Web Starter Guide - Get Your Website Online for Free

So You Want a Website?

Great! Let's get you online. This guide will walk you through everything step by step, and most of it is completely free.

First question: Do you have a name for your business, project, or idea?

This determines whether you need a custom domain name (like yourname.com) or can start with a free subdomain.

Choose one option below:

Start Without a Custom Domain

Smart move! You can build and launch your site first, then add a custom domain whenever you're ready.

With free hosting, you'll get a URL like:

yourproject.pages.dev (Cloudflare Pages)
yourusername.github.io (GitHub Pages)
yourproject.vercel.app (Vercel)

These are perfectly fine for testing, portfolios, or projects where the exact URL doesn't matter. You can always add a custom domain later without rebuilding anything.

Pro tip

Starting this way is great for learning. You'll understand the tools before committing to a domain name purchase.

You Have a Name - Great!

A custom domain makes your site look professional and builds trust with visitors.

Do you already own your domain?

Choose one option below:

You Already Own Your Domain

Perfect! You can keep it where it is or transfer it to Cloudflare to save on renewal costs.

Option 1: Keep it where it is

Your domain can stay at its current registrar. You'll just point the DNS to your hosting provider later. This is the simplest approach if you're happy with your current registrar.

Option 2: Transfer to Cloudflare (recommended for savings)

Cloudflare offers domains at cost - no markup. This typically saves $5-15/year compared to other registrars. The transfer process takes a few days.

How to transfer to Cloudflare

Unlock your domain at your current registrar
Get your authorization/EPP code from your current registrar
Go to Cloudflare Domain Transfer
Enter your domain and the authorization code
Pay for one year renewal (at Cloudflare's cost price)
Wait 5-7 days for the transfer to complete

Note: ICANN rules require domains to be at least 60 days old before transfer.

Register Your Domain

First, check if your domain is available, then pick a registrar.

Check availability

Search for your domain on Cloudflare Registrar to see if it's available and get the real price (no upsells).

Where to register

Cloudflare Registrar

Recommended

Why: Domains at wholesale cost (no markup). A .com is ~$10.11/year. No tricks, no upsells, includes free privacy protection.

Best for: Everyone. It's genuinely the cheapest for most TLDs.

Register on Cloudflare

Porkbun

Why: Low prices, friendly interface, great support. Often has the best prices for unusual TLDs.

Best for: If you want a nicer UI or Cloudflare doesn't support your TLD.

Visit Porkbun

Namecheap

Why: Established company, frequent sales, good support. First-year deals can be very cheap.

Best for: Catching a sale, or if you prefer a well-known brand.

Visit Namecheap

Price comparison for .com domains

Registrar	First Year	Renewal	Privacy
Cloudflare	~$10.11	~$10.11	Free
Porkbun	~$10.87	~$10.87	Free
Namecheap	~$9.98*	~$15.98	Free
GoDaddy	~$12.99*	~$22.99	$10+/yr

*First-year promotional pricing. Prices as of 2024 - check current rates.

Avoid these

GoDaddy, Google Domains (shut down), and Network Solutions charge significantly more and often have aggressive upselling.

Need Help Picking a Domain?

Use AI to brainstorm domain names. Here's a prompt you can use with ChatGPT, Claude, or similar tools.

AI Prompt Template

Help me brainstorm domain names for my [business/project].

About my project:
- What it does: [describe briefly]
- Target audience: [who is it for]
- Keywords: [list 3-5 relevant words]
- Tone: [professional/fun/creative/etc]

Please suggest:
1. 10 exact-match .com domains (check availability)
2. 5 creative alternatives using other TLDs
3. 5 short, memorable options

For each suggestion, note if it's likely available (common words = probably taken).

Domain name tips

Shorter is better - easier to remember and type
Avoid hyphens - they're hard to communicate verbally
Avoid numbers - "four" or "4"? People will guess wrong
.com is still king - but .co, .io, .dev are acceptable for tech
Say it out loud - can you tell someone your domain over the phone?

Checking availability

Use Cloudflare's domain search to check availability without being tracked or having domain squatters grab your idea.

Choose Your Hosting

All of these are free for static websites (HTML, CSS, JavaScript). Pick based on your needs.

Cloudflare Pages

Recommended Free

Free tier: Unlimited bandwidth, 500 builds/month, unlimited sites

Best for: Most projects. Fast global CDN, easy GitHub/GitLab integration, serverless functions (Workers) if needed later.

Setup: Connect GitHub repo, auto-deploys on every push.

Learn more about Cloudflare Pages

GitHub Pages

Free

Free tier: 100GB bandwidth/month, 1GB storage, unlimited public repos

Best for: Personal sites, portfolios, documentation. Simplest setup if you already use GitHub.

Setup: Enable in repo settings, push to main branch.

Learn more about GitHub Pages

Vercel

Free

Free tier: 100GB bandwidth/month, serverless functions, edge functions

Best for: React/Next.js projects, or if you want the best developer experience.

Setup: Import from GitHub, auto-configures most frameworks.

