Stay informed. Stay safe.

Stay Safe Online. Know the risks. Build the habits.

Cyber threats target everyone — students, professionals and organisations alike. This guide breaks down the most common attacks, the protective measures that actually work, and a clear set of everyday rules to keep your data, your devices and your privacy safe.

🛡️
What you'll find here

⚠️ Common threats

Phishing, malware, ransomware, social engineering, password attacks and unsafe Wi-Fi — explained with examples.

🛡️ Protective measures

Strong passwords, MFA, backups, updates, firewalls and VPNs — the controls that block 99% of incidents.

📋 Daily rules

Clear "do" and "don't" rules for data, devices and internet use — what every user should follow.

🎯 Self-assessment

Take the quiz to check your reflexes against realistic scenarios — instant feedback, no signup.

A "threat" is any potential cause of harm to your information, devices or accounts. Below: the five most common today, with real-world advice you can apply immediately.

🐟 Phishing (High risk)

Attackers impersonate someone you trust (your bank, a colleague, IT support) to trick you into revealing credentials or clicking a malicious link. Most phishing now uses urgency, fear or curiosity to bypass your judgement.

  • Never click suspicious links — hover first to inspect the URL.
  • You should check the sender's full email address, not just the display name.
  • Always report suspicious messages to your IT department.
  • Type your bank's URL yourself rather than following email links.

🦠 Malware & Ransomware (High risk)

Malicious software that infects your device — to steal data, spy on you, mine cryptocurrency, or encrypt your files and demand a ransom. It usually arrives via email attachments, fake downloads or compromised websites.

  • Never open attachments from unknown senders.
  • You must only download software from official sources.
  • Keep antivirus and OS updates enabled at all times.
  • Always back up your data — offline if possible.

🔑 Password Attacks (Medium risk)

Brute-force, dictionary attacks and credential stuffing — attackers try millions of passwords (often from leaks of other sites) to break into your accounts. Weak or reused passwords are the #1 cause of account takeover.

  • Do not reuse passwords across services.
  • Use a password manager to generate long, unique passwords.
  • You should enable two-factor authentication (2FA) everywhere it is offered.
  • Check haveibeenpwned.com to see if your accounts have been leaked.

🎭 Social Engineering (High risk)

Manipulation that exploits trust, authority or fear to extract information or actions — by phone, email, chat or in person. Even the strongest technical defences fail if the human is tricked.

  • Never give your password over the phone — your IT will never ask for it.
  • You should verify any unusual request through a separate channel.
  • Always slow down: urgency is a manipulation tactic.
  • Be skeptical of unsolicited "support" calls or messages.

📶 Public Wi-Fi & Man-in-the-Middle (Medium risk)

Open networks (cafés, airports, hotels) can be monitored or impersonated by attackers, allowing them to intercept your traffic, capture credentials or inject malicious content.

  • Do not log in to sensitive accounts over public Wi-Fi.
  • You must use a VPN when connecting from untrusted networks.
  • Always check the network name with the venue — fake hotspots are common.
  • Disable auto-connect to known networks on your devices.

📱 Physical & Device Threats (Lower but real)

Lost or stolen devices, shoulder-surfing, malicious USB drives — physical access often defeats software protections. Especially relevant for laptops, phones and removable media.

  • Never plug an unknown USB drive into your device.
  • You must lock your screen every time you leave your desk.
  • Always enable full-disk encryption (BitLocker, FileVault).
  • Report lost or stolen devices immediately to your IT.

No single tool stops every attack — but a layered set of basic controls blocks the vast majority of incidents. Implement these in order of impact.

🔐 Strong passwords & 2FA

The single most effective control: long unique passwords + a second factor (app code, hardware key) make 99.9% of automated attacks fail (Microsoft data, 2023).

  • Use a password manager (Bitwarden, 1Password, KeePass).
  • Enable 2FA on email, banking, work and social accounts.
  • Prefer authenticator apps or hardware keys over SMS codes.

🔄 Software updates

Most malware exploits vulnerabilities that have already been patched. Updates are not optional — they are the front line of your defence.

  • Turn on automatic updates for OS, browser and antivirus.
  • Don't run end-of-life software (Windows 7, old Android, etc.).
  • Update routers and IoT devices too.

💾 Backups

The only reliable defence against ransomware and data loss. Follow the 3-2-1 rule: three copies, on two different media, with one off-site or offline.

  • Use cloud backup (Backblaze, OneDrive, iCloud) for daily use.
  • Keep one offline copy (external drive, disconnected after backup).
  • Test restoration regularly — a backup you can't restore is no backup.

🌐 Network protection

Firewalls block unwanted traffic; VPNs encrypt your connection on untrusted networks. Both should be active by default.

  • Keep your OS firewall enabled.
  • Change the default router admin password.
  • Use WPA3 (or at least WPA2) on your home Wi-Fi.
  • Use a reputable VPN on public Wi-Fi.

🛡️ Safe browsing & email

Most attacks reach you via your browser or your inbox. A few habits dramatically reduce your exposure.

  • Check the URL before logging in — look for HTTPS and the correct domain.
  • Use a content blocker / ad blocker on untrusted sites.
  • Preview links before clicking; never trust shortened URLs blindly.
  • Use an email provider with strong spam & phishing filtering.
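
The URL checks from the phishing and safe-browsing tips, written out as an added example (not code from this site): it flags a link that is not HTTPS or whose real host is not a domain you already trust. The trusted-domain list, the function name and the sample links are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: the domains you log in to, written the way you would type them yourself.
TRUSTED_DOMAINS = {"mybank.example", "mail.example.org"}


def check_login_url(url, trusted=TRUSTED_DOMAINS):
    """Return a list of warnings for a link; an empty list means every check passed."""
    warnings = []
    parts = urlsplit(url.strip())
    # hostname is what the browser actually connects to: lowercased, no port, no user info.
    host = (parts.hostname or "").rstrip(".")

    if parts.scheme != "https":
        warnings.append("not HTTPS")
    if "@" in parts.netloc:
        # Everything before '@' is user info, not the site, however familiar it looks.
        warnings.append("text before '@' is not the site; real host is " + host)
    if not host.isascii() or any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("internationalised host name; may contain look-alike characters")
    # The trusted domain must be the END of the host, on a label boundary.
    if not any(host == d or host.endswith("." + d) for d in trusted):
        warnings.append("host '" + host + "' is not a domain you trust")
    return warnings


# Constructed sample links (the .example names are reserved and point at nothing real).
SAMPLES = [
    "https://www.mybank.example/login",
    "http://mybank.example/login",
    "https://mybank.example.account-check.example/login",
    "https://mybank.example@account-check.example/login",
    "https://xn--mybnk-3ve.example/login",
]

if __name__ == "__main__":
    for link in SAMPLES:
        problems = check_login_url(link)
        print(link, "->", "looks right" if not problems else "; ".join(problems))
```

The third and fourth samples both start with a familiar name, yet the host the browser connects to is a different domain; reading the host from the right-hand end is what catches them.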

👁️ Privacy hygiene

Protecting privacy is part of security: the less data you expose, the less attackers can use against you.

  • Review app permissions on phone and computer regularly.
  • Limit what you share on social media (location, schedule, ID).
  • Use privacy-respecting browsers (Firefox, Brave) when possible.
  • Read terms of service of new apps before installing them.

A short charter of practical rules grouped by topic — modeled on an IT acceptable-use policy. Must = mandatory, Must not = forbidden, Should = strongly recommended.

🔐 Data Protection & Privacy

Must not share your password with anyone — not even IT support.
Must use a unique password for every account that matters.
Must enable two-factor authentication on email, banking and work accounts.
Must not store personal data in unencrypted shared folders.
Should use a password manager to generate and remember passwords.
Should review your privacy settings on social networks every 6 months.

💻 Device Usage

Must not install unauthorized software on a work device.
Must lock your screen when leaving your desk, even briefly.
Must apply security updates as soon as they are available.
Must not plug in unknown USB devices.
Should enable full-disk encryption (BitLocker, FileVault, LUKS).
Should report any lost or stolen device immediately.

🌐 Internet & Email Use

Must not visit unsafe or untrusted websites (those your browser shows a warning for).
Must not open attachments from unknown senders.
Must verify the URL before entering credentials on any site.
Must use a VPN on public or untrusted Wi-Fi networks.
Should report any suspicious email to your IT or security team.
Should prefer encrypted messaging (Signal, WhatsApp) for sensitive conversations.

8 questions, single answer. Pick what you'd actually do — feedback appears after each answer.

A student-friendly definition of the key terms used across this site.

Phishing (Attack)
Fraudulent message pretending to come from a trusted source to trick you into revealing data or clicking malicious links.

Malware (Attack)
Any software designed to harm: viruses, worms, spyware, trojans, ransomware…

Ransomware (Attack)
Malware that encrypts your files and demands a ransom to decrypt them. Backups are the only reliable recovery.

Trojan (Attack)
Malware disguised as a legitimate program. Once executed, it opens a backdoor for attackers.

Spyware (Attack)
Software that secretly records what you do — keystrokes, screenshots, browsing — and exfiltrates it.

DDoS (Attack)
Distributed Denial of Service: many devices flood a server with traffic to make it unavailable.

Botnet (Attack)
A network of compromised devices remotely controlled by an attacker to launch attacks (often DDoS or spam).

Zero-day (Concept)
A security flaw exploited by attackers before the vendor has released a patch.

Vulnerability (Concept)
A weakness in software, hardware or configuration that an attacker can exploit.

Patch (Defence)
A small update that fixes a vulnerability. Applying patches quickly is one of the strongest defences.

Firewall (Defence)
A filter that allows or blocks network traffic based on rules. Built into your OS and router.

VPN (Defence)
Virtual Private Network: encrypts your internet traffic, hiding it from local networks and attackers.

2FA / MFA (Defence)
Two- or multi-factor authentication: a second proof (code, key) in addition to your password.

Encryption (Defence)
Converting data so only authorised users can read it. Used for files, emails, websites (HTTPS).

Sandboxing (Defence)
Running suspicious code in an isolated environment so it cannot affect the rest of the system.

Trusted external sources to go deeper. All free, all reputable.