The vast majority of account takeovers do not involve a master hacker breaking encryption. They involve a convincing email, a fake login page, or a password you reused on a site that got breached. The defenses are unglamorous and genuinely effective: recognize the bait, give every account its own strong password, and add a second lock. An afternoon of setup buys you years of protection.

Figure: comparison of a single reused password that unlocks every account versus unique passwords plus two-factor authentication that contain a breach. Caption: One reused password can topple a dozen accounts. A manager plus two-factor closes the gap.

What phishing actually looks like

Phishing is a message — email, text, or call — designed to trick you into handing over a password, a code, or money. Modern phishing is polished; the days of obvious typos are mostly gone. The tells are subtler:

  • A sense of urgency or fear: "Your account will be suspended," "Suspicious login detected — verify now."
  • A link that looks almost right but isn't — a misspelled domain, or a real-sounding name on the wrong website.
  • A request to "confirm" your password, full card number, or a one-time code. Legitimate companies never ask for these.
  • An unexpected attachment, or a text claiming a package problem or bank alert with a link to "fix" it.

The cardinal rule: never log in or enter sensitive data through a link in a message. Instead, open a new tab and type the site's address yourself, or use the company's app. If a "code" arrives that you did not request, never share it — that code is often the last thing standing between a thief and your account.
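The "almost right" link is the tell that is hardest to judge by eye, so here is an added example (not code from the original article) of how a mail filter or browser extension can check a link the same way a careful reader would: pull the real hostname out of the URL, reduce it to its registrable domain, and compare that against a short list of domains you trust. The trusted list and the sample links are constructed for illustration, and taking the last two labels as the registrable domain is a simplification that real tooling replaces with the public suffix list.

```python
from urllib.parse import urlparse

# Constructed sample list of domains the user actually has accounts with.
TRUSTED = ["example-bank.com", "google.com", "paypal.com"]


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot one-character lookalikes such as paypa1.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Simplification: the last two labels. Real code would consult the public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_link(url: str) -> tuple:
    """Return (verdict, detail) describing why a link does or does not match a trusted site."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    reg = registrable_domain(host)
    # "https://paypal.com@evil.example/": everything before the @ is a username, not the site.
    if "@" in parsed.netloc:
        return ("credential-trick", host)
    if reg in TRUSTED:
        return ("trusted", reg)
    for trusted in TRUSTED:
        brand = trusted.split(".")[0]
        # A real-sounding name sitting on the wrong website, e.g. paypal.secure-login.example.
        if brand in host:
            return ("brand-on-wrong-domain", reg)
        # A misspelled domain that differs from a trusted one by a character or two.
        if levenshtein(reg, trusted) <= 2:
            return ("lookalike", trusted)
    return ("unknown", reg)


if __name__ == "__main__":
    # Constructed sample links covering each tell from the list above.
    for link in ["https://www.paypal.com/login", "https://paypa1.com/verify",
                 "http://paypal.secure-login.example/", "https://paypal.com@evil.example/",
                 "https://news.example.org/"]:
        print(link, "->", classify_link(link))
```

The verdict order matters: the username trick is checked first because the hostname alone looks harmless, and an exact match on a trusted domain short-circuits the fuzzy checks so that a legitimate subdomain such as mail.google.com is not flagged.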

Strong, unique passwords — and a manager to hold them

The biggest, most common mistake is reusing one password across many sites. When any one of those sites is breached, attackers take the leaked email-and-password pairs and try them everywhere — your bank, your email, your brokerage. One reused password can topple a dozen accounts at once.

The fix is a password manager. It generates a long, random, different password for every account and remembers them all, so you only memorize one master password. This is the single highest-leverage security upgrade most people can make, and it actually makes daily life easier, not harder. Prioritize unique passwords on the accounts that matter most: your email first, then financial accounts.
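To make the reuse problem concrete, here is an added example (not code from the original article) that does two things a password manager does for you: it generates a long random password from a cryptographic source, and it answers the question "if this one site is breached, which of my other accounts fall with it?" The two vaults are constructed for illustration; one reuses a single password everywhere, the other holds a fresh random password per site.

```python
import math
import secrets
import string

# The character set a manager typically draws from: 52 letters, 10 digits, 32 punctuation marks.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Cryptographically random password: use secrets, never random, for anything security-related."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet: str = ALPHABET) -> float:
    """Guessing work for a uniformly random password: log2(|alphabet| ** length)."""
    return length * math.log2(len(alphabet))


def accounts_exposed_by_breach(vault: dict, breached_site: str) -> list:
    """Given a site -> password map, list the other sites an attacker can enter with the leaked pair.

    This is exactly what credential stuffing does: replay the leaked password everywhere else.
    """
    leaked = vault[breached_site]
    return sorted(site for site, pw in vault.items() if site != breached_site and pw == leaked)


# Constructed sample vaults (site names and the reused password are illustrative).
SITES = ["email", "bank", "brokerage", "shop", "forum"]
REUSED_VAULT = {site: "Summer2023!" for site in SITES}
UNIQUE_VAULT = {site: generate_password() for site in SITES}

if __name__ == "__main__":
    print("one random password:", generate_password(), f"({entropy_bits(20):.0f} bits)")
    print("forum breached, reused vault exposes:", accounts_exposed_by_breach(REUSED_VAULT, "forum"))
    print("forum breached, unique vault exposes:", accounts_exposed_by_breach(UNIQUE_VAULT, "forum"))
```

A 20-character password drawn from this alphabet carries roughly 131 bits of entropy, far beyond what offline guessing can cover, and because each site's password is independent, the breached forum account in the second vault exposes nothing else.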

Why your email is the master key

If an attacker controls your email, they can reset the password on nearly everything else, because password resets get sent there. Treat your primary email account as the crown jewels: give it your strongest unique password and your best second factor. Protecting it is more important than protecting any single bank login.

Two-factor authentication: the second lock

Two-factor authentication (2FA) requires a second proof of identity beyond your password — usually a code from an app or a tap on your phone. Even if a thief steals your password, they are stopped at the second lock. Turn it on for email, banking, and brokerage accounts at minimum.

  • An authenticator app or a physical security key is stronger than text-message codes, which can be intercepted.
  • Text-message 2FA is still far better than no 2FA, so use it if that is all an account offers.
  • Save your backup codes somewhere safe so you are not locked out if you lose your phone.

Combined with unique passwords, 2FA neutralizes the most common attack — a stolen-and-reused credential — almost entirely. These same habits shut down the scams catalogued in The Most Common Financial Scams, which often begin with a phishing message.

What to do if you've been breached

If you think an account is compromised, move quickly and in order:

  • Change that account's password immediately, and change it anywhere else you reused it.
  • Turn on or reset two-factor authentication and review recent activity for anything you didn't do.
  • If a financial account or your identity is involved, contact the institution's fraud line and follow the full plan in How to Recover From Identity Theft, including freezing your credit.
  • Watch your statements and credit for the next several months.

Security is not a one-time project but a set of habits. Use a manager, turn on 2FA everywhere, and stay skeptical of urgent messages — the broader playbook is in Protecting Yourself From Financial Fraud. To see where your defenses are thin, run the Financial Resilience Assessment and fix the gaps it surfaces.