Digital Hygiene

Secure your technology, your finances, and your personal privacy in a connected world.

By: Mykolas Lundqvist


To the Reader

You have now received the book Digital Hygiene by Mykolas Lundqvist. This book is designed to give you the tools and security awareness needed to navigate our increasingly connected world. This course is placed on a single page because it is just an introductory course before you take some of our more advanced courses.

What is digital hygiene?

Digital hygiene can be compared to regular personal hygiene. Just as we learn to wash our hands to stay healthy, digital hygiene is about developing good habits that protect your technology, your finances, and your personal privacy. By making security awareness a part of your daily routine, you reduce the risk of falling victim to fraud and data breaches.

Book contents

In this book, you will learn how to handle security from several different perspectives, without needing to be a technical expert. Here is a summary of the areas covered:

  • Protecting your devices: Practical instructions on how to secure smartphones, tablets, and computers through screen locks, disk encryption, and important system updates.
  • Password management and 2FA: How to create strong passwords of at least 16 characters, use password managers, and activate two-factor authentication (2FA) to create an extra lock on your accounts.
  • Seeing through scams: Learn to recognize phishing, phone scams (vishing), and social engineering where scammers use psychological manipulation to access your information.
  • The smart home: How to secure your router—the bouncer to your digital home—and protect smart gadgets like cameras and voice assistants.
  • Your digital privacy: Understanding your digital footprint, how cookies are used for tracking, and how to manage privacy on social media.
  • Source criticism and AI: Tips for safe information searching, how to fact-check content, and what to consider when using AI tools and chatbots.
  • Safety for family and online shopping: How to protect children online through conversation and technical tools, as well as how to make secure purchases online.

Remember that security is not a one-time event, but a result of conscious choices and regular maintenance. Good luck with your reading!

Author Mykolas Lundqvist


Chapter 1: The Basics of Digital Hygiene

In an increasingly connected world, it is crucial to understand how we protect ourselves and our information. Digital hygiene is not just about technology, but about developing a security awareness that protects our devices, our finances, and our personal privacy. This course gives you the tools needed to navigate safely on the internet.

What is digital hygiene?

To understand the concept of digital hygiene, we can use a simple analogy from everyday life. Since childhood, we have been taught to brush our teeth morning and night. This is a basic rule for personal hygiene that helps us keep our teeth healthy. Over time, these rules become habits that we perform without thinking. Digital hygiene can be defined similarly: it is the rules and habits that help us improve security when using tech gadgets and the internet. By making security thinking a part of your daily routine, you reduce the risk of suffering from fraud and data breaches.

Central learning objectives

  • Protect devices such as smartphones, computers, routers, and smart home products.
  • Create strong passwords and manage two-factor authentication (2FA).
  • Identify and manage risks when using public Wi-Fi networks.
  • Protect children and loved ones through parental controls and education.
  • Recognize and thwart phishing, malicious software, and phone scams.

Threat landscapes in the digital environment

The internet holds many opportunities, but also various types of digital threats. These threats are constantly evolving and becoming increasingly sophisticated.

Common methods of attack

Attackers often use a combination of technical tools and psychological manipulation (social engineering) to reach their goals:

  • Phishing: Scammers send messages that appear to come from legitimate sources to steal login credentials.
  • Malware (Malicious software): Programs like trojans can be installed on your device to spy, steal files, or encrypt data for extortion purposes.
  • Phone scams and spam: Unwanted calls where scammers try to lure out sensitive information or money.

Consequences of a lack of security

If an unauthorized person gains access to your device or your accounts, the consequences can be severe:

  • Financial loss: Theft of bank details, unauthorized purchases, or loans taken out in your name.
  • Identity theft: Personal information can be used to create fake accounts or ruin your credit rating.
  • Privacy violation: Private material, such as pictures and conversations, can be spread or used for blackmail.
  • System damage: Malicious software can make your device unusable or extremely slow.

The golden rules of digital hygiene

  1. Use security software: Install comprehensive protection on both computers and mobile devices. Ensure the program is always active and updated.
  2. System updates: Update operating systems and apps regularly. Updates often contain critical security fixes.
  3. Strong passwords: Create unique and complex passwords for each service. Preferably use a password manager.
  4. Two-factor authentication (2FA): Always activate an extra layer of protection where possible.
  5. Critical review: Be restrictive about clicking on links in emails or messages and never share sensitive information with unknown parties.

Summary

Digital hygiene is the foundation for staying safe online. By developing good habits like updating software and using strong passwords, you protect not only your own finances and data, but also the privacy of your loved ones. In a digitized world, security is the key to both peace of mind and comfort.

Reflection questions:

  • What digital habits do you have today that resemble your daily personal hygiene?
  • In what way can a simple system update prevent a complex cyberattack?
  • What would be the first step you take if you suspect your smartphone has been hacked?

Chapter 2: Protecting your mobile everyday life - smartphones and tablets

In today's digital society, our mobile devices, whether a smartphone or a tablet, are essentially an extension of ourselves. We use them for everything: photos, videos, contacts, banking, social media, and work. Since the security principle is the same for both phones and tablets, we will use the term "mobile device" in this chapter to include both.

In this chapter, you will learn why it is critical to protect your devices, what rules apply for safe use, how to act if the device is stolen, and how to protect yourself against malicious code.

Why do mobile devices need to be protected?

The reason is simple: most of your life is stored digitally. If an attacker gains access to your device, they also gain access to your home address, your financial situation, your private conversations, and your pictures. This information can be used for identity theft, fraud, or extortion. To prevent this, there are a number of important security measures you should take.

Basic security settings

1. Activate screen lock
This is your first and most important defense. Without a screen lock, anyone holding your phone has direct access to everything. Use a password, pattern, fingerprint, or facial recognition. Set a short time for automatic locking (inactivity timeout) so the screen locks as soon as you put the device down.

2. Protect important apps with a password
Many devices have built-in features to lock specific apps (e.g., banking apps or photo galleries) with an extra password or biometrics. This provides an extra layer of protection even if someone manages to unlock the phone itself.

3. Back up your data (Backup)
If your device is damaged, lost, or you accidentally delete something important, a backup is the rescue. Configure automatic synchronization to a cloud service. Remember to protect your cloud account with a strong password and two-factor authentication (2FA).

4. Hide notification previews
By default, many phones show the content of SMS and messages even when the screen is locked. This can include sensitive verification codes from banks or authorities. Set your device to hide sensitive content on the lock screen.

Communication and source criticism

Email, SMS, and social media are the most common ways for scammers to attack. They can pretend to be known companies, colleagues, or even government officials.

  • Be skeptical: Never click on suspicious links or download files from unknown senders.
  • Double-check: If you get a strange message from an acquaintance or a company, contact them via another, secure channel (e.g., call an official number) to verify the information.
  • Use call filters: There are services and settings in most operating systems that can identify known scam calls and block spam.

Technical maintenance

  • Update regularly: Updates to the operating system or your apps often contain important security patches against recently discovered threats. Make sure to have automatic updates enabled.
  • Use a security solution: Install a reliable security program (antivirus/anti-malware). These can scan apps for malicious code, warn of phishing, and help you find the device if it's lost.
  • Lock the SIM card: Set a PIN code on your SIM card. This prevents someone from moving your SIM card to another phone and using your number to call, send SMS, or receive verification codes.

If the device is lost or stolen

Even with the best preparations, accidents can happen. If your device is stolen, you should do the following:

  • Block the SIM card: Contact your mobile operator immediately.
  • Remote wipe: Use services like "Find My Device" to delete all data on the device remotely. This requires you to have activated the feature in advance.
  • Change passwords: Change passwords on all accounts you were logged into (bank, email, social media). Log out from all active sessions remotely if possible.
  • Inform loved ones: Tell friends and family that your phone is gone so they don't fall for scam attempts that look like they come from you.

Protection against malicious code

Criminals use malicious code to steal money or spy. You reduce the risks by following these rules:

  • Avoid "Jailbreaking" or "Rooting": Bypassing the manufacturer's security barriers makes the device extremely vulnerable as it removes the built-in protection mechanisms.
  • Download only from official sources: Use only established app stores or the manufacturers' own websites. Check reviews and developer information before installing a new app.
  • Be careful with public Wi-Fi: Turn off Wi-Fi when you are not using it. Hackers can create fake networks with names similar to well-known networks to intercept your traffic. Preferably use password-protected networks or a VPN.

Password management

The password for your lock screen should be at least six characters long, but for services and apps, at least 16 characters are recommended.

  • Variation: Use a mix of uppercase and lowercase letters, numbers, and special characters.
  • Illogical combinations: Avoid personal information or common words. Use random word combinations that are hard for computers to guess but easy for you to remember.
  • Use a password manager: It is impossible to remember unique, strong passwords for every service. A password manager encrypts your passwords and syncs them between your devices.

Summary

By combining technical settings (screen lock, encryption, updates) with critical thinking, you can significantly reduce the risks in your digital everyday life. Remember that security is not just about protecting a machine, but about protecting your privacy and your finances.

Reflection questions

  1. What information on your mobile device would be most critical if it fell into the wrong hands? Justify your answer.
  2. Review your current settings. Have you activated the screen lock, hidden notifications on the lock screen, and set a PIN code on your SIM card? If not, why?
  3. Why is "jailbreaking" or "rooting" considered a security risk, even though it gives the user more freedom to customize their device?
  4. Describe how you would go about creating a password that is both secure and easy to remember without using personal information.
  5. If you receive an SMS from your "bank" saying your account has been blocked and you must click a link to identify yourself—what warning bells should ring and what is the safest way to act?

Chapter 3: Protecting your computer - desktop and laptop

Welcome to Chapter 3. In this learning module, we will go through how to protect your desktop and laptop computers. These devices are today an integral part of our lives. We use them for work, studies, communication, and entertainment.

They store large amounts of information: work material, personal documents, videos and photos, login details for social media and messaging services, payment details, and much more. Naturally, all this information needs to be protected.

After studying this chapter, you will have knowledge of:

  • How to create secure login methods on the computer.
  • How to protect yourself against malicious software.
  • How to recognize and avoid phishing.
  • How and why you should back up your data.
  • What actions to take if your computer is stolen.

To avoid problems, we will now take a closer look at how we protect ourselves against cyber threats through eight concrete recommendations.

1. Install a comprehensive security program

The first recommendation is to install a full-fledged security program to protect your device. A good security program helps you keep your data as safe as possible by actively searching for and blocking threats. Many modern solutions also contain features to improve device performance and monitor your home network.

2. Activate disk encryption

Disk encryption is a way to protect all information stored on your computer by locking it with a special digital key. If your device is lost or stolen, no one can access your files without the correct password or recovery key. You usually find this setting under the computer's system settings for security and privacy. By following the instructions to turn on encryption, the computer handles the rest in the background. This is a simple step that makes your personal data significantly safer in the event of a physical loss of the computer.

3. Use secure passwords

If your password is weak, it is easy to guess. An attacker can then easily gain full access to your computer and subsequently to your social accounts and other services. Once inside, an attacker can steal payment details and personal information.

To avoid these problems, it is important to use secure passwords. Here are the basic rules:

  • Always have a password: Make sure your computer requires a password upon startup and when it wakes from sleep mode. This is set under account or security settings.
  • Make the password complex: Use a mix of uppercase and lowercase letters, numbers, and special characters.
  • Length matters: Create a password that is long, preferably over 16 characters.
  • Avoid personal information: Do not include birth dates, your name, names of pets, children, or favorite artists. Criminals can often find information about you in advance and use it to guess your password.
  • No logical meaning: Ideally, a password should have no linguistic meaning. It should be impossible to guess, even if an attacker knows your personal details.
  • Unique passwords: Use different passwords for different devices, websites, services, and applications. If an attacker gets hold of the login details for one service, they should not be able to access the others.

To handle all unique and complex passwords, it is strongly recommended that you use a password manager. It is a secure digital vault that stores your passwords encrypted and can help you generate strong passwords.

Two-factor authentication (2FA)
We also strongly recommend that you use two-factor authentication for email, social networks, banking apps, and other important services. Two-factor authentication means that you must confirm your identity in two different ways to log in (e.g., your password plus a code sent to your phone). This makes your account much harder to hack.

4. Protect data and devices from malicious software

Malicious software (malware) consists of applications intentionally developed and spread by attackers. Their goal is to harm users and companies, access confidential data or money, conduct espionage, and more. Some applications affect computer performance, while others steal personal information, such as bank card details.

Follow these guidelines to prevent your devices from becoming infected:

  • Download only from official sources: Do not download apps or software from unofficial websites. Use official developer websites or established app stores. Free software on third-party sites often contains malicious code.
  • Be careful with USB flash drives: Do not insert unknown USB flash drives or external drives you got from strangers into your computer. They may contain malicious software that installs automatically.
  • Do not click on suspicious links: Avoid clicking on links in suspicious messages via email, SMS, or social networks.
  • Do not download unknown files: If someone you do not know sends an attachment (e.g., a zipped file or a document) and insists that you open it, don't. Do not let yourself be influenced by urgent or threatening wording; the attachment most likely contains malicious software.

5. Watch out for phishing

Phishing is a type of online fraud aimed at obtaining users' login details, credit card numbers, bank accounts, and other confidential information.

Follow these rules to avoid becoming a victim of phishing:

  • Do not leave information on suspicious pages: Never enter personal or payment details on websites that feel unfamiliar or suspicious. Criminals often create fake online stores that lure with unnaturally low prices to steal card details.
  • Log in only via official routes: Never enter your username and password for social networks or other services anywhere other than on the services' official websites and apps. Scammers can lure users to fake login pages to steal account details, sometimes by asking you to verify yourself with a code.
  • Scrutinize bait: Attackers use different methods. It can be fake polls, offers, or warnings that your account is locked. Once they gain access to your account, it can be used to steal data, for extortion, or to forward scam messages to your contacts.

6. Secure your network connection

To protect your home network, you should use a strong and unique password for your Wi-Fi. This reduces the risk of an attacker gaining access to the network and the traffic sent there. Also make sure a firewall is enabled on your computer. A firewall acts as a filter between the computer and the network. It checks incoming and outgoing data to ensure it is safe and prevents malicious activity from hackers.

Public Wi-Fi networks
When outside the home, you should try to avoid connecting to open, public Wi-Fi networks, as these can be insecure. If you must use a public network, connect only to reliable access points (e.g., official networks at airports or cafes). Remember that even when connected to a network that requires a password, you should be careful about handling confidential information like banking details.

7. Update software and operating systems regularly

Applications and operating systems that are not updated can contain security holes (vulnerabilities) that attackers can exploit to get into your computer.

To prevent this, you should:

  • Not turn off automatic updates: Let the system handle updates automatically as soon as they are available.
  • Update manually if necessary: If automatic updates are not possible, make sure to regularly search for and install updates for both the operating system and all installed programs.

8. Back up your data (Backup)

Backing up your data means making a copy of your files and storing it in another location. This protects your information if the computer crashes, is stolen, or if you accidentally delete something.

There are several ways to back up:

  • Method 1: External hard drive or USB flash drive: Connect an external storage device to the computer and copy the files or folders you want to save to the external device.
  • Method 2: Cloud storage: Register for a cloud storage service. Install the service's program on the computer and select which files should be synced and saved in the cloud.
  • Method 3: Automatic backup tools: Most modern operating systems have built-in tools for backup (e.g., features called "File History" or equivalent). Configure these tools to make automatic copies to an external drive according to a schedule.

If you lose your computer or it is stolen

If an accident happens and your computer goes missing, take the following actions immediately:

  • Report the theft to the police: File a police report immediately. If it involves a work computer, immediately contact your manager or IT security department.
  • Change passwords: Change passwords for all important accounts you have accessed via the computer (email, bank, social media, etc.).

Summary

To protect your desktop or laptop computer in the best way:

  • Install a security solution.
  • Activate disk encryption.
  • Use strong and unique passwords (and preferably a password manager).
  • Protect yourself against malicious software by being source-critical.
  • Be vigilant against phishing.
  • Use a secure network connection and firewall.
  • Update software and operating systems regularly.
  • Back up your data.

Remember: Protection is the foundation for digital stability and security.

Reflection questions

  1. Analyze your current password behavior: Do you use the same password in several places? Are your passwords longer than 16 characters and do they contain a mix of character types? Based on what you learned in this chapter, what specific changes do you need to make in how you handle your login details?
  2. Identify potential phishing attempts: Think back to emails or texts you received that felt "weird." What warning signs (e.g., urgent tone, strange sender address, unlikely offers) can you now identify as typical for phishing? How would you act differently next time you see such a message?
  3. Evaluate your backup strategy: If your computer is stolen or breaks today, what information would you lose permanently? Do you have a working backup that is not physically connected to the computer all the time? If not, which backup method (external drive or cloud service) best suits your needs to fix this?

Chapter 4: Protect your smart home and your router

In today's connected world, most of us use smart devices that simplify everyday life or offer entertainment. This can range from smart locks and robot vacuums to voice assistants and smart TVs. There is also more advanced technology, such as delivery robots and self-driving vehicles, already moving in our big cities.

But "smart" unfortunately does not always mean "secure." Smart devices often have built-in vulnerabilities, or the user themselves creates security gaps through weak settings. If cybercriminals exploit these flaws, the consequences can be severe. In this chapter, we will go through how to protect your smart devices and your router, and what the risks are if you don't.

What is a router?

A router is the device that makes internet connection possible in your home. It connects your local network with the global internet. The router's task includes assigning addresses to all devices on the network.

You can compare it to a map: to reach a destination, we need an address. On the internet, an IP address is required to show the way for data transfer or commands. It is thanks to the router that all your devices—mobiles, computers, baby monitors, and smart doorbells—can cooperate. Since all traffic in your home passes through the router, it acts as a bouncer. If someone manipulates the router, they can redirect traffic, steal data, or send fake commands to your devices.

Why are smart devices a security risk?

Standard devices like laptops and smartphones are often more resistant to attacks because they are updated regularly and can be protected with security programs.

Manufacturers of smart gadgets (like refrigerators or vacuums) unfortunately often cut back on security costs. Updates are rarely released, and there is usually no antivirus program that can be installed directly on the device. It is therefore difficult to detect if a smart device has been infected. An attacked device can:

  • Spy on you: Via cameras or microphones.
  • Steal data: Access documents, photos, or emails.
  • Be used as a platform: To attack other, more secure devices on your network.
  • Act as a "proxy": Criminals use your device to send spam or execute attacks against others, making the traces lead back to you instead of them.

Security experts have analyzed popular smart pet feeders and found vulnerabilities that make it possible for outsiders to not only control the feeder but also use its camera to spy on the owner.

How to protect your router

Since the router is the gateway to your digital home, it is the most important device to secure. Follow these steps:

  • Name your devices: Give all devices on the network clear names in the router settings. Check the list regularly. If you see an unknown device—block it and change the password.
  • Update firmware: Firmware is the software that controls the router. Check the manufacturer's website at least once a month to see if there are new security updates, if your router does not do this automatically.
  • Change the default password: Never use the password that was on the box or label. Create a unique and strong administrator password.
  • Disable remote access: Ensure the router settings cannot be accessed from the internet, but only when you are connected at home.
  • Configure Wi-Fi correctly: Use strong encryption (like WPA3 or WPA2). Disable the WPS function, as it is known to have weak security.

How to protect your smart devices

Before buying a new smart gadget, you should ask yourself: Do I really need this function? If the answer is yes, follow this advice:

  • Do research: Look for information on whether the device has been subject to attacks before and how quickly the manufacturer fixed the flaws.
  • Read reviews: Don't just look at features; see if other users have reported security problems.
  • Change the password immediately: If the device requires a password, change the default password immediately. If it's not possible to change the password, you should consider not using the product.
  • Review network functions: Does your coffee maker really need access to your contact list? Turn off functions that are not necessary.
  • Buy official products: Avoid buying smart devices from unverified private sellers, as they may contain modified and malicious software.
  • Consider physical security: For example, never install a smart lock on a child's room if there is no mechanical way to open the door. In the event of a technical failure or a hack, the door could otherwise be completely blocked.

Summary

Your router is the hub of your smart home, but also an attractive target for hackers. By being meticulous with passwords, updating software, and choosing manufacturers that prioritize security, you can significantly reduce the risks. Remember that security is not a one-time event, but a result of conscious choices and regular maintenance.

Reflection questions

  1. Inventory: How many devices in your home are connected to the internet right now? Which of them do you think are most vulnerable?
  2. Password management: Why is it dangerous to keep the preset password on a router or a smart camera?
  3. Convenience vs. security: Many smart functions exist to make life easier. Where do you draw the line? Would you forgo a function if you knew it involved a certain security risk?
  4. Updates: When did you last check if your router or smart TV had the latest software installed? Why are these devices often forgotten compared to mobile phones?
  5. Responsibility: Who bears the greatest responsibility for security in the smart home—the manufacturer who builds the product or the user who installs it? Justify your answer.

Chapter 5: The art of creating and managing strong passwords

In this chapter, we will take a closer look at what actually constitutes a strong and hack-resistant password. We will also learn how to create them and, equally important, how to store them safely.

Today we use apps and services for almost everything. Every day we share personal information with online stores, social media, and messaging services. If this information is not properly protected, it can easily end up in the hands of cybercriminals. To keep your accounts safe, two things are primarily required: a strong password and two-factor authentication (2FA).

How do hackers crack passwords?

Before we go through how to create good protection, we must understand how attackers work. Here are the most common methods:

  • Brute force attacks: The attacker uses powerful computers and special programs that automatically test all imaginable combinations of characters until the right password is found. The shorter and simpler the password, the faster it goes.
  • Dictionary attacks: Here the hacker tests lists of common words and the most popular passwords (like "123456" or "password") until they find a match.
  • Social engineering: This is about tricking people into revealing their passwords themselves, for example through fake websites or scam calls.
  • Malware (Stealers): Programs that infect your device can be programmed to steal login details directly from your browser or your system.

How to create a strong password

A strong password is your main barrier against intrusion. Here are the most important guidelines:

  • Length is crucial: Aim for at least 16 characters. The longer the password, the harder it is to crack with brute force.
  • Vary the characters: Use a mix of uppercase and lowercase letters, numbers, and special characters (e.g., !, #, &, ?).
  • Avoid the obvious: Do not use your name, birth year, or common words. Also avoid simple substitutions like typing a zero instead of the letter O, as modern hacking programs are prepared for this.
  • Never reuse passwords: It is convenient to have the same password everywhere, but it is extremely risky. If a single account is leaked, hackers can use the same details to take over all your other accounts.
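
The guidelines above turned into a small self-check, as an added example that is not part of the original book. The word list, the substitution table and all function names are constructed for illustration, and the bit estimate is an upper bound that only holds when the characters are chosen at random.

```python
import math
import string

MIN_LENGTH = 16  # the chapter's recommended minimum for services and apps

# Constructed stand-in for a real list of popular passwords and dictionary words.
COMMON_WORDS = ("password", "123456", "qwerty", "letmein", "welcome", "dragon")

# Swaps that cracking tools undo automatically, such as zero for the letter O.
UNDO_SUBSTITUTIONS = str.maketrans("013457$@!", "oleastsai")

CLASSES = {
    "lowercase": string.ascii_lowercase,
    "uppercase": string.ascii_uppercase,
    "digits": string.digits,
    "symbols": string.punctuation,
}


def classes_used(password):
    """Return the names of the character classes that appear in the password."""
    return [name for name, chars in CLASSES.items()
            if any(c in chars for c in password)]


def search_space_bits(password):
    """Upper bound on brute-force effort: length * log2(size of character pool)."""
    if not password:
        return 0.0
    used = classes_used(password)
    pool = sum(len(chars) for name, chars in CLASSES.items() if name in used)
    # Assumption: characters outside the four classes (e.g. accented letters)
    # are counted as one extra pool of 32 symbols.
    if any(all(c not in chars for chars in CLASSES.values()) for c in password):
        pool += 32
    return len(password) * math.log2(pool)


def dictionary_hit(password):
    """Return the common word found after undoing simple substitutions, if any."""
    lowered = password.lower()
    for candidate in (lowered, lowered.translate(UNDO_SUBSTITUTIONS)):
        for word in COMMON_WORDS:
            if word in candidate:
                return word
    return None


def audit(password, personal_terms=()):
    """Check a password against the chapter's guidelines; return the findings."""
    findings = []
    if len(password) < MIN_LENGTH:
        findings.append("too short")
    if len(classes_used(password)) < len(CLASSES):
        findings.append("missing character classes")
    if dictionary_hit(password):
        findings.append("common word")
    lowered = password.lower()
    if any(term.lower() in lowered for term in personal_terms):
        findings.append("personal information")
    return findings


if __name__ == "__main__":
    # Constructed sample inputs; the second is the chapter's phrase-method example.
    samples = [
        ("P4$$w0rd2024", ()),
        ("SmGrod!2026!LuStIgA#Se", ()),
        ("KarinSvensson1985!!", ("karin", "1985")),
    ]
    for password, personal in samples:
        bits = search_space_bits(password)
        print(f"{password!r}: {audit(password, personal) or 'ok'} (~{bits:.0f} bits)")
```

A high bit estimate does not rescue a password that also triggers the common-word or personal-information finding, because dictionary attacks do not search the full space.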

Tip: The "Phrase Method"
A good way to create a long but memorable password is to base it on a sentence or song lyric.
Example: Start from "The little frogs, the little frogs are funny to see" (Små grodorna, små grodorna är lustiga att se).
Turn into password: SmGrod!2026!LuStIgA#Se
This password is long, contains different characters, and is hard for a machine to guess, but easy for you to remember.

Safe storage of passwords

Even the world's best password is useless if it is stored insecurely. Here is what you should NOT do:

  • Do not write down passwords on notes or in notepads.
  • Do not save them in unprotected notes apps on your mobile.
  • Do not give out your passwords to anyone else.

Use a password manager

The best way to handle your passwords is to use a password manager. It is an app or program that stores all your login details in an encrypted format.

  • You only need to remember one single password—your Master Password.
  • The program can generate extremely complex passwords for you.
  • Your details are securely synced between your computer and your mobile.
  • Many managers also warn you if any of the services you use have been subject to a data breach.

Summary

Security is about the choices you make. By using unique, long passwords for each service and storing them in a secure password manager, you make it extremely difficult for cybercriminals to access your digital life.

Reflection questions

  1. Vulnerability analysis: Go through your most important accounts (email, social media, bank). How many of them have the same password? What would happen if one of these was leaked?
  2. Password strength: Why is it no longer enough to just replace an "S" with a "$" in a common word to make it secure?
  3. The master password: If you use a password manager, how should you think when creating your Master Password? Why is that particular password more important than all the others?
  4. Two-factor authentication: The chapter mentions that passwords are only half the protection. Why do you think two-factor authentication (e.g., a code via SMS or an app) is so effective even if a hacker managed to guess your password?
  5. Behavior: Many save their passwords directly in the browser. What pros and cons do you see with that compared to using a dedicated password manager?

Chapter 6: Two-factor authentication - An extra lock for your accounts

In this chapter, we will delve into two-factor authentication (2FA), a method that dramatically increases the security of your digital accounts. We will look at what it is, why it is needed, and how you can easily set it up to keep hackers out.

The foundation: Login and password

To understand why we need an extra layer of protection, we must first look at how a standard login works. Most services require two things:

  • A username (Login): This identifies who you are in the system (e.g., your email address or mobile number).
  • A password: This acts as proof that it is actually you logging in.

If we compare the internet to border control, the username is your passport, and the password is the secret phrase that proves the passport is yours. The problem is that passwords can be guessed, stolen via scam sites, or cracked by powerful computers. If a scammer gets hold of your details, they can spread your private pictures, read your messages, or trick your friends out of money by pretending to be you.

What is two-factor authentication (2FA)?

The solution to this problem is called two-factor authentication. It simply means that you must confirm your identity in two different ways to get into a system.

These "factors" are usually divided into three categories:

  • Something you know: Your regular password or a PIN code.
  • Something you have: A one-time code via SMS, a special security key (USB token), or a code in an authentication app on your mobile.
  • Something you are: Biometric data like your fingerprint or facial recognition (FaceID).

Why is it safer? Even if a hacker manages to steal your password, they cannot log in because they do not have access to your physical mobile phone or your fingerprint. It's like having both a key and a code for a security door.

Where should you use 2FA?

We recommend that you activate two-factor authentication on all services that offer it. However, it is extra important for services containing personal or financial information:

  • Email: Your most important account, as it is often used to reset passwords for other services.
  • Social media and messaging services: To prevent someone from hijacking your identity.
  • Banking services and payment apps: To protect your money.
  • Cloud services: Where you save documents and private pictures.

How to get started

Activating 2FA is usually quick and requires just a few clicks:

  1. Go to settings: Look for tabs called "Security", "Privacy", or "Login".
  2. Find two-factor authentication: Sometimes it is also called "Two-step verification" or "Login approval".
  3. Choose method: You can often choose between receiving a code via SMS or using an authentication app. Such an app generates unique one-time codes that are replaced every 30 seconds.
  4. Save backup codes: Many services give you a list of one-time codes you can use if you lose your phone. Write these down and store them in a safe place (not on the computer!).
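How an authentication app arrives at a code that changes every 30 seconds can be shown with the standard TOTP algorithm (RFC 6238), which most authenticator apps implement. This Python sketch is an added example, not part of the original book; the secret is the published test value from the RFC, not a real account secret, and the function names are chosen for illustration.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 30   # each code is valid for one 30-second window
DIGITS = 6          # length of the code shown in the app

# Test secret published in RFC 6238; a real secret is random and is shared
# once between the service and the app, usually via a QR code.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=DIGITS):
    """Derive a one-time code from the shared secret and a counter (RFC 4226)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation offset
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret, unix_time, step=STEP_SECONDS, digits=DIGITS):
    """The counter is simply the number of 30-second windows since 1970."""
    return hotp(secret, int(unix_time) // step, digits)


def verify(secret, submitted_code, unix_time, drift_steps=1):
    """Server-side check: accept the current window and its neighbours.

    Allowing one window either side tolerates small clock differences
    between the phone and the server. The comparison is constant-time.
    """
    counter = int(unix_time) // STEP_SECONDS
    for delta in range(-drift_steps, drift_steps + 1):
        if counter + delta < 0:
            continue
        expected = hotp(secret, counter + delta)
        if hmac.compare_digest(expected, submitted_code):
            return True
    return False


if __name__ == "__main__":
    # Same window (30-59 s) gives the same code; the next window gives a new one.
    for t in (30, 59, 60, 89, 90):
        print(t, totp(RFC_TEST_SECRET, t))
```

Because the code depends on both the shared secret and the current time, a password thief who does not hold the phone cannot produce it, and a code that is observed once stops working shortly afterwards.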

Summary

No system is 100% secure, but two-factor authentication is currently one of the most reliable ways to protect yourself against cyber threats. It requires a little extra effort when logging in, but the security it provides is well worth the extra second.

Reflection questions

  1. Vulnerability: If someone were to get the password to your email today, what other accounts could they take over through the "forgot password" function?
  2. The different factors: Which method for the second factor do you think feels safest: a code via SMS, an app on your mobile, or a fingerprint? Why?
  3. Physical access: What happens if you lose your mobile phone and you have 2FA activated on all your accounts? How can you prepare for such a situation?
  4. User-friendliness: Many find 2FA cumbersome because it takes longer to log in. How would you explain to a friend that the extra time is a good investment?
  5. Risk analysis: Why do you think email and social media are considered "high-risk services" that require the strongest protection, just like your bank?

Chapter 7: Your digital footprint and online security

Every time you use the internet, your digital footprint grows. You might not think about it, but the data you leave behind tells a lot about who you are, what you do, and what you are interested in. In this chapter, we will go through what a digital footprint actually is, why it matters, and how you can manage it to protect your personal privacy.

What is a digital footprint?

A digital footprint is the collection of data created when you interact with digital services. It consists of information from websites you visit, emails you send, posts on social media, and much more.

Examples of activities that create footprints:

  • Shopping in online stores.
  • Subscribing to newsletters.
  • Using social media (publishing photos, likes, check-ins).
  • Logging into websites via other accounts.
  • Using fitness apps or reading news.

Since these everyday activities constantly expand your footprint, it is important to periodically analyze what information is available about you.

Analyze and clean up

By regularly reviewing your digital footprint, you can understand who has access to your data. A good tip is to search for your own name in search engines and on social media. Review your accounts and look for sensitive information you might have shared by mistake, for example:

  • Pictures of ID documents.
  • Home address or phone number.
  • Private email addresses.

Recommendation: Delete accounts you no longer use. If you find personal data about yourself on a website where you did not post it yourself, you have the right to contact the administrator and ask to have the information deleted.

Cookies - The key to tracking

Cookies are small text files saved on your device when you visit a website. They act as an identifier for your browser and have primarily two purposes:

  • Functionality: They help the website remember you and your settings, such as not having to log in every time or keeping your items in the shopping cart.
  • Tracking and advertising: Companies use cookies to collect data about your behavior to show targeted advertising.

Third-party cookies are cookies that do not come from the website you are visiting, but from partners (often ad networks). These have given cookies a reputation for being surveillance tools. Although cookies themselves are not harmful, they can be exploited by malicious code to take over accounts if your device is infected.

Tip: You do not have to accept all cookies. By going into the browser's privacy settings, you can choose to only allow necessary cookies and block those used for tracking.

Six rules for safer digital hygiene

To protect your footprint and identity, follow these basic rules:

  1. Use strong and unique passwords: Never use the same password in multiple places.
  2. Use a password manager: Preferably use a standalone application to save your passwords rather than storing them directly in the browser. This provides an extra layer of protection if your device were to be attacked.
  3. Activate two-factor authentication (2FA): This means you must confirm your identity in two different ways (e.g., password + a code via text or app) to log in.
  4. Update software regularly: Hackers often exploit security holes in old program versions. Ensure both the operating system and apps are always updated.
  5. Review your privacy settings: Go through settings on social media. Decide who gets to see your posts, your profile info, and who can contact you.
  6. Be restrictive with sharing: Every time you fill out a form or tag a location, your footprint increases. Think before you share: Does this service really need to know where I am or what my phone number is? Also, be careful about sharing information about loved ones and children.

Protection when connecting

Be careful with public Wi-Fi networks (like at cafes or airports). Do not use banking services or other important services when connected to an open network. Instead, use your mobile network or a comprehensive security program that protects your data traffic.

Summary

Your digital footprint is created by almost everything you do online. By being aware of what traces you leave, managing your cookies, and using tools like two-factor authentication and password managers, you can significantly reduce the risks of your data falling into the wrong hands.

Reflection questions

  1. When you think about your activity over the past week, what types of digital footprints do you think you have left behind?
  2. Why can it be problematic to use the same password on social media as on your email or bank?
  3. Many accept all cookies on a website because it's fast. What risks and disadvantages exist in not reviewing these settings?
  4. How would you explain the concept of "two-factor authentication" to someone who has never heard of it before, and why is it so important?
  5. Reflect on the concept of "oversharing" (sharing too much). Is there information about yourself or others that you feel in hindsight you shouldn't have published? Why?

Chapter 8: Safe information searching and source criticism

Searching for information on the internet is something we do daily. It is a fantastic resource, but it also involves risks. Firstly, it can be difficult to distinguish between true and false information, and secondly, we risk revealing a lot about ourselves through the searches we do—our interests, our character, and our daily routines.

In this chapter, we will go through how you search for information safely, how to critically review information, as well as how neural networks (AI) work and how these can be abused.

The browser and your data

Let's start with the technology. A web browser is the program or app you use to view pages on the internet, search for information, and access online resources.

When you use a browser, it often collects information about your search history, your interests, and personal data. You have probably experienced searching for a specific product, only to see ads for similar products on almost every website you visit afterward. This is because your search data is analyzed and used for targeted advertising, which is a major source of income for many tech companies.

To reduce your digital footprint and protect your privacy, it is important to apply good digital hygiene when searching for information.

Secure connections and phishing

Before going into settings, it is important to understand the difference between a secure and an insecure connection.

  • Encryption of network connection: This is a process where data is transformed using algorithms so it can be transmitted securely over the network. It acts like a coded message that only the intended recipient can read.
  • Cryptographic key: A secret data sequence used to lock (encrypt) and unlock (decrypt) the information.

Even though encryption is standard in most browsers today, it does not guarantee that a website's content is reliable. Criminals can create fake versions of legitimate websites, such as online stores, banks, social media, or email services. This is called phishing. If you enter your login details or card numbers on such a site, the criminals can take over your accounts or steal money. Therefore, you must always examine the website for suspicious details before entering sensitive information.

Rules for safer browsing

Here are a number of rules and tools you can use to protect your data when searching for information.

1. Clear history and cache regularly
The browser saves data to make your experience smoother:

  • Cache: Stores images and other elements from websites so they load faster the next time you visit them.
  • Cookies: Small data files websites use to remember you, for example, that you are logged in.
  • History: A list of the websites you have visited.

You can set most browsers to automatically delete cookies and temporary files when you close them. Keep in mind, however, that you may then need to log in again on websites you visit frequently. To manage this securely, using a password manager is recommended.

2. Use incognito mode (Private browsing)
This mode provides a certain level of privacy, especially if several people use the same device. In incognito mode, the browser does not save visit history, cookies, or form data. It is important to note, however, that this does not provide total anonymity online; your internet service provider or the websites you visit can still see your activity.

3. Block trackers and use safe extensions
You can use tools and browser extensions that block web trackers, which map your behavior online. When installing extensions (plugins), consider the following:

  • Install only from official "stores".
  • Read reviews and check the developer's reputation.
  • See when the extension was last updated. Outdated extensions can have security holes.
  • Use an updated security program that scans the system for malicious code.

4. Use a VPN connection when necessary
A VPN (Virtual Private Network) creates an encrypted tunnel between your device and a VPN server. This protects your data from prying eyes, which is especially important on open, public Wi-Fi networks. Remember, however, that a VPN does not protect against phishing, or against malicious code that you download yourself. Choose a reliable VPN provider, as free solutions are often financed by collecting and selling user statistics.

Source criticism: How to review the information

It is not enough to browse technically safely; you must also be critical of the information you find. Use these tips to fact-check content on the internet:

  • Review the source: Look at the web address (URL). Does it contain typos or strange top-level domains? If unsure, look for an "About us" section on the website.
  • Assess the author: Is it a real person? What reputation do they have? What is the author's expertise and, above all, what is the motivation behind the text (to inform, sell, persuade, or scare)?
  • Check other sources: Are other independent and respected media reporting the same thing? Does the article refer to credible sources?
  • Think critically: Is the information biased to evoke strong emotions? Does it urge you to act quickly or click further?
  • Check facts and dates: Does the text contain concrete facts, statistics, or expert quotes? Is the information current, or is it an old news story being spread again?
  • Is it a joke? Satirical websites are common. Check if the website generally publishes joking or fabricated news.
  • Verify images: Images on social media can be manipulated or taken out of context. Look for signs of editing (strange shadows, bent lines in the background). You can use a reverse image search engine to see where the image originally came from.

Neural networks (AI) and information searching

Today, neural networks, a form of artificial intelligence (AI), are often used to search for and generate information. Advanced chatbots work by processing enormous amounts of data from the internet to generate answers to the user's questions.

While these tools are useful, there are risks:

  • Data reliability and "hallucinations": AI models can sometimes provide logically incorrect answers with great conviction. They can "hallucinate" facts. Therefore, do not trust them blindly on important issues (e.g., medical or legal) and always double-check the information.
  • Data access and privacy: Studies have shown that neural networks can sometimes reproduce exact copies of images or data they were trained on. This means that if you enter personal or sensitive information into an AI service, there is a risk that this information could leak or be used to further train the model. Never share personal data with these services.
  • Deepfakes: These are convincing fakes of images, videos, or audio created using neural networks. Criminals can use these techniques to imitate, for example, a relative to trick you out of money. Even though live voice scams are still rare, the technology exists. If you receive a suspicious call or message, contact the person via another, trusted channel to verify their identity.

Summary

To search for information safely, you should manage your temporary browser files, use incognito mode when necessary, block trackers, and be careful with which browser extensions you install. Always be critical of the information you find online and review sources carefully. Use AI tools reasonably, verify their answers, and never share sensitive data with them.

Reflection questions

  1. In what way can your everyday search routines constitute a privacy risk if you do not use incognito mode or clear your data?
  2. Describe the concept of "phishing". What signs would you look for to determine if a website for an online store is fake or real?
  3. When you read sensational news on social media, what are the first three steps you should take to critically review it before sharing it further?
  4. What are the biggest risks of using AI chatbots to search for information about, for example, health or finances?
  5. How can the technology of "deepfakes" be used for fraud, and how can one protect oneself against it?

Chapter 9: Safe use of mobile apps

In today's digital society, we can handle almost everything via apps on our mobile—from ordering food and booking doctor appointments to paying bills and studying. We entrust these apps with large amounts of personal data, often without reflecting on whether all the information is really necessary for the app to function.

To protect yourself against mobile threats, you need to understand the risks and follow basic security rules.

Risk 1: Suspicious permission requests

When you install an app, it often asks for access to various functions on your phone. These are called permissions. Many permissions are necessary (for example, a map needing your location), but sometimes apps ask for more information than they need to function. Scammers can use these accesses to monitor your location or access your camera and microphone.

Warning sign: It is suspicious if a simple app, like a flashlight, asks for access to your contacts, your pictures, or your history.

How to check permissions:

  • For Android devices:
    • Open Settings.
    • Go to Apps or Manage apps.
    • Select the specific app you want to check.
    • Look for the Permissions section. Here you see what the app has access to and can deny access if it looks suspicious.
  • For iOS devices (iPhone):
    • Open Settings.
    • Scroll down to Privacy & Security.
    • Here you see categories like Contacts, Camera, and Microphone. Click on a category to see which apps have access to that function.
    • You can also scroll to the very bottom of the main settings menu and click on a specific app to see all its permissions in one place.

Risk 2: Malicious apps

There are apps that look legitimate but are actually malicious code (e.g., trojans). These can copy the name and icon from known apps to trick you into downloading them, aiming to steal money or passwords.

How you recognize a safe app:

  • Check the developer: Visit the service's official website and follow their link to the app. If you are looking for your health center's app, go to their website first to be sure you end up in the right place.
  • Read reviews: Before you install, look at what other users write. If the app has many negative reviews or if users complain about money being deducted without permission, you should avoid it.
  • Review behavior: If the phone starts behaving strangely, changes settings on its own, or if the app lacks contact information for support, it is a warning sign.

Agreements and policies

Before you start using an app, you should cast an eye over:

  • Privacy Policy: A document that explains how the app collects, uses, and protects your information. If you are not comfortable with how your data is handled, you should not install the app.
  • User Agreement: The terms you agree to in order to use the service. It is important to know what you are agreeing to regarding your personal data.

Protect your apps in practice

  • Update regularly: Developers often release updates to plug security holes. The faster you update your phone and your apps, the safer your data is.
  • Use extra passwords: It is not always enough to just have a password on the phone itself. For sensitive apps (like banking apps or apps with important documents), you should set up an extra password or biometric login (fingerprint/face) inside the app itself if possible.
  • Use a password manager: To keep track of strong and unique passwords for each service, it is wise to use a standalone password manager.
  • Two-factor authentication (2FA): Always activate 2FA on important accounts. This means you confirm your identity in two steps, making it much harder for unauthorized people to get in.
  • Use a security program: Install a comprehensive security program on your mobile device to detect malicious apps and protect your privacy online.

Summary

Mobile apps make life easier, but require vigilance. Never download apps from third-party sources (use official stores), read user reviews, check permissions carefully, and ensure you always have the latest version of the software installed.

Reflection questions

  1. Look at the apps you have installed on your phone right now. Is there any app that has access to your camera or location even though it doesn't really need it? Why do you think the app wants that access?
  2. Why is it safer to download an app via a link from a company's official website than to just search for the name directly in the app store?
  3. Many ignore reading the privacy policy because it is too long. What risks do you see in not knowing how a company uses the information they collect about you?
  4. If a friend asks you to download an app that is not in the official app store (a so-called "APK" or third-party app), what should you answer and what risks should you warn your friend about?
  5. Why is it not enough to just have a password to unlock the phone itself if you want good protection for your most important apps?

Chapter 10: Protecting children online

In this lesson, we will go through how we can protect children and young people from digital threats on the internet. The internet is today a large and important part of children's lives. They use it to learn new things, have fun, and stay in touch with friends. But unfortunately, it also means they can encounter less pleasant things online.

While adults often have the knowledge and tools to protect themselves, children rarely do. Therefore, it is primarily the task of parents or guardians to ensure that children's internet use happens in a safe and secure manner. In this chapter, you will learn about the risks for children online, how technical tools like child profiles and parental controls work, and how to properly talk to children about cyber threats.

The risks on the internet for children

Let's start by discussing the most common risks children can be exposed to online:

  • Inappropriate information and content: Children can, either by mistake or intentionally, encounter content that is not suitable for their age, such as violent or sexually explicit material.
  • Online grooming: This means a criminal tries to establish a trusting relationship with a child. The purpose is often to get the child to share private pictures or videos that can then be used for blackmail, or to try to arrange a meeting in real life.
  • Online fraud: Children can be targets for scammers trying to steal personal data or money, either from the child themselves or by tricking the child into giving access to their parents' details.
  • Cyberbullying: Children can be subjected to bullying, threats, and harassment on social media, in games, or via messaging services.

In addition to these risks, general threats like fake phone calls and malicious code apply to children just as much as adults.

How to protect children - A combination of measures

To protect children against the full range of cyber threats, a combination of technical and non-technical security measures is required.

Non-technical measures (Digital literacy and hygiene)
This is about teaching children basic security rules and increasing their digital literacy. This includes:

  • Only downloading games and apps from official app stores or the developer's official website.
  • Not clicking on links in suspicious messages, even if they look like they come from friends.
  • Being critical of generous offers online.
  • Not trusting strangers on the internet.

Technical measures (Security solutions)
These tools act as a technical layer of protection. They can prevent access to fraudulent websites (phishing), stop the installation of malicious code, and include parental control apps.

Technical control - Parental controls and child profiles

We will now look closer at two important technical tools:

Parental controls
Parental control is an app or function that allows parents to restrict children's access to inappropriate content and apps. It is also possible to regulate how much time the child may spend on their devices or in specific apps.

Ways to set up parental controls:

  • Through special software installed on both the child's and the parent's device.
  • Through settings in the network router.
  • By using the built-in functions in different operating systems (e.g., iOS, Android, Windows) and services.

Child profile
A child profile is a special account used on various platforms or web services. This profile limits some of the functions on gadgets and online services. In this way, you can filter and block inappropriate content and individual applications, protecting the child from potential risks, such as adult content.

Adapt control according to age

Depending on age, children should be given varying degrees of independence online. Here are some general recommendations:

  • Young children (Preschool age): The focus is on protecting the child from inappropriate content using "safe search", time limits for devices, and blocking access to non-educational apps.
  • School children (Middle school): Children become more independent but still need supervision. Features like positioning (GPS tracking) can be useful for safety, as well as continued web filters and time limits to prevent gaming or internet addiction.
  • Teenagers (Junior high/High school): Teenagers often feel they do not need protection. It is important that parents exercise mild control while respecting their independence. For example, you can use positioning instead of constantly calling. You can also give the teenager responsibility for their own screen time.

These recommendations are not set in stone but must be adapted to each individual family and child.

The conversation - The foundation for online safety

Using technical tools is only part of the solution. The most important thing is to talk to your children about how to use the internet safely and responsibly. Here are some tips for a positive and rewarding conversation:

  • Ask what they are doing: Show interest in which apps, games, and websites the child uses. Ask them to show their favorites and learn how they work. It helps you understand their online world and identify potential risks.
  • Discuss problems openly: Share your concerns if you are afraid the child is using an inappropriate app or website. Discuss the reasons why you consider it inappropriate and decide together on rules for the future.
  • Be honest about consequences: Talk about phenomena like cyberbullying, hacking, social engineering, and online grooming. Explain in a way the child can understand.
  • Create safety: Assure the child that they can always tell you if they encounter something difficult online (e.g., mean comments, sexual content, or violence). Promise that you will not overreact. It is better that they tell you than keep it to themselves. Also, show them how to block inappropriate content or people.
  • Set realistic boundaries: Rules for screen time and internet use should depend on the child's age and what is acceptable in your family. Discuss the rules with the child, such as when and for how long they can be online, and that they should not text with strangers. It is important that the rules apply to everyone in the family, even adults.

Summary

The internet offers fantastic opportunities but also involves risks for children in the form of inappropriate content, grooming, fraud, internet addiction, and cyberbullying. You can protect your child by combining technical tools like parental controls and child profiles with increasing their digital literacy. But above all: talk to them about safe online behavior and explain the reasons behind the rules you set. Protection is the best gift you can give your loved ones.

Reflection questions

  1. Which of the four mentioned risks for children online do you think is hardest for a parent to detect, and why?
  2. How can a parent balance the need to protect their child technically (e.g., with positioning and web filters) against the child's need for privacy and independence?
  3. How would you go about talking to a teenager about online grooming and the risks of sharing private pictures, without seeming overly judgmental or frightening?
  4. In what way can a parent's own behavior online (for example, how much time you spend on your phone) affect a child's internet habits and view of rules?
  5. Why is it important to teach children to be critical of generous offers online, and how can you easily explain this to a younger child?

Chapter 11: Social engineering - How to see through scammers

Welcome to Chapter 11. In this chapter, we will take a closer look at social engineering, what it is, and how you can protect yourself against it. You will learn about the methods scammers use to trick people, how you recognize if you are communicating with a criminal, and how you protect yourself against online scams.

What is social engineering?

Social engineering describes the psychological manipulation techniques hackers and scammers use to convince people to do something or reveal valuable information. It can involve tricking someone into sending money, revealing sensitive personal data, or sharing passwords to access various resources.

When scammers use these techniques, they skillfully create a sense of urgency and importance. Experienced attackers often only need a few seconds to pressure someone into sharing the data they want.

Scammers often exploit the latest technology alongside persuasion and manipulation. They often pose as trustworthy figures, for example representatives of the police, security services, doctors, or technical support.

An example: The fake bank call

To make it clearer, let's look at an example. Imagine you get a call from an unknown number. You answer and hear a convincing voice. A person says: "Good day. This is [Name], head of your bank's security service. Your money has just been transferred from your account to an account abroad in the name [Name]. This person is involved in several suspicious activities and criminal investigations regarding fraud and theft. But don't worry, we will do our best to protect your finances. To do this, we just need your account number, card number, and CVC code. Please share them now. We only have 2 minutes to save your money. This is extremely serious."

Why is this a scam?

Let's analyze why the person calling is not a security chief, but a scammer.

  • Sign 1: Information overload. The scammer overwhelms you with information: name of the alleged security chief, name of the suspect abroad, information about criminal investigations and legal paragraphs. It is hard to follow so many details, especially when spoken quickly.
  • Sign 2: Time pressure. Criminals try to stress you into making a decision. "2 minutes" is far too short a time to think logically.
  • Sign 3: Position of authority. The scammer pretends to be someone with authority. A security chief at a well-known bank is unlikely to call you personally for such a matter.
  • Sign 4: Playing on emotions. The scammer plays on your emotions, escalates the situation, and persuades you to follow instructions exactly. Phrases like "Don't worry" often make you worry even more. The rapid speech, information overload, and risk of losing money contribute to increasing your panic, fear, and confusion. In this state, many are prone to act hastily and instinctively.
  • Sign 5: Requests for confidential information. The scammer asks for passwords, card details, SMS codes, or CVC codes. Real banks never ask for such things over the phone.

Different methods of social engineering

Criminals have many inventive ways to scam you. Here are some common techniques:

  • Baiting: The scammer leaves "bait." It could be an email stating you won a large sum of money in a lottery, where you must click a link and enter confidential info to claim the prize. It can also be a physical USB drive with malicious code left in a public place, hoping someone out of curiosity plugs it into their computer.
  • Pretexting: The scammer uses an excuse to get your attention and force you to share information. An example is online "polls" where you are redirected to a fake login page and asked to enter a phone number and verification code, leading to your account being hijacked.
  • Phishing: They send emails from a seemingly trusted source asking for information. A clear example is a message looking like it’s from the bank, asking you to confirm confidential info on a fake website. If you fill in the form, your personal and payment details end up in the attacker's hands.
  • Vishing (Voice phishing): As in the example above, an attacker calls and pretends to be a bank official or police officer to get you to do something, like transfer money to a "safe account" (which is actually the attacker's).
  • Fake services: The attacker convinces you that you get something in exchange for your data. This is how fake antivirus programs work; they offer to remove a threat on your computer, but the program itself is the threat.
  • Hijacked accounts: They hack an account on social media or messaging services, get access to contacts, and contact your friends and family in your name, asking for money because you "got into trouble."
  • Multi-step scams: A more complex variant where the victim first gets a message from a known contact (but from an unknown number) saying that authorities will contact them about an urgent matter. Soon the fake authorities get in touch, apply psychological pressure, and prepare the victim for a call from the "bank," which then calls and tries to get them to transfer money or take out loans.

How to protect yourself against social engineering

If you follow these tips, you significantly reduce the risk of falling victim to criminal schemes:

  • Always verify the source. Be suspicious of unexpected emails, calls, or found USB drives. If you get an email that looks like it comes from a known contact but feels suspicious, compare it with previous correspondence (style and headers). If you don't know the sender, scrutinize the address for strange characters. Never click links or open attachments in suspicious emails. Hover over links to see where they actually lead. If you are still in doubt, look up the organization's official website and call their support number.
  • Think about what they know about you. The fact that someone knows your full name does not guarantee that the contact is genuine. Remember that real bank officials will never make changes to your account or perform other operations via email, phone, or messaging apps.
  • Take your time. Scammers try to rush you. Take a pause and think. Just pausing for a minute can help you spot the problem. If you feel pressured, say you need time to think, e.g., that you don't have the details at hand. The scammer will usually not take any risks if the element of surprise is gone. Always verify through a second communication method (e.g., call a friend if they ask for money via email).
  • Use a reliable spam filter. Ensure your spam settings are correct. Good filters can identify suspicious files or links and block suspicious senders.
  • Think critically. Scammers count on you being gullible. Think about it: How likely is it that you inherited a million from an unknown prince? Would your bank ask for account details over the phone? Many banks record all calls and save correspondence. If you are unsure, contact the bank yourself through their official channels.
  • Use security solutions and follow digital hygiene rules. Install and update security programs that can prevent you from clicking fake links or downloading malicious code. Never use the same password for different accounts. Create strong passwords and store them securely. Use two-factor authentication (2FA) where possible.
  • Reduce your digital footprint. A digital footprint is the data you leave behind when using the internet (visited websites, sent emails, social media posts). Scammers can use this to their advantage by gathering data about you to prepare their attacks. By reducing what is available online, you reduce the risk of being targeted.

Summary

Social engineering involves psychological manipulation techniques where scammers try to stress, scare, or manipulate you into doing something, such as sending money or revealing passwords. They often pretend to be authorities. Never click suspicious links and never hand out sensitive info (passwords, codes) via phone or messages. If in doubt, always double-check the info via another source. Think critically and take your time; scammers want quick answers.

Reflection questions

  1. Why does the technique of creating a sense of urgency (time pressure) work so effectively in social engineering?
  2. Have you or someone you know ever been exposed to an attempt at phishing or voice phishing (vishing)? How did you react and what were the warning signs?
  3. How would you go about verifying that an email appearing to come from an authority or a bank is actually genuine, without clicking on any links in the message?
  4. How does the use of unique, strong passwords and two-factor authentication connect to protection against social engineering?
  5. In what way can complex multi-step scams (where several fake authorities contact the victim) make it harder to detect the manipulation compared to a simple fake call?

Chapter 12: Protection against email attacks

Email is one of our most important communication tools, but it is also a common route for cyberattacks. In this chapter, we will go through how attackers use email to trick users, why they do it, and how you can protect yourself against these attacks.

Spam and phishing

The two most common forms of unwanted email are spam and phishing.

  • Spam: This is the digital equivalent of direct mail in your physical mailbox. Although most of it is harmless (but annoying) advertising, spam can also be dangerous if it contains malicious links or is part of a more targeted attack.
  • Phishing: This is a more serious cyber threat where the goal is to steal user data. It can involve login details (username and password), bank card numbers, or other confidential information.

To succeed with phishing, criminals often use social engineering. This involves psychological manipulation techniques to convince you to take action (like clicking a link) or reveal valuable information. They often try to make their email addresses and messages look as if they come from official, reliable sources, such as banks, authorities, or known companies.

Why are these emails sent?

Criminals send out enormous amounts of spam and phishing emails in the hope that a few will fall into the trap. The purposes are usually:

  • Scam: To trick the recipient into voluntarily transferring money to the criminals under false pretenses.
  • Data theft: To gain access to passwords, credit card numbers, and bank details through phishing.
  • Spreading malicious code: To infect the user's device with viruses, trojans, or ransomware via attachments or links.

How to recognize a phishing email

There are clear warning signs that you should pay attention to. Attackers try to make their emails as convincing as possible by using fake sender addresses that resemble real ones, as well as official logos and formatting.

Here are the most important signs that an email is fake:

  • Call to immediate action (Creates panic): Phrases like "Urgent!", "Your account will be blocked within 3 hours", or threats of legal consequences are typical tricks. The purpose is to make you panic and act quickly without thinking or checking the source.
  • Enticing subject lines (Plays on greed or curiosity): Subject lines about large money transfers, compensation, winnings, unexpected job offers with high salaries, or shared documents are common to grab your attention.
  • Incorrect language and strange characters: Even though scammers are getting better, many fake emails contain typos, grammatical errors, or strange phrasing (often the result of automatic translation). Sometimes senders replace letters with similar characters from other alphabets to bypass spam filters.
  • Suspicious sender address: Scrutinize the sender's email address carefully. It might consist of a random string of letters and numbers, or use the wrong domain name (e.g., [email protected] instead of [email protected]). Scammers count on you only reading the display name and not the actual address.
  • Suspicious links and attachments: This is the most dangerous element.
    • Links: Before clicking, hover your mouse pointer over the link (without clicking!) to see the actual web address (URL) at the bottom of the browser window. Check that the address leads to the official website. Scammers often use link shorteners or addresses spelled almost correctly (e.g., samsunq.com instead of samsung.com).
    • Attachments: Never open attachments in emails from unknown senders, especially if you are not expecting a document. They can contain malicious code such as:
      • Keyloggers: Programs that record everything you type on the keyboard (including passwords and bank details).
      • Trojans: Malicious software that hides inside a seemingly harmless program.
      • Ransomware: Programs that encrypt your files and demand a ransom to unlock them.

Attackers also use other email-related systems, like calendar invitations or survey forms, to spread phishing links. If you get an unexpected invite with suspicious links, ignore it.
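The signs above that concern wording, the sender address, and links can also be checked mechanically. The Python sketch below is an added example, not part of the original book; the brand "Example Bank", its domain examplebank.test, and the sample message are made up for illustration.

```python
import re
import unicodedata
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: brands you deal with and their official domains (made-up names here).
OFFICIAL_DOMAINS = {"example bank": "examplebank.test"}
# Pressure phrases taken from the chapter's own examples.
URGENCY = ("urgent", "will be blocked")
HOST_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)
LOOKALIKE_SCRIPTS = {"LATIN", "CYRILLIC", "GREEK"}

# Constructed sample message, not a real email.
# \u0441 is the Cyrillic letter "es", which looks like a Latin "c".
SAMPLE = """\
From: "Example Bank Support" <x9k2f71@mail-examplebank.test>
To: reader@example.org
Subject: Urgent! Your ac\u0441ount will be blocked within 3 hours
Content-Type: text/html; charset="utf-8"

<p>Dear customer, please confirm your details:</p>
<a href="http://examp1ebank.test/login">https://www.examplebank.test/login</a>
<a href="https://www.examplebank.test/help">Help centre</a>
"""


class LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def under(host, domain):
    """True if host is the domain itself or one of its subdomains."""
    return host == domain or host.endswith("." + domain)


def scripts(word):
    """Alphabets used by the letters of a word (first word of each Unicode name)."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in word if ch.isalpha()}


def analyze(raw, official=OFFICIAL_DOMAINS):
    """Return (code, detail) pairs for the warning signs found in one message."""
    msg = message_from_string(raw)
    display, address = parseaddr(msg.get("From", ""))
    sender_host = address.rpartition("@")[2].lower()
    subject = msg.get("Subject", "")
    # Assumes HTML parts are stored as plain text (no base64 transfer encoding).
    body = "".join(part.get_payload() for part in msg.walk()
                   if part.get_content_type() == "text/html")
    findings = []

    # Call to immediate action in the subject line.
    if any(phrase in subject.lower() for phrase in URGENCY):
        findings.append(("urgency", subject))

    # Letters swapped for look-alikes from another alphabet.
    for word in re.findall(r"\w+", f"{display} {subject}"):
        if len(scripts(word) & LOOKALIKE_SCRIPTS) > 1:
            findings.append(("mixed_script", word))

    # Display name claims a brand, but the real address is on another domain.
    for brand, domain in official.items():
        if brand in display.lower() and not under(sender_host, domain):
            findings.append(("sender_domain", f"{display!r} sent from {sender_host}"))

    # Visible link text shows one site, the link itself leads to another.
    collector = LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        target = (urlsplit(href).hostname or "").lower()
        shown = HOST_RE.search(text)
        if shown and target:
            shown_host = shown.group(1).lower()
            if not (under(target, shown_host) or under(shown_host, target)):
                findings.append(("link_mismatch",
                                 f"text shows {shown_host}, link goes to {target}"))
    return findings


if __name__ == "__main__":
    for code, detail in analyze(SAMPLE):
        print(f"{code}: {detail}")
```

A clean result from a script like this does not prove a message is genuine; it only automates the visual checks described above.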

How to protect yourself against email threats

The best protection is to be vigilant, but there are several concrete steps you can take to increase your security.

1. Handle suspicious emails correctly

  • If an email looks suspicious, don't open it. Delete it immediately.
  • If you are unsure, contact the company or person (e.g., your bank or boss) via another, trusted channel (call their official number or write a new email to their known address). Do not use the contact details in the suspicious email.
  • Never reply to spam. It confirms to the spammers that your address is active, leading to even more spam.
  • Do not click "Unsubscribe" in questionable emails. This can be a way for scammers to collect active email addresses.

2. Use technical layers of protection

  • Security program: Install a reliable security program that updates regularly. This can block phishing links and prevent the downloading of malicious code.
  • Spam filters: Use email services that have good built-in spam filters.
  • Two-factor authentication (2FA): Always activate 2FA on your email account. It provides an extra layer of protection if someone were to get hold of your password.
  • Update software: Ensure your operating system and all your programs (especially browsers and email clients) are updated with the latest security patches.

3. Create strong passwords

Use a strong and unique password for your email account. It should be hard to guess and consist of a mix of uppercase and lowercase letters, numbers, and special characters. A password should be at least 16 characters long. Avoid simple combinations like your name, birth date, or pet's name. A password manager can help you create and store secure passwords.

4. Have multiple email addresses (Public and Private)

This is an effective way to reduce the amount of spam to your most important address.

  • Private address: Use this only for personal communication with family, friends, and important services (like the bank). Never share it on public websites or in surveys. If you must publish it, do it as an image instead of a clickable link.
  • Public address: Use this secondary address when registering on websites, participating in marketing activities, filling out surveys, or subscribing to newsletters. This way, spam ends up in this inbox and not in your private one.

Summary

Criminals use spam and phishing via email to steal personal information and money. Be alert to emails with an urgent tone, enticing offers, language errors, and suspicious sender addresses. Never click suspicious links and never open attachments from unknown sources. Protect yourself by using strong passwords, activating two-factor authentication, having updated security programs, and using separate email addresses for private and public purposes.

Reflection questions

  1. Why do you think scammers so often use threats of blocking an account or promising huge winnings in their phishing emails? What psychological effect does it have on the recipient?
  2. Think about the emails you received over the past week. Did you react to any sender address or link? How did you check if it was genuine?
  3. What is the difference between spam and phishing, and why can even "regular" spam sometimes be dangerous?
  4. What concrete disadvantages and risks are there in using the same password for your email account as for other websites and services?
  5. How can the strategy of having two different email addresses (one private and one public) help you maintain better digital hygiene?

Chapter 13: Protect yourself against phone scams

Phone scams are a topic most people are familiar with through the news or everyday talk, but as we become more vigilant, the criminals become more sophisticated. Today they use advanced psychology and technology to access your money and personal data. In this chapter, we go through how these scams work, how you recognize them, and how you protect yourself.

Where do the scammers get your information?

Many wonder how a stranger can know their name or where they work. Scammers primarily use two sources:

  • Open data on the internet: Everything you share publicly—photos, check-ins, phone numbers, and workplace—can be used to build a profile of you. The more you share, the easier it is for a scammer to appear credible.
  • Account hijacking and targeted attacks: By hacking an account of, for example, a colleague or friend, the scammer can read past conversations to make their attack more personal. They can send a message via a chat app warning that "the authorities will call you soon," which increases the chance that you trust the subsequent call.

Methods for phone scams

There are two main techniques used to trick victims via mobile:

Vishing (Voice phishing)
Here the scammer tries to get hold of confidential information through a regular call or via voice calls in apps.

  • Warning signs: The call comes from a normal mobile number or a foreign number, even though the caller claims to be from a bank.
  • Psychological pressure: They create a sense of urgency ("Your card is under attack right now!") to get you to stop thinking logically.
  • Requests for codes: A bank employee or police officer will never ask for your CVC code (the three digits on the back of the card), your passwords, or codes from your security token/BankID.

Smishing (SMS phishing)
Here text messages are sent with links claiming you won money or that a package is awaiting delivery.

  • The risk: If you click the link, malicious code can be installed on your device, or you are sent to a fake website where you are asked to enter your details.

Different types of calls to watch out for

To know if you are communicating with a scammer, you should examine how the call takes place:

  • Calls via messaging apps: Banks and authorities never call via WhatsApp, Messenger, or similar services.
  • Number spoofing: Technology that makes it look like the call is coming from an official number (e.g., the bank's real number). Remember: Even if the number looks right, a bank official will never ask for your private codes over the phone.
  • Dropped calls: Calls that just ring for a second. The purpose is often to check if your number is active or to get you to call back to an expensive premium-rate number.
  • Automatic voice bots: AI-driven programs that imitate human speech to sell services or collect information.

What do you do in difficult situations?

  • If you get a verification code you didn't request: It means someone is trying to log into one of your accounts. Never share the code with anyone. If you suspect they have your password, go directly to the service and change the password.
  • If you realize you are talking to a scammer:
    • Hang up immediately. It is the most effective strategy.
    • Do not respond with emotions. Avoid joking with, insulting, or trying to trick the scammer. They can retaliate by using your number to call other victims (so-called "spoofing"), which can lead to innocent people calling you and demanding their money back.
  • If you have already handed out details:
    • Contact your bank immediately via their official number and block your cards/accounts.
    • Report the incident to the police.
    • Contact your mobile operator if you suspect they gained access to your mobile subscription.

Important rule: If you are unsure, hang up and call the organization yourself via the number listed on their official website.

How to protect yourself proactively

  • Install apps for Caller ID: There are programs that identify known fraudulent numbers and warn you directly on the screen before you answer. Some can even block these calls automatically.
  • Be sparing with your data: The less personal information available about you online, the harder it is for scammers to build credible stories.
  • Use security software: Updated protection on your mobile can warn of malicious links in SMS and protect your personal data.
  • Two-factor authentication (2FA): This is your strongest defense. Even if a scammer has your password, they cannot get into your accounts without the second verification.

Summary

Scammers are constantly becoming more creative and using both technology and psychology to trick us. The best line of defense is your own vigilance. By never sharing codes, always verifying the source, and using technical aids like caller ID and security programs, you can feel safe in your digital everyday life.

Reflection questions

  1. Why do you think scammers so often pretend to be from the "bank's security department" or "the police" specifically? What effect does it have on us?
  2. If you get a call from a person claiming to be a relative in crisis and asking for money, what verification questions could you ask that only the real relative can answer?
  3. Discuss the risks of trying to "mess" with or trick a calling scammer. Why is it recommended that you just hang up?
  4. How can your behavior on social media (e.g., sharing where you work or when you travel away) make it easier for a phone scammer?
  5. What are the three most important things you would teach an elderly person or a child so they don't get scammed over the phone?

Chapter 14: Safe online shopping

Welcome. In this chapter, we will talk about something that has become part of everyday life for many of us: shopping online. It's fast and convenient, but it can also involve risks. Unfortunately, scammers love targeting people who shop online, especially those who do it in a hurry or without double-checking links and details.

But don't worry. After going through this chapter, you will know exactly how to protect yourself, your money, and your personal data.

In this chapter, you will learn:

  • What problems you might encounter when shopping online.
  • What methods scammers use to trick you.
  • How to protect yourself when shopping online.

Fake websites - A common trap

Let's start with one of the most common traps: fake websites. Cybercriminals build pages that look almost identical to real online stores. They use known logos, product images, and even fake customer reviews to trick you into trusting them. But behind the scenes, these sites are designed to steal your money, your personal data, or both.

How to spot a fake:

  • Examine the web address (URL): Look closely at the address in your browser. Does it look strange? Maybe there's a typo, an extra hyphen, or an unusual top-level domain (like .store, .shop, or .xyz) instead of the usual ones (.com, .co.uk, etc.).
  • Check payment options: If they only offer bank transfers or ask you to send a message to confirm your order, it's a red flag.
  • Make it a habit: Don't click on random links in emails or ads. Instead, type the store's name directly into the browser.
  • If unsure: Search for independent customer reviews on third-party websites or forums.
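The web address check from the list above can be written down as a small program. This Python sketch is an added example, not part of the original book; the list of known stores is an assumption (samsung.com is borrowed from the link example in Chapter 12, example.co.uk is a placeholder), and splitting the address into name and ending is simplified.

```python
from urllib.parse import urlsplit

# Assumption: the stores you actually shop at. samsung.com comes from the
# Chapter 12 link example; example.co.uk is a placeholder.
KNOWN_STORES = ("samsung.com", "example.co.uk")
# Endings the chapter lists as unusual for an online store.
UNUSUAL_TLDS = {"store", "shop", "xyz"}
# Simplification: a complete tool would use the Public Suffix List instead.
SECOND_LEVEL = {"co", "com", "org", "net", "ac", "gov"}


def split_domain(host):
    """Split a host into (store name, ending): www.example.co.uk -> (example, co.uk)."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and labels[-2] in SECOND_LEVEL and len(labels[-1]) == 2:
        return labels[-3], ".".join(labels[-2:])
    if len(labels) >= 2:
        return labels[-2], labels[-1]
    return host.lower(), ""


def edit_distance(a, b):
    """Levenshtein distance: number of single-character edits that turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_store_url(url, known=KNOWN_STORES):
    """Return a list of red flags for a store address; an empty list means none found."""
    if "://" not in url:
        url = "http://" + url  # accept addresses typed without a scheme
    host = urlsplit(url).hostname or ""
    name, suffix = split_domain(host)
    if f"{name}.{suffix}" in known:
        return []  # exactly one of the known stores (or a subdomain of it)

    findings = []
    for store in known:
        known_name, _ = split_domain(store)
        if name == known_name:
            # Right name, wrong ending (for example .xyz instead of .com).
            findings.append(f"other_suffix:{store}")
        elif "-" in name and (name.replace("-", "") == known_name
                              or known_name in name.split("-")):
            # Known name with a hyphen added or a hyphenated word attached.
            findings.append(f"extra_hyphen:{store}")
        elif 0 < edit_distance(name, known_name) <= 2:
            # One or two characters away from a known name: likely a typo trap.
            findings.append(f"lookalike:{store}")
    if suffix in UNUSUAL_TLDS:
        findings.append("unusual_tld")
    return findings


if __name__ == "__main__":
    # Constructed test addresses.
    for address in ("https://www.samsung.com/uk/phones", "http://samsunq.com/deal",
                    "https://samsung-outlet.shop/", "www.cheapdesignershoes.xyz"):
        print(address, "->", check_store_url(address) or "no red flags found")
```

An empty result only means none of these three checks fired; the payment and review checks in the list still apply.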

Scams on known marketplaces

Even on well-known platforms and marketplaces where individuals and companies sell goods, you can encounter fake sellers. They often post highly sought-after items (like phones, computers, or designer sneakers) at prices that seem too good to be true.

When you show interest, they often ask you to pay outside the platform, for example via chat apps or by sending an unknown link.

The golden rule is simple: Never pay outside the official platform. Marketplaces offer buyer protection for a reason, but this only applies if you stick to their system. If a seller says "Contact me privately for a better price," pull out of the deal. Scammers often rely on creating stress and strong emotions (like fear of missing out on a bargain). If the offer feels rushed or too good to be true, it probably is.

Fake ticket sites

Have you ever come across websites offering tickets to sold-out concerts, exhibitions, or flights at huge discounts? Be careful. Fake ticket sites are everywhere. They often pop up in search results or ads and look convincing.

Look closer: They often lack details like full artist information, clear refund policies, or contact information. A classic trick is to pressure you into a quick purchase using countdown timers ("Offer expires in 2 minutes") or fake inventory levels ("Only 3 tickets left").

To protect yourself: Only buy tickets from official event websites or verified retailers. Don't rush. If you are in doubt, go to the organizer's official page and see which ticket services they recommend.

Fake delivery notifications

Another common scam is fake delivery notifications. You might get an email or SMS saying: "Your package is waiting. Click here to pay a small fee." The message might even use the logo of a known shipping company.

These messages are designed to create panic or get you to act quickly. Scammers often use sender addresses that look like real ones, but with slight changes.

How to stay safe:

  • Not expecting a package? Don't click the link.
  • Expecting a package? Go to the shipping company's official website and manually type in your tracking number instead of clicking the link in the message.
  • Examine the sender: Always check the sender's email address or phone number. Look closely at what comes after the @ sign. Is it a real domain or something strange?

Account hijacking

Some scams don't start with a fake website, but with your own account. Criminals try to get access to your online store accounts. They do this to:

  • Use your saved loyalty points.
  • Shop using your saved card details.
  • Steal your name, address, and phone number for future scams.

To stay safe:

  • Use strong and unique passwords for every store.
  • Turn on two-factor authentication (2FA) wherever possible.
  • Avoid saving card details unless you trust the site 100 percent.
  • Be sure to log out if you use shared or public computers.

Remember: Even if no money is stolen directly, your personal data can be sold or used for other scams.

Sellers via chat apps and social media

Some sellers exist only via chat apps or social media. They post enticing ads or send direct messages with statements like "Special offer, limited stock. Click here to buy now."

The link often leads to a fake payment page or a phishing site designed to steal your info.

The rule of thumb is: If the seller has no official website, skip it. Don't click payment links from strangers in chats. Trust only verified stores and brands with a clear and consistent online presence.

Shopping safely via mobile

Shopping from your phone is convenient, but it also carries risks.

  • Avoid public Wi-Fi: Do not make purchases when connected to public networks (like at a cafe or an airport). Wait until you use your mobile data or your home network.
  • Security settings: Use a screen lock (PIN code, fingerprint, or facial recognition).
  • Official apps: Only download shopping apps from official app stores.
  • Updates: Keep the phone's operating system and apps updated, as security updates are important.

Protect your payment information

Your payment details are what scammers want the most. Here is how you protect them:

  • Never share: Never provide your card's PIN code, CVV/CVC code (the three digits on the back), or verification codes you receive via SMS.
  • Don't save unnecessarily: Do not store card details on websites you do not use often.
  • Use a separate card: Use a separate bank card (e.g., a debit card) intended only for online shopping, or use a virtual card if your bank offers it. Limit the funds available on that card.
  • Password manager: Use a password manager to securely encrypt and store your card details if you need to save them.

These small steps can save you from big problems.

Summary: Golden rules for safe online shopping

  • Scrutinize web addresses closely. Look for typos or strange domains.
  • Do not trust unreasonable discounts. If a price seems too good to be true, it probably is.
  • Never click on payment links in messaging services, chats, or emails. Go through official routes.
  • Use strong passwords and two-factor authentication.
  • Keep track of your actual orders to easily expose fake delivery messages.
  • Use a separate or virtual card for online purchases.
  • Do not panic. Take a minute to think before you click on anything.

You don't have to be a tech expert to shop safely online. You just need some smart habits and a little vigilance. Pay attention, protect your data, and shop with confidence.

Reflection questions

  1. You see an ad on social media for a pair of expensive sneakers at a 70% discount. The web address is www.cheapdesignershoes.xyz. What red flags do you see here, and how would you act?
  2. Why do you think scammers so often use countdown timers or "few left in stock" messages on fake websites? What psychological effect does this have on us?
  3. You are expecting a package and get an SMS that looks like it is from the shipping company. It says you must pay a handling fee of 1.50 for the package to be delivered, with a link. Describe step by step how you would handle this safely.
  4. Why is it dangerous to pay a seller on a marketplace via an external payment link instead of using the marketplace's own payment system?
  5. When shopping via mobile, why is it safer to use the phone's network (mobile data) than the open Wi-Fi network at a cafe?

Chapter 15: Security on social media and messaging services

Social media and messaging services are today a central part of our lives. We use them to keep in touch with friends, share experiences, and communicate in everyday life. But the popularity also attracts cybercriminals who want to access user accounts and personal information. In this chapter, we go through how you protect yourself and act responsibly online.

1. Manage your privacy settings

The first step to a secure digital life is to control who can see what you do. Many services have open settings by default, meaning anyone can see your profile.

  • Find the settings: You usually find these under an icon that looks like a gear, three dots, or your profile picture. Look for the "Privacy" section.
  • Limit visibility: You can often choose whether your profile should be public or private. A private account means only those you have approved as friends can see your posts.
  • Specific information: You can often control exactly who sees your birth date, your location info, or your friends list. Cybercriminals can use seemingly innocent information (like your birthday) to guess passwords or perform social manipulation.

2. Secure messaging services

Many messaging services offer advanced security features. Here are some important tools to keep an eye on:

  • Two-factor authentication (2FA): This is one of the most important protections. It means just a password isn't enough to log in; you also need a code sent to your phone or generated in an app.
  • Hide your phone number: Some services let you use a username instead of showing your private phone number.
  • Active sessions: Under settings, you can often see which devices (computers, mobiles) are logged into your account. If you see an unknown device, you should immediately terminate that session and change your password.
  • Encryption: Most modern apps use encryption, meaning outsiders cannot read your messages as they are sent.

3. Think before you share

Information you publish can have consequences in the physical world. Before posting something, ask yourself:

  • Can the information be used against me or my contacts?
  • Could this have unforeseen consequences in the future?

Examples of risks:

  • Burglary risk: If you post pictures from your vacation after having previously shown where you live, a thief knows your home is empty.
  • Extortion: Pictures or sensitive information shared in confidence can be used for blackmail if they end up in the wrong hands.
  • Phishing: If a stranger sends you a link, never click it. It could be an attempt to steal your login details.

4. Digital threats: Doxing, cyberbullying, and stalking

There are several terms for unpleasant or illegal behavior online that you should know:

  • Doxing: Gathering and publishing someone's private information (address, social security number, etc.) without consent to harm the person.
  • Catfishing: When someone creates a fake identity online to deceive others, often for financial gain or to start a relationship under false pretenses.
  • Cyberbullying: Systematically offending, threatening, or humiliating someone via digital tools. It can happen openly in comment sections or hidden in group chats.
  • Cyberstalking: Pursuing or monitoring someone digitally, for example by tracking the person's movement patterns via social media.

Important: If you are subjected to doxing or bullying—save evidence! Take screenshots of messages and comments. Most platforms have features to report violations and block users.

5. What do you do if your account is hacked?

If you suspect someone has taken control of your account, act quickly:

  • Log out of all devices: Use the "Log out of all sessions" function if it exists.
  • Change password immediately: Choose a strong and unique password. Preferably use a password manager.
  • Scan your devices: Run a security scan with an antivirus program to check whether malicious code (malware) has ended up on your computer or phone.
  • Contact support: If you cannot log in, use the service's official form to recover the account.
  • Warn your friends: Tell your contacts that your account has been hacked so they don't click links or send money in your name.

Reflection questions

  1. Private or public? Go through your own social media accounts. How much information can a person you don't know find about you right now?
  2. Password routines: Do you use the same password in several different places? What risks do you see with that after reading the text?
  3. Digital etiquette: Why do you think it is easier for some to be mean in a comment section than face-to-face? How does it affect the person targeted?
  4. Source criticism: If a friend suddenly sends a message asking for money or for you to click a weird link—how can you verify that it really is your friend and not a hacker?
  5. Drawing the line: Where is the line between being curious about someone's life and committing cyberstalking?