I initially developed this list to help family members browse the internet safely and secure their computers and cryptocurrency wallets. Over the last year or so, a couple of friends were hacked or scammed, sent crypto to scammers and lost their cryptocurrency. Recently, it seems few others on the internet (twitter user) were also victims of similar attacks. For this reason, I’ve decided to share this list of rules publicly. Some of the items in the list focus on cyrptocurrency but generally speaking, they could apply to almost anything you do on the internet.
You may follow all of the recommendations below or just some but the intention really is to start thinking from security perspective, having that security first mindset, use common sense and bring internet security awareness to non-technical users.
The rules below should augment your current security protocol rather than replace whatever you are doing today for online protection.
List of Rules for online security:
Rule #1: Never share your secret seed phrase. You shouldn’t share “secrets” with strangers online.
Rule #2: Never share your private-keys or anything else which has word “private” before it.
Rule #3: Never enter your secret seed phrase or private-keys into any website online.
Your private-key or secret seed phrase is meant to be the key to your crypto wallet. Violating above rules means scammer/hacker will gain access to your wallet and you will lose money.
Rule #4: Assume everyone on the internet is a scammer/hacker. Especially those who you don’t know and you interact with them in one way or another through social media (twitter, facebook, instagram, TikTok, Discord, etc.).
For example, on Discord, block users from sending you DMs. There is absolutely no reason for any random person to send you a private message on Discord. Turn that option off. Recently Discord and Slack were used to spread malware.
Rule #5: Cryptocurrency Wallet Support or coin/token creators will never DM you (Direct Message on messaging apps, i.e., Text, WhatsApp, Telegram, Discord, Slack, etc.)
Rule #6: Never DM someone offering to help.
Rule #7: If someone DMs you offering to help (with cryptocurrency wallet, exchange issue, etc.), it is a scam. No Doubt, Block, Move on.
If you need technical help/support with crypto wallet, the wallet support does not need to know the secret seed phrase or private-keys or passwords.
Rule #8: Don’t install obscure and “github” wallets on your PC/laptop/phone. Sometimes, it is safer to keep your coins/tokens on an exchange rather than on a software wallet which could be compromised.
Rule #10: Don’t take part in complex, multi-step and confusing cryptocurrency airdrops. It may not be a scam but you could lose money by just trying to participate, keep it simple. It is probably not worth the time and headache.
Rule #11: Always verify and double-check crypto coin/token/wallet website, social media accounts, contract addresses on CoinMarketCap and CoinGecko. If it is not there, don’t invest, don’t install, you will lose your money.
Rule #12: Never send BTC/ETH or any cryptocurrency or Fiat/paper money to receive double the amount back. It is a well known scam.
Be cautious of solicitations requesting that you send cryptocurrency or send money or deposit a check or pay a fee or send payment.
Rule #13: Often people fall victim to scams mentioned in rule #12 because they get emotional, FOMO and try to do things in a hurry, in anticipation to receive “double” crypto back. Crypto is a fast, crazy and furious market, things move at a rapid pace and emotions take over. Slow down. If you read something, think about it, who it is coming from, what it wants you to do, why, verify, double-check the source. Even if by slim chance the request is legit, move slowly, take your time, do one thing at a time. Don’t hurry and never panic or FOMO.
Rule #14: Never use mobile/smartphone to trade, login to crypto exchanges, wallets, etc.
Rule #15: Never fall for “free” stuff offers. 99.999% are scams or has a hidden agenda or catch which makes it worthless.
Rule #16: Never entertain text messages from strangers. If the message is offering some business deal or collaboration related to your work/interests, is too good to be true, asks you to download a file/software, etc. ignore it.
Most scammers/hackers will use social-engineering techniques where they convince a person to perform certain actions or disclose sensitive and confidential information . They contact a person because they’ve identified that person as a target after studying their online habits, messages, social media posts/interests. In addition to that, they may use urgency, scarcity, social proof (news related to their fake offer, etc.) and trust as methods to initiate an attack. This way the message seems relatable, believable and makes the person let their guard down. They use your information and interests against you to hack or scam you.
Rule #17: Never click on website links received in text messages or in email messages, even if the sending number is someone you know. It could be that person you know, their phone is compromised and it is being used to attack you and others on the contact list. Verify through voice or face-to-face conversation.
