Digital Safety Guide 2026: Complete Security Checklist

40+ actionable tips to lock down your digital life and protect yourself from every type of online threat.

15 min read Updated: July 2026 ScamSense Security Team

In 2026, the average person has dozens of online accounts, stores sensitive documents in the cloud, banks on their phone, and shops from multiple devices. Each touchpoint is a potential vulnerability. But digital security doesn't have to be complicated — these 40+ practical tips, organised into clear categories, will give you comprehensive protection without requiring technical expertise.

80% Of breaches involve weak or stolen passwords
99.9% Of attacks blocked by multi-factor authentication
$4.45M Average cost of a data breach (IBM 2023)

Why Digital Safety Has Never Been More Important

We have never been more digitally connected — or more exposed. The average person has 100+ online accounts, carries a device containing banking apps, personal photos, health data, and financial documents, and spends significant time on platforms that actively harvest personal data. Meanwhile, the tools available to cybercriminals — AI-generated phishing, deepfakes, automated credential stuffing — have never been more powerful or accessible.

The good news is that the vast majority of cyber incidents targeting individuals exploit a small set of well-known vulnerabilities: reused passwords, unpatched software, and susceptibility to social engineering. Addressing these three areas substantially reduces your risk. The checklist below is ordered by impact — start at the top and work down.

Do These 5 Things Today
  • Enable 2FA on your email account — your most important account
  • Install a password manager and change your most-reused passwords
  • Run Windows Update / check for iOS or Android updates
  • Check haveibeenpwned.com to see if your email was in a data breach
  • Download ScamSense to check any suspicious messages before responding

Device Security Checklist (10 Essential Steps)

1

Enable Automatic Software Updates

Every day you delay a security update is a day cybercriminals can exploit known vulnerabilities. Enable automatic updates for your operating system (Windows, macOS, Android, iOS), web browser, and all major applications. The 2017 WannaCry ransomware attack — which infected 300,000 computers and cost £92 million in NHS alone — exploited a Windows vulnerability that had been patched two months earlier. The victims simply hadn't updated.

2

Install Reputable Security Software

A good security app provides real-time protection against malware, ransomware, phishing sites, and malicious downloads. On Windows, Microsoft Defender (built-in) provides solid baseline protection. For additional coverage, consider Bitdefender or Malwarebytes. On Android, install Google Play Protect plus a security app. iPhones have strong built-in protection, but be cautious about phishing regardless of device.

3

Use a VPN on Public WiFi

Public WiFi networks — in cafes, hotels, airports, and libraries — are shared and potentially monitored. A VPN (Virtual Private Network) encrypts all traffic between your device and the internet, protecting your data from interception. Use a reputable paid VPN service (avoid free VPNs, which often monetise your data). Always connect your VPN before accessing banking, email, or any sensitive service on public networks.

4

Enable Full-Disk Encryption

If your device is lost or stolen, full-disk encryption prevents anyone from accessing your data without your password or biometric. On Windows, enable BitLocker. On Mac, enable FileVault. Android devices running Android 10+ encrypt by default. iPhones are encrypted when a passcode is set. This single step ensures that a stolen phone or laptop cannot expose your personal data, banking apps, or stored documents.

5

Set Up Biometrics and Strong Device PIN

Use facial recognition or fingerprint authentication to unlock your devices — it's both faster and more secure than typing a PIN for every unlock. Set a strong PIN (6+ digits, not a birth date) as the fallback. Enable auto-lock after 30 seconds or 1 minute of inactivity. This prevents anyone who picks up your unlocked phone from accessing your apps and data.

6

Review App Permissions Regularly

Apps frequently request far more permissions than they need. A flashlight app does not need access to your contacts, location, or microphone. Audit your app permissions quarterly: on Android, go to Settings > Privacy > Permission Manager. On iOS, go to Settings > Privacy & Security. Revoke any permissions that don't make sense for the app's function. This limits the data available if an app is compromised or sold to a malicious buyer.

7

Enable Remote Wipe

If your device is lost or stolen, remote wipe lets you erase all data remotely before it can be accessed. On iPhone, enable Find My iPhone. On Android, enable Find My Device. On Windows, enable Find My Device in Settings. Test that you can locate and remotely lock the device before you need to rely on it. This is especially critical for devices used for work or banking.

8

Secure Your Home Router

Your home router is the gateway to all your connected devices. Change the default admin password to something strong and unique. Enable WPA3 encryption if your router supports it (WPA2 at minimum). Disable remote management unless you specifically need it. Update the router firmware — most router manufacturers release security patches, but few routers auto-update. Consider a separate guest network for smart home devices and visitors.

