Stay Safe Online: the everyday guide to not getting scammed or hacked

Made free by the CyberFreedom Association, a not-for-profit.

I want to start by taking some pressure off you. You do not need to be technical to protect yourself, you do not need to buy anything, and falling for a scam says nothing about how smart you are. The people running these operations are organised, well funded, and using the same clever tools the rest of us are. The good news is that almost everything they do relies on the same two levers: urgency, and getting you to act before you check. Take those away and most of it falls over.

This guide is written for everyday people. Your parents could follow it. Pick a section, do the bits that apply to your life, and come back for the rest later. None of it has to happen at once.

If money has already left your account, do not finish reading. Skip to the recovery checklist and call your bank now. Speed is everything.

---

Scams happening now, and exactly how to spot them

In 2025 Australians reported $2.18 billion lost to scams. Here is what is actually landing in people's phones and inboxes right now, so you recognise each one the moment it arrives.

The text message scam (the one that hits everyone)

A text turns up about an unpaid toll (Linkt), a parcel you need to redirect (Australia Post), a myGov or ATO message, or a "suspicious transaction" from your bank. It has a link. It wants you to act now.

Here is the single fact that cuts through all of it: the big organisations being impersonated are moving away from putting clickable links in their texts. myGov and the ATO will not send you a link to tap and pay, and Australia Post says it will never ask for your details by text. So treat any link in a text as suspect. So the rule is brutally simple.

Never tap a link in a text message. Ever. If you think the toll, the parcel or the tax thing might be real, open the app yourself or type the website address in by hand. April 2026 saw a record global wave of toll-text scams, over 79,000 fake messages, with Linkt among the brands impersonated here, so if a toll text feels plausible, that is exactly why they sent it.

Red flags: a link in the text, a sense of urgency ("overdue", "account suspended", "final notice"), a slightly-off web address, or a request to "verify" your details by clicking. Real organisations let you come to them.

Fake invoices and changed bank details

This kind of scam, called payment redirection, cost Australians $166.8 million in 2025. You are expecting an invoice, from a tradie, a supplier, a conveyancer when you are buying a house. An email arrives that looks right, except the bank account details have quietly changed. You pay, and the money was never going to the real business. Sometimes the criminal has actually gotten into a real email account, so the email genuinely comes from the right address. You cannot trust the email alone.

The fix is one phone call. Any time bank details are new or have changed, ring the business to confirm them, on a number you found yourself, off their website or an old invoice, never the number in the suspicious email. For anything large like a house deposit, do this every single time even if nothing looks wrong. If you run a business, make it a rule that two people sign off on any change to payment details.

Romance and investment scams (the slow, expensive ones)

Investment scams were the single biggest category in 2025 at $837.7 million, and romance scams hit $139.9 million on top of that. Increasingly they are the same scam wearing two hats, the thing now called "pig butchering". Someone meets you online, on a dating app, in a friendly "wrong number" text, in a group chat. They are warm, attentive, quick to call it love. There is never a video call that works, and they always live or work just far enough away that you can never meet.

Then, gently, the money comes up. A trading platform. A crypto opportunity. The platform looks real, your balance even goes up at first. That is the trap. The balance is fake, and the moment you try to withdraw, the fees and excuses start.

Any one of these is enough to walk away: they get romantic fast but can never meet or video call, they steer the conversation toward investing or crypto, they show you a platform "with guaranteed returns", or they pressure you to act before an opportunity closes. No genuine partner you met online needs your money in a trading app. None.

AI voice clone and "family emergency" scams

This one did not really exist a couple of years ago and is now everywhere. Scammers can clone a voice from as little as three seconds of audio, pulled straight off social media. You get a call. It is your kid, your grandkid, your partner, panicked, in trouble, needing money right now. It sounds exactly like them.

You cannot fully trust your own ears anymore, and I know how unsettling that is to read. But there is a clean, free defence that works for almost all of these.

