1. Back up your data
Backing up the data on your devices — by copying it to another, separate location — is one of the most important things you can do.
Why it matters
If you’re targeted by an online attack you may not be able to access or use your computer, phone, or any of your other devices. But if you’ve backed your data up you will still have access to a copy, no matter what ends up happening to your device.
What to do
Back up your data regularly — for example, every week. You can:
get an external hard drive and do an 'offline' or 'cold' backup, and/or
sign up to a cloud-based service like Dropbox, iCloud, Google Drive or OneDrive and do a cloud backup.
2. Update regularly
When you’re alerted to an update for your device or one of your apps, don’t ignore it — install it as soon as possible.
Why it matters
Updates aren’t just about adding new features. They’re also about fixing vulnerabilities in a device or an app that attackers could find and use to gain access to your system.
What to do
Run updates when you're notified of them, or set your system preferences to update them automatically — then you don’t have to think about it.
If you don't use an app anymore, remove it from your devices.
If your device can’t receive security updates anymore, upgrade to a newer model as soon as you can.
3. Use different passwords on everything
We know it's easier to use the same password for all of your accounts, or stick to two or three that you use in lots of places. But it opens you up to risk.
Why it matters
If an attacker gets access to one of your account passwords, it often gives them access to many of your other accounts as well. This can happen easily, whether it's from a company's data being breached, phishing attacks or if you share a password with someone.
What to do
Use a different password for every online account you create – this should be totally different, not just changing a symbol or number.
Try using a password manager, which will store and manage your passwords for you. The password manager will be the only account you need to remember login details for.
Think about using a short phrase or add a few random words together to create a passphrase, rather than a password.
Passphrases are usually stronger and easier to remember than passwords.
You can add a mix of letters, numbers and symbols to make your passphrase more complex, for example 'Wint3r here 1s warmer than Summ3r'.
Review the passwords for some of the accounts you’ve had for a while – they probably have weaker or reused passwords.
Keep your data safe with a password manager
4. Turn on two-factor authentication
With two-factor authentication (2FA), you can choose to have a code sent or generated on your device, like your phone, that you can use to authenticate who you are every time you log in. This can also be called:
- multi-factor authentication (MFA)
- two-step verification
- two-step authentication.
Why it matters
Even if someone gets access to the password for one of your accounts, they won't be able to access it if they don’t have your phone to receive the 2FA code.
What to do
Turn on two-factor authentication, especially for your important accounts, like your email and social media accounts.
If several types are available, choose the option that isn’t a text message, as texts are less secure types of 2FA – though they're still safer than no 2FA.
Use two-factor authentication to protect your accounts
5. Be creative with account recovery questions
When you set up a new account online, you’re often asked for an ‘account recovery question’. These are used as a way to identify you if you forget your password and need a prompt. They’re often based on things that are easy for you to remember — like your mother’s maiden name, the name of your first pet or where you went to school.
Why it matters
Unfortunately, these are also easy things for an attacker to find out, and could be used to gain access to your accounts without your knowledge.
What to do
Be creative when setting answers to account recovery questions. Instead of being honest about what school you went to, for example, you could say 'Hogwarts' instead. As long as it’s something that you can remember, you can set any answer you like.
Don't do the quizzes that sometimes go around on social media asking personal questions – these are often ways for scammers to get information about you, to help them gain access to your personal accounts.
6. Take care on public WiFi networks
Using free public WiFi networks or hotspots, like in a cafe, can be convenient and help you save on data costs. But they're often not secure.
Why it matters
When a network’s unsecure, anyone can access it and get hold of your data. Doing private transactions in public also puts you at risk of people ‘shoulder surfing’ — looking over your shoulder to try to see the login details for your online accounts.
What to do
It’s ok to check the news or the weather on a public WiFi network, but try to keep more sensitive transaction use to a minimum.
Avoid doing online shopping or internet banking on free WiFi or an unsecure network.
If you need to check your email, make sure you have two-factor authentication set up first.
Use your own device where possible, not someone else’s.
7. Install antivirus software and scan for viruses regularly
Antivirus software can help you detect and remove viruses from your computer system before the virus has a chance to do any damage.
