Welcome to Internet Safety Month, a once-a-year event in which you, the public, are told that anywhere between three and 30 different best practices will simplify your approach to staying safe online.

Unfortunately, much of the well-intentioned advice surrounding Internet Safety Month ignores one basic fact about how people change their habits: We typically only correct our behavior after first making a mistake.

We buy rain boots after feeling the unique misery of drenched socks. We become sunscreen evangelists after getting burnt on the beach. We try on a different pair of jeans after a separate pair caused psychic damage to our egos.

This year, then, for Internet Safety Month, we’re packaging our advice a little differently.

Today, we’re going to share stories about the consequences of unsafe Internet practices. By focusing on this context, we hope that you’ll come away with a stronger understanding about, for instance, why you should use a password manager rather than that you should use a password manager.

Here’s what to avoid during Internet Safety Month, and every month after.

Don’t lose thousands upon thousands of dollars

In the world of online scams, criminals care about one thing: Your money.

That’s true for the criminals who send you phishing emails that ask you to fill out personal information on bogus webpages that spoof the legitimate sites of Netflix, or Facebook, or your bank. It’s also true of the criminals who prey on the elderly and the unassuming when pretending to develop a romantic relationship online, only to later ask for financial support and disappear.

None of these situations are hypotheticals.

Earlier this year, a woman in Tennessee was fooled in an online dating scam by a thief who stole $390,000 of her money. Just last month, after the Twitter account of a famous digital artist was hacked, cybercriminals abused the account to send promotions for a fraudulent collaboration between the artist and the luxury brand Lous Vuitton. By selling fake raffle tickets for the promotion, the scammers raked in $438,000 worth of cryptocurrency.

Staying safe in all of these situations can be difficult because, often times, the scammers on the other end are practiced, experienced professionals. Still, there are a few things you can do to best protect yourself from falling for an online scam.

  • Do not click on links in emails or text messages from unknown senders. Even if a message looks like it came from a trustworthy source, like a store you often shop at, you should still be wary of any request to get you to hand over credit card or financial information online.
  • Do not send money to anyone you haven’t met before. When we spoke with Cindy Liebes of the Cybercrime Support Network about romance scams, she said many victims of romance scams often sent money to people they had never met in person.
  • Do not trust everything you see online. This may sound simple, but remember that even trusted sources of authority can have their online accounts hacked or spoofed—after all, why else do you think we see so many cryptocurrency scams centering on bogus Twitter accounts for Elon Musk? Because, at first blush, they look legitimate.

Don’t ruin your device

A true story from me, your author. In 2016, I bought a new smartphone that, as part of a promotion, came with an additional smart watch. Getting the smartwatch required sending a separate form and having the watch delivered to my home at a later date.

About a week after I’d sent the form, I received an email allegedly from the United States Postal Service. The email told me that an update on my package—which I believed to be my new smartwatch—could be read in the attached document, which I blindly downloaded and opened.

Lo and behold, the attachment contained ransomware. After just a few minutes, I’d ruined my work laptop. My files were encrypted and inaccessible and the only readable document remaining was a ransom note asking for money.

The worst part about ruining your work laptop is that you don’t even get to take the day off. Working as a reporter, I still had a story to file—I was on deadline! I spent the day reporting and writing an entire article on my phone. It was a nightmare that I recommend to no one.

Though my tale is just about ransomware, the truth is that much of today’s malware gets delivered either through malicious attachments or malicious websites. Here are some simple steps you can take to prevent these attacks from happening.

  • Do not open email attachments from random senders. You never know if what you’ve just received is actually malware in disguise.
  • Do scrutinize email attachments of all types. Even if you’ve received an attachment from someone or some organization that looks legitimate, remember that, in my case, I was fooled by an email that spoofed the USPS. In fact, a few years ago, threat actors managed to insert malicious attachments into ongoing email threads between two trusted parties.
  • Do run security updates. Many malware campaigns rely on known vulnerabilities that have yet to be patched by individuals and organizations. The best defense you have to these types of attacks is to stay up to date on your software’s security patches.
  • Do consider using a browser plugin that flags unsafe websites. Some browser plugins can warn you if you’re visiting a dangerous website or a website that has been associated with previous malware scams. Consider using one of these plugins if you’re not sure who you can trust online.
  • Do use a cybersecurity app. A cybersecurity tool with real-time protection can stop malware before it has a chance to infect your device. This will provide you with the type of cover you need for when you aren’t remembering every best practice, which is okay. Sometimes you click a link you weren’t supposed to. Don’t beat yourself up about it—just get a cybersecurity app to back you up.

Don’t make it easy for criminals

A video of Kanye West from 2018 purportedly revealed that the rapper and producer’s iPhone passcode was 000000. Before you laugh, remember that every single year, a list of the top 10 or 20 most-used passwords (as determined through data breaches that revealed account credentials) typically includes “password” and “123456” near the top five placements. And, separately, though the reasons for the devastating SolarWinds breach are many, it’s hard to forget that, according to the company’s CEO, someone protected a critical, internal account with only the password “solarwinds123.”

The lesson here is simple: Don’t give cybercriminals a free pass.

The truth is, that in most cases, cybercriminals will only succeed against the least-defended targets. If you have any basic defenses in place, cybercriminals often won’t bother with a follow-up attempt to breach your device or steal your information—it’s simply too much trouble when they can move on to another potential victim.

Implement these practices—with the help of some tools—to ruin a cyberthief’s day.

  • Do use strong passwords. The longer the password the better in today’s world, in which password-cracking is more a function of time than “complexity.”
  • Do use unique passwords for every account.Repeat passwords are a huge risk to you because if your data is breached in an attack on one of the services you use, cybercriminals absolutely will try that password and username combo to access other popular services.
  • Do use a password manager to help keep track of the dozens of unique passwords you have.
  • Do use two-factor (also called multi-factor) authentication. With 2FA or MFA, even if your username and password are leaked, your account will still trigger a notification to your phone if a website recognizes that you are logging in from a different device or place. This can stop cyberthieves in their tracks even if they have your account credentials.
  • Do use a VPN on public WiFi connections. A virtual private network, or VPN, will encrypt your traffic, which can be especially helpful when connecting to public WiFi networks which could be vulnerable to eavesdropping. To learn how to choose the best VPN for you, read our advice here.

Learn from the experiences of others

The Internet can be a risky place where you can legitimately lose thousands of dollars or entire days’ worth of work. Don’t wait until you’ve made your own mistake to course-correct. Start changing your behavior today to enjoy a safer, better Internet experience.

Learn more about our Malwarebytes Internet Safety Month promotions here.