The threat of ransomware and data theft continues to evolve. Adversaries are increasingly exploiting unpatched network-edge devices, and credential theft and social engineering techniques can turn everyday tools into attack vectors.
That makes practical, prioritized defense matter more than ever.
That’s why Cybersecurity Awareness Month is important across the globe. It allows everyday users to refocus their cybersecurity goals. This year, the National Cybersecurity Alliance’s Cybersecurity Awareness Month theme is “Stay Safe Online,” focusing on accessible habits anyone can adopt to boost online safety — small steps that compound into meaningful risk reduction for individuals, families, and businesses.
In that same vein, we wanted to share 10 quick tips that anyone can implement today to boost their cybersecurity posture and stay safe online. Use this short checklist as a launchpad: adopt the basics consistently, strengthen the controls that matter most, and build routines that keep those protections current and effective.
- Face scans and fingerprints are safer
Use features like Face ID or fingerprints to unlock your devices whenever possible. Biometrics are harder to steal than passcodes, and devices encrypt this data, so it doesn’t leave your phone and can’t be reused or phished. It’s a simple upgrade that makes breaking in a lot harder.
- Stick to trusted app stores
Apps from unofficial sources, such as sketchy websites or unofficial stores, can hide malware and steal your data. Stick to the trusted sources like the Apple App Store, Microsoft Store or Google Play — they scan for harmful content and have security and privacy standards that can identify malicious activity. If an app isn’t listed there, only download the app from the developer’s official website or use the web version instead.
- Embrace polite paranoia
Cybercriminals use urgency to make you act before you think — like a fake “bank” call warning your account is frozen. Security expert Rachel Tobac calls the right response “polite paranoia”: stay calm, stay kind, but verify. Trusted institutions will never ask for sensitive info over the phone or text. If something feels off, control the channel — hang up and call the official number instead. A moment of polite skepticism can stop an attack before it starts.
- Back up your data
While ransomware groups tend to target businesses that can pay big, individuals are not off the hook. If you have sensitive, important data, back it up — regularly and securely. Use a trusted cloud service or a removable storage device you can disconnect when the backup completes. The goal isn’t just to recover data, it’s to remove “paying the ransom” from your list of options entirely.
- Install the update
Don’t swipe away those update reminders. They’re not just about new emojis or fancy features — they fix serious security holes that hackers love to exploit. Exploited vulnerabilities are the No. 1 initial infection vector for ransomware in our annual State of Ransomware report. So, when your phone, computer, smart speaker, game console — anything connected to the internet — asks for an update, say yes.
- Beware of AI-generated “deepfake” videos or phony celebrity endorsements
With the rise of AI-generated video, bad actors are using celebrity deepfakes to spread fake news, “endorse” alleged giveaways and products, and otherwise sow chaos on the internet. Over the past year, there has been a spike in the number of deepfake videos popping up on users’ social media feeds, many of them AI-generated using celebrity likenesses. In one case, musicians Taylor Swift and Selena Gomez seemed to be endorsing Le Creuset cookware, which eventually pointed targeted users to a scam. Another featured comedian and game show host Steve Harvey urging American citizens to claim a “free” prize of $6,400. The quality of today’s deepfake videos can trick even the savviest of internet users, but according to the MIT Media Lab there are still a few obvious giveaways, if you can spot them, including how much the video subject does or doesn’t blink and whether shadows appear correctly.
- Pause before you post
Think twice before sharing personal details online. Cybercriminals can use even innocent bits of information — like your first car, your pet’s name or where you grew up — to guess passwords and answer security questions. Those “fun” quizzes and cute surveys? They can be data traps in disguise. Before you click, post or answer – ask yourself: could this help someone pretend to be me? If the answer is yes, keep it private.
- Use a password manager
Stop juggling dozens of passwords – or worse, using the same one everywhere. A password manager automatically generates and stores complex, unique passwords for each account you use, locked safely behind one strong main password, passkey, and/or multi-factor authentication (MFA). Free or paid, these tools are far more secure than ‘Password123’.
- Don’t take the bait
We have all seen those texts or emails offering a free Amazon gift card or PlayStation 5 if you just fill out a “quick survey” or call a number to provide some personal information. Ignore the link, delete the message, and move on. Your instincts are usually right. And if it sounds too good to be true, it definitely is.
- Move to a more phishing-resistant multi-factor authentication
Use multi-factor authentication (MFA) whenever possible, but go beyond the traditional apps and text message codes that you think of. Ideally, users should be using passkeys or a hardware token, which are both more resistant to phishing attempts that can be little more than a speed bump these days for motivated adversaries. A passkey is a secure, password-free login method that uses cryptographic keys to authenticate your identity, making it easier to use and far more resistant to phishing and hacking than traditional passwords. Alternatively, a hardware security key is a physical device used for secure login that acts as a second factor of authentication, offering strong protection against phishing and unauthorized access by requiring users to tap or insert the key to verify their identity.
Taking a prevention-first approach to cybersecurity, like many of the tips in this blog post, is the first and best way to prevent cyberattacks against any individual or business. If you’re looking to level up your cybersecurity game, visit sophos.com/prevention.