How do I protect my online accounts from being hacked or taken over?
Use a unique strong password for every account, enable two-factor authentication (ideally with an authenticator app), and never click password-reset links you did not request.
Last reviewed: 10 June 2026
Explanation
Account takeover is often the gateway to financial fraud. Once a scammer controls your email, they can reset passwords for your bank, investment accounts, and shopping sites. The most common entry points are reused passwords (so that one breach exposes many accounts), phishing emails that mimic login pages, and SIM-swapping attacks that redirect your phone number.
The foundation is password uniqueness. A password manager generates and stores long random passwords so you never reuse a string across sites. Combine this with two-factor authentication (2FA) on every important account. App-based 2FA such as Google Authenticator or Authy is significantly stronger than SMS codes, because SMS is vulnerable to SIM-swap attacks where a scammer convinces your carrier to port your number to their device.
Phishing remains the most common way attackers steal credentials. Scam emails create urgency ('Your account will be closed in 24 hours') and link to a convincing fake login page. Before entering credentials anywhere, check the full URL in the address bar — not just the displayed link text. Enable your browser's built-in phishing warnings and consider a DNS-level filter like Cloudflare 1.1.1.1 or Quad9 that blocks known malicious domains.
Monitor Have I Been Pwned (haveibeenpwned.com) to learn if your email address appears in known data breaches, and change passwords for any breached service immediately. Review the active sessions and connected apps in the security settings of your most important accounts at least once a year.
Common red flags
- Login notification for a device or location you do not recognise
- Password-reset email you did not request
- Sudden inability to log in with a correct password (account may already be taken over)
- Friends report receiving strange messages from your accounts
- Your mobile carrier sends a SIM-change confirmation you did not initiate
- Security question or recovery email you do not recognise when reviewing account settings
What to do now
- Install a reputable password manager and start replacing reused passwords
- Enable two-factor authentication on email, banking, and social media — use an authenticator app, not SMS, where possible
- Check your email at haveibeenpwned.com and change passwords for any breached accounts
- Review active sessions in the security settings of your email and main accounts
- Contact your mobile carrier and add a SIM-lock or account PIN to prevent SIM swaps
- Set up account-activity alerts wherever offered
Frequently asked questions
Is SMS two-factor authentication better than nothing?
Yes, SMS 2FA is much better than a password alone. But it is weaker than an authenticator app because phone numbers can be ported via SIM swap. Use app-based 2FA on your highest-value accounts.
What is a SIM-swap attack?
A SIM swap is when a scammer convinces your mobile carrier — often with stolen personal information — to transfer your phone number to a SIM card they control. They then receive your SMS verification codes and can reset your account passwords.
How often should I change my passwords?
Security guidance has shifted: change passwords when there is a known breach or suspicion of compromise, not on a fixed schedule. Using unique strong passwords per site and enabling 2FA matters more than frequent rotation.