9

Avoid Public USB Charging Ports (Juice Jacking)

Public USB charging ports in airports, hotels, and shopping centres can be modified to steal data from connected devices — a technique called "juice jacking." In 2026, modified charging cables sold cheaply online pose a similar risk. Carry your own charger and use a mains socket whenever possible. Alternatively, carry a portable power bank. If you must use a public USB port, use a USB data blocker (power-only adapter) that blocks data transfer.

10

Enable Your Firewall

A firewall monitors and controls incoming and outgoing network traffic based on security rules. On Windows, ensure Windows Defender Firewall is enabled. On Mac, go to System Preferences > Security & Privacy > Firewall and turn it on. Your router also has a built-in firewall — ensure SPI (Stateful Packet Inspection) is enabled in router settings. Firewalls provide an additional barrier against network-based attacks.

Account & Password Security (8 Critical Steps)

11

Use a Password Manager

A password manager generates and stores unique, complex passwords for every site — you only remember one master password. This eliminates the practice of reusing passwords across multiple sites, which is how one compromised account becomes dozens. Bitwarden is free and open-source. 1Password and Dashlane are excellent paid options. Many now offer passkey support for even stronger authentication.

12

Enable 2FA on Every Important Account

Two-factor authentication requires a second proof of identity beyond your password. Start with your email (most critical), then banking, social media, and shopping accounts. Use an authenticator app (Google Authenticator, Authy, Microsoft Authenticator) rather than SMS where possible, as SMS can be intercepted through SIM swap attacks. Store backup codes in a safe location offline.

13

Never Reuse Passwords

When a service you use is breached, your email/password combination is added to criminal databases and automatically tested against hundreds of other sites in "credential stuffing" attacks. If you use the same password on multiple sites, one breach gives attackers access to all of them. Password managers make unique passwords for every site effortless.

14

Use a Dedicated Email for Financial Accounts

Create a separate email address used only for banking, investment, and financial accounts. Never use this address for shopping, newsletters, or social media. This significantly reduces its exposure in data breaches and phishing campaigns, and makes it much easier to notice genuine banking communications versus spam.

15

Review Active Sessions and Connected Apps

Periodically check which devices are logged into your accounts (most email, banking, and social platforms show this under Security settings). Log out any sessions you don't recognise. Also audit which third-party apps have access to your accounts — revoke permissions from apps you no longer use. These background access points are often overlooked vulnerabilities.

16

Set Up Login Alerts

Enable email or push notification alerts for login activity on your important accounts, especially email and banking. Most platforms offer this under Security or Notifications settings. Immediate alerts let you respond quickly to unauthorised access — change your password and revoke the session before any damage can be done.

17

Check for Data Breach Exposure

Your email address may already be in criminal databases from past breaches. Visit haveibeenpwned.com and enter your email addresses to check. If your email has appeared in a breach, change the password for that service immediately and any other accounts using the same password. Sign up for alerts to be notified of future breaches.

18

Use Passkeys Where Available

Passkeys are the next generation of authentication — they replace passwords entirely with cryptographic keys stored on your device. They are phishing-resistant by design (they only work on the legitimate site), can't be stolen in database breaches (servers store only the public key), and are easier to use than passwords with 2FA. Enable passkeys on Google, Apple, Microsoft, and any other account that supports them.

Safe Browsing Habits (7 Steps)

19

Check URLs Before You Click or Enter Data

Phishing sites use URLs that look similar to legitimate ones: "paypa1.com," "amazon-security-center.com," "hsbc-online-banking.co.uk." Always check the full URL in the address bar, not just the page content or email link text. Hover over links before clicking to see the actual destination. When in doubt, navigate directly by typing the address.

20

Keep Your Browser Updated and Use Security Extensions

Your browser is the primary interface between you and the internet and a major attack vector. Always keep it updated. Install extensions like uBlock Origin (ad and tracker blocking) and a reputable password manager extension. Consider Privacy Badger for additional tracker protection. Be extremely selective about which extensions you install — malicious browser extensions are a significant threat vector.

21

Be Cautious with Email Attachments

Malicious email attachments are one of the most common malware delivery methods. Never open attachments from unexpected emails, even from known contacts (their account may have been compromised). Be especially wary of zip files, documents requesting you enable macros, and executable files. When in doubt, contact the sender through a separate channel to verify they sent the attachment deliberately.

22

Use ScamSense to Check Suspicious Links and Messages

Before clicking any link or responding to any unexpected message — especially those offering prizes, job opportunities, deliveries, or financial alerts — scan it with ScamSense. The AI analyses the content against thousands of known scam patterns and gives you an instant risk assessment. It's free, takes seconds, and can prevent a devastating mistake.

23

Enable HTTPS-Only Mode

HTTPS encrypts the connection between your browser and websites. Enable HTTPS-Only mode in your browser settings to automatically upgrade connections and warn you about unencrypted sites. While HTTPS is now nearly universal, unencrypted HTTP connections still exist and should be treated with extra caution, especially on public networks.

