Total Defense

Security & Safety Resource Center

Learn about today's current internet threats and how to stay safe and secure.

Security Tip of the Day

Daily tips to create awareness of cyber threats and empower Total Defense users to be safer and more secure online with our security tips and resources..


July 2026
07.10.26

Use an external webcam for better privacy: A simple cybersecurity tip that gives you more control

Built-in laptop webcams are convenient, but convenience is not always the same as control. If camera privacy is a concern, using an external webcam can be a smart move because you can physically unplug it when you are done. That makes it much easier to know the camera is truly unavailable, instead of just hoping an app or operating system setting has turned it off correctly. Microsoft notes that camera access on Windows depends on privacy settings and app permissions, and CISA warns that apps with unnecessary permissions can record or livestream audio and video if you allow them.

Why can a built-in webcam be a privacy concern?

Any webcam connected to your device is part of your digital attack surface. If a malicious app, browser tab, or remote-access tool gains access, the camera may become a privacy risk. CISA says some apps can record and livestream audio and video when granted the right permissions, and Microsoft explains that Windows lets users decide which apps can access the camera because that access matters for privacy and security.

This is one reason camera settings should never be “set and forget.” It is worth reviewing which apps can use your camera and turning access off for anything that does not need it. Microsoft provides device-level and app-level controls for camera permissions, while CISA recommends removing apps you no longer use and denying access to functions you do not want an app to have.

Why is an external webcam a practical security upgrade?

The biggest advantage is physical control. When you unplug an external webcam, it is disconnected from the computer. That gives you a simple, low-tech privacy control that software cannot override while the device is unplugged. Even if you trust your laptop’s privacy settings, external hardware adds a second layer of certainty. Microsoft’s support guidance focuses on software permissions, which is useful, but a disconnected device removes the question entirely because there is no connected camera for an app to use.

That kind of simple control matters in today’s threat environment. According to the FBI’s 2024 Internet Crime Report, Americans filed 859,532 internet crime complaints in 2024, with reported losses exceeding $16 billion. That statistic is not webcam-specific, but it is a good reminder that reducing unnecessary exposure is still one of the smartest cybersecurity habits consumers can adopt.

Does an external webcam solve everything?

Not completely. Camera privacy is bigger than hardware alone. CISA says app permissions still matter, and Microsoft notes that desktop apps and browsers may need separate permission checks. That means you should still review camera access settings, keep software updated, and remove apps you do not trust.

An external webcam helps most when you pair it with good cyber hygiene.

How can you secure any webcam better?

Use this quick checklist:

  • Review camera permissions regularly and block apps that do not need access.
  • Remove apps you no longer use from your device. [
  • Keep your operating system and apps updated to reduce security gaps.
  • Unplug an external webcam when you are not using it.
  • If you rely on a built-in webcam, use your system’s privacy controls to limit access.

The bottom line

If you want a simple privacy win, an external webcam is worth considering. It gives you something built-in cameras cannot: the ability to physically disconnect the camera when you are finished. That does not replace software security, but it does give you more control over one of the most sensitive sensors on your device. Pair that with smart permission settings and regular app cleanup, and you have a much stronger camera privacy setup.

07.09.26

Why you should log out of websites and apps when you’re finished

Staying signed in is convenient, but convenience is not always the same as security. Logging out of websites and apps when you are done using them is a simple habit that can reduce the risk of account misuse—especially on shared devices, public computers, or public Wi‑Fi. The FTC specifically advises people not to stay permanently signed in to accounts and says that when you are finished using a site, you should log out.

This matters because active sessions are valuable to attackers. NIST explains that the ability to hijack a session is as damaging as an authentication failure, which is why session management and reauthentication matter so much in modern identity security.

What happens when you stay logged in?

When you log in to a website or app, the service usually creates a session token or cookie so you do not have to enter your password on every page. OWASP notes that once an authenticated session is established, the session ID effectively becomes temporary proof that you are the legitimate user. If that token is stolen or reused, an attacker may be able to impersonate you

That does not mean every saved login is automatically dangerous on a personal device. But it does mean longer-lived sessions create a bigger window for misuse if your device is lost, shared, infected with malware, or used on an insecure network. NIST says shorter and well-managed sessions reduce the risk that a device leaves your control and falls into an attacker’s hands.

Why is logging out a smart cybersecurity habit?