Learn more about Vercel

Quick comparison

Feature	Cloudflare Pages	GitHub Pages	Vercel
Bandwidth	Unlimited	100GB/mo	100GB/mo
Build minutes	500/mo	2000/mo	6000/mo
Custom domain	Yes	Yes	Yes
HTTPS	Auto	Auto	Auto
Functions	Workers	No	Yes
Best CDN	Excellent	Good	Excellent

My recommendation: Start with Cloudflare Pages. Unlimited bandwidth means you never worry about traffic spikes, and it integrates perfectly if you registered your domain with Cloudflare.

Set Up GitHub (Your Backup)

GitHub stores your code and automatically deploys changes. It's free and gives you version history + backup of everything.

Why GitHub?

Even if you're not a developer, GitHub is valuable: it backs up every change, lets you roll back mistakes, and all the hosting options integrate with it for automatic deploys.

Getting started

Create a GitHub account at github.com/signup (free)
Create a new repository
- Click the "+" in the top right, select "New repository"
- Name it something like my-website
- Select "Public" (free hosting requires public repos for most services)
- Check "Add a README file"
- Click "Create repository"
Add your website files
- Click "Add file" → "Upload files"
- Drag your HTML, CSS, and image files
- Click "Commit changes"

Don't have website files yet?

Start with a simple index.html:

<!DOCTYPE html>
<html lang="en">
<head>
  <meta charset="UTF-8">
  <meta name="viewport" content="width=device-width, initial-scale=1.0">
  <title>My Website</title>
</head>
<body>
  <h1>Hello World!</h1>
  <p>My website is coming soon.</p>
</body>
</html>

You can create this file directly on GitHub: click "Add file" → "Create new file", name it index.html, and paste this code.

Connect to your hosting

Pick ONE hosting provider below. You only need to follow the instructions for whichever service you chose on the previous screen. You can expand all three to compare, but you'll only set up one. (You can always switch later if you change your mind.)

Cloudflare Pages setup

Go to Cloudflare Pages Dashboard
Click "Create a project" → "Connect to Git"
Select your GitHub account and repository
For build settings: if it's plain HTML, leave everything blank
Click "Save and Deploy"
Your site will be live at projectname.pages.dev

To add your custom domain: go to your project → "Custom domains" → add your domain. Cloudflare handles DNS automatically if your domain is with them.

GitHub Pages setup

Go to your repository on GitHub
Click "Settings" → "Pages" (in left sidebar)
Under "Source", select "Deploy from a branch"
Select "main" branch and "/ (root)" folder
Click "Save"
Your site will be live at username.github.io/reponame

To add a custom domain: enter it in the "Custom domain" field and create the DNS records it shows you.

Vercel setup

Go to vercel.com/new
Click "Import" next to your GitHub repository
Vercel auto-detects settings - usually just click "Deploy"
Your site will be live at projectname.vercel.app

To add a custom domain: go to project settings → "Domains" → add your domain and follow DNS instructions.

Set Up Email for Your Domain

Want a professional email like [email protected]? Here's how to do it for free.

Two parts to email: Receiving mail is easy and free. Sending mail from your domain is trickier but still possible for free.

Part 1: Receiving Email (Easy & Free)

Cloudflare Email Routing

Recommended Free

Forward emails from [email protected] to your personal Gmail, Outlook, etc. Unlimited addresses, completely free.

Go to Cloudflare Dashboard
Select your domain → "Email" → "Email Routing"
Click "Get started"
Add your destination email (Gmail, etc.)
Verify by clicking the link sent to that email
Create routes like [email protected] → your Gmail

Catch-all option: Enable this to receive emails to any address at your domain.

Part 2: Sending Email (The Hard Part)

To send emails from your custom domain, you need an SMTP service. Here are free options:

Zoho Mail Free

Best for Personal Use Free

What you get: 5 users, 5GB each, webmail, mobile apps, real SMTP/IMAP

Setup: zoho.com/mail → Sign up with your domain → Verify domain → Set up MX records

Catch: Free plan requires you to use Zoho's interface (no SMTP to other clients on free tier, actually). You can use their webmail or mobile app.

Forward Email (forwardemail.net)

Free & Open Source

What you get: Free forwarding + limited sending (via their SMTP)

Setup: forwardemail.net → Add domain → Set DNS records

Bonus: Open source, privacy-focused, no ads.

Gmail "Send mail as" (workaround)

Free

What you get: Send from your custom domain using Gmail's interface

How it works:

Set up Cloudflare Email Routing to forward to your Gmail
In Gmail: Settings → "See all settings" → "Accounts and Import"
"Send mail as" → "Add another email address"
Enter your custom email address
For SMTP server, you'll need a service like Resend or Brevo (see below)

Transactional email services (more technical)

These are designed for apps but work for personal email too:

Service	Free Tier	Notes
Resend	3,000/month	Modern API, easy setup
Brevo	300/day	Good deliverability
Mailgun	Trial only	Powerful but complex

Simplest approach

Use Cloudflare Email Routing for receiving + Zoho Mail Free for sending. It's 100% free and gives you a real email experience.