Agree on a family code word. Pick a word or short phrase, something never posted online or said in emails, and agree that anyone calling in a genuine emergency has to say it. AI can copy a voice, but it does not know your code word. If a distressed call comes in, ask for it. No code word, hang up and call back on their normal number. Even if they give the right word, call back before you send any money, because a determined scammer could have learned it. Do this today, it is a two minute conversation with your family and it is the best protection going. The same trick covers a video call or voice message from a "boss" urgently asking you to move money: verify on a separate channel before a cent moves.

Marketplace scams (Facebook Marketplace and Gumtree)

Buying and selling was the most reported loss-making scam in 2025. The classic right now is the PayID overpayment con, and it catches sellers, not just buyers. You list something. A keen buyer agrees instantly, no haggling, and wants to pay by PayID. Then you get an email saying the payment "failed" because your account needs a "business upgrade", and could you just send them $100 to $500 to fix it, which they will refund. It is entirely fake.

Burn these facts into your memory: There is no PayID business upgrade fee, and no such thing as a business account upgrade. Your bank may still apply its normal transfer limits, but PayID itself never needs topping up. And no bank, ever, asks you to send money in order to receive money. That last one is the universal tell.

Treat these platforms as a way to arrange an in-person cash sale, not as a payment system. Only hand over goods once you have the money, and confirm any payment by logging into your own bank app directly, never by trusting an email or screenshot.

---

Lock down your accounts (the single highest-value hour you can spend)

Two-factor methods, weakest to strongest:

Most people get hacked through three boring failures: reused passwords, no second lock on the door, and old accounts they forgot about. You can close all three for free.

A handful of accounts actually matter: your email, your phone account, your banking, and your myGov. Get those right and everything else gets easier, because most of your other accounts can be reset through your email. So protect the email first.

Get a password manager

This is the one tool that makes everything else possible. It remembers a different strong password for every account so you do not have to. You only memorise one good passphrase to unlock it.

I recommend Bitwarden (bitwarden.com). It is free, open-source (anyone can inspect the code, so there are no secrets about how it handles your data), and it works on your phone, computer and browser. The free plan covers unlimited passwords on unlimited devices and manages passkeys. It can also hold your two-factor codes, but that is a paid Premium feature, so on the free plan use a separate authenticator app (next) for those. If you would rather keep everything on your own machine with no cloud at all, KeePassXC is the open-source option for that, though you have to handle syncing yourself. For most people Bitwarden is the easier and still-excellent choice.

For the one password you do have to remember (the one that unlocks the manager), use a passphrase: four or more random unrelated words, at least 15 characters, like "crystal onion clay pretzel". That is the Australian Cyber Security Centre's own advice. Write it on paper and keep it somewhere safe at home. Every other password, let the manager generate. You never need to see them.

Turn on two-factor authentication, done properly

This is the second lock on the door. Even if someone steals your password, they cannot get in without the second code. But the method matters.

Text-message (SMS) codes are the weakest kind, because criminals can hijack your phone number through a "SIM swap" (they trick your telco into moving your number to their SIM). Use an authenticator app instead. The codes live on your device, work offline, and a SIM swap cannot touch them. Good free apps: Bitwarden's built-in one, Google Authenticator, Microsoft Authenticator, or 2FAS (open source). This is not just my opinion: Microsoft is switching off SMS sign-in for personal accounts through 2026, and Google and Meta are moving the same way, because SMS codes have become a leading source of fraud.

Never read a one-time code out to anyone who rang you. Real institutions will never ask.

Use passkeys where they are offered

A passkey replaces the password entirely. You sign in with your fingerprint, face, or your phone's PIN. There is nothing to type, nothing to phish, and nothing to leak in a breach. Google, Amazon, eBay, Microsoft, PayPal and many banks now offer them. When a site offers a passkey, take it. Your password manager or your phone (Apple, Google, Microsoft) stores and syncs them for you. Passkeys are on track to become the main way we log in, so getting comfortable now is time well spent.