Logging out helps in a few practical ways:

  • It ends the active session instead of leaving it available for someone else to reuse.
  • It is especially important on public or shared devices, where the next user could access your account if you forget to sign out.
  • It reduces the risk tied to unsecured networks, where the FTC warns strangers may hijack your account if you use an unencrypted site on unsafe public Wi‑Fi.

How big is the online crime problem?

The bigger picture is worth remembering. According to the FBI’s official 2024 Internet Crime Report, Americans filed 859,532 internet crime complaints in 2024, with reported losses exceeding $16 billion. Logging out is not a cure-all, but it is one of the small behaviors that can reduce unnecessary exposure in a very active threat environment.

When should you log out right away?

Make it automatic to sign out when you are using:

  • A hotel business center, library, or airport computer.
  • A work-shared kiosk or borrowed device.
  • Public Wi‑Fi for anything sensitive.
  • Financial, email, shopping, healthcare, or social media accounts.

How do password managers make this easier?

One reason people stay signed in is simple: remembering passwords is annoying. The FTC recommends using strong passwords and notes that password managers can generate and store them for you. That means you can safely log out without worrying that sign-in later will become a hassle.

Best practices for safer sessions

Use this quick checklist:

  • Log out when you finish using important accounts.
  • Turn on two-factor authentication for sensitive accounts.
  • Use a password manager so re-login is fast and secure.
  • Avoid accessing sensitive accounts on public Wi‑Fi when possible.
  • Keep your browser, apps, and operating system updated.

The bottom line

Logging out is not old-fashioned—it is smart digital hygiene. It shortens the life of an active session, limits the chance that someone else can reuse your access, and is especially important when you are away from your own trusted device. Pair that habit with a password manager and two-factor authentication, and you get both convenience and stronger protection.

07.08.26

Should you sign in with your Google account? A smarter way to reduce passwords and protect your personal information

Using “Sign in with Google” is one of the easiest ways to create an account without filling out another long registration form or inventing yet another password. Google says this option lets people sign in to third-party apps and websites with the trusted security of a Google Account while reducing dependence on passwords.

That convenience can also be a real security benefit—if your Google account is well protected. Google explains that Sign in with Google reduces the number of apps where passwords need to be stored, securely transfers authentication information, and does not share your Google Account password with the app you are using.

Why can signing in with Google be safer than creating a new account?

Every time you create a brand-new account, you create another place where your information and password may be stored. Google says Sign in with Google can reduce password-related security risks by lowering the number of apps where passwords need to live.

That matters because password attacks still work. Microsoft says multifactor authentication can block more than 99.2% of account compromise attacks, which is a strong reminder that your Google account becomes much safer when you protect it with 2-Step Verification, passkeys, or other strong authentication tools.

What personal information does Sign in with Google share?

Google says the basic information shared at sign-in typically includes your:

  • Name
  • Email address
  • Profile picture

Google also says you can review and manage what data you share with linked apps, and that Google does not use Sign in with Google activity for ads or other non-security purposes.

Why does this help reduce data exposure?

The fewer websites that store your password and personal details, the fewer places there are for criminals to target. Google explicitly says Sign in with Google helps protect against third-party data breaches by limiting how many places your information is stored online.

That does not mean every third-party app is automatically trustworthy. Google also notes that once you consent to share data with a linked app, that developer becomes responsible for how the data is handled, which is why privacy policies still matter.

When should you use Sign in with Google?

It makes the most sense when:

  • The app or website is legitimate and well known.
  • You want to avoid creating and storing another password.
  • Your Google account is already protected with 2-Step Verification or a passkey.
  • You want more centralized control over connected apps.

What are the risks to keep in mind?

Single sign-on creates convenience, but it also means your Google account becomes more important than ever. If that one account is weakly protected, multiple linked services could be at risk. Google’s own security guidance emphasizes using stronger authentication tools like passkeys and 2-Step Verification to secure access.

Best practices before you sign in with Google

Before using it widely, make sure you:

  • Turn on 2-Step Verification.
  • Consider adding a passkey for stronger phishing-resistant protection. [
  • Review connected apps regularly in your Google account.
  • Only use Sign in with Google on sites you trust.

The bottom line

Signing in with your Google account can absolutely be a smarter, more secure option than creating a new password for every website—especially when it reduces password reuse and limits how many places store your information. But the real security benefit depends on one thing: how well you protect your Google account itself.