You're All Set!

Congratulations! You now have everything you need for a professional web presence.

What you've accomplished

Domain - Your own address on the internet
Hosting - Your site is live and fast
Backup - GitHub stores everything safely
Email - Professional email at your domain

Your total cost

Domain (.com)	~$10/year
Hosting	$0
Email	$0
GitHub	$0
Total	~$10/year

Or $0 if you're using a free subdomain!

Next steps

Build out your website content
Learn basic HTML/CSS (try freeCodeCamp)
Consider a simple site builder if you don't want to code
Set up analytics (Plausible or Cloudflare Web Analytics - both privacy-friendly)

Secure Your Online Presence

Your website is live - now let's make sure you don't lose access to it (or your connected accounts).

This section covers the most common ways people lose control of their online presence and how to prevent them.

The scary truth

Most people don't get "hacked" by sophisticated attacks. They lose access because of preventable mistakes: weak passwords, no 2FA, or getting locked out by automated systems.

What would you like to focus on?

Account Security Basics

These fundamentals protect 90% of people from 90% of attacks.

1. Use a Password Manager

Stop reusing passwords. A password manager generates and stores unique passwords for every account.

Recommended Password Managers

Manager	Free Tier	Best For
Bitwarden	Yes, full-featured	Best free option
1Password	No (14-day trial)	Best UX, families
Apple Keychain	Built into Apple	Apple ecosystem

2. Enable Two-Factor Authentication (2FA)

Even if someone gets your password, they can't log in without your second factor.

Priority accounts for 2FA: Email (most important!), domain registrar, hosting, GitHub, banking, social media.

2FA methods, ranked by security:

Hardware keys (YubiKey) - best security, can't be phished
Authenticator apps (Authy, Google Authenticator) - good security
SMS codes - better than nothing, but vulnerable to SIM swapping

Email is the master key

Your email account can reset passwords for everything else. If someone gets into your email, they can take over your entire online presence. Secure it first with the strongest 2FA you can.

3. Set Up Recovery Options

What happens if you lose your phone or password manager?

Save recovery codes - print them and store somewhere safe (not digital)
Add a backup email - use a completely separate email provider
Register a backup phone number - ideally someone you trust
Export your password manager - encrypted backup stored offline

Protecting Your Business Online

Losing your Google listing, social media accounts, or email reputation can devastate a small business overnight. Here's how it happens and how to protect yourself.

What Does "Getting Banned" Actually Look Like?

The Coffee Shop That Disappeared

Sarah ran a small coffee shop for 8 years. One morning, her Google Business Profile showed "This listing has been suspended." No warning, no explanation. Her business vanished from Google Maps, Google Search, and all the reviews she'd built up over years were gone. Phone calls dropped 60% in the first week.

What happened: A competitor had filed fake "business moved" reports. Google's automated system suspended her listing for "suspicious activity." It took 3 months and countless hours to get reinstated.

The Contractor Blacklisted by Email

Mike's HVAC company sent appointment confirmations and invoices via email. One day, his emails started bouncing. Then customers reported his emails were going to spam. His domain had been blacklisted.

What happened: His WordPress contact form had been compromised and was sending thousands of spam emails from his domain. He never noticed because the spam was going out, not coming in. His domain's email reputation was destroyed.

The Bakery's Social Media Nightmare

A bakery with 15,000 Instagram followers lost their account overnight. Instagram said it violated community guidelines. The business had been posting cake photos for 5 years.

What happened: Their account was reported en masse by a coordinated attack (possibly a disgruntled ex-employee or competitor). Instagram's automated system disabled the account. Appeals took 6 weeks.

How Businesses Get Delisted, Banned, or Blacklisted

The terrifying truth: Most of these happen through NO fault of your own. Automated systems make mistakes, competitors file false reports, and your website can be compromised without you knowing.

1. Email Blacklisting

Your domain gets flagged as a spam source, and your emails stop reaching customers.

Open mail relay - misconfigured email server that spammers use to send through your domain
Compromised contact forms - hackers use your website to send spam
Shared hosting contamination - another site on your server is spamming, and you share an IP
Purchased email lists - sending to people who didn't opt in triggers spam reports
Sudden volume spikes - sending 1,000 emails when you usually send 10 looks suspicious

2. Google Business Profile Suspension

Your business disappears from Maps and local search results.

Competitor false reports - "This business is closed" or "wrong address" reports
Keyword stuffing - putting "Best Pizza NYC Cheap Pizza Near Me" in your business name
Multiple listings - creating duplicate listings for the same location
Virtual office addresses - using a mailbox service instead of real location
Ownership disputes - someone claims they own your business listing

3. Social Media Account Termination

Years of followers and content, gone instantly.

Mass reporting attacks - coordinated false reports trigger automatic suspension
Third-party app access - an app you connected gets compromised and posts spam
Accidental policy violations - algorithms misinterpret your content
Account theft - hacker changes email/password and you can't recover
Payment disputes - if you run ads and payment fails, whole account can be banned

4. Website Blacklisting (Google Safe Browsing)

Chrome shows a scary "Dangerous site" warning when customers try to visit.

Malware injection - hackers add malicious code to your site (especially WordPress)
Phishing pages - attackers create fake login pages on your site
SEO spam - hidden links to gambling/pharma sites injected into your pages
Drive-by downloads - your site starts serving malware to visitors

5. Domain Seizure or Suspension

Your entire domain stops working.

Registrar account compromise - hacker transfers your domain away
Expired payment info - domain lapses because card on file expired
Legal complaints - DMCA or trademark claims (legitimate or fraudulent)
Abuse reports - hosting provider shuts you down for alleged violations

Prevention: Building Your Defenses

Email Reputation Protection

Set up SPF, DKIM, and DMARC - these prove emails actually come from you (Cloudflare makes this easy)
Use a dedicated email service - don't send business email through your web hosting
Monitor your reputation - check MXToolbox Blacklist Check monthly
Secure contact forms - add CAPTCHA, rate limiting, and spam filtering
Use transactional email services - SendGrid, Mailgun, or Amazon SES for automated emails
Never buy email lists - only email people who explicitly opted in

Google Business Profile Protection

Verify your business - complete all verification steps Google offers
Keep information accurate - hours, address, phone must match reality exactly
Respond to reviews - active engagement signals legitimacy
Monitor for changes - check your listing weekly for unauthorized edits
Document everything - save photos, receipts, business licenses proving legitimacy
Set up Google Alerts - get notified when your business name appears online

Social Media Account Protection

Enable 2FA on every account - use an authenticator app, not SMS
Use unique, strong passwords - password manager required
Audit connected apps regularly - remove any you don't actively use
Never share login credentials - use platform's native team/business features
Download your data regularly - Facebook, Instagram, Twitter all offer data exports
Build an email list - own your audience, don't rely solely on social platforms
Document your content - save copies of important posts, images, videos locally

Website Security

Keep software updated - WordPress, plugins, themes - all of them, always
Use security plugins - Wordfence, Sucuri, or similar if on WordPress
Monitor for changes - file integrity monitoring catches injections
Regular backups - automated, stored offsite, tested periodically
Web Application Firewall (WAF) - Cloudflare free tier includes basic WAF
Check Google Search Console - Google will notify you of security issues here

Domain Protection

Enable registrar lock - prevents unauthorized transfers
Use registrar 2FA - domain theft is devastating
Keep payment info current - set calendar reminders before expiration
Enable auto-renew - but still monitor it
WHOIS privacy - reduces spam and social engineering attempts
Consider registry lock - extra protection for critical domains (may cost extra)

Mitigation: When Bad Things Happen

Despite your best efforts, incidents will occur. Speed matters - act fast.

Golden rule: Document EVERYTHING. Screenshots, emails, timestamps, reference numbers. You'll need this evidence for appeals and may need it for legal action.

Email Blacklisted

Identify the blacklist - use MXToolbox to see which lists you're on
Find the cause - check server logs, look for compromised forms or accounts
Fix the vulnerability - patch the hole before requesting delisting
Request removal - each blacklist has a delisting process (usually on their website)
Use alternate sending - temporarily use a different email service for critical communications
Notify customers - explain emails may be delayed, provide alternate contact method

Google Business Suspended

Don't create a new listing - this makes recovery harder
Check email for details - Google sometimes explains why
Review guidelines - understand what might have triggered suspension
Gather documentation - business license, utility bills, photos of location
Submit reinstatement request - through Google Business Profile support
Be patient but persistent - follow up if no response in 7-10 days
Consider Google Business Profile forum - Google Product Experts can escalate issues

Social Media Account Disabled

Appeal immediately - most platforms have an appeal form in the disabled account notice
Provide ID if requested - for business accounts, business documentation
Use alternate official channels - Facebook has a "hacked accounts" form separate from appeals
Document the impact - note business losses for potential legal action
Don't create alt accounts - platforms detect and ban these, hurting your case
Engage on other platforms - let customers know where else to find you
Consider paid support - Meta Verified and similar services offer human support

Website Blacklisted

Take the site offline temporarily - prevent further damage to visitors
Scan for malware - use Sucuri SiteCheck, VirusTotal
Clean the infection - remove malicious code (may need professional help)
Change all passwords - CMS admin, FTP, hosting panel, database
Update everything - CMS, plugins, themes to latest versions
Request review - Google Search Console has a "Request Review" option
Restore from backup if needed - but ensure backup predates infection

Recovery: Getting Back on Your Feet

Email Reputation Recovery

Rebuilding email reputation takes time - often 2-4 weeks of consistent good behavior.

Start with small volume, gradually increase
Focus on engaged recipients who open and click
Remove bounced addresses immediately
Use email warm-up services if needed
Monitor delivery rates daily during recovery

Rebuilding After Social Media Loss

If an account is permanently lost, you need to start fresh strategically.

