Most online scams don't start with a genius hacker breaking into systems. They start with a text message saying your parcel is being held, a call from someone claiming to be your bank, an ad with a price too good to be true. The target isn't your computer, it's you, and the weapon is almost always the same, your hurry.
The good news is that the defense requires no technical skill and costs no money. It comes down to ten habits, practiced until they become automatic, like looking both ways before crossing the street.
Stop before you click
- Urgency is the tell. "Your account will be blocked today", "final notice", "you have 24 hours". No legitimate bank, shop or public service demands a decision in minutes. Whoever wrote that message designed it to leap over your common sense, and urgency is the tool. When a message rushes you, stop right there.
- Never enter through the door they point to. Never solve anything through the link that came in the message. If your bank, the postal service or social security has something to tell you, it is waiting inside: open the app yourself or type the address into the browser. The scammer's link leads to a copy of the real site, built to catch your password.
- Return the call through the official number. Anyone can phone you claiming to be your bank, your telecom provider or the police. Hang up without arguing and call the number on the back of your card or on the official website. Legitimate people don't take offense.
- Receiving money never requires codes. A classic scheme in Portugal abuses MB Way, the national instant-payment app: a fake buyer (for a sofa you listed online, say) walks you through steps at the ATM or in the app "so you can receive the payment". To receive money you never need to enter codes, accept requests or follow anyone's instructions. Whoever guides you step by step isn't putting money into your account, they're taking it out. The same logic protects you on any payment app, anywhere.
Lock down your accounts
- Protect your email like you protect your bank. Your email is the master key to everything: whoever gets in can hit "forgot my password" on all your other services, and that is where the reset links arrive. It is the first account to fortify.
- One password for each door. Reusing the same password is carrying one key that opens your house, your car and your office: you only need to lose it once. A password manager, a vault app that invents and stores them for you, is the best solution. And if you don't trust apps, a notebook kept safely at home is still less risky than reusing the same password everywhere.
- Turn on two-step verification. It is a second lock, a code that reaches your phone when someone tries to log in. With it on, the overwhelming majority of break-in attempts using stolen passwords die at the door. Turn it on first for your email and your bank, then your social networks, and when given the choice, prefer app-generated codes over SMS.
Treat your devices like your home
- Update without delay. An update is, in practice, a new lock replacing one that turned out to be broken. A large share of the attacks that reach ordinary people exploit flaws whose fix had existed for months, waiting for whoever postponed it. When your phone or computer asks to update, let it.
- Install apps only from official stores. That "free" game downloaded from some website multiplies the risk dozens of times over, according to Google's own analysis, and that is how a thief moves in to live inside your phone, where your bank lives too.
- Keep copies of what you can't afford to lose. Photos of your kids, documents, invoices: anything that would hurt to lose should exist in two places, say the cloud and a disk at home. It protects you from the viruses that hold files hostage for ransom, and from the phone that falls into the water.
When things go wrong
Falling for a scam happens to anyone, including people who work in technology every day. What you do next is what counts:
- Change your email password immediately, then the others.
- Call your bank through the official number to freeze payments and cards.
- Keep everything, messages, receipts, the numbers that called you, and file a report; in Portugal this can be done online through the Electronic Complaint system. That evidence makes a difference.
- Tell someone. Shame and silence are the scammer's best friends, they are what he counts on to repeat the scheme on you and on others.
Whoever attacks you isn't counting on poorly protected machines, they're counting on you tired, sorting out your life on your phone between two tasks. Online security isn't a product or a talent, it's what you do without thinking the moment the message arrives. Train these ten habits while everything is fine, so that the day a scam knocks on your door, the habit answers, not the hurry.
To go further: Portugal's National Cybersecurity Centre (CNCS) publishes practical guides for citizens.
#StaySafe
🙏🖖