07.07.26

Should you delete an unused Facebook account? A simple cybersecurity move that can reduce your risk

If you no longer use Facebook, it may be smart to do more than ignore the app—it may be time to delete the account. An old social media profile can still hold years of personal information, old photos, contact details, login history, and connected settings, even if you have not posted in ages. Meta says Facebook account deletion and data-download controls now live in Accounts Center, which also manages security settings like password and two-factor authentication.

Why can an unused Facebook account become a security risk?

Dormant accounts are easy to forget, and forgotten accounts are harder to monitor. If you are not checking login alerts, recovery settings, or suspicious messages, you may not notice if someone tries to access the account. The FTC warns that hacked social media accounts can expose personal information and can be used to scam other people, spread malware, or support identity theft.

The broader threat environment is real. According to the FBI’s 2024 Internet Crime Report, Americans filed 859,532 internet crime complaints in 2024, with reported losses exceeding $16 billion. That does not mean every unused Facebook account will be attacked, but it is a good reminder that old digital accounts still sit inside an active cybercrime landscape.

What information can still be tied to an old Facebook account?

Even an abandoned account may still include:

  • Photos and videos you uploaded over the years.
  • Contact details, birthday, and profile information.
  • Security settings, login activity, and recovery options.
  • Connected Meta experiences through Accounts Center.

That is why “I never use it” is not the same thing as “it no longer matters.”

Should you delete Facebook or just deactivate it?

If you might come back, deactivation can be the lighter option. Meta says Accounts Center gives you the choice to delete or deactivate your account, so you do not have to make an all-or-nothing decision right away.

If you know you are done with Facebook, deletion is usually the cleaner privacy and security move because it removes the old profile from active use instead of leaving it sitting unattended. Before you do that, though, save anything you care about. Meta says you can download your information from Accounts Center before deleting the account.

What should you do before deleting your Facebook account?

Use this quick checklist:

  • Download your photos, videos, and other account data first.
  • Review your password, two-factor authentication, and login activity before making changes.
  • Check recovery email addresses and phone numbers so nothing outdated is left behind.
  • If you are not ready to delete, deactivate the account instead of leaving it ignored.

How do you delete it?

Meta says you can manage deletion through Accounts Center help, where Personal details includes the option to delete or deactivate your account, and Your information and permissions includes the option to download your data first.

If Facebook is no longer part of your life, leaving an old profile unattended is usually not the safest option. Deleting or deactivating it, backing up what matters, and reviewing your security settings is a simple way to reduce unnecessary digital exposure. It is a small cleanup task that can make your online life a little tighter and safer.

07.06.26

Don’t click “unsubscribe” in a spam email: How to avoid phishing, malware, and inbox-targeting scams

That “unsubscribe” link at the bottom of a shady email can look harmless, but in the wrong message, clicking it can make things worse instead of better. Cybersecurity experts generally recommend a simple rule: if the email looks suspicious, don’t click anything in it — including unsubscribe links. The safer move is usually to mark the message as spam or junk and delete it. FTC phishing guidance NIST phishing guidance [consumer.ftc.gov], [nist.gov]

Why is the unsubscribe button risky in spam email?

In a legitimate marketing email from a company you recognize, the unsubscribe link is usually there because U.S. law requires commercial senders to offer an opt-out method. The FTC’s CAN-SPAM guidance says compliant commercial email must include a clear way to stop future marketing messages.

But spam and phishing emails are different. Attackers can use fake unsubscribe links to:

  • Confirm that your email address is active and monitored
  • Redirect you to a phishing page or malware-laced website
  • Trick you into entering your password or other personal information

That is why NIST specifically advises people not to click any link in a phishing email, including unsubscribe.

How common are phishing emails right now?

This is not a niche problem. According to the FBI’s 2024 Internet Crime Report, phishing/spoofing generated 193,407 complaints in 2024, making it one of the most reported cybercrime categories in the United States.

The FTC also says email was the top method scammers used to contact people in 2024, which is a good reminder that your inbox is one of the main places criminals try to trick you.

When is it okay to unsubscribe?

If the message is clearly from a business you know, expected, and trust — like a retailer you actually signed up with — unsubscribing can be reasonable. The FTC notes that legitimate commercial emails are supposed to include a working opt-out method.

A good test is this:

  • You recognize the sender and expected the email.
  • The email is not creating panic or urgency.
  • You can verify the company independently through its real website.

If any of those are missing, treat the email as suspicious.

What should you do instead of clicking unsubscribe?

If the message looks spammy or suspicious, do this:

  • Mark it as spam or junk so your email provider learns to filter similar messages.
  • Do not click links or download attachments in unexpected emails.
  • Report phishing emails to your provider or forward them to the Anti-Phishing Working Group if appropriate.
  • Delete the message after reporting it.

How can you reduce spam and phishing risk long term?

A few smart habits go a long way:

  • Use strong spam filters from major email providers.
  • Turn on two-factor authentication for important accounts.
  • Be skeptical of emails that ask you to act fast, log in, or “fix” an account problem
  • Visit companies directly through your browser instead of email links.

The bottom line

The unsubscribe button is fine in a real marketing email from a trusted sender. But in spam or phishing email, it can be a trap. If the message feels off, don’t interact with it. Mark it as spam, report it, and move on. That one small habit can help protect your inbox, your passwords, and your identity.

07.05.26

Sign in with Google or Facebook? Enable two-factor authentication immediately

Using your Google or Facebook account to sign in to websites and apps is incredibly convenient. Instead of creating a new username and password every time, you can simply click “Continue with Google” or “Continue with Facebook” and get instant access.

But there’s a catch.

When you use a Google or Facebook account as your primary login method, that single account becomes the key to dozens—or even hundreds—of other accounts. If a cybercriminal gains access to it, the damage can be significant.

That’s why enabling two-factor authentication (2FA) is one of the most important cybersecurity steps you can take.

Why is signing in with Google or Facebook so popular?

Single sign-on (SSO) services make online life easier by allowing you to:

  • Skip lengthy registration forms
  • Avoid creating new passwords
  • Sign in faster across websites
  • Reduce password fatigue
  • Manage fewer login credentials

From shopping sites and streaming services to productivity tools and mobile apps, many platforms now support Google and Facebook login options.

While convenient, this approach also creates a single point of failure if your primary account is compromised.

What happens if your Google or Facebook account gets hacked?

If attackers gain access to your Google or Facebook account, they may also gain access to connected services.

Potential risks include:

  • Account takeovers
  • Identity theft
  • Access to personal information
  • Unauthorized purchases
  • Social media abuse
  • Email compromise
  • Password reset abuse

Because many websites trust Google and Facebook identity verification systems, a compromised account can create a domino effect across multiple platforms.

What is two-factor authentication?

Two-factor authentication adds a second layer of security beyond your password.

After entering your password, you’ll be required to verify your identity using another factor, such as:

Even if a cybercriminal steals your password through phishing, malware, or a data breach, they still need the second factor to gain access.

Does two-factor authentication really work?

Yes.

According to Microsoft, more than 99.9% of compromised accounts do not have multi-factor authentication enabled, demonstrating the effectiveness of MFA in preventing account compromise. Microsoft’s security guidance also notes that MFA can block the vast majority of automated account attacks. Read more in Microsoft’s security documentation and blog guidance on MFA.

That makes 2FA one of the highest-impact security measures available to consumers.

How do you enable two-factor authentication on Google?

To enable 2FA for your Google Account:

  1. Open your Google Account settings.
  2. Select Security.
  3. Navigate to 2-Step Verification.
  4. Follow the setup instructions.
  5. Choose your preferred authentication method.

Google supports:

  • Authenticator apps
  • Security keys
  • Google prompts
  • Backup codes

Authenticator apps and security keys generally provide stronger protection than SMS-based codes.

How do you enable two-factor authentication on Facebook?

For Facebook:

  1. Open Settings & Privacy.
  2. Select Accounts Center.
  3. Choose Password and Security.
  4. Select Two-Factor Authentication.
  5. Complete the setup process.

Facebook supports multiple verification options, including authenticator apps and security keys.

Best practices for protecting single sign-on accounts

If you frequently use Google or Facebook login buttons:

✅ Enable two-factor authentication

✅ Use a strong unique password

✅ Watch for phishing emails and messages

✅ Regularly review connected apps

✅ Remove unused third-party access

✅ Keep account recovery information updated

✅ Monitor login activity

The bottom line

Signing in with Google or Facebook can make your online experience faster and more convenient. But because those accounts often unlock access to many other services, protecting them should be a top priority.

Enabling two-factor authentication takes only a few minutes and can help prevent account takeovers, identity theft, and unauthorized access across your digital life.

07.04.26

Cybersecurity and July 4th: How to avoid travel scams, public Wi‑Fi risks, and phishing over the holiday weekend

July 4th is a time for road trips, cookouts, fireworks, and quick online bookings—but it also creates the kind of rushed, distracted moments scammers love. Federal agencies warn that travel, public Wi‑Fi, fake invitations, and oversharing on social media can all raise your cybersecurity risk when you’re away from home.

The threat is not hypothetical. According to the FBI’s 2024 Internet Crime Report, Americans filed 859,532 internet crime complaints in 2024, with reported losses exceeding $16 billion. The FBI also said phishing/spoofing was one of the top cybercrime categories, which matters during a holiday weekend filled with texts, emails, bookings, and account logins.

Why does July 4th create extra cybersecurity risk?

Holiday weekends usually mean people are booking last-minute rentals, connecting to hotel or airport Wi‑Fi, and checking messages from airlines, friends, or event hosts while on the go. CISA says travel increases exposure to cyberattacks, and the FCC warns that public Wi‑Fi and Bluetooth connections can expose sensitive information if users connect carelessly.

That mix of urgency and convenience is exactly what scammers exploit. The FTC recently warned about fake summer party invitations sent by text and email that try to steal email logins or passcodes, and the FTC also warns that fake rental listings can grab your money before you realize the property is not real.

How can you stay safer on public Wi‑Fi?

Public Wi‑Fi is convenient, but it is not always trustworthy. The FCC says cyber thieves can create imposter hotspots that mimic legitimate networks, while CISA recommends confirming the network name and login process with staff before connecting.

Use these quick habits:

  • Verify the hotspot name with staff before you connect.
  • Look for https on every page where you enter information.
  • Turn off auto-connect so your phone does not join unknown networks automatically.
  • Use a trusted VPN if you regularly rely on public Wi‑Fi.
  • Avoid online banking or purchases on public Wi‑Fi when possible; the FCC specifically recommends not using public Wi‑Fi to access bank accounts.

What July 4th scams should you watch for?

Be especially skeptical of messages that create urgency. The FTC says fake “You’re invited” texts and emails may impersonate real invitation platforms and ask for your email password or a special code to view event details.

Watch for these red flags:

  • A party invite that asks for your email password or login code.
  • A vacation rental that looks unusually cheap or pressures you to pay fast.
  • Requests to pay by wire transfer, gift card, or cryptocurrency.
  • A message that tells you to click now or lose a reservation, account, or deal.

Should you post your July 4th plans in real time?

Probably not. CISA advises people not to tell the social media world they are away from home, to disable geo-tagging, and to wait until they return to post travel photos. That guidance reduces the amount of location and timing data criminals can use against you.

Your July 4th cybersecurity checklist

Before the holiday weekend starts:

  • Update your devices and apps.
  • Enable multi-factor authentication on email, banking, and social media accounts.
  • Back up important data.
  • Verify bookings directly on official websites.
  • Use your mobile data instead of public Wi‑Fi for sensitive tasks.

The bottom line

Good July 4th cybersecurity is really about slowing down. If you verify networks, avoid suspicious links, protect your logins, and keep vacation details off social media until you get home, you can lower your risk and enjoy the holiday with a lot more peace of mind.

07.03.26

Let Google create unique passwords for you: One of the easiest ways to improve your online security

Creating strong, unique passwords for every account can feel impossible. Most people have dozens—if not hundreds—of online accounts, making it tempting to reuse the same password repeatedly.

Unfortunately, password reuse is one of the biggest cybersecurity risks consumers face today.

That’s where Google Password Manager can help. Built directly into Chrome and your Google Account, it can automatically generate strong passwords, save them securely, and fill them in when needed. The result is better security with less effort.

Why should you use unique passwords for every account?

When cybercriminals obtain your password through a data breach, they rarely stop at a single account.

Instead, they use automated attacks known as “credential stuffing” to test the same username and password combination on multiple websites.

According to Google’s Password Checkup research, the company has identified more than 4 billion usernames and passwords exposed through third-party data breaches, demonstrating just how widespread compromised credentials have become. You can learn more in Google’s official Password Checkup announcement.