Create new account with slightly different name if needed (avoid exact duplicate)
Email your customer list announcing the new account
Cross-promote from other platforms you still control
Consider this a lesson: diversify platforms, build your email list
Post consistently to rebuild algorithm favor

Legal and Escalation Options

When normal channels fail:

State Attorney General - can sometimes pressure companies on consumer issues
Small claims court - viable for documented business losses
Media attention - local news loves "big tech vs small business" stories
Social media escalation - tagging company executives sometimes works
Lawyer letter - sometimes a formal letter gets attention
Industry associations - some have relationships with platforms

The Uncomfortable Truth

You are building your business on platforms you don't control. Google, Facebook, Instagram, YouTube - they can change the rules or make mistakes that devastate you, and you have almost no recourse.

The only real protection: Build assets you own. Your website, your email list, your customer database. Platforms are for discovery; owned channels are for relationships.

Prevention Checklist

SPF, DKIM, and DMARC configured for email
2FA enabled on all platform accounts
Domain registrar lock enabled
Google Business Profile verified and monitored
Social media data downloaded/backed up
Email list independent of social platforms
Website backups automated and tested
Security monitoring in place
Contact forms have CAPTCHA/rate limiting
Payment info current on all accounts

General Computer Security

Your computer is the gateway to everything. These habits protect you every day.

1. Browser Extensions Are Dangerous

Browser extensions can read everything you do online - every page you visit, every form you fill out, every password you type.

The hidden risk

Popular extensions like Honey, Grammarly, and many ad blockers request "Read and change all your data on all websites." This means they can see your bank account, read your emails, and capture your passwords as you type them.

Extension Safety Rules

Minimize extensions - every extension is a potential security hole
Check permissions - be suspicious of "Read and change all your data on all websites"
Research the company - who owns this extension? What's their business model?
Review periodically - remove extensions you no longer use
Use separate browser profiles - banking in a clean profile with no extensions

Extensions to be cautious about

Extension	Risk	Alternative
Honey	Tracks all browsing, owned by PayPal, sells data	Manually search for coupon codes
Grammarly	Reads everything you type, including passwords	Use built-in spell check, or Grammarly website only
Free VPN extensions	Route all traffic through unknown servers	Paid VPN with native app
Screenshot tools	Can capture sensitive screens	Built-in OS screenshot tools
PDF converters	Upload your documents to unknown servers	Desktop software or OS built-in

Safer extensions: uBlock Origin (open source, privacy-focused), Bitwarden (password manager from trusted company), and browser built-in features when possible.

2. Keep Software Updated

Updates aren't just about new features - they patch security holes that attackers actively exploit.

Priority Updates

Operating system - enable automatic updates (Windows Update, macOS Software Update)
Browser - Chrome, Firefox, Safari auto-update; just don't delay restarts
Password manager - keeps your credentials safe
Antivirus/security software - signature updates are critical

The 24-hour rule: When you see an update notification, install it within 24 hours. Attackers reverse-engineer patches to find vulnerabilities, then attack people who haven't updated.

3. Don't Reuse Passwords (Ever)

When one site gets breached, attackers try those credentials everywhere. One reused password = all accounts compromised.

Use your password manager to generate unique passwords for every site
Make passwords long (16+ characters) - length beats complexity
Never share passwords via email, text, or chat
If a site is breached, change that password immediately

4. Recognize Phishing

Phishing is still the #1 way people get hacked. Learn to spot it.

Red Flags

Urgency - "Act now or your account will be closed!"
Generic greetings - "Dear Customer" instead of your name
Suspicious links - hover to see the real URL before clicking
Unexpected attachments - especially .exe, .zip, or Office files with macros
Requests for passwords - legitimate companies never ask for your password
Too good to be true - you didn't win a prize you didn't enter

When in doubt

Don't click links in emails. Instead, go directly to the website by typing the URL yourself or using a bookmark you created.

5. Secure Your Home Network

Change default router password - "admin/admin" is not security
Use WPA3 or WPA2 - never WEP (it's broken)
Update router firmware - routers get security patches too
Use a guest network - for IoT devices and visitors. Pick an easy-to-remember password (like "welcomeguest") so you'll actually tell guests to use it instead of giving out your main password
Disable WPS - it's convenient but insecure

6. Be Careful with Public Wi-Fi

Assume all public Wi-Fi is monitored
Don't log into sensitive accounts (banking, email) on public Wi-Fi
Use a VPN if you must use public Wi-Fi for sensitive tasks
Turn off auto-connect to open networks
Verify the network name with staff (attackers create fake hotspots)

7. Physical Security Matters

Lock your screen - Win+L (Windows) or Cmd+Ctrl+Q (Mac) when stepping away
Enable full-disk encryption - BitLocker (Windows) or FileVault (Mac)
Use a privacy screen - for working in public places
Don't leave devices unattended - even for "just a minute"
Shred sensitive documents - dumpster diving is real

8. Backup Your Data

The 3-2-1 rule: 3 copies, on 2 different types of media, with 1 offsite.

Original files on your computer
Local backup on external drive
Cloud backup (iCloud, Google Drive, Backblaze, etc.)

Avoiding Account Lockouts

Getting locked out of your own accounts by automated systems is more common than being "hacked."

