Staying safe on-line

This Web page outlines some of the most valuable and effective things you can do to stay safe on-line from viruses and fraudsters. They may also help protect your privacy from those who want to sell you things (including big corporations and their advertising agents) and from those who want to gather more information about you than you may wish to divulge.

The order of items below is very approximate, depending not only on the security value of each item but also on the ease of doing it. Remember that you can never become 100% secure but each extra item that you can do takes you closer to that goal.

Only do those items that you feel confident about completing successfully. You can always reverse the change or simply abandon doing it.

Where appropriate, make sure that you apply each item to all of your computers. This means desktop computers; laptops; tablets; and (very important) your smartphone. Smartphones usually run Google Android or Apple's iPhone iOS rather than Windows.

1. Absolute essentials: things to be aware of

The main message is that cyber-criminals are extremely clever and very convincing. Think twice about everything before you take action.

Be cautious with incoming e-mails

This item is at the top of the list for good reason. Fraudsters use "social engineering" to persuade you to do something against your own interests. Here are some examples:-

  • An e-mail purporting to be from one of your friends invites you to click on a link or to open an attachment. The link or attachment will then download a virus.
  • An e-mail apparently from a company you deal with asks you for payment by Internet Banking and quotes its Sort Code and Account Number. Phone the company to check if the e-mail is genuine. Then set up a payment for a nominal amount (say, £10); check safe receipt and then send the balance.

For every incoming e-mail:-

  • Check that it really comes from a known correspondent (name plus e-mail address). "From:" addresses are easily forged.
  • Are you expecting them to e-mail you?
  • Is the language, tone and content typical for that correspondent?
  • Don't click on suspicious links and don't open suspicious attachments.
  • If appropriate, phone the alleged sender to check whether they sent it.
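
The first check in the list above can be partly automated. The sketch below is an added example, not part of the original page: it compares the "From:" name and address with an address book, and also looks at the Reply-To and Authentication-Results headers, which the page does not mention. The address book, the sample message and the assumption that your mail provider adds an Authentication-Results header are all constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed address book: display name -> the address you have on record.
KNOWN = {"alice example": "alice@friends.example"}

# Constructed sample message (not a real e-mail).
RAW = """\
From: "Alice Example" <alice@friends-mail.example>
Reply-To: refunds@elsewhere.example
To: you@example.com
Subject: Invoice attached
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=friends-mail.example; dkim=none

Please open the attachment.
"""

def domain(addr):
    """Return the part of an e-mail address after the last '@'."""
    return addr.rpartition("@")[2].lower()

def check_sender(raw, known=KNOWN):
    """Return a list of warnings about the sender headers of one message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    warnings = []
    # Name plus address: a familiar name on an unfamiliar address is a red flag.
    expected = known.get(name.strip().lower())
    if expected is None:
        warnings.append("sender name is not in the address book")
    elif expected != addr:
        warnings.append(f"known name, but address is {addr}, not {expected}")
    # A reply that would go to a different domain than the one shown in From.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and domain(reply_to) != domain(addr):
        warnings.append("replies go to a different domain than From")
    # Verdicts recorded by the receiving mail server, if it adds this header.
    results = msg.get("Authentication-Results", "").lower()
    for mechanism in ("spf", "dkim", "dmarc"):
        if f"{mechanism}=fail" in results:
            warnings.append(f"{mechanism} check failed at the receiving server")
    return warnings

if __name__ == "__main__":
    for warning in check_sender(RAW):
        print("WARNING:", warning)
```

An empty list only means none of these three checks fired; the remaining questions in the list still need a human answer.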

Check your spam (junk) folder regularly. Your e-mail supplier probably has a spam filter, but such filters are by no means accurate: "spam" can be mis-classified as "ham" (genuine e-mails) and vice-versa. However, anything marked as spam should sound warning bells. The best spam filters are those that you can teach when they mis-classify an e-mail. The more you teach them, the better they get, and they learn from the particular patterns of e-mails you receive. Unfortunately, they are uncommon. See our detailed advice on e-mail software; also advice on spam including spam filtering.

Although your e-mail address is not a secret, be selective about who you give it to. Use the "need to know" principle. Do companies and other organisations really need it? Sometimes yes, sometimes no. It's your decision, not theirs.

Beware of cold phone calls

Bear in mind that phone numbers of incoming calls can be spoofed. The fraudster may have gathered information about you to make themselves seem genuine. Your bank will never call you and ask you to take actions or divulge information. A computer manufacturer (such as Microsoft) or printer manufacturer will never call you, ever. When you buy a computer, you are a customer of the company selling it. You are not a direct customer of Microsoft, which knows nothing about you. It certainly doesn't know that you have (allegedly) got a virus.

Check that "secure" sites are secure

We're talking here about any Web site that requires you to enter sensitive, personal information. This includes on-line banking and shopping.

These sites should be secure, so that all information between your computer and the Web site is encrypted. The standard advice is as follows:-

  • The log-on and subsequent pages must begin "https://" ("s" for secure) in the address box.
  • Your browser should display a closed padlock icon to the left of the address box.
  • With most modern browsers you can click on the padlock to get further information. Don't worry about the technical details but look for "good words" rather than words like "insecure" or "unencrypted".

2. Absolute essentials: things to do

These should all be quite straightforward to do but will make a significant improvement to your security. Quick wins, if you like.

Install anti-virus software

The standard advice is to install anti-virus software (including on your smartphone). This is very sound advice but don't assume it's the only thing you need do or that it's 100% reliable. New viruses appear every single day and AV software has to run to keep up. Some viruses are known to disable anti-virus software. Remember that detecting viruses after they have arrived is right at the end of the chain.

Relying on AV software, with its database of virus definitions, is like having a broken window in your house and sitting inside armed with a set of photos of known local criminals. Doesn't it make better sense to fix the broken window?

Make sure that your AV software really is running (e.g. that its licence has not expired) and check that its virus definitions are updated automatically.

See our detailed advice on viruses.

Log on as a Limited User

When you buy a computer running Windows, it usually comes with a single User Account. There are two types of account: Administrator and Limited User. An Administrator Account can do everything, including updating and reconfiguring Windows itself and installing new software (including viruses!). A Limited User Account is blocked from doing these tasks but enables you to do all your day-to-day tasks, like access the Internet to look at Web sites; send and receive e-mail; do word processing etc.

There must be at least one Administrator Account, so your single account will be of this type. Whilst you are using such an account, any virus which runs therefore has the full rights of a system administrator to take over your entire computer. By contrast, if you are logged on with a Limited User Account, any virus that tries to run will not have these rights and so is significantly (although not entirely) thwarted from doing harm.

Have a Limited User Account for day-to-day use. Have an Administrator Account to use only when necessary. There are two ways of doing this.

  1. Use your current, single, Administrator Account to create a second, Limited User, Account. Switch to using the new account for day-to-day use and check, over several days or weeks, that you can still do everything you need.
  2. If you have customised your existing single account, the new account above won't reflect these settings and preferences. You must either customise the new account or use the following method. Also, if you have created your own documents (e.g. word processing, spreadsheets, photos) you must use this method.

    Use your current, single, Administrator Account to create a second Administrator Account (you could call it "Admin"). Log on to this new account and use it to change your first account from the "Administrator" type to the "Limited User" type. This account, which you've been using until now, will have all its settings and preferences preserved plus access to all your documents.

Protect your router: strong password

If you use BT as your broadband supplier, your router is known as your BT Home Hub. Your router is the first point of entry of the Internet into your home, so it's important to make it as secure as possible. If no viruses could get past your router, you would be 100% safe and wouldn't need anti-virus software or anything else!

Read the router instructions on how to access its administrative interface using your browser. It usually involves typing in an address like "". BT Home Hubs are usually "". You will need an ID and password. The default values are often on a label on the back or bottom of the router. Some routers use "admin" as the ID and "password" as the default password (honestly). Change the password to a strong one. If you can, change the ID to something a little less obvious.

You will now be more secure from anyone logging on to your router and reconfiguring it. If your router is remotely hacked into it will put you at serious risk. Fraudsters can redirect your requests for genuine sites to very plausible fake ones. Fortunately, the solution above is quite simple.

Keep Windows and Apps up to date

Software companies update their products regularly to fix security flaws, either with new versions or via security "patches". Microsoft Update is usually set to download and install updates automatically and silently, not just for Windows but for other Microsoft software such as Office. Check that this is the case for you. This doesn't give you any control but at least you don't have to remember to do it.

Remember also to keep your apps (e.g. on your smartphone) up to date. On Android phones, go to Play Store. Click on your account. Choose Manage apps and device to see the list of available updates.

Choose strong passwords

Fraudsters don't guess passwords by hand. They hack into a customer database and use software to guess passwords at the rate of millions of guesses per second.

Different companies use different rules for the passwords they allow. Some will insist on a certain minimum length. Some will insist on at least one punctuation character whilst others will reject such characters!

It's hardly feasible to use a different password for each system, even though we're told we shouldn't reuse passwords. The best advice is to use a password manager, such as LastPass, Dashlane or KeePass. All are free. They will also help you to fill in on-line forms.

If you choose passwords manually, apply the following rules.

  • Use eight characters as an absolute minimum and preferably 9 or 10.
  • Don't use a word that might appear in any dictionary.
  • Don't make use of any word associated with you personally (e.g. your pet's name; a word in your address; mother's maiden name; any other family names; PIN; date of birth).
  • Include one or more characters from each of the following four categories : lower-case; upper-case; digits; punctuation (if allowed).

Two tips for constructing strong passwords (in addition to the above):-

  • Choose a line from a song (or hymn) or favourite passage and use its first letters, e.g. "To begin at the beginning: It is spring, moonless night" would supply "TbatbIismn".
  • Choose 2 or 3 completely unrelated words e.g. "brickunion" which could become "Brick&5Union".
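
The four rules and the first tip can be checked mechanically. The sketch below is an added example, not part of the original page; the tiny word list and the function names are constructed for illustration, and a real check would load a full dictionary.

```python
import string

# Constructed stand-in; a real check would load a full word list.
DICTIONARY = {"password", "sunshine", "dragon", "football"}

# The four character categories named in the last rule.
CATEGORIES = {
    "lower-case": string.ascii_lowercase,
    "upper-case": string.ascii_uppercase,
    "digits": string.digits,
    "punctuation": string.punctuation,
}

def first_letters(line):
    """First tip: take the first letter of each word in a memorable line."""
    return "".join(word[0] for word in line.split())

def check_password(pw, personal_words=(), punctuation_allowed=True):
    """Return the rules that pw breaks; an empty list means it passes."""
    problems = []
    if len(pw) < 8:
        problems.append("fewer than 8 characters")
    if pw.lower() in DICTIONARY:
        problems.append("is a dictionary word")
    for word in personal_words:
        if word and word.lower() in pw.lower():
            problems.append(f"contains personal word '{word}'")
    for name, chars in CATEGORIES.items():
        # Some sites reject punctuation, so that category can be waived.
        if name == "punctuation" and not punctuation_allowed:
            continue
        if not any(c in chars for c in pw):
            problems.append(f"no {name}")
    return problems

if __name__ == "__main__":
    line = "To begin at the beginning: It is spring, moonless night"
    for candidate in (first_letters(line), "Brick&5Union", "sunshine"):
        print(candidate, check_password(candidate))
```

Run on the page's own examples, "Brick&5Union" passes every rule, while "TbatbIismn" still lacks a digit and a punctuation character, which is why the tips apply in addition to the rules.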

Invest in a shredder

A nice low-tech quick win! We're probably slightly safer in our part of the country than in big towns and cities from people going through our rubbish to gather personal information. But it can easily happen. Buy a cross-cut shredder. The shreddings can be added, as "brown waste", to your "green waste" (vegetable peelings) in your compost bin. It's particularly satisfying to turn unasked-for junk mail into useful rich compost.

3. Slightly more advanced

Once you have done all of the items above, these items should still be quite straightforward to do.

Protect your router from remote access

Remote Management allows a user on the Internet to check the status of your router and (re)configure it. A fraudster could gain complete control of your Internet access. Switch it off, using your router's administrative interface. If ever you need to allow it, enable it temporarily. See the earlier item "Protect your router", where you will have set a strong password for the admin interface.

Some broadband suppliers (ISPs) provide you with their own router. They often grant themselves remote access to your router (for whatever reason) and so don't give you an option to disable it.

Keep your software up to date

Web browsers are updated regularly to fix security flaws. They are usually set to download and install updates automatically and silently. Check that this is the case for you. Run Qualys Browser Check to see if your browser is up to date. It's a very good idea to set your browser's preferences not to show a video unless you tell it to. This is known as "click to play".

You may want to check that other software that you use is also up to date.

Because most people keep Windows up to date automatically, fraudsters have turned their attention to exploiting security flaws in other widely used software which may not be up to date. Flash is one example; Adobe Reader is another. Adobe Reader is used to display PDF files, which are often found on Web sites. It's a huge and rather slow program, with frequently discovered security flaws. A lightweight, effective and fast alternative is Sumatra PDF. If all you want to do is download, read and perhaps print PDF files, then Sumatra is both effective and secure.

Block Web site adverts and tracking

Adverts appear frequently on many Web sites. Apart from being annoying, they slow down the downloading and display of Web pages.

Many Web sites contain hidden components called trackers. They track and analyse your browsing behaviour primarily for advertising purposes. They add this information to a unique profile held about you which is sold to companies to display their adverts. Google is the main player. About 80 per cent of Web sites contain Google's trackers.

Removing (or reducing) trackers will help to safeguard your personal information and privacy which in turn will improve your on-line safety and security.

To reduce adverts and tracking, you can use a Web browser that has a built-in ad and tracker blocker. We strongly recommend switching to Vivaldi as your main Web browser.

An alternative is to install a browser extension that blocks ads and trackers, such as Ghostery. Ghostery's primary function is to protect your privacy by blocking trackers and it will therefore block adverts which track you.

AdBlock is another well-reputed browser extension.

For further information on Vivaldi, Ghostery and AdBlock, see our detailed advice on advertising and tracking.

4. Yet more advanced

These items require a little more knowledge and confidence. Even so, some of them just involve running a report and you don't have to take any actions unless you're sure.

Stop unwanted devices from being added to your broadband

UPnP (Universal Plug and Play) allows the barriers in your router's firewall to be overridden so that devices can attach themselves automatically to your router and broadband. For example, you might want to add broadband access from your smartphone. UPnP was only intended for devices to be added to a local network (e.g. your home network) but many home routers wrongly extend it to the Internet so that fraudsters can add remote devices to your router.

You can usually switch it off without problems, although you might have to keep it enabled if you use a Sky box; or if you use Skype; or if you use BitTorrent or play on-line games. When you need to add new devices, you can do so manually. Switch off UPnP using your router's administrative interface (see the earlier router item).

Block malicious Web sites using DNS

If you want to visit the GOV.UK Web site, you enter "" or just "" into your Web browser, or you click on a link with this address. But your browser doesn't immediately go to the GOV.UK site: it goes first to a special Internet computer, called a Domain Name Server (DNS), which looks up the "" domain name and returns the real address of the Web site (the IP address "").

The simple reason for this look-up is that domain names are much more human-friendly than their numeric equivalents.

Your Internet Service Provider (Broadband provider) sets up your computer and router to use its own Domain Name Servers. Many tablets and smartphones use Google Android as their operating system and therefore use Google's DNS. Google therefore records every Web site you visit.

You can use any DNSs you choose.

A few Internet security companies have set up DNSs that block malicious (and optionally adult) Web sites. If, for example, you receive a malicious e-mail and click on a disguised link that actually goes to "" then the DNS won't return its IP address to your browser but will say that the domain name doesn't exist. The (huge) list of malicious Web sites is constantly updated. DNS servers usually come in pairs for reliability.

Cloudflare has a guide to changing your DNS servers. The guide explains how to make the change for your operating system (e.g. Windows, MacOS or Android). Use Cloudflare's test pages to make sure the blocking is working. If not, it's probable that the setting is being overridden by your router. Cloudflare gives instructions for changing your router's DNS settings.

Another organisation is Quad 9, which blocks malicious (but not adult) Web sites.

Qualys SSL Client Test: check your browser's security support

You can run the Qualys SSL Client Test to reassure yourself that your browser satisfactorily supports secure Web sites (just read the top of the report).

Firewall: check its effectiveness

Operating Systems (such as Windows and iOS) usually include a firewall, which goes some way to protect you from attack over the Internet. Your router may also act as a firewall.

The Gibson Research Corporation has a comprehensive on-line tool called ShieldsUP for checking your firewall's effectiveness.

CCleaner: clean up your computer

CCleaner is a well-reputed program for routine cleaning-up of your computer. It has a couple of facilities related to security and privacy. Firstly, you can use it to clear your browser cache (containing recently-visited pages) and your browsing history. Secondly, it lists some of the programs that are launched when you start Windows (Tools – Startup). You can see if there are any programs that you don't want to run in this way and can disable them.

CCleaner is available for Windows and Mac.

5. Further help and advice

Action Fraud is the place to report fraud in the UK of any kind (the local police will generally not take fraud reports but will refer you to Action Fraud). It has some useful general advice too.

Get Safe Online contains a wealth of information and advice – more than can be absorbed in less than several visits, so use it for selective reference.