Are you worried your ex might have invaded your Facebook account? That your computer is being held hostage by ransomware? Or that hackers are pillaging your bank account?
This manual explains how to protect yourself from hackers, in layman’s terms. Six professional hackers 👨💻 helped create this guide.
Watch Your Hack doesn’t guarantee complete and total safety. Such a thing doesn’t exist on the internet. You can, however, make life as difficult as possible for hackers and viruses by using these tips.
Now, before we start: don’t go cowering behind your computer. The chances of a hacker targeting you in particular are very slim. Most dangers stem from the fact that many people lack general knowledge about the internet and computers, which can be exploited. So let’s get you up to speed with the most important information. 👍
Hackers generally exploit vulnerabilities on the internet or in the devices we own. There are roughly two kinds of hackers: white hat and black hat. White hat hackers 🤠 seek out (and sometimes publish) vulnerabilities to get companies to fix them, making the internet a little bit safer, one discovery at a time.
When the media covers hackers, it’s usually black hat hackers 😈. The kind without good intentions, who might be looking for ways to steal money or gain access to devices to spy on people. They could also be interested in sensitive files, such as nude pictures or a copy of your passport.
There are also hackers who try to gain access to other people’s devices for, well, fun. These (mostly young) people think of hacking as mere mischief. They should still be taken seriously though, despite their seemingly innocent motives.
Finally, some hackers work on behalf of governments. Hackers employed by secret services 🕵️ or the police 👮 are the most dangerous kind, but pose no threat to most people. They usually hack terrorists, criminals and hostile regimes.
Hackers often start by stealing your password. Sometimes there just isn’t much you can do about this. If a website where you have a profile or account gets hacked, for instance, hackers could use your password and attempt to log into your other accounts, such as your Gmail.
You might have also given out your password by accident. This happens via phishing, which is a type of internet fraud that criminals use to try and get their hands on specific login information. You’ve likely received a phishing email before. This might have been a fake message about your bank account being blocked or a reminder about a non-existent bill you haven’t paid.
Hackers also use email attachments. When you open an attachment that contains a virus, your computer gets infected. This method is often used for spreading ransomware: a type of virus that renders your device inoperable by locking all of your files. The hackers will then demand money in exchange for handing over control of your files back to you.
Viruses, also referred to as malware, spread through downloads as well, such as torrents or installation files for a piece of software you want to use. You might think you’re downloading a movie or some software that helps keep your computer fast and tidy, but in reality you’re endangering yourself by reeling in a virus.
A virus could also just end up on your computer through online ads and websites that have been hacked. Even trusted websites can, unknowingly, spread viruses. If you don’t update your software and your computer, you’re at risk of being infected by these kinds of viruses.
Hackers can also infect your computer by using a flash drive. This method is less prevalent, but still poses a substantial risk. It could be a flash drive that you just ‘found’ on the street or that was given to you by someone. Anyone with harmful intent can just pop one into your computer if you’ve gone off for a quick toilet break.
Now that you know what hackers are and how they usually try to gain access, you can start applying some tips 💡. These are the basics: a simple list of measures everyone should take.
Lots of people consider updating to be time-consuming. In some cases that’s true, but it’s also the most important form of protection ❗ against hackers. Many hacks succeed because they exploit out-of-date software, which contains vulnerabilities that security updates have already fixed.
The older the software, the easier it is for hackers to gain access.
Software runs on all kinds of devices: Windows or MacOS on your computer or laptop, and Android or iOS on your mobile devices. Even your router and other smart devices in your home run software. Make sure to check those regularly - once a week - in case there are updates available for your devices, and install them as soon as possible ⏰. In some cases updates can be installed automatically. Windows, MacOS and the Google Chrome internet browser support this feature.
It’s also important to update your apps and the software installed on your computer, such as your internet browser, PDF reader and Microsoft Office. You will often receive a notification if a new version is available.
Nowadays you need an account for practically every website or app, and all of them require passwords. As human beings we have trouble remembering lots of different passwords, so we often resort to using the same one for several accounts.
While that does make things a lot easier to remember, it’s also very very dangerous ⚠️. If a hacker gets a hold of your Spotify password, you wouldn’t want that hacker to be able to gain access to your bank account as well. And if you share your Netflix password with a friend, that person shouldn’t be able to use it to log into your Gmail or Facebook.
That’s why it’s very important to use a different password for each website, app and service. Simply changing one digit 1️⃣ or letter 🅰️ won’t do. Those kinds of variations are easy to guess. Thankfully there’s a handy solution for this problem: password managers.
A password manager stores all of your passwords in a digital vault 🔑 and secures them with one single master password. That way, you only have to remember one password to access all of your accounts. These apps can easily generate very complicated passwords, like 6ur7qvsZpb0ZkcuSW1u!V8ng!L^lb. A password like that can’t be guessed or cracked.
Password managers can also fill out your login information when you’re visiting a website for which you have a password stored. This alone protects you from a lot of attacks. If a website address is incorrect, such as wellsfargo.mybanklogin.com, the password manager won’t fill out your Wells Fargo login information. You can also use a password manager to save notes 📓, such as login codes, secret keys and answers to secret questions.
Good password managers are LastPass, 1Password and KeePass. If you’ve never used a password manager before, trying the free version of LastPass is a great way to get started.
LastPass is a clean password manager with a lot of features, including an internet browser extension to generate passwords and enter your login information. LastPass has good apps for basically every operating system and works great even if you’re sticking to the free version. The paid version gives you one gigabyte of storage space for sensitive documents and the option to share passwords with other people.
1Password is known for its sleek design and is optimised for use on Apple devices, like your iPhone and Macbook. The app recently got a handy internet browser extension (1Password X) that generates passwords and fills them out for you when visiting websites you can log into. A 1Password subscription works with a special type of security (a secret key), requiring you to fill out dozens of numbers and letters to gain access to your account.
KeePass is viewed as the safest password manager, because many security experts use the app and draw on their expertise to make it even safer. The downside is that the app looks quite old-fashioned, like some ancient Windows XP software. Fortunately the KeePass community is full of passionate developers who make great looking apps for KeePass, such as MacPass for MacOS. A good alternative is KeePassXC, in many ways a better and more complete version of KeePass, which is also being updated by a group of enthusiastic developers.
Bitwarden has become very popular over the last few years. It’s a fully open service, there’s a good app for practically every platform and, last but not least, it can be used for free. You can even share passwords with your partner or a family member, a feature that you have to pay for in most other password managers. If you want to share passwords with more than one person, you have to pay 1 USD per month, which also gets you 1 gigabyte of storage space for your files. Technically savvy users can choose to manage their own Bitwarden cloud.
You might think: is a digital safe, well, safe? That’s a good question, and an understandable concern. LastPass has been hacked twice, for instance. Passwords have never been stolen though, because those are stored in a very secure digital vault.
Websites and apps often ask you to use a password with digits and numbers. But what’s a strong password? Many people consider [email protected] to be one, but in reality it’s quite easy to crack 🔨 for hackers. That’s why you might want to consider thinking in passphrases instead of passwords.
Phrases are long but easy to remember, which are two prerequisites for a good password. A passphrase like I eat 2 whole pizzas every week is easy to remember and quite difficult to crack. Don’t hesitate to use spaces in your passwords; it’s an option that often gets overlooked.
It’s also possible to create a password by putting seemingly random words together. Use Diceware if you choose to do so. Diceware is currently the safest way to create a password you can actually remember.
For all other accounts, generate passwords of 20 characters or more and let the password manager store these passwords for you.
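To make the Diceware idea concrete, here is an added example (not part of the original guide) that picks words uniformly at random from a word list, the way five dice rolls index a real Diceware list, and compares the resulting entropy with that of short random passwords. The word list is a constructed stand-in; a real Diceware list has 7776 entries, one for every possible roll of five dice.

```python
import math
import secrets

# Constructed mini word list for illustration only. A real Diceware list has
# 7776 words, one for every possible roll of five six-sided dice (6**5).
SAMPLE_WORDLIST = [
    "abacus", "ballad", "cactus", "dahlia", "eagle", "fable", "gadget", "hammer",
    "igloo", "jigsaw", "kettle", "lantern", "magnet", "nickel", "orbit", "pepper",
]
FULL_DICEWARE_SIZE = 6 ** 5  # 7776


def diceware_passphrase(wordlist, n_words=6, chooser=secrets.choice):
    """Pick n_words uniformly at random from the list and join them with spaces.

    With a paper list you roll five dice per word; secrets.choice is the
    software equivalent (uniform, backed by the OS random source). Never use
    the `random` module for this: it is predictable and unsuitable for secrets.
    """
    return " ".join(chooser(wordlist) for _ in range(n_words))


def entropy_bits(pool_size, length):
    """Entropy of `length` independent, uniform picks from `pool_size` options."""
    return length * math.log2(pool_size)


def years_to_exhaust(bits, guesses_per_second=1e10):
    """Worst-case time to try every possibility at a given offline guess rate."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    print("passphrase:", diceware_passphrase(SAMPLE_WORDLIST))
    # Six words from a full Diceware list versus random passwords drawn from
    # the 94 printable ASCII characters (a memorable sentence you make up
    # yourself is not uniformly random, so no entropy figure applies to it).
    for label, pool, length in [("6 Diceware words", FULL_DICEWARE_SIZE, 6),
                                ("8 random printable characters", 94, 8),
                                ("29 random printable characters", 94, 29)]:
        bits = entropy_bits(pool, length)
        print(f"{label}: {bits:.1f} bits, "
              f"{years_to_exhaust(bits):.2e} years at 1e10 guesses/s")
```

The guess rate of 1e10 per second is an assumed figure for an offline attack on a fast hash; the point is the ratio between the rows, not the absolute number of years.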
The iCloud Keychain is a handy way to save passwords if you want to stick to using Apple products 🍏 . Keychain can generate passwords and automatically fill them out when you need them. The options are somewhat limited when compared to other password managers, but Keychain is a safe choice, if - and that’s a big if - you secure your iCloud account with a strong password and two-factor authentication.
Browsers like Chrome and Firefox offer the option to save passwords. It’s a pretty easy way to log into websites you use often, but the downside is that browsers usually generate weak passwords. A password manager is a better choice.
Pen and paper 📝 can also be used as a password manager. Make sure to use unique passwords and store them with care. And create a copy that you store in a physical vault, should you need a backup. When you’re expecting company - like friends, family, a mechanic or plumber - take extra care not to leave your list of passwords out in the open.
A useful tip is to have all of your passwords start with the same word, which you don’t write down in your password book. Simply remember it. If someone gets a hold of your password booklet, they still won’t be able to use any of the passwords you’ve written down, because they’re missing one essential component that’s safely stored in your brain.
No matter how strong your password is, it could still get stolen. That’s why it’s important to check whether your passwords have been stolen by hackers. The website Have I Been Pwned keeps track of hacked websites and warns you when your information pops up. With the single click of a button, you can see if any one of your accounts has been compromised. It’s recommended to do this every now and then, just to be safe.
If you sign up for Have I Been Pwned, you even get a notification 🔔 when the system detects your email address in stolen files. That way, you’ll know exactly which of your passwords has been stolen, based on the service or website it was taken from. If the site finds your email address amongst stolen files, you should immediately change the corresponding password. If you do that, the biggest threat - a hacker logging in using your password - has already been averted.
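Have I Been Pwned also offers a password check (Pwned Passwords) that never receives your password: only the first five characters of its SHA-1 hash are sent, and the site answers with every known hash suffix in that range. The example below is added here and is not the site’s own code; it performs the local half of that exchange offline against a constructed response in the same one-suffix-per-line format, so nothing is sent anywhere.

```python
import hashlib

# Constructed response in the format a Pwned Passwords range query returns
# (one "HASH-SUFFIX:COUNT" per line). The suffixes and counts are made up,
# except that the first line matches SHA-1("password") for the demo below.
SAMPLE_RANGE_RESPONSE = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
0D4AB0C5E3C3F0A7B2F18E0C0D9C1A2B3C4:2
1C2D3E4F5A6B7C8D9E0F1A2B3C4D5E6F7A8:17
"""


def pwned_range_query(password):
    """SHA-1 the password; only the first five hex characters would leave your machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body):
    """Turn the 'SUFFIX:COUNT' lines into a dict keyed by upper-case suffix."""
    counts = {}
    for line in body.splitlines():
        if ":" not in line:
            continue
        suffix, count = line.strip().split(":", 1)
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password, range_body):
    """Occurrences of the password in the range response (0 means not found)."""
    _prefix, suffix = pwned_range_query(password)
    return parse_range_response(range_body).get(suffix, 0)


if __name__ == "__main__":
    prefix, _ = pwned_range_query("password")
    print(f"would request range {prefix}; the 35-character suffix stays local")
    print("occurrences of 'password':", breach_count("password", SAMPLE_RANGE_RESPONSE))
```

A non-zero count means the password has appeared in a breach and should not be used anywhere; a zero count only means it is not in the corpus, not that it is strong.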
To limit the consequences of a stolen password, you can use two-factor authentication (2fa), which is a relatively new security method.
You can activate two-factor authentication via the services you use, if they support it. After logging in with your username and password, from now on you’ll have to complete a second step. Usually, the service will ask you to enter a code that’s been sent to your smartphone (using text messages or so-called authentication apps).
Why go through all this trouble? If a hacker manages to get your login information, that person will also need the code that is sent to your phone as soon as they try to log in. It’s highly unlikely that they can access your phone as well ⛔. Two-factor also alerts you to malicious login attempts, for instance when you receive a code out of the blue. That way, you’ll know someone else has tried to gain access. You can check which services, apps and sites support two-factor authentication on this website. Google, Apple, Facebook, Instagram, WhatsApp and Dropbox are just a few of the services offering two-factor authentication features.
Receiving login codes via text messages is easy: you link your phone number to an online service and enter the code that is sent to you to log onto the corresponding website or app. Hackers can get access to these login codes by intercepting your text messages 💬, but for most people this form of security is sufficient.
A safer way of two-factor authentication is to use an authenticator app. These apps let you scan a QR-code, which is like a barcode for your smartphone’s camera. The QR-codes are provided by the service that you want to secure. After you scan the QR-code, a security code appears on screen for 30 seconds, after which a new code will be generated. These random codes allow you to authenticate your login attempt, letting the online service know that it is really you who is trying to access your account. 1Password, LastPass Authenticator, Authy and Google Authenticator can all generate these codes. Take caution when using Google Authenticator, however. If you lose the phone on which you’ve installed the app, or if it gets reset, you will lose all of your login codes. The other authenticator apps mentioned above can synchronise codes across all devices on which you’re using them.
The lock 🔒 in the address bar of your internet browser shows that you’re using an encrypted connection. This means that the information that you’re entering on the website, like your password or credit card information, is being sent securely and can’t easily be intercepted by a hacker. Make sure you only enter sensitive information on websites that show this lock in the address bar. If the website address starts with https://, that also means it’s secure.
Also be aware that the lock icon doesn’t mean you can actually trust the website you’re visiting 🚫. Many phishing websites designed to steal your login information use the lock to try and gain your trust. Pay extra close attention to the website address, and check whether it’s correct or not.
https://www.facebook.com (facebook.com is the main domain)
https://www.facebook.tech (.tech is not the correct domain extension)
https://facebook.login.net (login.net is the main domain)
https://www.faceb00k.com (the two o’s have been replaced with two zeros)
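The same check can be automated. This added example (not part of the original guide) extracts the host name from a link with Python’s standard URL parser, reduces it to its main domain, and reports the four cases listed above plus two the list does not show: a user@ prefix hiding the real host, and non-ASCII look-alike letters. The “last two labels” rule and the confusable-character table are deliberate simplifications and are labelled as such in the code.

```python
from urllib.parse import urlparse

# Look-alike substitutions seen in phishing domains (constructed, deliberately small).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})


def registrable_domain(hostname):
    """Return the last two labels of a host name (facebook.com, login.net).

    Simplification: a production check would consult the Public Suffix List
    so that two-part suffixes such as co.uk are handled correctly.
    """
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_link(url, expected="facebook.com"):
    """Classify a link against the domain you meant to visit.

    Returns (verdict, domain); verdict is one of ok, not-a-link, not-https,
    idn (non-ASCII letters in the host), lookalike or wrong-domain.
    """
    parsed = urlparse(url)
    host = parsed.hostname  # drops any user@ part, port and path; lower-cases
    if not host:
        return ("not-a-link", None)
    domain = registrable_domain(host)
    if parsed.scheme != "https":
        return ("not-https", domain)
    if domain == expected:
        return ("ok", domain)
    if any(ord(ch) > 127 for ch in host):
        return ("idn", domain)  # e.g. a Cyrillic letter standing in for a Latin one
    if domain.translate(CONFUSABLES) == expected:
        return ("lookalike", domain)
    return ("wrong-domain", domain)


if __name__ == "__main__":
    for link in ["https://www.facebook.com", "https://www.facebook.tech",
                 "https://facebook.login.net", "https://www.faceb00k.com",
                 "https://www.facebook.com@login.net/", "http://www.facebook.com"]:
        print(f"{link:40} -> {check_link(link)}")
```

Only the host name matters for this decision; anything before an @ in the address, and everything after the first slash, is ignored by the browser when it decides which site to connect to.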
A backup lets you access your files if something goes wrong. What if your computer breaks all of a sudden? What photos 📷, videos 📹 and documents 📃 do you really want to save, and which files do you need for your administration? Those are the files you should back up.
A backup safeguards your important files, even if your computer breaks down, your phone gets stolen or ransomware makes your computer inaccessible. A backup will get the show on the road again in no-time.
It’s recommended that you keep both online and offline backups. You can create online backups with a cloud-service ☁️ like Dropbox, and offline backups using an external hard drive. Make sure you check whether all saved files are still there and working properly every now and then.
Phishing attacks are usually easy to recognise. Take a fake email which was seemingly sent by Bank of America, for example. The email claims that your debit card has been blocked, even though you don’t have an account with Bank of America 🏦. Logical thinking goes a very long way when it comes to protecting yourself.
But phishing emails can also look very realistic. Therefore, it’s always a good idea to check the sender’s email address. If the sender uses @bankofamerica.bankmailservice.com, you will know that the email wasn’t actually sent by Bank of America. If it was genuine, it should say
Pay attention to strange or incorrect use of language. Many phishing emails contain grammatical and spelling errors, and they might address you with Dear sir/madam. Most organisations know who you are and address you by your first name.
Oftentimes, phishing emails try to scare you 😨 by claiming that your bank account has been blocked or that you have outstanding debt that needs to be paid. They might even claim that you’ve won something 🤑. If you’re unsure about the nature of an email, call the organisation that allegedly sent the email. Don’t use the phone number listed in the email though! Look it up on the official website.
Before clicking a link in an email, always check its authenticity. You can do this by hovering your mouse 🖱️ over a link without clicking on it. The web page where the link wants to take you will appear on your screen. You should be able to see whether it is a valid link or a phishing attempt. On a mobile device, you can press and hold the link to copy it. Create a new email and paste the link into the body of the email to read the complete web address.
If you don’t trust an email or the links in it, use your internet browser to go to the website of the organisation the email claims to be from, and log in there. Usually, you’ll find all recent invoices and messages there. You can always call 📞 the organisation to ask whether an email you received is actually sent by them.
An important rule to live by:
If it seems too good to be true, it probably is.
If you have a Google account, Password Alert - an internet browser plugin - can be a big help. Password Alert sends you a warning when your Google password gets entered on a fake login page. Installing this official Google plugin can be a lifesaver, given how important Google and Gmail are to a lot of people.
It almost goes without saying that you shouldn’t just click on any link, even if it’s sent by a friend or colleague. This is good advice for whatever situation you’re in; whether you’ve received a link via email, through social media or in a text message. A smartphone can be hacked by pressing the wrong link.
This doesn’t happen often, so don’t get scared of every link you receive. But if you don’t trust it, inspect the link 👓 first using the methods described above.
It also pays to be wary of attachments in emails. Viruses often get spread this way, which can grant hackers access to your device. They’ll do this by hiding a virus in a seemingly innocent file, like a Word document.
Hackers also hide viruses in EXE files. The best course of action is not to open Word or Excel files on your computer, but in the Google Docs website instead. If there’s a virus hidden inside, your computer will not get infected. It’s best to open PDF files in your internet browser, using the PDF Viewer extension.
If you don’t trust a file, you can download it ⬇️ to your computer, but don’t open it! After downloading the file, upload it to VirusTotal. VirusTotal is a website that analyses files and tells you if it contains viruses. Do take note that Google and VirusTotal will have access to your file after uploading it.
Public WiFi networks, such as Starbucks WiFi, are not safe. Hackers can track your browsing habits and try to steal your login information. Use your 4G connection instead, or create a password protected hotspot on your phone. A hotspot (Android, iPhone) lets your laptop connect to the internet via your smartphone’s 4G connection.
If you insist on using public WiFi networks, make sure you only log in to websites that display a lock. Websites with a lock encrypt the information you enter, which prevents easy access by hackers. This advice also holds up for WiFi networks of restaurants 🍟 and hotels 🛏️. These might be password-protected, but are still being used by a lot of people.
Pay attention to welcome screens when connecting to public wifi networks. These pages may ask you to install an app, certificate or a piece of software. Connecting to the internet doesn’t require you to do this, so it might be a sign of hackers trying to gain access to your smartphone or laptop. If you have doubts, ask the network provider if the request is legitimate.
Finally, it’s important to realise that a password-protected wifi network isn’t necessarily safe. These wifi networks can also be under a hacker’s control.
It’s also strongly recommended that you use a virtual private network - VPN for short - as soon as you connect to a public WiFi network. A VPN builds a digital tunnel for your data traffic. That way, others won’t be able to see what you do on the internet, protecting you against hackers.
Most people have heard of VPNs because of Netflix. A VPN allows you to trick the internet into thinking you’re in a different country 🌎. By connecting to American servers, users would also get access to the American version of Netflix, for instance.
A VPN also comes in handy if you don’t want your internet provider to know what you do online. You can keep a VPN connection running indefinitely. The one downside is that it can slightly lower your internet speed 🐢.
The best and easiest paid VPN services are Private Internet Access, NordVPN and Freedome, costing three, five and four USD per month respectively. AirVPN and Mullvad are aimed at more experienced users.
Never use a free VPN service. These services are known to sell your private information, like the websites you visit. If you’re short on cash, you can always create a free account on TunnelBear or WindScribe. These free services give you 500 megabytes or 10 gigabytes of data traffic per month, respectively. More than enough for those few occasions when you absolutely have to log onto a public wifi network.
This advice might seem somewhat obvious, but a lot of people leave their laptop open while they’re off using the toilet 🚽. Aside from the risk of your property being stolen, someone could also use your computer with criminal intent while you’re not around, especially when your laptop isn’t closed and locked.
Always set your laptop’s automatic lock to a very short period (one minute). Your device will then lock itself if you have to leave it unattended. This isn’t a perfect safety measure, however. Always try to take your laptop with you if you need to leave your seat or spot. Even if it’s just for a moment.
Now let’s have a look at the device that’s easiest to hack: your computer 💻.
Most virus infections happen on Windows computers. These devices come equipped with a virus scanner called Defender. Defender is good, but Kaspersky Anti-virus and BitDefender (respectively 30 and 34 USD per year) easily rival Defender.
Defender has a feature that protects your most important folders against ransomware or other harmful software that messes with your files. This feature can be activated by going to Virus & threat protection -> Ransomware protection -> Controlled Folder Access. You can also add extra folders there, such as a folder with important business documents or pictures of your family 👨👨👧.
The use of Hitman Pro.Alert (35 USD per year) is also recommended. You can run Hitman Pro.Alert alongside a virus scanner. It’ll protect you against malware that takes advantage of vulnerabilities in your computer to, for instance, track whatever you type on your keyboard ⌨️.
If you own a Mac computer, you don’t necessarily need a virus scanner. The Mac’s operating system makes it harder for malware to infect your computer. That’s why there aren’t a lot of viruses in circulation on Apple’s operating systems. If you still want a virus scanner, then Kaspersky Anti-virus (60 USD per year), BitDefender (20 USD per year) or ESET Security (30 USD per year) are solid choices.
Paying for virus scanners pays off. Paid versions of virus scanners are often better and more expansive. If you’re not in a position to pay for virus scanners, your best bet is to download and install the free version of Avast or AVG.
As you might have guessed already: it’s important to update your devices. That’s why we recommend installing updates automatically. Windows and MacOS support this feature, but recently software like Google Chrome have introduced similar options.
If software that doesn’t support automatic updates notifies you of a newly available update, check the legitimacy ✅ of the notification first. Viruses are often spread using fake notifications, like an update for Adobe Flash Player. These usually appear as pop-ups on a website. If you want to make sure the notification is legitimate, then open the software in question and manually check to see if there’s an update available.
Currently, Google Chrome is the safest and most user-friendly internet browser. Firefox, Safari and Edge are also solid choices, as long as you avoid using Internet Explorer. Also make sure to install the following three extensions:
Adblocker uBlock Origin is a free extension that blocks ads and trackers on the internet. It protects you from so-called malvertising: viruses that spread through online ads. It also locks out organisations and companies that spy on your browsing habits. Contrary to Adblock and Adblock Plus, uBlock Origin doesn’t have a questionable business model. Do note that by using an adblocker, you’re depriving websites of their much-needed revenue. By whitelisting your favourite websites, you’re still allowing a company or person to profit from your visit.
HTTPS Everywhere forces a secure connection when possible. If a hacker attempts to intercept your connection to try and send you to a website with an unsecure connection, HTTPS Everywhere will block the attempt. This extension can be downloaded for free.
Criminals like to hide malware in PDF files, because Adobe Reader (the software that allows you to read PDF files) often has security leaks. That’s why it’s better to open PDF files in your internet browser. You can use PDF Viewer specifically for this purpose. The extension comes as a free download for Chrome. Firefox has an option to automatically open PDF files in your internet browser.
Pay attention to which extensions you install and don’t install too many. Browser extensions can have quite far-reaching permissions and, in some cases, even see what you type while using your internet browser. Thankfully, you can view which permissions each extension has.
A firewall should be turned on. It’ll protect you from external attacks. Turn it on in MacOS and preferably also on your router. Windows’ firewall is turned on by default. If you want some extra protection, take a look at Little Snitch for MacOS and GlassWire for Windows. These apps keep an eye 🔎 on what software connects to the internet.
Flash used to be an important technology for watching videos and playing games in your browser 🎮, but the software is wildly outdated by now, making it dangerous. The best option is to simply avoid Flash altogether. Many browsers already have it turned off by default and require you to manually turn it on. Only turn on Flash when a website you trust completely asks you to do so.
Most websites use better technology nowadays, such as HTML5, to display interactive elements like videos and games. Flash creator Adobe will officially discontinue the software in 2020 and already recommends that you stop using it now.
Many people have trouble configuring their router, the device that lets you access to the internet. That’s understandable: routers are tricky to operate 😕. Every router works differently, so you’ll have to search online to find the corresponding manual. Those manuals can help you implement the following tips.
Select the WPA2-AES protection option, use a long password or passphrase and turn off WiFi Protected Setup (WPS).
Turn off UPnP. This technology is unsafe and allows for easier access to your network and connected devices.
Give your WiFi network a name that can’t be traced back to you; don’t call it The Johnsons, for instance.
Be careful with port forwarding: only forward ports that are absolutely necessary.
A well-known hacker trick is to let a victim insert an infected flash drive into their computer, after which the device is breached. Always be careful with flash drives, whether you find a stick on the street or someone hands it to you as a gift 🎁. If you don’t trust a flash drive, have a professional look at it or throw it out.
You might also want to think about how much you really need all those smart devices. Do you really need a rice cooker 🍚 that can connect to your WiFi network? Is it really that important that your child’s action figure has a camera that connects to the internet? All of these smart devices are potential access points which hackers can use to breach your network. They can even take over these devices entirely. Only buy smart devices you really need and preferably use well-known brands.
Some people are scared to do their banking online. No need: online banking has become very safe in recent years. You can use your bank’s website or mobile app to transfer payments 💵. In most cases, the app is the safest option. It’s hard for hackers and criminals to hijack these apps on recent versions of Android and iOS.
Removed files can often be recovered using special software 🧐. Use BleachBit to protect yourself. This application for Windows completely removes your files from your hard drive. You can use BleachBit on MacOS using a workaround, but the free Permanent Eraser application is a better option.
Criminal hackers can watch you using your webcam. A hacker might blackmail you using intimate pictures and videos of you. For instance, you could be secretly filmed while undressing, masturbating or having sex 🍆🍑. By simply covering your webcam with a piece of tape, you render your webcam useless to any intruder. There are also more elegant options, like CamHatch (11 USD) or Soomz (10 USD for three covers). You can also find many cheap webcam covers on the Chinese web shop AliExpress.
Also take note of your surroundings if you’re using your laptop on a train or in a coffee shop ☕. Can anyone see what you’re typing? Are you sure no one can see personal information on your screen, like a password, home address or phone number? Be aware of the situation you’re in when you’re using your devices in a public space.
If you’re not tech-savvy and just want to be able to browse the web, send emails and watch videos, then a Chromebook might be the way to go. This laptop is cheap and very secure, because it only runs Google’s Chrome internet browser. This makes it hard for hackers to infect your computer with viruses. This laptop lets you do everything you normally do in a browser. If you have a higher budget, an iPad with a keyboard is a good way to go too.
Try reinstalling your computer once every three years. That means backing up your files 📂, completely deleting your hard drive and reinstalling the operating system (Windows, MacOS). It makes your computer faster and removes any redundant and potentially harmful software.
The smartphone 📱 is the most important device in many people’s lives, which is why it’s incredibly important to make sure it’s properly secured, whether you own an Android or iPhone.
Okay, that might sound a little blunt, but iPhones are generally more secure than Android phones. That’s why people who might be at risk of being hacked, like lawyers 👨💼 and politicians 👴 usually have an iPhone. iPhones are also guaranteed to receive updates for five years after they have been released.
The safest Android phones are Pixel phones (formerly known as Nexus), made by Google. Google is working hard to develop Android so phone manufacturers like Samsung, Huawei and OnePlus can release (security) updates a lot faster.
This recurring tip is still high on the list: always update your mobile devices as soon as you can ⏰. Updates fix security vulnerabilities that allow hackers to infiltrate your smartphone or tablet. Also regularly update your apps. These can contain security vulnerabilities too, giving hackers access to your private information.
Encryption ensures that your data, such as your messages and pictures, are saved in a digital vault 🔑. All iPhones and most Android phones have encryption turned on by default, but some Android phones require you to manually turn on encryption. The option to turn on encryption can be found by going to Settings > Security.
What if, for instance, someone happens to find your phone and connects it to a computer? Encryption ensures this person won’t be able to see all your chat logs and pictures. These can only be viewed if the correct passcode is entered, which is the key to your own digital vault. That’s why using a passcode to lock your mobile devices when you’re not using them is very important.
By using a passcode, you prevent others from accessing your phone or tablet. Choose a six-digit passcode that only you know and don’t pick a standard code like 1-1-2-2-3-3. It’s also not recommended to use your birth date 🎂, just like any other combination based on personal information. iPhones and some Android phones also allow you to turn on an option that completely erases all contents from the phone if the wrong code is entered more than ten times. This can function as an extra security method, but it can also be quite risky if you don’t have a backup of your device.
In many cases, using the fingerprint scanner is easier. It works faster and is safer because someone can’t just copy your fingerprint to unlock your phone. If you want to temporarily turn off your fingerprint scanner, turn your device off and on again. It’ll prompt you to enter your passcode to access your device. If you don’t have a fingerprint scanner on your Android phone, you can also create a pattern to unlock it.
Your SIM card also has a passcode. You can edit this code and change it to a six-digit code in your smartphone’s settings, instead of using the standard 0-0-0-0. It’s a good idea to move all your contacts to your phone and remove them from your SIM card. If you happen to lose your phone, your contacts’ personal information can’t be extracted from the SIM card.
Most phones that contain malware are infected through apps that were not installed using the official app stores. This usually happens when people want to install a paid app or game for free. That ‘free’ app may have malware hidden inside, used for stealing credit card 💳 information. This goes for both Android and iOS phones.
Android poses another risk: there are lots of apps in the Google Play Store that might seem legitimate, but contain malware anyway. Make sure you do your research before downloading any app. Google the name of the app, read reviews and check to see how many times the app has been installed so far. In short: don’t just install any app on your Android phone or tablet.
It’s also important to check an app’s permissions. A flashlight app 🔦, for instance, shouldn’t require access to your contacts. You can check and edit the permissions of apps on both iOS and Android. For Android, go to Settings > Apps, and for iOS go to Settings > Privacy.
Third parties can follow you using WiFi and Bluetooth. They could track the route you take to the bus stop, for instance. If you don’t need WiFi or Bluetooth when you’re on the go, it’s a good idea to temporarily switch them off using your device settings. You’ll also protect yourself from attacks via WiFi and Bluetooth.
If you’ve connected to a WiFi network in the past, your mobile device will automatically connect to that network when you’re nearby. This poses some risk. Hackers often create fake WiFi networks with names that are the same as networks you might’ve been connected to before, like Starbucks WiFi or McDonald's Free WiFi. Because your mobile device recognises these networks, it’ll attempt to automatically connect with them. It’s just another way for criminals to try and monitor what you do on the internet while attempting to intercept passwords and other personal information.
It’s wise to clean up your list of trusted WiFi networks from time to time. If you connect to a hotel’s WiFi network 🏨, for instance, remove the network from your device’s memory afterwards. Do this by opening your device’s settings and pressing forget after selecting the WiFi network in question. You can also set your Android and iOS device to not automatically connect to individual WiFi networks in the WiFi settings.
Notifications can contain sensitive information 🙈, like a password a friend sent you using WhatsApp, or login codes sent via text messages. By hiding notifications in the lock screen (Android, iOS) no one will be able to see the contents. Only after unlocking your phone will you be able to see what the notifications say.
Backups are incredibly important. Should your phone get stolen, you can always restore the backup on another phone. Google and Apple offer features that completely back up your phone. For many users, pictures are the most important thing on their phone. Back these up with services such as iCloud, Google Photos and Dropbox. Don’t forget to turn on two-factor authentication for these services.
We share a large part of our lives on social media 🤳. Sometimes a little too much. That may sound like an open invitation for hackers. This method of data collection is also referred to as Open Source Intelligence (OSINT), which can be used in a cyber attack.
People often post pictures of their passport, driver’s licence and concert tickets on social media. You might think gosh, that’s pretty dumb, and you’d be right. It still happens a lot, though 🤦. The barcode on your concert ticket can be used by anyone, and with a picture of your passport or driver’s license, someone could open a loan in your name.
So be cautious of what you do and post on social media. Do you have an annoying ex who’s keeping tabs on you? Don’t post on social media about where you are at any given time. Waiting for something you ordered online 📦? A hacker could call you, acting as an employee of the web shop in question, to ‘check your information’. It’s mostly a matter of realising what the risks are to you.
Many companies only require a name, date of birth and address to verify that you are who you say you are. This information is easily found online. People celebrate their birthdays 🎈 on social media and indirectly say where they live, by posting an Instagram picture of their new home 🏠, for example.
Using this method, one hacker has already managed to fool a telecom provider into registering someone else’s phone number to his name. This also granted him access to the victim’s WhatsApp messages. This method of hacking is also known as social engineering: a form of cyber attack that relies on manipulation.
The answers to your secret questions can often be found online too. It might be the name of your first pet 🐱 or your mother’s birthplace. Be aware of this fact. It’s better to generate random passwords as answers to these secret questions. You can save the passwords using a password manager.
What does a hacker do when they want to collect information about a target? That’s right: google the target’s name. Google yourself regularly to know what personal information is available for anyone to see. You could, for instance, set up a notification that emails you every time your name comes up in Google. In some cases, it’s even possible to have information removed from the search engine.
We post a lot on social media. That’s why it may be wise to set your profiles to private. Do you share a lot of your private life on Facebook and Instagram? Then set your Facebook profile to private (click here to see what that would look like to anyone who isn’t your friend) and lock your Instagram account 🔒, requiring users to ask for your permission if they want to follow you. The same goes for Snapchat.
Twitter is a different story altogether. A lot of users use Twitter to reach as many people as they can. If you have a public Twitter profile, pay extra attention to what you post, from your location to your private information. And log out of Twitter when necessary — especially when you’re using a public computer or a friend’s laptop.
It’s definitely possible to create a safe digital copy of your passport, driver’s licence 🚗 or any other form of identification. The Dutch government even released an app to help you do just that. It’s called KopieID (CopyID). The app allows you to redact sensitive information, like your Citizen Service Number or Social Security Number. You can add a watermark, describing the purpose of the copy, such as ‘copy for stay at hotel name on date such and such’. Don’t worry: the important parts of the app are in English.
Are you aware of all the devices you have used to access your accounts? And did you remember to log out when you stopped using certain devices, like a friend’s tablet or a public computer? To be sure, check the overview of active sessions which Google, Facebook and WhatsApp, among others, provide, and deactivate the ones you don’t recognise.
Many companies offer the option to go over your security settings, like Google, Facebook and Twitter. You can see on which devices you are logged in, and which other services have access to your information. If you check your security settings regularly, you’ll usually come across a device or service that doesn’t require access 🛑 to your account anymore.
We send lots of messages 💬 and still call ☎️ from time to time. Let’s try to do that as safely as we can. This chapter is about how you can communicate without anyone listening in or reading your messages.
Communication has become a lot safer since April 2016, which is when WhatsApp introduced end-to-end encryption. This ensures that only the sender and receiver can read the messages sent between them. If someone were to intercept end-to-end encrypted messages, all they would see is gibberish.
You can compare it to sending a postcard. You write something on the back and put a stamp on it. With normal encryption, the postman (in WhatsApp’s case) can read what you wrote on the postcard. With messages sent through end-to-end encryption, you’re basically putting the postcard in a sealed envelope ✉️. That way, only the recipient can read what’s on the postcard.
End-to-end encryption doesn’t just work with sending messages. It also works with sending and receiving pictures, videos, documents and location information. You can also secure phone calls and video calls with end-to-end encryption.
WhatsApp is owned by Facebook, a company that makes its money by collecting as much information about its users as it can. Because of end-to-end encryption, Facebook doesn’t know what kind of messages or pictures you’re sending. Facebook can, however, still monitor who you’re communicating with and when. This type of information is known as metadata.
What chat app you use is a very personal choice. Some people value ease of use, while others prefer apps that focus more on protecting their privacy. These are five alternatives to WhatsApp.
Signal is the safest and most privacy-friendly chat app. Just like with WhatsApp, the app can be used on a computer and it’s possible to have it automatically remove messages after a specified period of time (from a few seconds after being sent to a week). Signal also hardly saves any information about its users. The app doesn’t look very nice, however, and has fewer features than its competitors.
Telegram is not a safe choice, because it saves messages in the cloud. Some people like this, because if you switch phones you can start chatting exactly where you left off. Saving all your messages, pictures and videos in the cloud is very risky, however. Please be aware of this if you use Telegram. The reason why people choose to use Telegram is because it’s one of the most user-friendly chat apps out there.
Apple’s chat app only works with iPhones and iPads. Messages are encrypted with end-to-end encryption and you can also use your MacBook or iMac to send and receive messages. iMessage also supports a lot of other apps, letting you easily order an Uber or share a navigational route, for instance. Note that Apple does save metadata for up to a month.
The Swiss Threema is a favourite among journalists, because you only share a username to communicate with each other. Journalists don’t have to give out their phone number to use Threema. The app has a fancy design and lots of features. There’s one downside: Threema costs 3 USD. As a result, it doesn’t have as many users as the free apps.
Wickr Me is comparable to Threema: you don’t need a phone number or email address to create an account. You can set messages to be automatically removed after a specified amount of time, use the app on multiple devices and create groups. Contrary to Threema, Wickr Me is free.
The Swiss Wire garnered a lot of fans in a short period of time, which isn’t strange given its features and design. The app bases its encryption method on Signal and combines a sleek design with Telegram’s flexibility. That means you can chat from your smartphone, computer and via your internet browser. Video calls, file sharing and sending gifs are all protected by end-to-end encryption.
Hackers can’t steal what you don’t have. That goes for chat messages too. If you’re having sensitive conversations, make sure those messages are automatically removed 🗑️. Signal, Telegram, Wickr Me and Wire support this feature, amongst others.
You can use WhatsApp, Signal and FaceTime, amongst others, to make end-to-end encrypted calls. This means that the service you use to make the call can’t see or hear you. These apps are recommended when you make a call to discuss sensitive topics. If you want to Skype with your cousin from Australia every now and then, its lack of end-to-end encryption won’t matter much.
A regular old phone call is a safe communication method for most people. A hacker can’t easily hack your phone call 📶. That would require a targeted attack, carried out by an intelligence agency, for instance. We’ll talk more about that later.
Email 📨 isn’t safe, unlike many chat apps. Email in 2018 consists of several different technologies cobbled together to make it all work. That doesn’t make it safe or reliable. We use email in business situations and because it’s commonly accepted, but send as little sensitive information through email as you can.
Hats off to you for making it this far 👏! Your knowledge of cyber security has already increased exponentially. In this chapter, you’ll find numerous advanced tips to ward off online surveillance and persistent hackers.
It’s important to consider which risks apply to you. Are you a woman 👩 using the internet? Odds are you’ve had to protect yourself against harassment by men. Are you a journalist? Then it’s possible that the government is trying to keep tabs on you. Do you own a computer and a bank account? You get the picture: anyone can be a target, but certain targets face bigger risks.
Take appropriate measures that correspond to your personal risk level. This guide offers a lot of advice that everyone should follow, because many dangers apply to, well, everyone. But for an active feminist 💪 with a Twitter account, it’s even more important to keep your home address and phone number hidden from most people.
Every situation is different and thus requires a different approach. If you suspect your violent spouse is reading your e-mails and Whatsapp messages, you can use the chat function of a video game, such as Words With Friends, to inform a friend of your situation. It’s unlikely your spouse is keeping track of those conversations as well.
We’ll start with the hardest piece of advice, because spear phishing is notoriously difficult to recognise. Spear phishing is a form of phishing where the person trying to trick you will send you a message that is made to fool you specifically. A hacker could, for instance, gather information from your social media profiles to provide the spear phishing message with credible information.
Let’s say your flight with Delta Airlines ✈️ has been delayed by an hour and you post about it on Facebook. A hacker could use that information to send you an email, detailing a ‘compensation offer’ from Delta. All you need to do is log in (which gives the hacker your password) and fill out a form. All the while said hacker is keeping track of what you’re typing.
Thankfully most people won’t ever have to deal with spear phishing. Spear phishing usually happens to those who have a high risk of being targeted, such as politicians, lawyers and journalists. It still pays to keep your guard up. If you don’t trust something, find the company or organisation that supposedly sent you the message by googling them, and call them to ask whether the message you received is legitimate or not.
You can encrypt MacBooks and iMacs with the click of a button by turning on FileVault. It’s incredibly simple and ensures that whoever finds or steals your laptop doesn’t have access to your private files. Don’t wait: turn this feature on right now.
Windows is a completely different story. Microsoft has kept its encryption service Bitlocker exclusive to the Pro versions of Windows. That just happens to be the version that consumers hardly ever use 🤷.
Thankfully there are some good alternatives to consider. Veracrypt is the safest and most reliable option. Make sure to back up your files before encrypting your hard drive. The encryption process can take hours and could go wrong in some cases. With a backup, you’ll ensure the safety of your files.
While we’re on the subject: you can encrypt backups too. Consider encrypting your external hard drive with Veracrypt, for instance. Another good app is Cryptomator, which immediately encrypts your files and uploads them to the cloud. Take extra care of your password, however. Lose your password, and you lose access to your files.
The Diceware method is used by experts to create extremely strong passwords. Diceware uses a random dice throw 🎲 and a long list of words to generate passwords. Here’s a list (pdf) of English words you could use.
You start by rolling dice. Do this five times in a row and note the value of each throw. You’ll end up with a five-digit series of numbers that correspond with a word from the list. For instance, if you throw 3-6-4-5-5, the word it corresponds with is
Repeat this process seven times to make sure it’s absolutely safe. You’ll get a series of seven completely random English words, such as limbo krebs hoyt ember cometh swipe zaire. The Diceware method is currently the best way to create a strong password that you can remember.
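The Diceware procedure described above, as an added Python example that is not the page’s own code. The word list excerpt is constructed in the format real Diceware lists are distributed in (a five-digit dice key, a tab, a word); the keys in it are made up for the example, so use a complete 7776-line list for real passphrases. The block also works out what the text only asserts: seven words drawn from a 7776-word list give roughly 90 bits of entropy.

```python
"""Diceware passphrase generation (added example, not the page's code)."""
import math
import secrets
from typing import Callable, Dict, List

DICE_PER_WORD = 5
LIST_SIZE = 6 ** DICE_PER_WORD  # a complete Diceware list has 7776 entries

# Constructed excerpt in Diceware list format ("key<TAB>word"). The keys are
# made up for this example; a real list has one line for every possible roll.
SAMPLE_LIST = """\
11111\tabacus
11112\tabbey
12345\tlimbo
23456\tkrebs
34561\thoyt
"""


def parse_wordlist(text: str) -> Dict[str, str]:
    """Read 'key<TAB>word' lines into a lookup table, rejecting malformed keys."""
    table: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, word = line.split(None, 1)
        if len(key) != DICE_PER_WORD or any(c not in "123456" for c in key):
            raise ValueError(f"invalid dice key in line {line!r}")
        table[key] = word
    return table


def is_complete(table: Dict[str, str]) -> bool:
    """A usable list maps every one of the 7776 possible rolls to a word."""
    return len(table) == LIST_SIZE


def key_from_rolls(rolls: List[int]) -> str:
    """Turn five dice values into the lookup key, e.g. [3, 6, 4, 5, 5] -> '36455'."""
    if len(rolls) != DICE_PER_WORD or any(r < 1 or r > 6 for r in rolls):
        raise ValueError("need exactly five rolls, each between 1 and 6")
    return "".join(str(r) for r in rolls)


def roll_die() -> int:
    """One unpredictable die throw; random.randint is not suitable for secrets."""
    return secrets.randbelow(6) + 1


def scripted_roller(values: List[int]) -> Callable[[], int]:
    """Replay a fixed sequence of throws (for demonstrations and tests only)."""
    it = iter(values)
    return lambda: next(it)


def diceware_passphrase(table: Dict[str, str], words: int = 7,
                        roll: Callable[[], int] = roll_die) -> str:
    """Roll five dice per word, look each key up, and join the words with spaces."""
    chosen = []
    for _ in range(words):
        key = key_from_rolls([roll() for _ in range(DICE_PER_WORD)])
        if key not in table:
            raise KeyError(f"no word for roll {key}: the word list is incomplete")
        chosen.append(table[key])
    return " ".join(chosen)


def entropy_bits(list_size: int, words: int) -> float:
    """Strength of a passphrase of `words` words chosen uniformly from `list_size`."""
    return words * math.log2(list_size)


if __name__ == "__main__":
    table = parse_wordlist(SAMPLE_LIST)
    demo_rolls = scripted_roller([1, 2, 3, 4, 5, 2, 3, 4, 5, 6, 3, 4, 5, 6, 1])
    print(diceware_passphrase(table, words=3, roll=demo_rolls))  # limbo krebs hoyt
    print(f"seven words from a full list: {entropy_bits(LIST_SIZE, 7):.1f} bits")
```

With a complete list, call `diceware_passphrase(table)` with the default `roll_die` so the throws come from the operating system’s random source; `is_complete` is the check to run on a downloaded list before trusting it, because a list with missing lines silently shrinks the space of possible passphrases.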
Experts recommend using a physical USB key - also known as a security key - for two-factor authentication. Connect your security key to services such as Google, Facebook, Twitter and Dropbox and the next time you want to log in, you’ll be prompted to use your USB key.
Insert the USB key into your computer, or connect it to your smartphone, to authenticate your login attempt. The online service will check 👮 if the USB key is linked to your account, and the USB key detects whether you’re logging onto the correct app or website ✅. This protects you against phishing attempts and fake websites, because the login attempt can only be successful if both your key and the online service are valid.
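The mutual check described above, as an added example that is neither the page’s nor Yubico’s code: a simplified Python model in which HMAC stands in for the public-key signature a real security key produces, so it captures the origin binding rather than the real wire format. The service name, user and origins are constructed. What it shows is that the key signs the origin the browser actually loaded, so a look-alike site that relays a genuine challenge still ends up with a signature the real service rejects.

```python
"""Simplified model of a security key's origin binding (added example).
HMAC replaces the asymmetric signature of a real FIDO key; the idea is the same:
the response is tied to the site the browser actually loaded."""
import hashlib
import hmac
import os
from typing import Dict


class SecurityKey:
    """Models the USB key: one master secret that never leaves the device."""

    def __init__(self) -> None:
        self._master = os.urandom(32)

    def _credential_secret(self, origin: str) -> bytes:
        # A separate derived secret per origin: a credential registered for
        # one site cannot be used for another site.
        return hmac.new(self._master, origin.encode(), hashlib.sha256).digest()

    def register(self, origin: str) -> bytes:
        # A real key hands the service a public key here; in this model the
        # service stores the derived secret so it can verify responses.
        return self._credential_secret(origin)

    def sign(self, origin: str, challenge: bytes) -> bytes:
        # 'origin' is supplied by the browser and is the site it really loaded,
        # not whatever the page claims to be.
        msg = origin.encode() + b"\x00" + challenge
        return hmac.new(self._credential_secret(origin), msg, hashlib.sha256).digest()


class OnlineService:
    """Models the website: knows its own origin and one credential per account."""

    def __init__(self, origin: str) -> None:
        self.origin = origin
        self._credentials: Dict[str, bytes] = {}

    def enroll(self, user: str, key: SecurityKey) -> None:
        self._credentials[user] = key.register(self.origin)

    def new_challenge(self) -> bytes:
        return os.urandom(16)

    def verify(self, user: str, challenge: bytes, signature: bytes) -> bool:
        # The service always checks against ITS OWN origin, never one sent by the client.
        expected = hmac.new(self._credentials[user],
                            self.origin.encode() + b"\x00" + challenge,
                            hashlib.sha256).digest()
        return hmac.compare_digest(expected, signature)


def genuine_login(service: OnlineService, key: SecurityKey, user: str) -> bool:
    """The browser is on the real site, so the key signs the real origin."""
    challenge = service.new_challenge()
    return service.verify(user, challenge, key.sign(service.origin, challenge))


def phished_login(service: OnlineService, key: SecurityKey, user: str,
                  fake_origin: str) -> bool:
    """A look-alike site relays the real challenge, but the browser reports the
    origin it actually loaded, so the signature is bound to the wrong site."""
    challenge = service.new_challenge()
    relayed = key.sign(fake_origin, challenge)
    return service.verify(user, challenge, relayed)


if __name__ == "__main__":
    key = SecurityKey()
    service = OnlineService("https://accounts.example")  # constructed origin
    service.enroll("alice", key)
    print("genuine:", genuine_login(service, key, "alice"))                     # True
    print("phished:", phished_login(service, key, "alice",
                                    "https://accounts-example.com"))            # False
```

The design point is that neither side trusts the other’s claim about where the login is happening: the browser reports the origin to the key, and the service checks only against its own origin, which is why a text-message code (which the user would happily type into the fake page) cannot give the same protection.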
It’s recommended that you purchase two security keys: one to keep on your person at all times and another to put away safely as a backup. Link both usb keys to the services for which you want to enable two-factor authentication. And don’t forget to turn off the other forms of two-factor authentication you may have enabled for these services, such as login codes via a text message.
The Swedish company Yubico offers good security keys. The best option is the blue security key, which is compatible with all major online services. Two keys cost 36 USD. The Yubikey Neo (with NFC capabilities, 50 USD) works with Android smartphones, but has limited iPhone compatibility. There’s also a version for USB-C ports (50 USD).
Some password managers offer the option to automatically fill in your passwords on websites. This is not secure. A hacker could fool your password manager with a fake page. That’s why you should turn off this option, for instance in LastPass.
It’s also smart to have your password manager lock itself automatically if you haven’t used it for a certain period of time. That will keep your digital vault, filled with your passwords, from being exposed any longer than necessary.
Smartphones are ideal devices for spying. Intelligence agencies 🕵️ can tap your phone and request its location, or hackers can break in and turn on your microphone and camera. Be aware of this.
Android and iOS keep track of where you’ve been 🔍 by default, and this sensitive information could be shared with third parties. Both Android and iOS allow you to turn off this feature, after which your phone won’t constantly keep track of your location. This doesn’t prevent a hacker or intelligence agency from tracking your location using your smartphone, however.
One extreme measure is turning your phone off and keeping it in a Faraday cover (which you can make yourself) or putting it in a microwave (which you should never turn on if your phone is in there). That’s the only way to be absolutely sure that no one can track your location.
Many chat apps offer the option to save your chats in the cloud ☁️, via Google Drive or iCloud. Be cautious of this. All messages are encrypted with end-to-end encryption as soon as they’re sent, but they lose their encryption as soon as the messages reach your phone, otherwise you wouldn’t be able to read them. If you choose to back up your messages, they’ll be uploaded to the cloud without encryption. An intelligence agency could request your chat history. Also note that your messages can be backed up unencrypted by the people you’re chatting with.
It’s important to protect your phone number, because it provides access to login codes or password reset options. Hackers can call your provider and pose as you to acquire sensitive information. In some cases, they can even take control of your phone number 📱. Ask your provider to require a customer service password. The provider will then ask you (or someone pretending to be you) to provide said password before assisting on customer service requests.
When you use your smartphone to take a picture 🖼️, it stores all sorts of extra information, such as the date, time and the exact location 🏘️ of where the picture was taken. This information is also referred to as EXIF data. When you share these pictures on Facebook, Twitter, Instagram or WhatsApp, the EXIF data is removed automatically. However, when you upload a picture to your website, or email it, the information can still be accessed by others. If you want to make sure that the EXIF data is removed, then use the website ImgClean.io before uploading or emailing your pictures. ImgClean strips images of this extra information and lets you download a clean version that is safe to distribute.
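Removing the metadata yourself, as an added example that is neither the page’s code nor ImgClean’s: this Python block uses only the standard library to walk a JPEG’s marker segments and drop the APP1 segments that carry EXIF (and Adobe XMP, which can also hold the location) while leaving the image data untouched. The sample file is constructed inline and is only JPEG-shaped, not a viewable picture.

```python
"""Strip EXIF/XMP metadata from a JPEG by dropping its APP1 segments (added example)."""
import struct
from typing import List, Tuple

SOI, EOI, SOS, APP0, APP1, DQT = 0xFFD8, 0xFFD9, 0xFFDA, 0xFFE0, 0xFFE1, 0xFFDB
# Markers that carry no length field (TEM and the restart markers RST0..RST7)
STANDALONE = {0xFF01, *range(0xFFD0, 0xFFD8)}
# APP1 payloads that hold camera metadata (EXIF) or Adobe XMP
METADATA_PREFIXES = (b"Exif\x00\x00", b"http://ns.adobe.com/xap/1.0/\x00")


def split_jpeg(data: bytes) -> Tuple[List[Tuple[int, bytes]], bytes]:
    """Split a JPEG into its header segments (marker, raw bytes), up to and
    including the SOS segment, plus the tail: entropy-coded scan data and EOI."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    head: List[Tuple[int, bytes]] = []
    pos = 2
    while True:
        if pos + 2 > len(data) or data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        (marker,) = struct.unpack(">H", data[pos:pos + 2])
        if marker in STANDALONE:
            head.append((marker, data[pos:pos + 2]))
            pos += 2
            continue
        if marker == EOI:  # header-only file with no scan; keep the EOI as tail
            return head, data[pos:]
        if pos + 4 > len(data):
            raise ValueError("truncated segment header")
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])  # includes itself
        end = pos + 2 + length
        if length < 2 or end > len(data):
            raise ValueError(f"truncated segment at offset {pos}")
        head.append((marker, data[pos:end]))
        if marker == SOS:
            # The compressed image follows the SOS header; copy it untouched.
            return head, data[end:]
        pos = end


def is_metadata_segment(marker: int, raw: bytes) -> bool:
    # raw[4:] skips the 2-byte marker and the 2-byte length field
    return marker == APP1 and raw[4:].startswith(METADATA_PREFIXES)


def has_metadata(data: bytes) -> bool:
    head, _ = split_jpeg(data)
    return any(is_metadata_segment(m, r) for m, r in head)


def strip_metadata(data: bytes) -> bytes:
    """Return the JPEG with EXIF/XMP segments removed; pixels are unchanged."""
    head, tail = split_jpeg(data)
    kept = b"".join(r for m, r in head if not is_metadata_segment(m, r))
    return b"\xff\xd8" + kept + tail


def _segment(marker: int, payload: bytes) -> bytes:
    return struct.pack(">HH", marker, len(payload) + 2) + payload


def build_sample_jpeg() -> bytes:
    """Constructed, JPEG-shaped test input (not a decodable picture): a JFIF
    header, an EXIF block standing in for GPS tags, a quantisation table,
    a scan header, a few bytes of scan data and the EOI marker."""
    jfif = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    exif = b"Exif\x00\x00" + b"II*\x00\x08\x00\x00\x00" + b"<constructed GPS tags>"
    return (b"\xff\xd8" + _segment(APP0, jfif) + _segment(APP1, exif)
            + _segment(DQT, b"\x00" + b"\x10" * 64)
            + _segment(SOS, b"\x01\x01\x00\x00\x3f\x00") + b"\x12\x34\x56"
            + b"\xff\xd9")


if __name__ == "__main__":
    sample = build_sample_jpeg()
    print("before:", [hex(m) for m, _ in split_jpeg(sample)[0]])
    clean = strip_metadata(sample)
    print("after: ", [hex(m) for m, _ in split_jpeg(clean)[0]])
```

To clean a real photo, read it with `open(path, "rb")`, pass the bytes to `strip_metadata`, and write the result to a new file; `has_metadata` is the check to run on the output before sharing it. Note that other containers (PNG, HEIC) store metadata differently, so this walker is specific to JPEG.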
If you want to call someone without the risk of having your call tapped 👂 and your conversation being listened in on, it’s recommended that you use Signal. Signal encrypts calls with end-to-end encryption. For many people this measure might be excessive, but for people at risk like journalists and lawyers, it might be necessary from time to time.
Calling via Signal (and WhatsApp) also protects you from IMSI-catchers. These devices imitate telephone masts to tap your phone calls and messages. IMSI-catchers are mostly used by intelligence agencies, but can also be made by hackers.
ProtonMail is one of the most user-friendly services when it comes to sending and receiving encrypted emails. The end-to-end encryption only works when both the sender and receiver are using ProtonMail, however. With other email addresses, such as Gmail or Outlook, ProtonMail asks you if you want to password-protect the emails you send to them. The recipient then needs the password to open the email. ProtonMail does this to add an extra layer of security. An account with 500MB is free, but if you want more storage capacity and added features, you have to pay from 5 to 20 USD a month.
The Tor internet browser sends your internet traffic through numerous computers. This protects your privacy, because websites can’t find out where you’re from and your provider won’t be able to see what you’re doing on the internet. That might be handy for some people, but it can be an actual lifesaver for others in countries like Iran and Russia. Tor also lets you visit blocked websites, which is especially useful in a country like Turkey.
Tor also offers access to the dark web, which is the part of the internet that you can’t visit with a normal internet browser. On the dark web you’ll mostly find marketplaces for drugs and weapons, websites that share child pornography and nazi communities.
The downside of Tor’s anonymity is that it can also be used with nefarious intent.
Make sure you really need the Tor internet browser. Are you leaking confidential information to the media? Then use Tor in a public coffee shop with WiFi to maximise your anonymity. The internet is a lot slower using Tor, however, so don’t use it to stream Netflix 📺. Websites can also see that you’re using Tor to browse the web, which sometimes prompts them to prevent your login attempts. Therefore, it’s not recommended to use Tor to conduct online banking, for instance.
PGP, which stands for Pretty Good Privacy, is used to encrypt the contents and attachments of emails with end-to-end encryption. It’s been one of the best ways to encrypt your emails for years, but it’s also very complicated to use. Think about whether you really need PGP 🤔. It’s easier to use Signal.
If you need PGP but don’t know how to set it up yourself, then check out Keybase first. Keybase is a social network that allows you to encrypt messages with PGP quite easily. Do you need more PGP features, such as file encryption? Reach out to an expert for assistance.
A lot of manufacturers stop updating their routers after a certain time. Therefore, it’s advised to install OpenWrt. The software is available for all sorts of routers and is regularly updated to fix security vulnerabilities 🐛.
OpenWrt doesn’t work with WiFi modems that are provided and managed by your internet provider. You can, however, buy your own router and connect that to your internet provider’s modem. Set your WiFi modem to Bridge/DMZ mode, so the device only forwards the internet connection.
Off The Record (OTR) is a safe way to chat with people, just like Signal. OTR is used with an email address and an app on your desktop (Adium for MacOS and Pidgin for Windows and Linux) or smartphone (Conversations for Android and ChatSecure for iOS). These apps let you chat with other OTR users, but most people would still prefer Signal.
If you’re technically savvy, you can take matters into your own hands and run your own VPN. The easiest option is Algo, which you install on your (preferably new) server. You’ll manage your own secure internet connection and can connect all your devices to it. Because Algo is easy to configure, you can also use it to set up a temporary VPN.
NSA whistleblower Edward Snowden worked on Haven, which is a free Android app that turns your old smartphone into a smart security camera. This won’t be useful unless you think a hacker is trying to physically access your devices to obtain your information, by connecting a malware-infected flash drive to your laptop, for instance.
Haven uses the cameras, microphones, light sensors and accelerometer of a phone to monitor movement and sound. Put the old smartphone in your hotel room, and you’ll be alerted as soon as someone enters the room. Haven also takes pictures and records videos of the intruder. Snowden also refers to Haven as a portable digital watchdog 🐶.
Smartphones are constantly connecting to cell towers to receive phone calls, texts and data. That leaves one heck of a trail of (meta)data, which intelligence agencies can abuse. People at risk, such as journalists, lawyers and politicians, need to be aware of this. An iPod Touch with Signal is a safe way to communicate in such situations. Apple’s music player uses the latest version of iOS, has access to the App Store and allows WiFi calling and messaging via Signal. To create a Signal account, you need a (temporary) phone number. Buy a prepaid SIM card or register a VoIP number. This tip applies to iPads (without LTE functionality) too, although those won’t fit your pocket so easily.
Hackers sometimes try to install their own certificates on your computer, smartphone or tablet, which allows them to keep track of what you’re doing, even when you’re using HTTPS-secured websites. Usually, a victim is lured into installing a certificate on their device to gain access to a public WiFi network. In general, people shouldn’t ever have to install a certificate, so be extra cautious when you’re being asked to do so. If necessary, ask whoever it may concern whether the requested installation is legitimate.
A privacy screen is a screen-film you place on your smartphone, laptop or tablet screen. These screens block viewing angles, except for when you’re looking straight at your screen, making sure that no one can see what you’re doing 👀 on your devices. If your phone is lying face-up on a table, you’ll have to pick it up and look straight at it to be able to read or see anything. Fellowes sells good privacy screens, from 30 to 70 USD.
Yup, ‘USB condom’ sounds pretty gross, but the SyncStop does exactly what that implies: it doesn’t transfer any data, only electricity, when you’re charging a device via the USB port on your computer. This prevents any malware from getting installed on your smartphone or tablet. If you want to charge your device using an unfamiliar computer, the SyncStop prevents all malware attacks.
These two operating systems are for experts only, because they’re difficult to operate. Both Tails and Qubes run from a flash drive that you connect to your computer. Disconnect the flash drive from the computer and your PC will have no recollection of what you’ve done on it in the meantime. Tails protects your privacy and offers all sorts of apps to do so, like Tor, Thunderbird and PGP. Qubes offers the best protection and is used by people who are targeted by (state-sponsored) hackers.
But remember: if you lack technical knowledge, using one of these operating systems can reduce your online security. Sometimes it’s better to stick to devices and services that you’re comfortable with. Don’t use them just because you think it’s safer. And with that important piece of advice, this expansive manual comes to a close.
This expansive manual was created with the help of six professional hackers: Maarten van Dantzig, Rik van Duijn, Melvin Lammerts, Loran Kloeze, Sanne Maasakkers and Sijmen Ruwhof. The wonderful illustrations are made by Laura Kölker. Copy editor Marcel Vroegrijk made sure that everything reads well. The original Dutch version of Watch Your Hack was lovingly translated into English by Kevin Shuttleworth and, once again, edited by Marcel Vroegrijk.
Do you know anyone that could use some security tips and tricks? Send them a link to this website. You could, for instance, use email, Twitter, Facebook and WhatsApp to share the link. Do you have any comments or suggestions? Let me know via Twitter (@danielverlaan) or send me an email.
You can also donate 💰 to support Watch Your Hack. Buy three or more stickers or wire an amount of your choosing via PayPal or iDeal. A donation of 5 USD will take care of the monthly server costs, or I can buy myself a craft beer 🍺. Cryptocurrencies are also accepted: