Ngā tino tīwhiri mā te haumarutanga tuihono

Top tips for online security

Online security attacks are becoming more and more common over time – find out what steps you can take to reduce the risk of an attack.

1. Back up your data

Backing up the data on your devices — by copying it to another, separate location — is one of the most important things you can do. 

Why it matters

If you’re targeted by an online attack, you may not be able to access or use your computer, phone, or any of your other devices. But if you’ve backed up your data, you will still have access to a copy, no matter what ends up happening to your device.

What to do

Back up your data regularly — for example, every week. You can:
  • get an external hard drive and do an 'offline' or 'cold' backup, and/or
  • sign up to a cloud-based service like Dropbox, iCloud, Google Drive or OneDrive and do a cloud backup.

2. Update regularly

When you’re alerted to an update for your device or one of your apps, don’t ignore it — install it as soon as possible.

Why it matters

Updates aren’t just about adding new features. They’re also about fixing vulnerabilities in a device or an app that attackers could find and use to gain access to your system.

What to do

Run updates when you're notified of them, or set your system preferences to update them automatically — then you don’t have to think about it.

If you don't use an app anymore, remove it from your devices.

If your device can’t receive security updates anymore, upgrade to a newer model as soon as you can.

3. Use different passwords on everything

We know it's easier to use the same password for all of your accounts, or stick to two or three that you use in lots of places. But it opens you up to risk.

Why it matters

If an attacker gets access to one of your account passwords, it often gives them access to many of your other accounts as well. This can happen easily, whether it's from a company's data being breached, phishing attacks or if you share a password with someone.

What to do

Use a different password for every online account you create. Each one should be totally different, not just a change to a symbol or number.

Try using a password manager, which will store and manage your passwords for you. The password manager will be the only account you need to remember login details for.

Think about using a short phrase or add a few random words together to create a passphrase, rather than a password.

Passphrases are usually stronger and easier to remember than passwords.

You can add a mix of letters, numbers and symbols to make your passphrase more complex, for example 'Wint3r here 1s warmer than Summ3r'.

Review the passwords for some of the accounts you’ve had for a while – they probably have weaker or reused passwords.

4. Turn on two-factor authentication

With two-factor authentication (2FA), you can choose to have a code sent or generated on your device, like your phone, that you can use to authenticate who you are every time you log in. This can also be called:

  • multi-factor authentication (MFA)
  • two-step verification
  • two-step authentication.

Why it matters

Even if someone gets access to the password for one of your accounts, they won't be able to access it if they don’t have your phone to receive the 2FA code.

What to do

Turn on two-factor authentication, especially for your important accounts, like your email and social media accounts.

If several types are available, choose an option that isn’t a text message, as text messages are a less secure type of 2FA – though they're still safer than no 2FA.

5. Be creative with account recovery questions

When you set up a new account online, you’re often asked for an ‘account recovery question’. These are used as a way to identify you if you forget your password and need a prompt. They’re often based on things that are easy for you to remember — like your mother’s maiden name, the name of your first pet or where you went to school.

Why it matters

Unfortunately, these are also easy things for an attacker to find out, and could be used to gain access to your accounts without your knowledge.

What to do

Be creative when setting answers to account recovery questions. Instead of being honest about what school you went to, for example, you could say 'Hogwarts' instead. As long as it’s something that you can remember, you can set any answer you like.

Don't do the quizzes that sometimes go around on social media asking personal questions – these are often ways for scammers to get information about you, to help them gain access to your personal accounts.

6. Take care on public WiFi networks

Using free public WiFi networks or hotspots, like in a cafe, can be convenient and help you save on data costs. But they're often not secure.

Why it matters

When a network’s unsecured, anyone can access it and get hold of your data. Doing private transactions in public also puts you at risk of people ‘shoulder surfing’ — looking over your shoulder to try to see the login details for your online accounts.

What to do

It’s OK to check the news or the weather on a public WiFi network, but try to keep more sensitive transactions to a minimum.