For your two or three most critical accounts (email and banking), a physical security key is the gold standard. A FIDO2 key like a YubiKey or the open-source Nitrokey is the strongest second factor there is, and has effectively eliminated phishing in large rollouts. Register two keys per account and keep the spare somewhere safe so you are never locked out.

Clean up your old breached accounts

Australia has been hit hard. Optus, Medibank and Latitude between them exposed the details of tens of millions of us, and the Medibank breach alone was linked to thousands of fraud incidents. Your details are almost certainly in a breach somewhere already. The fix is not to panic, it is to make those leaks worthless: a unique password on every account means one leaked password unlocks exactly one account and nothing else.

Check haveibeenpwned.com (free, run by Australian security researcher Troy Hunt). It tells you instantly whether your email or phone number has turned up in a known breach. For anything it flags, change that password (your manager makes this painless) and turn on 2FA.

A sensible order: today, set up Bitwarden and lock down your email. This week, work through banking, myGov/ATO, your phone account and main social media, one or two a day. You will end up safer than the vast majority of people, with less to remember than you have now.

---

Your devices and browser

Most of what protects you here is free, built into your devices, and takes a few minutes once. There is a whole industry that profits from making you feel one click from disaster so you will buy a subscription. I am not going to do that. Here is what genuinely matters.

Keep everything updated (this is the big one)

If you do one thing from this whole guide, do this. Most real-world attacks do not use clever hacking. They use a hole that was patched months ago, on a device that never installed the patch. The 2017 WannaCry attack locked up more than 230,000 computers worldwide, and Microsoft had already released the fix weeks earlier. The people with automatic updates turned on were fine.

Turn on automatic updates everywhere, then forget about it.

• iPhone/iPad: Settings > General > Software Update > Automatic Updates. Turn both toggles on.
• Android: Settings > System > Software update, plus open the Play Store > profile icon > Settings > Network preferences > Auto-update apps.
• Windows: Settings > Windows Update. Make sure it is on, and click "Check for updates" once now.
• Mac: System Settings > General > Software Update > the (i) next to Automatic Updates, turn everything on.

Watch out for "end of life" gear. When a phone, tablet or router stops getting security updates, it stops being safe for banking and email no matter how well it still works. As a rough guide, budget to replace a phone every 4 to 5 years and a router every 5 to 6.

Safe browsing habits

• The padlock protects the pipe, not the person. A padlock (HTTPS) means your connection is encrypted so nobody on the same network can read it. It does NOT mean the site is honest. Scammers use HTTPS too.
• Read the address, not the look. Phishing sites copy real ones perfectly, but they cannot copy the exact web address. Slow down: is it really commbank.com.au, or commbank-secure-login.xyz? When in doubt, do not click the link. Open a new tab and type the address yourself, or use a bookmark.
• Never install software because someone on the phone told you to. Remote-access scams (a caller claiming to be from your bank, Telstra or "tech support" walks you through installing an app so they can "help") are among the most damaging scams in Australia. The moment you install it, they can see your screen and empty your accounts. Hang up, and call the organisation back on the number printed on your card.

Which browser, and the one add-on worth having

Any modern browser that updates itself is reasonably safe. The differences are mostly about privacy. My picks:

• Firefox (free, open source) is my recommendation for most people. Made by a non-profit (Mozilla), not tied to an advertising company, strong tracking protection on by default.
• Brave (free, open source) blocks ads and trackers aggressively out of the box with no setup. Just turn off the optional crypto features if you do not want them.
• Safari on iPhone and Mac is a perfectly good, private default if you would rather not install anything.

The one add-on worth installing is uBlock Origin (free, open source). It blocks ads, trackers and a lot of malicious junk, and blocking ads genuinely reduces your exposure to dodgy "malvertising". The catch that matters in 2025-2026: Google changed Chrome's rules (Manifest V3) and the full, powerful version of uBlock Origin no longer works on Chrome, only a cut-down "Lite". It works perfectly on Firefox and Brave. That is a big part of why I steer most people away from Chrome as their main browser.