Using a different password for every account dramatically reduces the impact of a breach because one compromised password won’t unlock multiple accounts.

How does Google’s password generator work?

Google Password Manager can automatically create a long, random password whenever you sign up for a new account.

Instead of trying to invent a secure password yourself, Google generates one that is:

  • Strong
  • Unique
  • Difficult to guess
  • Saved automatically for future use

Google then securely stores the password in your Google Account so you don’t have to memorize it.

How do you enable Google’s password-saving feature?

The feature is usually enabled by default, but you can check your settings:

  1. Click your profile picture in Chrome.
  2. Select Passwords or Google Password Manager.
  3. Turn on Offer to Save Passwords.
  4. Visit a website where you’d like to create an account.
  5. Click inside the password field.
  6. Select Use Suggested Password when prompted.

If the suggestion doesn’t appear:

  • Right-click the password field.
  • Choose Suggest Password.

Google will automatically save the new password for future logins.

Is Google Password Manager safe?

Google designed Password Manager to help users avoid common password mistakes like reuse and weak credentials.

In addition to generating passwords, it can also:

  • Identify compromised passwords
  • Detect reused passwords
  • Flag weak passwords
  • Recommend security improvements

Google recommends changing passwords immediately if they are identified as compromised.

Should you still use two-factor authentication?

Absolutely.

Strong passwords are important, but they should be combined with multi-factor authentication (MFA) whenever possible.

MFA adds an extra layer of protection by requiring:

  • A password
  • A second verification step

Examples include:

  • Authentication apps
  • Security keys
  • Push notifications

Even if an attacker obtains your password, MFA can help prevent unauthorized access.

Best practices for password security

For maximum protection:

✅ Use a unique password for every account

✅ Let Google generate strong passwords

✅ Enable multi-factor authentication

✅ Regularly review compromised password alerts

✅ Avoid sharing passwords

✅ Update passwords after a data breach

✅ Keep your Google Account secure

Managing dozens of passwords doesn’t have to be difficult. Google’s built-in password generator makes it easy to create strong, unique credentials for every account without memorizing them all.

When combined with multi-factor authentication, this simple feature can significantly reduce your risk of account compromise, credential stuffing attacks, and identity theft.

07.02.26

Change your passwords after a data breach notification: What to do immediately to protect your accounts

Receiving a data breach notification can be alarming, but ignoring it can be even more dangerous.

When a company notifies you that your information may have been exposed, there’s a good chance cybercriminals have access to at least some of your account data. One of the most important steps you can take is changing your password immediately—and if you’ve reused that password elsewhere, updating those accounts too.

Good password hygiene remains one of the most effective ways to protect your digital life.

What should you do after a data breach notification?

The first priority is determining what information was exposed.

A breach may involve:

  • Usernames
  • Passwords
  • Email addresses
  • Payment information
  • Personal data
  • Security questions

If passwords were part of the breach, assume the exposed password is no longer safe to use.

Security experts recommend changing affected passwords as soon as possible and reviewing other accounts that may be using the same credentials. Google similarly advises users to change compromised passwords immediately when detected through Password Checkup.

Why is changing your password so important?

Once credentials appear in a breach dataset, cybercriminals often use automated tools to test those usernames and passwords across hundreds of websites.

This attack method is known as credential stuffing.

According to Google’s Password Checkup initiative, the company has identified more than 4 billion usernames and passwords exposed through third-party data breaches, highlighting the enormous scale of compromised credentials circulating online. You can read more in Google’s official Password Checkup resources and guidance.

The longer you wait to update exposed credentials, the greater the chance attackers will try to access your accounts.

Should you change all your passwords?

If you reuse passwords, the answer is yes.

Many consumers unknowingly use the same password for:

  • Email accounts
  • Shopping websites
  • Streaming services
  • Social media platforms
  • Banking accounts

If one account is breached, attackers may gain access to several others using the same login information.

Start by updating:

  • Your email account
  • Financial accounts
  • Password manager account
  • Social media profiles
  • Cloud storage services

These accounts often provide access to additional personal information.

How do you create a strong password?

A strong password should be:

  • Long and unique
  • Difficult to guess
  • Different for every account
  • Random whenever possible

Avoid using:

  • Birthdays
  • Pet names
  • Common words
  • Reused passwords

The easiest solution is to use a trusted password manager that can generate and store unique credentials for every account.