Why Google/YouTube Bans Happen

Google's automated systems can flag accounts for:

Unusual login locations or patterns
Automated activity that looks like bots
Content violations (even accidental ones)
Payment issues on connected accounts
Being associated with a banned account

The real danger

Google bans are often permanent with no appeal. If your Gmail is banned, you lose access to YouTube, Google Drive, Google Workspace, and any account that uses Gmail for recovery.

How to Protect Yourself

1. Don't Put All Eggs in One Basket

Use different email providers for different purposes
Don't use Gmail as the recovery email for critical accounts
Consider paid email for business (Fastmail, Proton Mail) - you're a customer, not a product

2. Maintain Access to Your Domain

Don't use Gmail as the contact for your domain registration
Use a completely independent email for your registrar account
Enable registrar lock to prevent unauthorized transfers
Keep domain registration details up to date

3. Backup Everything

Google Takeout - export your Gmail, Drive, Photos regularly
GitHub - clone repos locally, don't only store code on GitHub
YouTube - download your own videos, keep originals
Social media - export your data periodically

4. Avoid Triggering Automated Systems

Don't use VPNs that rapidly change your location
Don't use automation tools on personal accounts
Don't share accounts across many devices
Don't repeatedly fail login attempts
Keep payment methods up to date

If You Get Locked Out

Don't panic - try standard recovery options first
Check recovery email and phone for verification requests
If automated recovery fails, look for official appeal forms
For Google: Account Recovery Form
Document everything - screenshots, dates, account details
Be patient - appeals can take weeks

WordPress Security

WordPress powers 40% of the web, making it a massive target. Most hacks are preventable.

Not using WordPress? If you're running a static site on Cloudflare Pages or GitHub Pages, you're already more secure than most WordPress sites. Skip to the scanning tools.

Why WordPress Sites Get Hacked

Outdated core/plugins/themes (most common)
Weak admin passwords
Cheap/shared hosting with poor security
Nulled (pirated) themes/plugins - they often contain malware
Too many plugins - more attack surface

Essential WordPress Security Steps

1. Keep Everything Updated

Enable auto-updates for WordPress core
Enable auto-updates for plugins (or update weekly)
Delete unused themes and plugins - don't just deactivate
Use reputable plugins from wordpress.org with recent updates

2. Secure Your Login

Don't use "admin" as your username
Use a strong, unique password (via password manager)
Install a 2FA plugin (Two-Factor or Wordfence)
Limit login attempts to block brute force attacks
Consider changing the login URL (security through obscurity helps)

3. Choose Good Hosting

Managed WordPress hosts handle security for you:

Cloudways - good balance of control and management
Kinsta - premium, excellent security
SiteGround - good budget option with security features

Avoid: cheap shared hosting, GoDaddy, EIG brands (Bluehost, HostGator)

4. Backup Regularly

Use UpdraftPlus for automated backups
Store backups off-site (Dropbox, Google Drive, S3)
Test restoring from backup periodically
Keep at least 30 days of backups

Recommended Security Plugins

Plugin	Free Tier	Best For
Wordfence	Yes, good	All-in-one security
Sucuri	Limited	Malware scanning
Solid Security	Yes	Hardening options

Free Security Scanning Tools

These tools help identify vulnerabilities before attackers do. All have useful free tiers.

Website Scanners

SSL Labs (Qualys)

Free Essential

What it checks: SSL/TLS certificate configuration, encryption strength, vulnerabilities

Use it: ssllabs.com/ssltest

Aim for: A+ grade. Anything below A indicates issues.

Security Headers

Free

What it checks: HTTP security headers (CSP, HSTS, X-Frame-Options, etc.)

Use it: securityheaders.com

Aim for: A grade. Add missing headers via Cloudflare or your server config.

Mozilla Observatory

Free

What it checks: Overall web security, combines multiple tests

Use it: observatory.mozilla.org

Shows: Actionable recommendations with explanations.

Sucuri SiteCheck

Free

What it checks: Malware, blacklist status, known vulnerabilities

Use it: sitecheck.sucuri.net

Good for: Quick check if your site has been compromised.

Account Security Checkers

Have I Been Pwned

Free Essential

What it checks: If your email/password appears in known data breaches

Use it: haveibeenpwned.com

Action: If found in breaches, change those passwords immediately.

Google Security Checkup

Free

What it checks: Your Google account security settings, recent activity

Use it: myaccount.google.com/security-checkup

Shows: Devices, third-party access, recovery options.

DNS & Email Security

MXToolbox

Free

What it checks: DNS records, email configuration (SPF, DKIM, DMARC), blacklists

Use it: mxtoolbox.com

Key tests: "Email Health" and "Domain Health" reports.

Scanning isn't free on some tools

Avoid: Pentest-Tools, Detectify, Intruder - they show you have problems but paywall the details. The tools above give you actionable information for free.

OWASP Top 10 in Plain English

The 10 most common ways websites get hacked, explained for non-developers.

