatic updates are disabled
Install & Update Antivirus/Anti-Malware
HIGH
Why:
Detects and blocks malware from phishing attachments
How:
- Windows: Windows Defender is built-in and good
- Mac: Malwarebytes or BitDefender
- Enable real-time protection
- Run full scans weekly
Enable Full-Disk Encryption
Why:
Protects data if device is lost or stolen
How:
- Windows: Enable BitLocker
- Mac: Enable FileVault
- iPhone/Android: Usually enabled by default
Use Strong Device Lock Screens
MEDIUM
Why:
Prevents unauthorized physical access
How:
- Use 6+ digit PIN, pattern, or biometric
- Set auto-lock to 1-5 minutes
- Require unlock after restart
Secure Your Browser
Why:
Browsers are the primary phishing attack vector
How:
- Use Chrome, Firefox, Edge, or Safari (stay updated)
- Review and remove suspicious extensions
- Enable 'Safe Browsing' or equivalent
- Clear cache/cookies regularly
- Consider uBlock Origin for malicious ad blocking
Network Security
Protect your internet connection
Secure Your Home Wi-Fi
HIGH
Why:
Unsecured Wi-Fi allows attackers to intercept your email
How:
- Change default router admin password
- Use WPA3 or WPA2 encryption (not WEP)
- Create strong Wi-Fi password (20+ characters)
- Disable WPS (Wi-Fi Protected Setup)
- Update router firmware
Use VPN on Public Wi-Fi
HIGH
Why:
Public Wi-Fi is easily intercepted by attackers
How:
- Never access banking/email on public Wi-Fi without VPN
- Use: NordVPN, ExpressVPN, ProtonVPN, or Mullvad
- Enable VPN kill switch
Enable Your Firewall
Why:
Blocks unauthorized incoming connections
How:
- Windows: Built-in firewall (usually enabled by default)
- Mac: System Preferences → Security & Privacy → Firewall
- Enable on all devices
Awareness & Behavior
Your most important security control
Always Verify Unexpected Requests
CRITICAL
Why:
90% of breaches involve human error
How:
- Call the person using a known phone number (not from email)
- Use a different communication channel to verify
- If CEO emails asking for wire transfer, CALL THEM
- If bank emails about suspicious activity, go to their website directly
Hover Before You Click
CRITICAL
Why:
Link text can lie; the actual URL doesn't
How:
- Hover mouse over links to see real destination
- Look for misspellings (paypa1.com instead of paypal.com)
- Type known URLs directly instead of clicking
- Check domain carefully (paypal.com.verify.tk is NOT PayPal)
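The checks a careful reader performs when hovering over a link, written out as code, as an added example that is not part of the original checklist. It uses the checklist's own lookalike cases (paypa1.com, paypal.com.verify.tk) plus link text that disagrees with its destination. The trusted-brand table is an assumption, and taking the last two labels as the registrable domain is a simplification (a real tool would use the Public Suffix List).

```python
from urllib.parse import urlsplit

TRUSTED = {"paypal.com": "PayPal", "microsoft.com": "Microsoft"}  # assumption: brands you care about
# Digit-for-letter substitutions commonly used in lookalike domains
HOMOGLYPHS = {"1": "l", "0": "o", "3": "e", "5": "s"}


def inspect_link(display_text: str, href: str) -> dict:
    """Compare what a link shows with where it really goes and report findings."""
    parts = urlsplit(href if "://" in href else "http://" + href)
    host = (parts.hostname or "").lower().rstrip(".")
    labels = host.split(".")
    registrable = ".".join(labels[-2:])  # simplification: no Public Suffix List
    brand = TRUSTED.get(registrable)
    findings = []

    if brand is None:
        # Brand name sitting left of the real domain: paypal.com.verify.tk is verify.tk
        for trusted_domain, name in TRUSTED.items():
            if trusted_domain.split(".")[0] in labels[:-2]:
                findings.append(f"'{name}' appears only in a subdomain; real domain is {registrable}")

        # Digit-for-letter lookalike: paypa1.com normalises to paypal.com
        normalized = registrable
        for digit, letter in HOMOGLYPHS.items():
            normalized = normalized.replace(digit, letter)
        if normalized != registrable and normalized in TRUSTED:
            findings.append(f"lookalike of {normalized}")

        # Link text names a trusted domain the href does not go to
        for trusted_domain in TRUSTED:
            if trusted_domain in display_text.lower():
                findings.append(f"text shows {trusted_domain} but destination is {registrable}")

    verdict = "suspicious" if findings else ("trusted" if brand else "unknown")
    return {"host": host, "registrable_domain": registrable, "verdict": verdict, "findings": findings}


# Constructed examples; the two lookalikes come from the checklist text
SAMPLES = [
    ("paypal.com", "https://www.paypal.com/signin"),
    ("Verify your account", "https://paypal.com.verify.tk/login"),
    ("https://www.paypal.com", "http://paypa1.com/x"),
    ("Docs", "https://docs.python.org"),
]

if __name__ == "__main__":
    for text, href in SAMPLES:
        result = inspect_link(text, href)
        print(f"{result['verdict']:10} {href}  {result['findings']}")
```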
Never Download Unexpected Attachments
CRITICAL
Why:
Malicious attachments are the #1 ransomware delivery method
How:
- Verify with sender before opening unexpected attachments
- Never open: .exe, .scr, .zip, .js, .vbs files from email
- Be suspicious of: Office docs asking to 'Enable Macros'
- Scan attachments with antivirus before opening
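Attachment checks a mail gateway or a cautious user can apply before a file is opened, as an added example that is not part of the original checklist. It enforces the block list from the text, catches double extensions and files whose bytes contradict their name, and detects macros in Office documents by looking for the vbaProject.bin part inside the document's zip container. The sample attachments are constructed in memory; the macro-enabled extension set is an assumption.

```python
from __future__ import annotations

import io
import zipfile

BLOCKED_EXTENSIONS = {"exe", "scr", "js", "vbs", "zip"}            # from the checklist
MACRO_ENABLED = {"docm", "xlsm", "pptm"}                            # assumption: carry VBA by design
OFFICE_OPEN_XML = {"docx", "xlsx", "pptx"} | MACRO_ENABLED
DOCUMENT_LIKE = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "png"}
MAGIC = {b"MZ": "windows executable", b"%PDF": "pdf", b"PK\x03\x04": "zip container"}


def sniff(data: bytes) -> str:
    """Identify the real file type from its leading bytes."""
    for signature, kind in MAGIC.items():
        if data.startswith(signature):
            return kind
    return "unknown"


def has_vba_project(data: bytes) -> bool:
    """Office Open XML files are zips; a vbaProject.bin part means embedded macros."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(name.lower().endswith("vbaproject.bin") for name in zf.namelist())
    except zipfile.BadZipFile:
        return False


def assess_attachment(filename: str, data: bytes) -> tuple[str, list[str]]:
    """Return ('allow' | 'block', reasons) for one attachment."""
    reasons = []
    parts = filename.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""

    if ext in BLOCKED_EXTENSIONS:
        reasons.append(f".{ext} is on the block list")
    if len(parts) > 2 and parts[-2] in DOCUMENT_LIKE:
        reasons.append(f"double extension .{parts[-2]}.{ext}")
    if sniff(data) == "windows executable" and ext not in {"exe", "scr", "dll"}:
        reasons.append(f"content is a Windows executable but the name claims .{ext}")
    if ext in MACRO_ENABLED or (ext in OFFICE_OPEN_XML and has_vba_project(data)):
        reasons.append("Office document contains VBA macros")

    return ("block" if reasons else "allow"), reasons


def build_office_zip(with_macros: bool) -> bytes:
    """Construct a minimal fake .docx/.docm container for testing (not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            zf.writestr("word/vbaProject.bin", b"constructed placeholder, not real VBA")
    return buf.getvalue()


if __name__ == "__main__":
    samples = [
        ("invoice.pdf.exe", b"MZ\x90\x00constructed"),
        ("report.pdf", b"MZ\x90\x00constructed"),
        ("quarterly.docx", build_office_zip(True)),
        ("quarterly.docx", build_office_zip(False)),
        ("brochure.pdf", b"%PDF-1.7 constructed"),
    ]
    for name, data in samples:
        print(name, assess_attachment(name, data))
```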
Be Skeptical of Urgency
HIGH
Why:
Urgency is the #1 phishing tactic
How:
- Banks/companies rarely demand 'immediate action'
- Threats of account closure are usually fake
- Take time to verify - real problems won't disappear in minutes
- High-pressure tactics = red flag
Learn to Recognize Red Flags
HIGH
Why:
Education is your best defense
How:
- Review our comprehensive Red Flags guide
- Take phishing awareness training
- Stay informed about current scams
- Share knowledge with family/colleagues
Business/Organization (IT Admins)
Enterprise security controls
Implement Email Authentication (SPF, DKIM, DMARC)
CRITICAL
Why:
Prevents domain spoofing and protects brand reputation
How:
- Configure SPF record listing authorized mail servers
- Enable DKIM signing for outbound mail
- Set DMARC policy to 'quarantine' then 'reject'
- Monitor DMARC reports for spoofing attempts
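An added example, not part of the original checklist, serving both the domain-owner item in the Email Security section and the IT-admin item above: how to read an SPF, DKIM and DMARC TXT record and spot the settings that leave a domain spoofable (a permissive SPF `all`, a DMARC policy stuck at `none`, no reporting address, a revoked or testing-mode DKIM key). The records are constructed sample values, not any real domain's DNS; in practice they come from a DNS lookup of the domain, `_dmarc.<domain>` and `<selector>._domainkey.<domain>`.

```python
from __future__ import annotations

import re


def parse_tags(record: str) -> dict:
    """Parse the 'tag=value; tag=value' lists used by DMARC and DKIM records."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, _, value = part.partition("=")
            tags[key.strip().lower()] = value.strip()
    return tags


# Mechanisms that cost a DNS lookup; RFC 7208 allows at most 10 per evaluation
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include|a|mx|ptr|exists|redirect)(?=[:/=]|$)", re.I)


def evaluate_spf(record: str) -> list[str]:
    issues = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    all_term = next((t for t in terms if t.lower().endswith("all")), None)
    if all_term is None:
        issues.append("no 'all' mechanism: unlisted senders are not rejected")
    elif all_term.startswith("+") or all_term.lower() == "all":
        issues.append("'+all' authorizes every sender; spoofing is explicitly permitted")
    elif all_term.startswith("?"):
        issues.append("'?all' is neutral; tighten to '~all' or '-all'")
    lookups = sum(1 for t in terms if LOOKUP_TERM.match(t))
    if lookups > 10:
        issues.append(f"{lookups} lookup mechanisms exceed the limit of 10 (permerror)")
    return issues


def evaluate_dmarc(record: str) -> list[str]:
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record"]
    issues = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        issues.append("p=none only monitors; move to quarantine, then reject")
    elif policy not in ("quarantine", "reject"):
        issues.append("missing or invalid p= tag")
    pct = int(tags.get("pct", "100"))
    if pct < 100 and policy in ("quarantine", "reject"):
        issues.append(f"pct={pct}: policy applies to only {pct}% of failing mail")
    if "rua" not in tags:
        issues.append("no rua= address: aggregate reports cannot be monitored")
    if tags.get("sp", policy).lower() == "none" and policy != "none":
        issues.append("sp=none leaves subdomains unprotected")
    return issues


def evaluate_dkim(record: str) -> list[str]:
    tags = parse_tags(record)
    if tags.get("v", "DKIM1") != "DKIM1":  # v= is optional in key records and defaults to DKIM1
        return ["not a DKIM key record"]
    issues = []
    if not tags.get("p"):
        issues.append("empty p= means the key is revoked")
    if tags.get("t", "").lower() == "y":
        issues.append("t=y testing flag: verifiers treat failures leniently")
    return issues


# Constructed sample records (not real DNS data)
WEAK_SPF = "v=spf1 include:_spf.mailprovider.example +all"
GOOD_SPF = "v=spf1 ip4:203.0.113.0/24 include:_spf.mailprovider.example -all"
WEAK_DMARC = "v=DMARC1; p=none"
GOOD_DMARC = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@example.com"
REVOKED_DKIM = "v=DKIM1; k=rsa; p="

if __name__ == "__main__":
    for label, fn, rec in [("SPF", evaluate_spf, WEAK_SPF), ("DMARC", evaluate_dmarc, WEAK_DMARC),
                           ("DKIM", evaluate_dkim, REVOKED_DKIM)]:
        print(label, fn(rec) or ["ok"])
```

Moving p= from none to quarantine to reject is only safe once the rua= reports show that every legitimate sending service is covered by SPF or DKIM, which is why the reporting address is treated here as a required part of the record.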
Deploy Advanced Email Security Gateway
HIGH
Why:
Catches sophisticated phishing that basic filters miss
How:
- Consider: Proofpoint, Mimecast, Barracuda, or similar
- Enable: URL rewriting, sandbox analysis, impersonation detection
- Integrate with threat intelligence feeds
Require 2FA for All Employees
CRITICAL
Why:
Single most effective control against account compromise
How:
- Enforce 2FA via Azure AD, Google Workspace, or Okta
- Provide hardware tokens for high-risk users
- Monitor compliance
Conduct Regular Phishing Simulations
HIGH
Why:
Trains employees to recognize real attacks
How:
- Use: KnowBe4, Cofense, or Proofpoint Security Awareness
- Test quarterly minimum
- Provide immediate feedback to clickers
- Track metrics over time
Implement Email Banner for External Emails
MEDIUM
Why:
Visual warning prevents executive impersonation
How:
- Add '[EXTERNAL]' to subject or banner to body
- Available in: Exchange, Gmail, most email gateways
- Helps catch CEO fraud / BEC attacks
Establish Incident Response Plan
HIGH
Why:
Fast response limits damage from successful attacks
How:
- Define roles and escalation procedures
- Document steps for: Phishing, BEC, ransomware, data breach
- Include law enforcement contacts (FBI IC3)
- Test plan annually