24

Shop Only on Established, Verified Retailers

Fake online shops are a growing problem. Before purchasing from an unfamiliar retailer, verify: the company has a real, verifiable address; genuine contact details including a phone number; clear returns and refund policies; and positive reviews on independent platforms (not just their own site). Pay by credit card for the strongest fraud protection, and be especially sceptical of deals offered through social media ads.

25

Clear Cookies and Cache Regularly

Cookies track your browsing behaviour across sites and can accumulate sensitive session data. Clearing cookies and cache regularly reduces tracking, removes potentially exploitable stored data, and resolves some security risks from compromised sessions. Set your browser to clear these on exit, or schedule a monthly manual clear.

Public WiFi Warning

Never access banking apps, online shopping, or email on public WiFi without a VPN. Even in legitimate businesses like hotels and coffee shops, public networks can be monitored. "Evil twin" attacks create fraudulent WiFi networks with legitimate-sounding names to intercept traffic. When you must use public WiFi, a VPN is essential.

Social Media Safety (6 Steps)

26

Restrict Profile Visibility to Friends Only

Set all social media profiles to private or "Friends only." Scammers mine public profiles for personal details — date of birth, employer, family names, location, upcoming holidays — used to craft convincing personalised scams. Your birthday should never be publicly visible: it's a key identity verification question for many financial institutions.

27

Don't Accept Connections from Strangers

Romance scammers, investment fraudsters, and data harvesters frequently initiate contact through friend requests or connection invitations. Before accepting, check how many mutual connections you share, whether their profile looks genuine (photos, consistent history, realistic connections), and whether you have any real-world reason to know them.

28

Don't Post About Upcoming Travel

Announcing holiday plans before or during your trip tells opportunistic criminals that your home is unoccupied. It also provides social engineering ammunition: "Your son is in Spain right now, isn't he?" Share travel memories after you return, or restrict visibility to a small trusted circle.

29

Enable Login Approvals on Social Accounts

Social media account takeover is increasingly common and used to scam your friends — the compromised account sends fraudulent investment or emergency money requests to all contacts. Enable login approvals (2FA) on Facebook, Instagram, Twitter/X, LinkedIn, and TikTok. Also enable alerts for logins from new devices or locations.

30

Be Sceptical of Social Media Quizzes and "What's Your X?" Posts

"What's your porn star name? Your first pet + your mother's maiden name." These viral posts are often designed to harvest common security question answers. Never participate in quizzes that ask for information matching typical security questions (mother's maiden name, first car, childhood school, first pet).

31

Verify Charity Fundraising Before Donating

Social media fundraising pages can be fraudulent, particularly in the wake of disasters and emergencies. Verify charity registration through the Charity Commission (UK) or Charity Navigator (US). Donate through established platforms with identity verification rather than direct bank transfers to individuals.

Financial Security Online (6 Steps)

32

Enable Transaction Alerts on All Bank Accounts

Set up instant push notification or email alerts for every transaction on your bank accounts and credit cards. This lets you spot fraudulent charges immediately — giving you the best chance of recovery. Most banks offer free real-time alerts through their mobile apps. Set the threshold as low as possible (£1 or equivalent).

33

Check Your Credit Report Regularly

Request your credit report from all three major agencies (Experian, Equifax, TransUnion in the UK; Equifax, Experian, TransUnion in the US) at least once a year. Look for accounts you didn't open, credit inquiries you didn't make, or addresses you don't recognise — these can indicate identity theft. Many banks and credit card providers now offer free credit monitoring.

34

Pay by Credit Card Online

Credit cards offer stronger fraud protection than debit cards for online purchases. In the UK, Section 75 of the Consumer Credit Act protects purchases between £100-£30,000 — making your credit card company jointly liable with the merchant. Use a dedicated credit card (not debit) for all online purchases and set a low credit limit to minimise exposure.

35

Verify New Payees Before Transferring Money

Before making any bank transfer to a new payee — for a purchase, rental deposit, invoice payment, or any other reason — triple-check the account details are correct. Invoice fraud involves intercepting legitimate invoices and changing the bank details. Always call the recipient on a known number to verbally confirm account details before a significant transfer.

36

Verify Investment Platforms with Financial Regulators

Before investing any money through an online platform, verify it is registered with the FCA (UK) at register.fca.org.uk or the SEC (US) at investor.gov. Unregistered platforms have no regulatory oversight and no obligation to return your funds. Also search for the platform name plus "scam" or "complaint" to check for victim reports.