Dodgy apps and extensions

The thing you installed yourself, that you trusted, is a common way people get caught.

• Extensions can read everything you do in your browser, including your banking. Treat them like house keys, not decorations. In 2025, researchers found malicious extensions on the official Chrome and Edge stores with millions of installs, several of which were useful tools that turned malicious in a later update. Install as few as possible, only from the official store, and be suspicious if an old extension suddenly asks for new permissions. Audit them now and remove anything you do not use.
• Phone apps: official store only (Apple App Store, Google Play). Never sideload an app from a link in a text, email or ad. Check the developer name matches the real company, and be wary of three glowing reviews posted the same day.
• Be stingy with permissions. A torch app does not need your contacts or location. Choose "Allow once" or "While using" rather than "Always".

Public Wi-Fi (less scary than you have been told)

Because almost every website and app now uses HTTPS, a stranger in the same café genuinely cannot read your passwords or banking over the Wi-Fi the way they could a decade ago. The "you will be hacked the second you connect" line mostly sells VPNs. What is actually worth knowing:

• The real risk is the fake hotspot ("evil twin"). Ask staff for the exact network name, and be wary of open networks that ask you to "log in" with an email and a reused password.
• Turn off auto-join for open networks so your phone does not silently connect to anything it has seen before.
• You usually do not need a VPN just to use public Wi-Fi. If you want one, pick a reputable paid provider; "free" VPNs make money selling your data. The simplest safe option for anything sensitive: use your phone's mobile data (4G/5G) instead, which is encrypted by design.

Home router basics (15 minutes, once)

Your router is the front door to your whole home. Log in by typing the address on its sticker (often 192.168.0.1 or 192.168.1.1) into a browser, or via your provider's app.

1. Change the default admin password (the one to log in to the router itself, not your Wi-Fi password). The factory one is often public.
2. Use a strong Wi-Fi passphrase and set security to WPA3 if offered (WPA2 otherwise). Avoid old WEP/WPA1 entirely.
3. Turn on automatic firmware updates if available, or check for one now and set a calendar reminder twice a year.
4. Set up a guest Wi-Fi network and put visitors and smart gadgets (TVs, doorbells, plugs) on it, so one insecure device cannot reach your laptop and phone.
5. Turn off WPS and remote management if you see them. They add risk and you almost certainly do not need them.

Back up what you would hate to lose

Phones get stolen, laptops die, and ransomware locks files. A backup turns a disaster into an inconvenience. Turn on automatic cloud backup for your photos and documents (iCloud, Google, or OneDrive), and every so often copy the important things to an external drive you keep unplugged. Two copies, in two places, is the whole idea.

---

Privacy and your data

You do not need to vanish off the grid. The guiding idea is data minimisation, which just means give out less of your stuff in the first place. The less of your data scattered across company servers, the less there is to leak when one of them gets hacked. And in Australia they do get hacked: over 1,100 reported breaches in 2024, the highest year on record. It is not about hiding, it is about choosing what you share and on what terms.

You cannot do everything at once. The password manager and 2FA above already do most of the heavy lifting. Here are the rest, roughly in order of bang for buck:

• Switch your browser and search. Firefox or Brave block trackers out of the box. For search, DuckDuckGo or Brave Search do not log and profile you. Set one as your default and you cut a big slice of tracking with no ongoing effort.
• Use Signal for private messaging. Free, open source, run by a non-profit, end-to-end encrypted by default so not even Signal can read your messages. Get your family on it and use it as your normal chat. Turn on disappearing messages for anything sensitive.
• Kill ad personalisation. On iPhone: Settings > Privacy & Security > Tracking, turn off "Allow Apps to Request to Track", and under Apple Advertising turn off Personalised Ads. On Android: Settings > Google > Ads > Delete advertising ID. In your Google Account under Data & Privacy, switch off Personalised Ads.
• Cut Meta's off-app tracking. In Facebook or Instagram settings, find Off-Facebook Activity (or "Your Activity Off Meta Technologies"), clear the history, then Disconnect Future Activity.
• Lock down your social profiles. Set accounts to private, hide your birthday and phone number, turn off facial recognition and tag-approval, and review who can find you by email or number. Recheck every few months, because platforms quietly change these settings. Public birthdays, pet names and check-ins are a gift to scammers guessing your security questions.
• Use an email alias for sign-ups you do not fully trust. Apple Hide My Email (iCloud+) or Firefox Relay (free tier, from Mozilla) hand a site a throwaway address that forwards to your real inbox. If it leaks, you bin the alias and your real email stays clean.
• Shrink your footprint. Delete accounts and apps you no longer use, unsubscribe from lists, and revoke app permissions you do not need. Every account you close is one fewer place your data can leak from.