Always enter websites manually (make it intentional) in the browser and not by clicking on provided links. Each click that you make on your computer, in the browser or on your phone should be intent based and not haphazardly clicking away on first shinning clickable link you see. Make sure to spell the website domain name correctly, if not, search for it on your favorite search engine. If you mistype the website, you could end up on fake website created by cybercriminals. This is called typosquatting (costoco vs Costco, gogle vs google).
Moreover, pay attention to the spellings of the domain-names. Often, cybercriminals might use Internationalized Domain Names (IDN) or Cyrillic spellings to perform Phishing attacks (аррӏе.com – Cyrillic version vs apple.com – real English version, both are different websites).
Rule #18: Never click on any website links in YouTube video descriptions or comments. Even if the YouTube channel is a trusted youtuber/channel with thousands or millions subscribers. Don’t do it.
The main reason for this is that often times, daily tasks and maintenance of the YouTube channel is outsourced to third parties based in the third-world countries (China, South East Asia, India, etc.) and channel owners rarely check what is being inserted into the descriptions as links. This issue is exacerbated by URL shorteners where you cannot ascertain the final destination of the link in the descriptions.
Rule #19: Use dedicated PC/laptop for crypto trading only and DON’T do anything else on it, ever.
When you buy new laptop, etc. always format it and reinstall the Operating System to remove bloatware, scamware and other junk that manufacturer may install from the factory. Moreover, install Operating Systems updates as soon as they are available.
Rule #20: Don’t carry PC/laptop/tablet/hardware wallets used for crypto everywhere you go.
If you must have your laptop or mobile device with you and connect to public Wi-Fi networks, you should use a Virtual Private Newtork (VPN). SurfShark VPN is a good option as it allows you to install on unlimited devices, has an ad-blocker, strict no logs policy, kill switch, 3200+ servers in 65 countries, Multihop and Private DNS & leak protection at an affordable price.
Rule #21: Use dedicated “offline” phone for software-based authenticator apps (preferably without a SIM).
Rule #22: Always use Two-Factor authentication and/or hardware authentication devices (i.e., Yubikey) to secure your email accounts and crypto accounts. Avoid using text message as an authentication option if you can.
Rule #23: Don’t download bit torrents. If you must download then it should be on a workstation which is dedicated for bit torrents files only.
Rule #24: Don’t go looking for “free” movies and free stuff to download. The websites hosting this type of free junk usually come with plenty of malware and scamware.
Rule #25: Don’t install random and unnecessary applications or browser-extensions on your PCs/Laptops/smartphones (you really don’t need that wallpaper or screensaver app on your laptop).
Rule #26: You should implement a proper network protection for your entire home internet connection with a Unified Threat Management or Next-Gen Firewall system such as Untangle, pfSense or Sophos XG.
If above is an overwhelming task for you, consider buying Raspberry Pi and implement DNS based network-wide protection for your home devices. Pi-Hole is a great option for this. It will block advertisements, internet trackers, unwanted content, porn, known malware and scam websites, etc.
At minimum, change your home router DNS IP Addresses to OpenDNS or CleanBrowsing, Neustar, Norton ConnectSafe, AdGuard Family, NextDNS, Quad9 and CloudFlare to name a few.
For devices in your home, such as the ISP provided router, wireless router, etc., change default passwords and use strong Wi-Fi key (15+ characters, mix of letters, numbers and symbols).
Rule #27: All of your PCs, Laptops, Phones and other devices in the household must have antivirus and antimalware protection. Use Malwarebytes or similar product for active end-point malware protection and Bitdefender or similar product for protection against viruses/Trojans/RATs, etc.
Rule #28: Lock and/or power off your PC/Laptop when not in use.
Use Bitwarden in offline/self-hosted mode and get creative.
Rule #30: For all your important files, photos, videos, etc. make sure to backup your data on an external storage device in case of computer hard drive failure or ransomware attack.
This is by no means an exhaustive list but it should put you on a path to start thinking about your online security.
You should have a system, a routine and work in that. Once you’ve built that system and security protocol, improve it but don’t deviate and change things every day – running and panicking from one task to another. This way you are less likely to make a mistake.
Remember, if you are not sure about something, it is better and okay to step back and analyze it further. You should always take time to step away from what you are doing on your computer/phone, take a walk and allow more information, thoughts to come through before making decisions which could impact you and your family. Good luck!