CyberShoulder

Guidance: For Individuals

You’ll find simple, helpful advice on this page that you can use straight away. If anything is unclear, please ask.


Contact us.

(last updated: 16/06/2025)

Skip to the relevant section

  • 🔐 Use 2-Step Login (2FA)
  • 🕷 Have antivirus on your devices
  • 🔑 Use Strong Passwords
  • 🔁 Don’t Reuse Passwords
  • 🧠 Think Before You Click
  • ⬆ Update your devices
  • 🦜 Be careful what you share
  • 🔒 Lock your device

🔐 Use 2-Step Login (2FA)

🧾 What is it?


2-step login (also called two-factor authentication, or 2FA) adds a second layer of security to your online accounts.


Instead of just using a password, you'll be asked for something else — like a code sent to your phone, an app-generated code, or a fingerprint. This means that even if someone knows your password, they still can't get in without the second step.


🚨 Why it matters

 

Passwords can be guessed, stolen, or leaked in data breaches. It happens more than you think. 2-step login makes that password alone useless to a scammer.


That’s why most major services now offer it — and why we strongly recommend turning it on.


🧠 Common real-world examples


  • You enter your Gmail password → then a 6-digit code is sent to your phone
  • You log into your bank → then confirm with a code from an app or SMS
  • You open Facebook → then approve the login through a mobile notification


📱 Types of 2FA (ordered best to worst)


  1. Biometrics: Fingerprint, Face ID
  2. Authenticator App: Apps like Google Authenticator or Authy
  3. SMS Code: A text sent to your phone
  4. Email code: A code sent to your email


Always enable 2FA on your email account first as it’s often used to recover other accounts.



✅ Where to turn it on

Most big services support 2FA.


Here are direct guides:


  • Gmail (Google)
  • Facebook
  • Microsoft / Outlook
  • Amazon
     

You’ll usually find it under:


  Settings > Security > Two-Factor Authentication or 2-Step Verification


📩 Need help?


Send us a message and we’ll walk you through it step by step.


🕷 Have antivirus on your devices

📄 What is it?


Antivirus software helps protect your device from harmful software (known as malware) that can steal your data, damage files, or give someone remote access to your computer.


It checks files, websites, and downloads in the background — and alerts you if something seems dangerous.


🛡️ Why it matters


Even if you’re careful, mistakes happen. A single click on a bad link or download can install malware without you realising.


Antivirus gives you a second chance — catching threats before they cause harm.


Most antivirus tools also block phishing websites, scam pop-ups, and fake downloads.


💻 Common real-world examples


  • You download a file, but it’s hiding a virus: Antivirus warns and blocks it.
  • You visit a fake website pretending to be your bank: Antivirus stops the page from opening.
  • A scam email tries to trick you into installing a “security tool”: antivirus catches it.


✅ Best practices


  • Make sure antivirus is turned on. Don’t ignore system warnings
  • Let it run automatic scans
  • Keep it updated so it recognises new threats
  • Don’t run two antivirus programs at the same time as they can clash
  • If you get a warning from your antivirus, stop and read it carefully. Don’t rush to click past it.



✅ Good AV Tools

All devices should have antivirus, including phones and computers.


Here are antivirus tools we trust. They’re safe, effective, and won’t pressure you into paying.


Recommended computer AV:


  • Bitdefender
  • Norton 360
  • Malwarebytes (premium)
     

Recommended phone AV:


  1. Bitdefender Mobile Security
  2. ESET Mobile Security (Android)
  3. Avast Security & Privacy (iOS and Android)


📩 Need help?


Send us a message and we’ll support you in any way we can.


🔑 Use Strong Passwords

📄 What is it?


A strong password is one that’s hard for someone else to guess — even if they know things about you.


It’s long, unique, and not based on names, birthdays, or simple words.

The best passwords often look strange, or are made of several unrelated words.


🛡️ Why it matters


Weak passwords are easy to crack. If someone can guess your password or it’s leaked in a data breach, they could get into your email, bank, or social media accounts.


🧠 Common real-world examples


  • You use your pet’s name and birth year — someone close to you might guess it
  • You reuse the same password across websites — if one gets hacked, they all do
  • You pick something simple to remember — but so do millions of others
  • Once someone has access to your email, they can reset other accounts too.


🔐 Tips for strong passwords


A strong password doesn’t have to be hard to remember! A password like “Yellowcandle-Horse-Bus1?” is better than “Summer2023!”


  • Choose a password longer than 12 characters if you can
  • Don’t use names, birthdays, or anything someone could guess
  • Avoid common passwords like 123456, qwerty, or password1
  • Use a password manager to help create and store your logins
  • Never reuse passwords for important accounts like email or banking
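The tips above, written as a small checker plus a passphrase generator. This is an added example, not part of the original page. The word list is a constructed mini list, and the "single word plus digits" rule is an assumed heuristic for passwords shaped like “Summer2023!”.

```python
import re
import secrets

# The three common passwords named on this page; real checks use far larger lists.
COMMON_PASSWORDS = {"123456", "qwerty", "password1"}

# Constructed mini word list for the demo. A real generator needs thousands of
# words (the EFF long list has 7,776) so the combination is hard to guess.
WORDS = ["yellow", "candle", "horse", "tractor", "violin", "pebble", "lantern", "walnut"]

def check_password(password, personal_details=()):
    """Return the list of tips from this section that the password breaks."""
    problems = []
    lowered = password.lower()
    if len(password) <= 12:
        problems.append("not longer than 12 characters")
    if lowered in COMMON_PASSWORDS:
        problems.append("common password")
    for detail in personal_details:
        # Names, birthdays, pet names: anything someone could find out about you.
        if len(detail) >= 3 and detail.lower() in lowered:
            problems.append(f"contains personal detail: {detail}")
    # Assumed heuristic: one word, then digits, then an optional symbol.
    if re.fullmatch(r"[A-Za-z]+\d{1,4}[^A-Za-z0-9]?", password):
        problems.append("single word plus digits")
    return problems

def generate_passphrase(word_count=3):
    """Several unrelated words, picked with a cryptographic random source."""
    words = [secrets.choice(WORDS).capitalize() for _ in range(word_count)]
    return "-".join(words) + str(secrets.randbelow(10)) + secrets.choice("?!#%")

if __name__ == "__main__":
    for candidate in ["Yellowcandle-Horse-Bus1?", "Summer2023!", "password1"]:
        print(candidate, "->", check_password(candidate) or "no problems found")
    print("Bella2015 ->", check_password("Bella2015", ["Bella", "2015"]))
    print("generated:", generate_passphrase())
```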



✅ Password Manager

Passwords don’t have to be a headache.


Using a password manager means you only need to remember one strong password. It handles the rest safely.


Our recommended tools:


  • Bitwarden
  • 1Password (paid)
  • NordPass


Not ready for one yet?


Browsers like Chrome, Safari, and Edge have built-in password saving. That is still far better than reusing passwords or writing them down.


👉 Just make sure your browser account (like Google or Apple ID) uses a strong password and 2-step login.


📩 Need help?


Send us a message and we’ll walk you through it.


🔁 Don’t Reuse Passwords

📄 What is it?


Reusing the same password across multiple websites might feel convenient, but it’s one of the easiest ways to get hacked.


If one website is breached and your password is exposed, attackers often try it on other sites to see what else they can access.


🔓 Why it matters


Many attacks today don’t come from guessing your password; they come from using already leaked ones.


This is called a credential stuffing attack and it works when people use the same password everywhere.


Once someone has access to your email, they can take control of your other accounts, often without you noticing.


⚠️ Real-world example


  1. A shopping website gets hacked. Your password from there also works for your email.
  2. Using your email account, someone resets your Amazon password.
  3. You don’t notice for weeks until an unexpected payment alerts you.


✅ What to do instead


  • Use a different password for every important account
  • Prioritise your email, banking, and social media first
  • Use a password manager to keep track so you don’t have to (see our suggestions above)
  • If you're not ready for a manager, use your browser’s built-in password saving



✅ Password leaked?

You can check your email or login against known data breaches using this trusted tool:


haveibeenpwned.com

(just enter your email)


If any accounts show up, change those passwords immediately, and make sure they’re no longer used anywhere else.


📩 Need help?


Send us a message and we’ll walk you through it.


🧠 Think Before You Click

📎 What it is


Links, attachments, or pop-ups can look harmless but one careless click can lead to malware, scams, or stolen information.


❗ Why it matters


Most scams rely on you clicking before you’ve had time to think.


Even something as simple as a fake delivery text or “your account is locked” email can trick people into handing over passwords or downloading malware.


🧾 Real-world examples


  • A fake email pretending to be from your bank asks you to “verify your details”
  • A text claims your parcel is being held and links to a payment site
  • A popup says you’ve won something or your device is infected


✅ What to do


  1. Pause before you click. Was it expected? Does it feel urgent or odd?
  2. Check the sender or link. Hover over it or long-press on mobile — does it match who it claims to be?
  3. Don’t open attachments from strangers. Even if it says "Invoice" or "Job Offer"
  4. When in doubt — don’t click. Ask someone, or go directly to the website instead



🔍 Spot the fake

Scammers often copy real company logos, colours, and sender names.

But they can’t hide the warning signs:


  • A strange email address
  • Spelling errors or weird wording
  • A sense of panic or urgency
  • A message you weren’t expecting


If you are unsure, never interact.


📩 Need help?


Send us a message and we’ll walk you through it.


⬆ Update your devices

🛠 What it is


Device updates fix bugs and close security gaps. These updates come from the makers of your phone, computer, apps, or antivirus tools.


❗ Why it matters


Cybercriminals often look for devices that haven’t been updated — because they’re easier to break into.


Even small updates can fix serious flaws that hackers could use to steal your data or install spyware.


💡 Real-world examples


  • A security hole in your phone lets someone track your activity
  • An outdated web browser lets fake ads install malware
  • A known bug in an app exposes your private info


✅ What to do


  1. Turn on automatic updates wherever you can
  2. Don’t ignore reminders — install updates when they appear
  3. Restart your device after updating so changes take effect
  4. Keep apps you use (especially browsers, banking, antivirus) up to date
  5. Remove apps you don’t use anymore — they still collect data or pose risks



⚙️ How to..

You can check for updates on your devices easily. Click the links below for guidance:


  • Windows
  • macOS
  • iPhone
  • Android
  • Chrome


📩 Need help?


Send us a message and we’ll walk you through it.


🦜 Be careful what you share

📎 What it is


Scammers and hackers can use personal details you share online, even small ones, to trick or impersonate you.


This includes things like your birthday, job, location, or family info.


🚩 Why it matters


The more someone knows about you, the easier it is to:


  • Guess your passwords or security questions
  • Pretend to be you (or someone you trust)
  • Target you with believable scams


Even an innocent photo or comment can give away useful info.


💡 Real-world examples


  1. A scammer sees a birthday post, then guesses your password.
  2. Someone uses your pet’s name from Instagram to answer a security question.
  3. A photo of your home reveals your address or car registration.


✅ What to do


  1. Keep personal details private on social media (e.g., birthdays, schools, family names)
  2. Avoid oversharing in public groups or comments
  3. Think before you post pictures that show your location or valuables
  4. Don’t use info you’ve shared publicly as your password or PIN
  5. Review your privacy settings regularly



🔐 Don't Overshare

Public posts can give scammers what they need.


Be careful sharing:


  • Birthdays or anniversaries
  • Pet names or children’s names
  • Your home, car, or street signs in photos
  • Job titles or employer info
  • Holiday plans or live locations


📩 Need help?


Send us a message to talk about this topic.


🔒 Lock your device

📎 What it is


Locking your device means adding a PIN, password, fingerprint, or face recognition to stop anyone accessing it without your permission.


It applies to your phone, laptop, tablet, or anything else that holds personal info.


🚨 Why it matters


If someone gets hold of your device and it’s not locked, they could:


  • Read your messages and emails
  • Access your saved passwords and accounts
  • View personal photos, files, or notes
  • Pretend to be you online
  • Steal your identity


Even a short time with an unlocked device can do real damage.


💡 Real-world examples


  • Your phone is stolen and the thief reads your saved 2FA codes.
  • Someone picks up your tablet and buys items using autofill.
  • You leave your laptop open — and someone accesses your work or private files.


✅ What to do


  1. Always set a screen lock (PIN, password, fingerprint, etc.)
  2. Make sure your device locks automatically after a short time
  3. Don’t share your unlock code or pattern
  4. Use fingerprint or face ID if available — it’s quick and secure
  5. Enable device tracking (like Find My Phone) just in case



🧾 Small habits help

A few simple habits can help greatly:


  1. Lock your device when stepping away, even at home
  2. Don’t let others borrow your phone without supervision
  3. Set a backup unlock method, just in case


📩 Need help?


Send us a message to talk about this topic.