---

Your money and identity

Most money loss in Australia right now does not come from clever hacking. It comes from someone talking you into sending money or handing over a code yourself. A small number of plain habits stop the overwhelming majority of it, and most of the protections and recovery services are free.

• Make "verify on a channel I chose" your one golden rule. If a call, text or email pushes you to act on money urgently, hang up or close it, then contact the organisation using a number from your own card, your banking app, or a website you typed yourself. Real institutions are fine with you calling back.
• Turn on the free bank protection that already exists. Confirmation of Payee, now rolling out across online banking, checks whether the account name matches the BSB and number before you send. If it says "close match", "no match" or "error", stop and check. It warns you, it does not block the payment, so the final call is yours. Also turn on transaction alerts in your banking app so you see every charge.
• Treat every unexpected link as guilty until proven innocent. No bank or government department will ask for your password, full card number or a code by message. Open the app or type the address yourself.
• Apply a hard rule to investing: if someone contacts you with an opportunity, it is not one. Before putting in a cent, check the business on ASIC's MoneySmart and its "companies you should not deal with" list, and confirm any Australian financial firm holds an AFS licence. Be very wary of guaranteed returns, pressure to act fast, and any request to pay in crypto or via a crypto ATM. No real agency, bank, court or utility ever asks for payment in crypto, gift cards or vouchers. If someone rings claiming to be the ATO, you can check it in the ATO app, which lists any genuine recent contact, before you trust the call.
• Watch for the second hit. After you lose money, a "recovery agent", lawyer or government body may offer to get it back for a fee. That is always a fresh scam. Real agencies never charge to recover funds.
• If you self-custody Bitcoin, protect the recovery phrase above all else. Buy a reputable hardware wallet from the maker's own website, write the 12 to 24 words on paper or steel by hand, and store them offline in two safe places. Never photograph them, never type them into a website or "support" chat, never store them in the cloud. Anyone asking for your seed phrase is a thief, full stop.

Harden your identity now, before anything goes wrong. Secure your mailbox, shred documents with personal details, and place a free credit ban so no one can open credit in your name. Ask Equifax, Experian and illion (or ask one to pass the request on); the ban is free, lasts 21 days, and is free to extend for as long as you need. Lock down your phone account with your telco to reduce SIM-swap risk, and put a passkey on your myGov.

---

If it has already happened: your recovery checklist

Take a breath. This is fixable, and you are not the first person it has happened to. The single most important thing is speed: the faster you call your bank and lock things down, the better your chances of stopping or clawing back money. Do not let embarrassment slow you down. Banks and police deal with this every single day.

Work through these roughly in order. If money has just left your account, jump straight to step 1. Keep notes and a reference number for everything as you go.

