Protecting Yourself Online (and Off): A Practical Guide

Most articles about cybersecurity treat the threat as something that lives entirely on the internet. Plug in the right software, the thinking goes, and you’ll be fine. That’s only half the story. A growing chunk of the financial losses people experience every year doesn’t come from breached servers or zero-day exploits. It comes from a phone call. A text message. A friendly knock on the door.
Real protection covers both sides, the technical and the human. Here’s how to layer it.
Start with the software side
The basics of digital hygiene haven’t changed much in the last decade. They’ve just become more important.
Use a password manager. The single biggest weakness in most people’s setups is reusing the same password across dozens of accounts. When one of those services gets breached, and they do, constantly, every other account using the same login is exposed. A password manager generates unique passwords for each service and stores them under a single master password. Bitwarden is free and widely trusted. 1Password is paid but well-built. Browser-built-in managers are better than nothing and far better than reusing passwords.
Turn on two-factor authentication. Anywhere it’s offered: email, banking, social media and cloud storage. Where possible, use an authenticator app (Authy, Google Authenticator, or Aegis on Android) rather than SMS. SMS-based 2FA can be defeated by SIM-swapping attacks, where a fraudster convinces your mobile provider to transfer your number to a new SIM.
Keep things updated. Operating system patches, browsers, phone apps. Most attacks rely on known vulnerabilities that have already been patched. The only reason they still work is that people put off the update.
Run a reputable antivirus. On Windows, the built-in Microsoft Defender is genuinely good and doesn’t need supplementing for most users. On Mac, the threat surface is smaller but not zero. On phones, antivirus is largely theatre. Sticking to the official app stores and being careful about permissions matters more.
Use a VPN on networks you don’t control. Hotel Wi-Fi, café Wi-Fi, airport lounges, conference centres. Not because hackers are guaranteed to be lurking, but because public networks make basic interception trivially easy. An affordable VPN service is enough for this; you don’t need the most expensive provider on the market to encrypt your traffic on a hotel network.
Back things up. Ransomware encrypts your files and demands payment to unlock them. The cleanest defence is having a recent backup you can restore from. The 3-2-1 rule is the rough standard: three copies of your data, on two different types of media, with one stored offsite. A cloud backup counts.
Then think about the threats that don’t come through your screen
This is where most current scams actually operate. Software won’t save you here. Awareness will.
Phone scams. The most common UK variant pretends to be your bank’s fraud department and calls about suspicious activity on your account. They sound calm, they know your name, and they’ll often pressure you to move money to a so-called safe account. No legitimate bank will ever ask you to do this. If you’re uncertain, hang up and call your bank back using the number on the back of your card, and from a different phone if possible, because some scammers stay on the line and play a fake dial tone.
Smishing. Fake delivery notifications from Royal Mail, DPD or Evri are the classic example. They link to a page that asks for a small redelivery fee and harvests your card details. Real couriers don’t ask for payment by text.
HMRC and DVLA scams. Aggressive automated calls claiming you owe tax or that your driving licence has been suspended. Real government bodies write letters first.
AI voice cloning. This one is newer and worth flagging. A few seconds of audio scraped from social media are now enough to convincingly clone someone’s voice. Scammers use this to fake distress calls, a grandchild claiming to be in trouble and needing money fast. If you ever get a call like this, agree on a private code word with close family now, before anything happens. It’s the simplest possible defence, and it works.
Romance scams. Long-running and devastating when they hit. The pattern is consistent: someone you’ve never met in person, an emotional connection that builds quickly, and eventually a request for money, often dressed up as an investment opportunity. If you’ve never met them face-to-face, don’t send them money. Ever.
Doorstep scams. Rogue traders offering to fix a roof you didn’t know was damaged, or check your boiler for free. Older relatives are particularly targeted. A standing rule of never agreeing to anything at the door is a clean defence.
QR code scams. Stickers placed over legitimate QR codes in car parks and on parking meters redirect you to fake payment pages. If a QR code in public looks like it’s been added on top of something else, it probably has been.
Investment and crypto scams. These have become one of the biggest single sources of fraud loss in the UK. The pitch is usually a guaranteed return, a tip from a contact in a WhatsApp or Telegram group, or a polished trading platform that lets you watch your fake balance grow before it’s time to withdraw, at which point the fees and complications start. If returns sound too consistent or too high, they’re not real. Anything that pressures you into moving money before you’ve checked the platform with the FCA register is a scam by default.
Build the habits that catch what software misses
Some of these are genuinely simple to put into practice.
Slow down on anything that feels urgent. Almost every scam, phone, text or email, relies on creating time pressure. Your account will be closed in 24 hours. We need to act immediately. Real institutions don’t operate this way. If you feel rushed, that itself is a signal.
Verify through a second channel. If your bank calls about a problem, hang up and call the number on your card. If a colleague emails asking you to buy gift cards or transfer money, message them on a different platform to confirm. The friction of switching channels is what catches the scam.
Treat unsolicited contact as suspect by default. Whether it’s a call, a DM, a LinkedIn message, or someone at the door, if you didn’t initiate it, slow down before you act.
Keep your social media less informative. Birthdays, mother’s maiden names, pet names and the name of your first school. These are exactly the kinds of details people use as security questions. A public Facebook profile is often a goldmine for someone building a profile to scam you.
Layer it
No single tool or rule prevents everything. Software protects you from the kinds of attacks where bad code or stolen credentials do the work. Awareness protects you from the kinds where someone is talking to you directly and trying to convince you to act against your own interests. You need both.
The good news is that the basics, a password manager, 2FA, decent backups, a VPN on public networks, and a habit of slowing down when something feels off, cover the overwhelming majority of what people actually face. The tools are mostly free or cheap. The habits are free.
What costs you, every time, is the assumption that this is something that happens to other people.