Avoid doing online shopping or internet banking on free WiFi or an unsecured network.

If you need to check your email, make sure you have two-factor authentication set up first.

Use your own device where possible, not someone else’s.

7. Install antivirus software and scan for viruses regularly

Antivirus software can help you detect and remove viruses from your computer system before the virus has a chance to do any damage.

Why it matters

Viruses, ransomware and malware can destroy or lock you out of your devices. Antivirus software can notify you of them before they have a chance to spread through your system or network.

What to do

Install an antivirus program on your computer. If you’re not confident doing this yourself, a computer services company can do it for you.

Run it regularly, for example every week, and clean up any viruses it identifies.

Tell your IT person about any viruses you’ve found the next time you see them.

Supported versions of Microsoft Windows come with a free antivirus called Windows Defender. Otherwise, get a legitimate antivirus from a well-known, trusted company — your local computer services company can give you advice on what would work best for you.

Don’t just download any free antivirus software online, as many of the ones you see advertised for free are fake. They could download malware or adware onto your computer instead of helping you detect and remove it.

8. Be smart about social media

We’re so used to sharing things online that we don’t really think about it anymore. Everyone knows your pet's name, where you went to school, where you work, and even when you’re away on holiday.

Why it matters

The information you post to your Facebook profile, your Twitter feed or your Instagram account to keep your friends and family up to date could be used to steal your identity or hack into your online accounts. It could also show that you're on holiday, and that your house might be empty and easier to steal from.

What to do

Check the privacy controls on your social media accounts. Set them so only your friends and family can see your full details.

Don’t put too much personal information on your social media accounts.

Remember our tip about passwords. If you share pictures of your dog on Facebook, make sure you’re not also using your dog’s name as your password.

9. Check who you're giving information to

If you're asked to give personal information or financial details online, always double check where the request is coming from.

Why it matters

Scams, fraud and phishing emails all attempt to trick you into giving away your personal information or your financial details — often by pretending to be a legitimate business, like a bank. Don’t give out personal information online unless you know who’s asking for it and why.

What to do

Stop and check before you give out any personal information. Make sure you know how the companies you deal with will contact you, and know what kind of information they’ll ask you for. For example, a bank will never email you with links to online banking and ask you to log in.

If you’re not sure why you’re being asked for information, call the company directly to check what they want it for. Businesses are legally obliged to only ask for information they need.

If you get any requests via email or text message for personal or financial details that you're unsure about, do some checks before giving your information away. For example, if your insurance company asks you for information online, phone them or, if you can, visit your local branch to query their request first.

10. Check your bank statements

Keep an eye on your bank statements for suspicious activity, such as purchases or transfers between accounts that you aren’t expecting. If you see any unusual activity, contact your bank immediately.

Why it matters

Seeing someone else transferring funds in your bank account or making unexpected charges to your credit card could be the first tip-off you get that someone has access to your accounts or credit card information.

What to do

Keep an eye on your bank accounts and credit cards — check your statements regularly.

Ring the bank and query any suspicious payments or withdrawals as soon as you see them.

11. Get a credit check

A credit check gives you information about your financial history, such as bill payments, use of credit or any debt you've taken on. It's something landlords might check before renting you a house, or banks or car companies might look at to decide whether to let you borrow money.

Why it matters

Credit checks can also show you if someone else is using your personal details to get loans or credit for big purchases, like a car. Often, the first you’ll hear of this kind of activity is when you’re refused credit for something or when a debt collector turns up at your door. Keeping tabs on your credit record could alert you to unauthorised activity sooner.

What to do

Get a credit check done annually – you can request a free report from any of the three providers:

  • Centrix
  • Equifax
  • illion

If you see anything suspicious, follow it up straight away. Ring the bank or the finance company to let them know what’s going on and ask what they can do to help. You can also ask the credit report company to suppress your credit information while you get it sorted out.