1. Call your bank now if any money moved or your card details are exposed. Use the number on the back of your card or in your app, never a number a caller gave you. Ask them to stop or reverse the transfer, freeze the account or card, and flag your accounts for fraud. Most major banks have 24/7 fraud lines. Acting in the first minutes to hours is what gets money back.
2. Stop all contact and stop paying. Block the number and email. If someone is on the phone telling you to move money or buy gift cards, just hang up. No genuine bank, agency or police force ever asks you to move money to a "safe account", pay with gift cards, or keep it secret.
3. If you let someone remotely access your device, or clicked a dodgy link and entered details: disconnect that device from the internet, then from a different trusted device change your passwords, starting with email, then banking, then everything important. Run a full security scan (built-in Microsoft Defender, or the built-in protections on Mac and phones, are fine).
4. Lock down your email first, then everything else. Email is the master key that resets every other account. Change it to a long unique passphrase and turn on 2FA via an authenticator app (not SMS), then do the same for banking, myGov and social media.
5. Recover hacked accounts through the official recovery page, not a search-engine ad. Facebook: facebook.com/hacked. Google/Gmail: Google Account Recovery. Microsoft: account.live.com/acsr. Once back in, check for changed recovery details, forwarding rules and connected apps, and remove anything you do not recognise.
6. Report cybercrime to ReportCyber at cyber.gov.au/report (the national police cybercrime portal). You get a reference number. For urgent expert help, call the Australian Cyber Security Hotline on 1300 CYBER1 (1300 292 371), 24/7.
7. Report the scam to Scamwatch at scamwatch.gov.au/report-a-scam. This feeds the national picture and helps disrupt scams, though Scamwatch does not investigate individual cases. Your ReportCyber number from step 6 is the official record.
8. If any personal or ID information was exposed, call IDCARE on 1800 595 160. This is the most useful single call you can make. IDCARE is a free, government-funded, independent Australian and New Zealand service. Their caseworkers build you a tailored, written plan covering exactly which documents to replace and which agencies to call.
9. Place a credit ban (a free lock) on your credit file so no one can open loans in your name. Contact Equifax, Experian and illion, or ask one to pass the request to the others. It is free, lasts 21 days, and you can extend it for free for as long as the risk lasts. While you are there, get your free credit report and dispute anything you do not recognise.
10. Replace exposed identity documents. Driver licence: your state road authority. Medicare: Services Australia's Scams and Identity Theft Helpdesk on 1800 941 126. Passport: the Australian Passport Office. Tax file number: the ATO's identity theft line on 1800 467 033. Ask each agency what they can change or flag: some document numbers can be reissued, others (like your tax file number) usually stay the same but can be protected, so the stolen details are worth less.
11. Secure your myGov and government accounts. Sign in at my.gov.au, change your password, turn on the strongest sign-in option, and check your linked services (Centrelink, Medicare, ATO) for changes you did not make.
12. If your bank will not help fairly, lodge a free complaint with the Australian Financial Complaints Authority (AFCA) at afca.org.au or 1800 931 678. AFCA is independent and free, and if you accept its decision the bank is bound by it.
13. Look after yourself. Being scammed is a crime that happened to you, not a failure. For free debt and budgeting help, call the National Debt Helpline on 1800 007 007. For emotional support, Lifeline is on 13 11 14 and Beyond Blue on 1300 22 4636, both 24/7.
14. Help your family and elderly relatives. Australians 55 and over lose the most. Agree as a family that anyone can phone-a-friend before moving money, and that no real bank or government body ever pressures you to act in secret. For an older relative who has been hit, do the bank, ReportCyber, IDCARE and credit-ban steps with them, and point them to the free Be Connected program (beconnected.esafety.gov.au).

---

The Australian services worth saving in your phone

Put these in your contacts now, so they are there the moment you need them, not when you are panicking and searching. The one most people do not know to call is IDCARE (1800 595 160), the free national identity-recovery service, and it is the call that limits the long tail of the damage. Keep your bank's real fraud line saved too, the number on the back of your card, most run 24/7.

---

The one habit that beats nearly everything

If you remember nothing else, remember this. Scammers need you to act fast and not check. So do the opposite. When a message creates urgency, that urgency is the red flag, not the message. Stop. Check it on a channel you chose yourself. Then, and only then, act. That single pause is what they cannot get around.

You are not alone in this, and there are real people whose whole job is to help you. Keep this guide, share it with someone you care about, and come find more free resources at cyberfreedom.org.