What is OWASP? The Open Web Application Security Project - a nonprofit that tracks the most common website vulnerabilities. Their "Top 10" list is the industry standard for web security.

1. Broken Access Control

What it means: People can access things they shouldn't - like viewing other customers' orders or accessing admin pages.

Small business example: Your online store lets anyone view any order by changing the number in the URL (order/123 → order/124). A curious customer sees someone else's name, address, and purchase history.

Protect yourself: If you use a website builder (Shopify, Squarespace), they handle this. If you have a custom site, ask your developer "How do you verify users can only see their own data?"

2. Cryptographic Failures

What it means: Sensitive data isn't properly encrypted - passwords stored in plain text, credit cards transmitted without HTTPS.

Small business example: Your contact form emails you customer inquiries, but the email includes their phone number in plain text. Or worse, your old website stored passwords without encryption, and now they're leaked.

Protect yourself: Always use HTTPS (the padlock icon). Never store customer passwords yourself - use "Sign in with Google" or a proper auth service. Never email sensitive data.

3. Injection

What it means: Attackers insert malicious code through input fields (like search boxes or contact forms) that your website accidentally runs.

Small business example: Someone fills out your contact form with weird code instead of their name. Your website treats it as a command and suddenly they can see your entire customer database.

Protect yourself: Use established platforms (WordPress with security plugins, Shopify, etc.) rather than custom code. If custom, your developer must "sanitize all inputs" - ask them about it.

4. Insecure Design

What it means: The website was designed without thinking about security from the start - security was an afterthought.

Small business example: Your appointment booking system lets anyone cancel any appointment if they know (or guess) the confirmation number. There's no "Are you sure?" or login required.

Protect yourself: When getting a website built, ask "What happens if someone tries to misuse this feature?" Use established platforms that have already thought through these issues.

5. Security Misconfiguration

What it means: The website or server is set up with insecure default settings that were never changed.

Small business example: Your WordPress site still has the default "admin" username. Your hosting account still uses the password they emailed you on day one. Error messages show your database structure to visitors.

Protect yourself: Change ALL default passwords immediately. Turn off detailed error messages on live sites. Remove sample files and unused features. Keep everything updated.

6. Vulnerable and Outdated Components

What it means: Using old, unpatched software with known security holes.

Small business example: You installed a WordPress plugin 3 years ago and forgot about it. That plugin had a security flaw discovered last year. Hackers have scripts that automatically find and exploit sites with that old plugin.

Protect yourself: Update everything regularly - WordPress, plugins, themes. Delete plugins/themes you don't use. Set up automatic updates where possible.

7. Identification and Authentication Failures

What it means: Weak login systems - allowing simple passwords, not limiting login attempts, poor session management.

Small business example: Your admin login allows unlimited password attempts. An attacker runs a script trying thousands of common passwords until "password123" works. Or your site keeps you logged in forever, and someone uses your unattended computer.

Protect yourself: Require strong passwords. Enable 2FA for admin accounts. Limit failed login attempts. Use automatic logout after inactivity.

8. Software and Data Integrity Failures

What it means: Trusting code or data from untrusted sources without verification.

Small business example: You download a "free premium" WordPress theme from a sketchy website instead of the official source. It works great - but it also contains hidden code sending your customer data to hackers.

Protect yourself: Only install plugins/themes from official sources (WordPress.org, official developer sites). Never use "nulled" (pirated) software. Verify downloads when possible.

9. Security Logging and Monitoring Failures

What it means: No way to detect or investigate when something bad happens.

Small business example: Someone accessed your admin panel from Russia at 3 AM and changed your prices to $0. You don't find out until a customer mentions it a week later. You have no logs to figure out what happened or how they got in.

Protect yourself: Use hosting/platforms that provide activity logs. Check logs periodically. Set up alerts for unusual activity (many security plugins offer this).

10. Server-Side Request Forgery (SSRF)

What it means: Tricking your server into making requests to internal systems it shouldn't access.

Small business example: Your website has a feature that fetches preview images from URLs. An attacker provides a special URL that makes your server access your internal admin panel or database, bypassing normal security.

Protect yourself: This is technical - if you have custom development, your developer needs to validate and restrict what URLs your server can fetch. Most standard platforms handle this for you.

The Good News

Using established platforms protects you from most of these

If you're using Shopify, Squarespace, Wix, or even WordPress with reputable themes/plugins, the platform handles most of these security concerns. Your main jobs are: keep everything updated, use strong passwords with 2FA, and don't install sketchy plugins.

The most sophisticated security systems in the world can't protect you if someone convinces you to hand over the keys.

Why this matters most: Over 90% of successful cyberattacks start with social engineering. Hackers don't break through firewalls - they trick people into opening the door. This is especially true for small businesses where everyone wears multiple hats.

The Psychology Behind It

Social engineers exploit fundamental human traits:

Trust - We want to believe people are who they say they are
Helpfulness - We want to help colleagues and customers
Fear - We panic when threatened with consequences
Urgency - We make mistakes when rushed
Authority - We comply with people in power
Greed - We want deals that seem too good
Curiosity - We can't resist finding out more

Phishing: The Most Common Attack

Fake emails, texts, or messages designed to steal credentials or install malware.