Why it matters
Viruses, ransomware and malware can destroy or lock you out of your devices. Antivirus software can notify you of them before they have a chance to go all through your system or network.
What to do
Install an antivirus program on your computer. If you’re not confident doing this yourself, a computer services company can do it for you.
Run it regularly, for example every week, and clean up any viruses it identifies.
Tell your IT person about any viruses you’ve found the next time you see them.
Supported versions of Microsoft Windows come with a free antivirus called Windows Defender. Otherwise, get a legitimate antivirus from a well-known, trusted company — your local computer services company can give you advice on what would work best for you.
Don’t just download any free antivirus software online, as many of the ones you see advertised for free are fake. They could download malware or adware onto your computer instead of helping you detect and remove it.
8. Be smart about social media
We’re so used to sharing things online that we don’t really think about it anymore. Everyone knows your pet's name, where you went to school, where you work, and even when you’re away on holiday.
Why it matters
The information you post to your Facebook profile, your Twitter feed or your Instagram account to keep your friends and family up to date could be used to steal your identity, hack into your online accounts or see that you're on holiday and your house might be empty and easier to steal from.
What to do
Check the privacy controls on your social media accounts. Set them so only your friends and family can see your full details.
Don’t put too much personal information on your social media accounts.
Remember our tip about passwords. If you share pictures of your dog on Facebook, make sure you’re not also using your dog’s name as your password.
9. Check who you're giving information to
If you're asked to give personal information or financial details online, always double check where the request is coming from.
Why it matters
Scams, fraud and phishing emails all attempt to trick you into giving away your personal information or your financial details — often by pretending to be a legitimate business, like a bank. Don’t give out personal information online unless you know who’s asking for it and why.
What to do
Stop and check before you give out any personal information. Make sure you know how the companies you deal with will contact you, and know what kind of information they’ll ask you for. For example, a bank will never email you with links to online banking and ask you to login.
If you’re not sure why you’re being asked for information, call the company directly to check what they want it for. Businesses are legally obliged to only ask for information they need.
If you get any requests via email or text message for personal or financial details that you're unsure about, do some checks before giving your information away. For example, if your insurance company asks you for information online, phone them or, if you can, visit your local branch to query their request first.
Protecting your privacy online
10. Check your bank statements
Keep an eye on your bank statements for suspicious activity, such as purchases or transfers between accounts that you aren’t expecting. If you see any unusual activity, contact your bank immediately.
Why it matters
Seeing someone else transfer funds in your bank account or making unexpected charges to your credit card could be the first tip off you get that someone has access to your accounts or credit card information.
What to do
Keep an eye on your bank accounts and credit cards — check your statements regularly.
Ring the bank and query any suspicious payments or withdrawals as soon as you see them.
11. Get a credit check
A credit check gives you information about your financial history, such as bill payments, use of credit or any debt you've taken on. It's something landlords might check before renting you a house, or banks or car companies might look at to decide whether to let you borrow money.
Why it matters
Credit checks can also show you if someone else is using your personal details to get loans or credit for big purchases, like a car. Often, the first you’ll hear of this kind of activity is when you’re refused credit for something or when a debt collector turns up at your door. Keeping tabs on your credit record could alert you to unauthorised activity sooner.
What to do
Get a credit check done annually – you can request a free report from any of the three providers:
- Centrix
- Equifax
- illion
If you see anything suspicious, follow it up straight away. Ring the bank or the finance company to let them know what’s going on and ask what they can do to help. You can also ask the credit report company to suppress your credit information while you get it sorted out.
Resources
Top 11 tips for online security: Infographic [PDF, 408 KB]
Translated resources
Top tips for online security: English [PDF, 99 KB]
Top tips for online security: Hindi [PDF, 177 KB]
Top tips for online security: Korean [PDF, 178 KB]
Top tips for online security: Māori [PDF, 156 KB]
Top tips for online security: Punjabi [PDF, 167 KB]
Top tips for online security: Samoan [PDF, 163 KB]
Top tips for online security: Simplified Chinese [PDF, 382 KB]
Top tips for online security: Tongan [PDF, 195 KB]
Top tips for online security: Traditional Chinese [PDF, 221 KB]