Your Personal Cybersecurity Checklist: 10 Things to Do Before You Get Hacked

Common cybersecurity advice usually falls into one of two traps:

• It’s so vague it’s useless (“just use strong passwords!”).
• It’s so technical that it sends you reaching for an aspirin.

That’s not the case here. These are the steps that security professionals actually prioritize, translated into plain language and sorted by time commitment, so you can start small and build from there.

2-Minute Fixes: Do These Right Now

1. Turn on Account Activity Alerts

Most banks, credit card companies, and email providers let you set up real-time alerts for logins, transactions, and password changes. If someone gets into your account, you'll know immediately instead of weeks later.

Where to start:

• Log into your bank and credit card accounts.
• Look under Settings > Notifications or Alerts.
• Turn everything on.

2. Set a SIM PIN on Your Phone

If a thief gets your SIM or pulls off a SIM swap attack by convincing your carrier to transfer your number to a new device, they can intercept your text-based verification codes and use them to break into your accounts.

How to set it up:

• iPhone: Settings > Cellular > SIM PIN
• Android: Settings > Security > SIM card lock

You might have to enter the default PIN of your carrier before you change it.

Choose a PIN that’s different from your screen lock. Store it somewhere safe. If you enter it wrong too many times, your SIM will lock, and your carrier must unlock it for you.

15-Minute Tasks: High Impact, Low Effort

3. Enable Two-Factor Authentication (2FA) on Your Most Important Accounts

Two-factor authentication means that even if someone gets your password, they still can’t get in without a second verification step. This is one of the single most effective protections available.

Priority accounts to secure first:

• email (this is the master key; everything else resets through it)
• online banking and investment accounts
• social media
• your password manager (see below)

Best option: Use an authenticator app like Google Authenticator or Authy instead of SMS text codes. Text codes can be intercepted; app codes can’t.

4. Check If Your Email Has Been Compromised

Go to HaveIBeenPwned.com and enter your email address. The site checks your address against known data breaches for free.

If your email shows up, change the password for every account associated with it immediately.

30-Minute Projects: Worth Every Minute

5. Get a Password Manager

Reusing passwords across accounts? One data breach compromises them all. A password manager generates and stores unique, complex passwords for every account, so you only have to remember one.

• Well-regarded free options: Proton Pass, KeePassXC

Once it’s set up, update your most sensitive account passwords first: email, banking, investment accounts.

6. Audit Your Existing Passwords

If your password manager offers it, run its built-in security audit. Depending on the program, it will flag reused passwords, weak passwords, and passwords exposed in known breaches.

Replace the flagged ones, starting with your financial and email accounts.

One-Time Tasks: Set It and Forget It

7. Freeze Your Credit at All Three Bureaus

A credit freeze is free and prevents anyone (including identity thieves) from opening new credit accounts in your name. It doesn’t affect your credit score, and you can lift it temporarily when you actually need to apply for credit.

You'll need to freeze credit at each bureau separately. It takes about 10 minutes per bureau.

8. Get an IRS Identity-Protection PIN

Tax identity theft happens when someone files a fake return using your Social Security number to steal your refund. An IP PIN from the IRS blocks this. Only you (and the Internal Revenue Service) will know the six-digit code required to file a return in your name.

The IRS will generate a new six-digit IP PIN each January; retrieve it online via your IRS account or mailed notice.

9. Check Your Free Credit Reports

You’re entitled to a free credit report from each bureau every week at AnnualCreditReport.com. Look for accounts you didn’t open, addresses you’ve never lived at, or inquiries you didn’t authorize.

These are red flags for identity theft.

Ongoing Habits: Keep Your Defenses Current

10. Keep Your Devices Updated

Software updates add new features, but they also patch security vulnerabilities that hackers actively exploit. Delaying updates is one of the most common ways people get compromised.

Make it easy:

• Turn on automatic updates for your phone’s operating system.
• Enable automatic updates for your computer’s OS and browser.
• Update your router’s firmware once a year (log into your router’s admin panel to check).

FAQs About Personal Cybersecurity

Do I Really Need a Password Manager, or Is It Safe to Save Passwords in My Browser?

Browser-saved passwords are convenient, but carry real risk. If your browser account is compromised, all your saved passwords go with it. A dedicated password manager stores your credentials in an encrypted vault that’s separate from your browser, gives you a security audit tool, and works across devices. For most of us, the security upgrade is worth the small learning curve.

Is Freezing My Credit Going to Hurt My Credit Score?

No. A credit freeze has zero effect on your credit score. It simply prevents new credit inquiries from going through without your permission. Lift, or “thaw,” the freeze temporarily when you need to apply for a loan, credit card, or apartment, then refreeze it afterward. It’s one of the most underused and most effective protections available.

What’s the Difference Between a Fraud Alert and a Credit Freeze?

A fraud alert tells lenders to take extra steps to verify your identity before opening new credit, but it doesn’t block access entirely. A credit freeze is a harder stop: lenders can’t pull your credit at all without your approval. If you’re concerned about identity theft, a freeze is the stronger choice. You can have both in place at the same time.

How Do I Know If I’ve Already Been Hacked?

Common signs include unfamiliar charges on your accounts, password reset emails you didn’t request, accounts you can no longer log into, or new accounts appearing on your credit report. Check HaveIBeenPwned.com for email breaches and pull your credit report at AnnualCreditReport.com to look for unauthorized activity. Set up account alerts going forward so you’re notified in real time.