Practical safety guidance for the technology people use every day. Simple, careful, useful.

Treat an email as suspicious if it creates pressure, asks for a password, claims your account will be closed, demands urgent payment, includes a strange attachment, or sends you to a login page you were not expecting.

• Check the sender address, not just the display name.
• Look for misspellings, strange domains, or extra words in the address.
• Hover over links before clicking, but do not click if the link looks wrong.
• Be careful with invoice, payroll, password reset, shipping, bank, tax, and Microsoft 365 messages.
• When in doubt, go directly to the known website or app instead of using the email link.

Do not panic, but do act quickly. The next step depends on whether you entered credentials, downloaded a file, approved an MFA prompt, or only opened a page.

1. Close the browser tab.
2. Do not enter any more information.
3. If you entered a password, change it from the real website or app, not from the suspicious link.
4. Sign out of active sessions if the platform offers that option.
5. Notify your IT provider or administrator if this is a business account.
6. If a file was downloaded or opened, stop using the device until it can be reviewed.

Unexpected attachments should be treated carefully, especially files claiming to be invoices, shipping labels, resumes, password lists, tax forms, shared documents, or urgent legal notices.

• Ask whether you were expecting the file.
• Confirm with the sender using a known-good contact method.
• Be extra careful with ZIP files, macro-enabled Office files, executable files, scripts, and password-protected attachments.
• Do not enable macros unless you are completely sure the file is legitimate and your organization allows it.
• If the attachment asks you to log in after opening it, stop and verify.

Business email compromise happens when an attacker uses email to trick someone into sending money, changing payment information, sharing sensitive records, or giving access to an account.

The email may look like it came from an owner, vendor, client, bookkeeper, payroll provider, bank, or manager. The message may be polite, urgent, and professionally written.

Start with the address bar. The website name should be spelled correctly and should match the company or service you intended to visit.

• Look for misspelled domains, extra hyphens, strange endings, or words added before or after the real name.
• Be careful with links from email, text messages, ads, and social media posts.
• Use bookmarks or type the address yourself for banking, email, payroll, cloud services, and admin portals.
• HTTPS is important, but it does not automatically mean the site is safe. Fake websites can use HTTPS too.
• Be cautious if the site asks for a password, MFA code, seed phrase, payment details, or personal information unexpectedly.

• The page came from an email or text you were not expecting.
• The domain name is slightly wrong.
• The page asks for your password and MFA code at the same time.
• The page asks you to download a browser extension or security tool.
• The page looks like Microsoft, Google, Facebook, Apple, or a bank, but the address does not match.
• The login fails once, then sends you to the real site afterward.

Be careful. Attackers sometimes use ads to imitate popular software, banks, shipping companies, support portals, and login pages. The first result is not always the safest result.

For software downloads, financial services, cloud accounts, email, or admin tools, type the official site directly or use a trusted bookmark.

• Avoid banking, payroll, admin portals, or sensitive business tasks on public Wi-Fi when possible.
• Use your phone hotspot or a trusted VPN when appropriate.
• Turn off automatic joining of public networks.
• Do not accept random certificate warnings.
• Keep your device updated before traveling or working remotely.

MFA stands for multi-factor authentication. It means your account requires more than just a password. That second factor might be an authenticator app, hardware key, push notification, text code, phone call, or biometric prompt.

MFA is important because stolen passwords are common. MFA gives the account another layer of protection.

Do not approve it. An unexpected MFA prompt can mean someone has your password and is trying to sign in.

1. Deny the prompt.
2. Change your password from the official app or website.
3. Review recent sign-in activity if available.
4. Notify your IT provider or administrator if this is a work account.
5. Do not approve repeated prompts just to make them stop.

Text message MFA is better than no MFA, but authenticator apps or hardware security keys are usually stronger. Text messages can be affected by SIM swap fraud, phone number compromise, and social engineering.

If your account supports an authenticator app or passkey, consider using that instead of SMS when possible.

Backup codes are emergency codes that can help you recover access if you lose your phone or authenticator app. They should be stored securely, not in plain text on your desktop or in an email inbox.

• Store them in a reputable password manager.
• For business accounts, follow your company’s recovery process.
• Do not share backup codes with anyone who contacts you unexpectedly.

• Use a strong unique password that is not used anywhere else.
• Turn on MFA or passkeys.
• Review recovery email and recovery phone settings.
• Check recent security activity.
• Remove unknown devices from the account.
• Review third-party apps with account access.
• Make sure business-critical accounts are not tied only to one personal device.

