Digital Security · 10 min read · April 2026

Phishing, Hacking, and Cybersecurity: How to Protect Yourself Online

Cybercriminals specifically target young adults who are active online but may have gaps in their security awareness. This guide covers the most common digital threats, how to recognise them, and the essential security habits that protect you.

The Digital Threat Landscape for Young Adults

Young adults live large portions of their lives online. Social media, online banking, email, streaming, shopping, dating, gaming, studying: digital platforms mediate an extraordinary range of daily activities. This high level of digital engagement is one of the reasons young adults are heavily targeted by cybercriminals. More online activity means more accounts, more potential entry points, and more valuable data to steal.

At the same time, digital literacy around security is uneven. Many young people are highly comfortable with technology but have specific gaps in their awareness of how they can be targeted and what genuinely protects them. This guide addresses those gaps directly.

Phishing: The Most Common Attack

Phishing is the practice of deceiving people into providing sensitive information, typically through fraudulent emails, text messages, or social media messages that impersonate trusted organisations. It is by far the most common form of cybercrime targeting individuals, and it continues to succeed because modern phishing attacks are genuinely convincing.

A well-crafted phishing email may look identical to a communication from your bank, university, government department, streaming service, or delivery company. It will use the organisation's branding, language, and formatting. The link it contains will lead to a website that looks identical to the real one. The only reliable way to detect many phishing attempts is through careful attention to specific details.

Key things to check: the sender's actual email address (hover over or tap the display name to see the underlying address, which will often contain misspellings or unrelated domains), the URL you are being directed to (which may substitute similar-looking characters or use an entirely different domain with the brand name included as a subdomain), and the specific action being requested. Legitimate organisations will not ask you to provide your full password, payment card details, or login credentials via email or text. If in doubt, navigate to the organisation's website directly by typing the address yourself, rather than clicking any link.
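The sender-address and URL checks described above can be automated. The following is an added example, not part of the original guide: the brand name, its real domain (`examplebank.example`), and the function names are all constructed for illustration.

```python
from email.utils import parseaddr
from urllib.parse import urlsplit

# Constructed example data: a brand and the domain it really uses (assumption).
REAL_DOMAINS = {"examplebank": "examplebank.example"}
# Common digit-for-letter swaps used to imitate a name.
LOOKALIKES = str.maketrans("01357", "olest")

def host_warnings(host, real_domains=REAL_DOMAINS):
    """Return warnings for a hostname; an empty list means no check fired."""
    host = host.lower().rstrip(".")
    warnings = []
    # Non-ASCII or punycode labels can hide similar-looking characters.
    if not host.isascii() or any(p.startswith("xn--") for p in host.split(".")):
        warnings.append("non-ASCII or punycode characters in host")
    for brand, real in real_domains.items():
        if host == real or host.endswith("." + real):
            continue  # genuinely on the brand's own domain
        if brand in host:
            # Brand name used as a subdomain or fragment of another domain.
            warnings.append(f"'{brand}' appears outside {real}")
        elif brand in host.translate(LOOKALIKES):
            warnings.append(f"look-alike spelling of '{brand}'")
    return warnings

def link_warnings(url):
    """Check the host a link actually points to, not the text shown for it."""
    return host_warnings(urlsplit(url).hostname or "")

def sender_warnings(from_header):
    """Check the underlying address, ignoring the display name."""
    _, address = parseaddr(from_header)
    return host_warnings(address.rpartition("@")[2])
```

An empty result only means none of these specific checks fired; it does not prove a message is genuine.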

Smishing (SMS phishing) and vishing (voice phishing, where a caller impersonates an organisation) follow the same principles but through different channels. Be particularly alert to unsolicited calls claiming to be from your bank's fraud department: a genuine bank calling about suspicious activity will not ask you for your full PIN, full password, or to transfer money to a safe account. No legitimate organisation will ever make these requests.

Password Security: The Foundation of Account Safety

Weak, reused passwords are the most common single point of failure in individual cybersecurity. Most people know this, and most people continue to reuse passwords across multiple accounts because managing many unique passwords is genuinely inconvenient. A password manager solves this problem effectively.

A password manager is a piece of software that generates and securely stores strong, unique passwords for each of your accounts. You remember only one master password to access the manager; the manager handles everything else. Reputable password managers are available at low or no cost, and they integrate with browsers and mobile devices to make the login experience as convenient as using a single password everywhere, but with dramatically better security.

Strong passwords are long (at least 12-15 characters), random, and unique to each account. A password manager generates these automatically. If you choose to create passwords without a manager, use a passphrase: a sequence of four or more random words, which is both more secure than most traditional passwords and easier to remember.

Change passwords immediately for any account where you suspect your credentials may have been compromised, and for any account associated with an email address that has appeared in a data breach. Free breach-checking services allow you to search whether your email address has been included in known breaches.

Two-Factor Authentication: Your Most Important Security Tool

Two-factor authentication (2FA), also called two-step verification or multi-factor authentication (MFA), adds a second layer of verification to your account logins. Even if someone obtains your password, they cannot access your account without also having access to your second factor: typically a code generated by an app, a code sent to your phone, or a physical security key.

Enable 2FA on every account that offers it, prioritising your email account, banking, and social media accounts. Your email account is particularly critical: it is the recovery mechanism for most other accounts, meaning that access to your email effectively means access to everything connected to it.

The most secure form of 2FA is an authenticator app (which generates time-limited codes) or a hardware security key. SMS-based 2FA, where codes are sent by text message, is less secure because SIM-swapping attacks can redirect your messages to a criminal's device, but it is still significantly better than no 2FA at all.

Device Security

Your devices (phone, laptop, and tablet) contain or provide access to most of your sensitive accounts and personal information. Protecting them is foundational to your digital safety.

Keep your operating system and all apps updated. Updates frequently contain security patches that address vulnerabilities that criminals actively exploit. Delayed updates leave known vulnerabilities unpatched.

Enable full-disk encryption on your laptop if it is not already enabled by default. This means that if your device is stolen, the data on it cannot be accessed without your credentials. Most modern operating systems offer this as a built-in option.

Use a strong PIN, password, or biometric lock on your phone. The lock screen is the first line of defence if your phone is lost or stolen. Ensure your phone is set to lock automatically after a short period of inactivity.

Install apps only from official app stores. Third-party app sources bypass the security review processes of official stores and significantly increase the risk of installing malicious software. Be sceptical of apps that request permissions that are not obviously necessary for their function: a calculator app has no reason to request access to your contacts or location.

Be cautious about public Wi-Fi. Networks in cafes, airports, hotels, and other public venues are generally not encrypted, which means your traffic may be visible to others on the same network. Avoid logging into sensitive accounts on public Wi-Fi, or use a reputable virtual private network (VPN) to encrypt your traffic when using these networks.

Social Engineering: Attacks That Target People Rather Than Systems

Not all cyberattacks work by exploiting technical vulnerabilities. Social engineering attacks target human psychology rather than technical weaknesses. They are effective because they exploit natural tendencies: to be helpful, to respond to authority, to act under pressure, and to trust people who appear to know things about us.

Pretexting involves creating a fabricated scenario to extract information or access. A caller might claim to be from your university's IT department and need your login credentials to fix an urgent problem. A fraudster might claim to know details about your account to establish credibility before asking for sensitive information. Legitimate IT departments and financial institutions will never ask for your password, ever, for any reason.

Business email compromise, while primarily a corporate attack vector, can affect young adults in employment contexts. It involves impersonating a manager or colleague via email to request urgent action, typically a financial transfer or the sharing of sensitive information. If you receive an unexpected request for financial action or sensitive information via email, verify it through a separate channel, by calling the person directly, before acting.

What to Do If You Have Been Hacked

If you believe an account has been compromised, act quickly.

Change the password for the affected account immediately, and for any other accounts that use the same password. If your email account has been compromised, prioritise regaining control of it, as it is the gateway to everything else. Use the account recovery options the platform provides.

Review recent activity on the affected account. Look for sent messages you did not send, account setting changes you did not make, and any other evidence of what the attacker did while they had access.

Enable two-factor authentication on the account if it is not already enabled. This prevents the same attack from succeeding again.

Notify any relevant parties. If your bank account was compromised, contact your bank immediately. If personal information that could be used for identity theft was accessed, review the steps in the identity theft guide in this series.

Report to the relevant platform and, in cases involving financial loss or serious harm, to law enforcement and your country's cybercrime reporting service.

Staying Safe Long-Term

Cybersecurity is not a one-time setup but an ongoing practice. The threat landscape evolves continuously, and the habits that protect you need to be maintained and occasionally updated. The core principles (strong unique passwords, two-factor authentication, scepticism about unsolicited requests, keeping software updated, and being careful about what you share and where) remain consistent even as specific threats change. Building these habits now, while you are establishing your digital life, creates a foundation that serves you throughout your adult years.