Why should you enable two-factor authentication?

Changing a password is important, but adding two-factor authentication (2FA) provides another layer of protection.

With 2FA enabled, attackers typically need:

  1. Your password
  2. A second verification factor

Examples include:

  • Authentication apps
  • Security keys
  • Push notifications

Even if a password is exposed in a breach, 2FA can significantly reduce the risk of unauthorized access.

How can you check whether your accounts have been exposed?

Several tools can help identify compromised credentials, including:

  • Google Password Checkup
  • Password manager security reports
  • Breach monitoring services

Regularly reviewing account security helps you catch potential problems before criminals exploit them.

Data breach response checklist

If you receive a breach notification:

✅ Change affected passwords immediately

✅ Update any reused passwords

✅ Enable two-factor authentication

✅ Review account activity

✅ Monitor financial statements

✅ Update security questions if necessary

✅ Use a password manager going forward

The bottom line

A data breach notification should never be ignored. While you can’t control whether a company experiences a breach, you can control how quickly you respond.

Updating passwords, eliminating password reuse, and enabling two-factor authentication are among the most effective steps you can take to protect your accounts and reduce your risk of identity theft or account takeover.

07.01.26

Don’t access your banking app on public Wi‑Fi: How to protect your money while traveling

Public Wi‑Fi is everywhere—airports, hotels, coffee shops, restaurants, and shopping centers. While these networks are convenient, they can also expose you to cybersecurity risks if you’re not careful.

One of the safest habits you can adopt is avoiding online banking and other financial activities while connected to public Wi‑Fi. If you need to check your bank account, transfer funds, or pay bills, it’s best to use a trusted cellular connection or a secure VPN.

Is it safe to use online banking on public Wi‑Fi?

The answer depends on the network and your security practices.

The Federal Trade Commission (FTC) notes that public Wi‑Fi security has improved significantly because most modern websites and apps use encryption. However, scammers continue to exploit public networks using fake hotspots, malicious websites, and phishing techniques designed to steal sensitive information.

Even if your banking app encrypts your data, connecting through an untrusted network can increase your overall risk.

What are the risks of using banking apps on public Wi‑Fi?

Cybercriminals frequently target travelers and remote workers using public hotspots.

Potential threats include:

  • Fake Wi‑Fi networks that mimic legitimate hotspots
  • Phishing pages designed to capture usernames and passwords
  • Malware downloads from malicious websites
  • Session hijacking attacks
  • Credential theft through unsecured connections

The FCC warns that public Wi‑Fi networks can expose sensitive financial information if users are not careful about how they connect and what information they transmit.

How do hackers create fake Wi‑Fi networks?

One common tactic is the “evil twin” attack.

A cybercriminal creates a hotspot with a name similar to a legitimate network, such as:

  • Airport_Free_WiFi
  • HotelGuestWiFi
  • CoffeeShop_WiFi

Unsuspecting users connect to the fake network and unknowingly expose browsing activity, login credentials, and other sensitive information.

The FCC specifically recommends verifying hotspot names before connecting.

What should you do instead?

If you need to access financial information while away from home:

Use your mobile data connection

A cellular network is generally safer than an unknown public hotspot because it is managed by your mobile carrier and is less vulnerable to local network attacks.

Use a trusted VPN

A Virtual Private Network (VPN) encrypts traffic between your device and the internet, providing an additional layer of protection when using public networks. The FCC recommends considering a VPN when regularly using public Wi‑Fi.

Enable multi-factor authentication

Protect banking, email, and financial accounts with multi-factor authentication (MFA). Even if a password is compromised, MFA can help prevent unauthorized access.

How can you stay safe on public Wi‑Fi?

Follow these cybersecurity best practices:

  • Verify the network name with staff.
  • Use websites and apps that utilize HTTPS encryption.
  • Keep devices updated.
  • Avoid logging into financial accounts when possible.
  • Turn off automatic Wi‑Fi connections.
  • Use strong, unique passwords.
  • Enable MFA on important accounts.
  • Disconnect from Wi‑Fi when you’re finished using it.

The bottom line

Public Wi‑Fi isn’t always dangerous, but it’s not the ideal place to access sensitive financial information. If you need to use your online banking app in public, protect yourself with a trusted VPN or use your cellular network instead.

A few extra precautions can help keep your money, personal information, and financial accounts safe from cybercriminals.