1. Change the password from the official Google account page.
2. Review recent security activity.
3. Check recovery email and phone number.
4. Sign out of devices you do not recognize.
5. Review mail forwarding settings.
6. Check filters and rules that may hide or forward messages.
7. Review connected apps and browser extensions.

Recovery email, recovery phone, MFA, backup codes, and trusted devices can decide whether you can regain access after a lockout or compromise. If those settings are outdated or controlled by someone else, account recovery can become difficult.

For a business, personal Gmail accounts can create ownership and continuity problems. If an employee, contractor, or former partner controls the account, the business may lose access to email, documents, YouTube channels, analytics, ads, or business profiles.

A business should strongly consider using a proper business email and account structure where ownership, recovery, and administrator access are clear.

• Use strong unique passwords.
• Enable MFA on every admin account.
• Limit who has administrator access.
• Use business manager tools where available.
• Review page roles regularly.
• Remove former employees, contractors, or vendors who no longer need access.
• Keep recovery email and phone options current.

Common scams include fake copyright warnings, fake verification offers, fake brand deals, fake login pages, fake support messages, impersonation accounts, and messages claiming your page will be deleted unless you act immediately.

OSINT means open-source intelligence. Attackers can use public information from posts, photos, comments, staff profiles, locations, vendors, schedules, and business updates to make scams more believable.

Public posting is normal, but businesses should avoid exposing unnecessary details about security systems, travel, internal tools, staff roles, access methods, or private customer information.

1. Take screenshots of the fake account or page.
2. Do not engage with the impersonator more than necessary.
3. Report the account through the platform’s official reporting tools.
4. Warn customers through your official channels if needed.
5. Review your own account security and admin roles.

AI can help attackers create better emails, fake support messages, realistic job scams, cleaner phishing pages, convincing social media messages, and fake voice or video content.

• Do not trust a message only because it is well written.
• Verify payment changes through a separate known-good method.
• Be careful with voice messages or videos asking for urgent action.
• Watch for messages that know just enough public information to sound believable.
• Do not paste sensitive business records, passwords, client data, or regulated information into public AI tools.

AI tools can be useful for drafting, summarizing, brainstorming, and organizing ideas, but users should be careful with sensitive information.

• Do not paste passwords, keys, tokens, private client records, PHI, CJI, payment data, or confidential business records into public AI tools.
• Review AI-generated content before using it.
• Do not rely on AI for legal, medical, compliance, or security decisions without qualified review.
• Use business-approved AI tools and policies when available.

Ransomware risk is reduced through layers. No single tool is enough.

• Use MFA on email, cloud accounts, remote access, and administrator accounts.
• Keep systems, browsers, firewalls, and software updated.
• Maintain backups and periodically verify that restore is possible.
• Limit administrator rights.
• Train staff to report suspicious messages early.
• Protect remote access and avoid exposing unnecessary services to the internet.
• Use reputable endpoint protection and monitoring where appropriate.
• Document vendors, accounts, devices, and critical systems.

If files are suddenly renamed, ransom notes appear, systems become unusable, or multiple devices show strange behavior, treat it as urgent.

1. Disconnect affected devices from the network if safe to do so.
2. Do not delete ransom notes or wipe systems before qualified review.
3. Do not plug in backup drives to infected systems.
4. Notify business leadership, IT support, cyber insurance, and legal counsel as appropriate.
5. Preserve evidence where possible.
6. Do not communicate with attackers without proper guidance.

A safer password is long, unique, and not reused across multiple sites. Reused passwords are dangerous because one breached website can expose access to other accounts.

• Use a password manager where appropriate.
• Use a different password for every important account.
• Do not share passwords through text, email, or chat.
• Turn on MFA for important accounts.
• Change passwords quickly after a suspected compromise.

A reputable password manager can help users create and store unique passwords. It is usually safer than reusing the same password or keeping passwords in notes, spreadsheets, email drafts, or browser screenshots.

Businesses should choose a tool, set rules for use, protect the master account, and plan recovery carefully.

• Keep the operating system and browser updated.
• Use a screen lock.
• Do not install random software or browser extensions.
• Avoid using administrator accounts for daily work.
• Do not ignore security warnings.
• Report lost, stolen, or suspicious devices quickly.
• Keep work and personal use separated where possible.

Home offices often mix work laptops, personal phones, smart TVs, cameras, printers, kids’ devices, guest devices, and business files on the same network.

• Use a strong Wi-Fi password.
• Use guest Wi-Fi for visitors and untrusted devices.
• Keep router firmware updated when possible.
• Avoid sharing business devices with family members.
• Back up important work files.
• Use MFA on business accounts.