37

Use Virtual Card Numbers for Online Shopping

Many banks and services (including Apple Card, Privacy.com, and certain UK banks) offer virtual card numbers — temporary or merchant-specific card numbers linked to your real account. If a virtual card number is stolen, you simply cancel that number without affecting your actual card or account. This significantly limits the damage from e-commerce data breaches.

Building a Family Digital Safety Plan

Digital security is most effective when the whole family is aligned. A single compromised account or device can expose everyone's data. Here's how to build a family safety framework:

1

Establish a family code word for emergency verification

Create a unique word or phrase that family members use to verify emergency calls. If you receive a panicked call from someone claiming to be a family member in crisis, asking for the code word will immediately reveal whether the call is genuine or a scam (such as the grandparent scam using AI voice cloning).

2

Set up parental controls for children

Use built-in parental controls on devices to restrict exposure to inappropriate content, limit screen time, prevent app installations, and monitor activity. On Android, use Google Family Link. On iPhone, use Screen Time. Most routers also offer DNS-based filtering that can block malicious domains for all devices on the network.

3

Help elderly relatives with their digital security

Set up 2FA on a trusted elderly relative's email and banking accounts during a visit. Install ScamSense on their phone and show them how to use it. Add yourself as a trusted contact on their bank account (with their permission) so you can help if they're targeted. Have regular conversations about any suspicious contacts they've received.

4

Create a shared "suspicious contact" reporting system

Establish a family group chat or regular check-in where anyone can share suspicious messages or contacts they've received. This collective awareness means the family learns quickly about new scam tactics targeting your household, and no one faces potential fraud alone.

Key Takeaways
  • Enable 2FA on your email account first — it's the master key to everything else
  • Use a password manager with unique passwords for every account
  • Keep all software, apps, and operating systems updated automatically
  • Never use public WiFi for banking without a VPN
  • Set all social media profiles to private and avoid posting personal details
  • Enable transaction alerts on all bank accounts and credit cards
  • Establish a family code word for verifying emergency calls
  • Install ScamSense to check any suspicious message before responding

Frequently Asked Questions

Do I need antivirus software on my smartphone?
While Android and iOS have built-in security features, a reputable mobile security app adds meaningful protection against malicious apps, phishing links, and unsafe WiFi networks. For Android, Google Play Protect provides baseline scanning, but dedicated apps like Bitdefender Mobile Security offer additional layers. iPhones have strong baseline protection, but phishing remains a threat on any device.
Is two-factor authentication really necessary?
Yes — extremely. Microsoft security research shows that enabling 2FA blocks 99.9% of automated account compromise attacks. Even if a scammer steals your password through a data breach or phishing, they cannot access your account without the second factor. Enable it on every account that offers it, especially email and banking.
What is a password manager and is it safe?
A password manager is software that generates unique, complex passwords for every website and stores them securely behind a single master password. Leading options like Bitwarden (free) and 1Password use military-grade encryption. They are significantly safer than reusing passwords, which enables credential stuffing attacks when one service is breached.
How do I know if my phone or computer has been hacked?
Signs of compromise include: unexpected battery drain or data usage, apps you didn't install, accounts receiving password reset emails you didn't request, contacts receiving messages from you that you didn't send, or your device becoming unusually slow. Run a security scan and change your passwords immediately if you suspect compromise.
Is public WiFi safe to use?
Public WiFi is inherently risky for sensitive activities. On an unprotected network, other users can potentially intercept traffic. Use a VPN to encrypt all your data when connecting to public WiFi. Avoid accessing banking, email, or entering payment details on unsecured networks.
What is juice jacking?
Juice jacking is an attack where a public USB charging port has been compromised to steal data from connected devices. Use your own charger and power adapter, carry a portable power bank, or use a USB data blocker if you must use public charging ports.
How often should I change my passwords?
Current security guidance advises against forced regular changes — they lead to weaker passwords. Change a password when you know or suspect it has been compromised, when a service notifies you of a breach, or if you used the same password across multiple sites. Use haveibeenpwned.com to check breach status.
What should I do if I receive a data breach notification?
Change the password for the breached service immediately. Change the password on any other account where you used the same password. Enable 2FA on the breached account. Monitor your financial accounts and credit file for suspicious activity.
How do I create a family digital safety plan?
A family digital safety plan should include: a family verification code word for emergency calls, agreed rules about sharing personal information online, age-appropriate parental controls for children, regular check-ins about suspicious messages, and at least one designated trusted adult children can approach if they encounter something concerning online.
What is the most important thing I can do to stay safe online today?
The single highest-impact action is to enable two-factor authentication on your email account. Your email is the master key to all your other online accounts. Download an authenticator app, go to your email security settings, and enable 2FA right now.

Your First Line of Digital Defence

ScamSense is the AI tool that checks suspicious messages, links, and screenshots before they can harm you. Free, instant, and private.

Download ScamSense Free

Related Guides