Email Phishing Examples

"Your Microsoft 365 password expires today"

The scam: Email looks exactly like Microsoft's branding. Says your password expires in 24 hours and you'll lose access to all your files. Links to a perfect replica of the Microsoft login page.

What happens: You enter your real password on the fake site. Attackers now have access to your email, OneDrive, Teams - everything.

Red flags: Microsoft doesn't email about password expiration. Hover over links to see the real URL (it won't be microsoft.com). The urgency is manufactured.

"You have a new voicemail from +1-555-XXX-XXXX"

The scam: Email claims you missed an important voicemail. Includes a "Play" button or attachment to listen.

What happens: Clicking downloads malware or takes you to a credential-harvesting page. The attachment might be ransomware disguised as an audio file.

Red flags: Why would a voicemail come via email? The "from" address is wrong. Audio files don't need you to "enable macros."

"Invoice #INV-29481 attached - Payment overdue"

The scam: Looks like a legitimate invoice from a vendor. Often uses names of real companies you might work with. Attachment is a Word doc or Excel file with malicious macros.

What happens: Opening the attachment and enabling macros installs malware that can steal data, encrypt files for ransom, or give attackers remote access.

Red flags: You don't recognize the invoice. The amount is random. The company name is slightly off. It asks you to "enable content."

"Unusual sign-in activity on your account"

The scam: Email looks like it's from Google, Apple, or your bank. Claims someone logged in from Russia/China/etc. "Click here to secure your account."

What happens: The link takes you to a fake login page. You enter your credentials trying to "secure" your account, and hand them directly to attackers.

Red flags: Don't click links in these emails. Go directly to the website by typing the URL yourself. Check your actual account activity from there.

"Your package could not be delivered"

The scam: Looks like FedEx, UPS, USPS, or Amazon. Says delivery failed and you need to update your address or pay a small fee.

What happens: Links to a fake site that steals your login, credit card, or personal info. Or downloads malware.

Red flags: Check tracking directly on the carrier's real website. Legitimate delivery issues don't require credit cards for "redelivery fees."

SMS/Text Phishing (Smishing)

"USPS: Your package has a shipping label issue"

The scam: Text with a link to "track" or "resolve" a package issue. Link goes to a fake site asking for personal info or payment.

What happens: You provide address, credit card, or credentials thinking you're fixing a delivery issue.

Red flags: USPS doesn't text you unless you signed up for tracking. The link is a shortened URL or weird domain. Go to usps.com directly.

"Your bank account has been locked. Call this number."

The scam: Urgent text claiming fraud on your account. Provides a phone number (not the real bank number).

What happens: You call and reach a scammer pretending to be the bank's fraud department. They "verify your identity" by collecting all your personal info, account numbers, and PINs.

Red flags: Banks don't text you to call random numbers. Call the number on the back of your card or on your statement instead.

"Hi! I think you gave me the wrong number at the bar last night"

The scam: Random text that seems like a wrong number. Designed to start a conversation.

What happens: If you respond, they know it's a live number. This can lead to romance scams, investment scams, or just spam. Your number gets sold to more scammers.

Red flags: Don't respond to unknown numbers. Block and delete.

Voice Phishing (Vishing)

"This is the IRS. You owe back taxes and will be arrested."

The scam: Aggressive caller claims to be IRS, threatening arrest, license suspension, or deportation unless you pay immediately via gift cards or wire transfer.

What happens: Panicked victims buy gift cards and read the numbers to scammers. Money is gone instantly and untraceable.

Red flags: The IRS never calls demanding immediate payment. They never ask for gift cards. They never threaten arrest on first contact. They send letters first.

"This is Microsoft. Your computer is infected."

The scam: Call claims your computer is sending out viruses or has been compromised. They want to "help" by remotely accessing your computer.

What happens: You give them remote access. They install malware, steal files, or lock your computer and demand payment to unlock it.

Red flags: Microsoft doesn't call you about your computer. Ever. Neither does Dell, HP, or "Windows Support." Hang up immediately.

"Grandma, I'm in trouble and need money"

The scam: Caller sounds distressed, claims to be a grandchild who's been arrested, in an accident, or stranded. Needs bail money or help immediately. "Please don't tell mom and dad."

What happens: Grandparents wire money or send gift cards to "help" their grandchild. The scammer may impersonate a lawyer or police officer to add legitimacy.

Red flags: Always verify by calling the person directly on their known number. Ask questions only the real person would know. Scammers rely on panic overriding logic.

"Your Social Security number has been suspended"

The scam: Robocall claiming your SSN has been suspended due to suspicious activity. Press 1 to speak to an agent.

What happens: "Agent" collects your SSN, date of birth, and other personal info to commit identity theft.

Red flags: Social Security numbers cannot be suspended. The SSA doesn't call you. This is always a scam.

Business Email Compromise (BEC)

Targeted attacks against businesses - the most financially damaging type of scam.

CEO Fraud / Executive Impersonation

"I need you to wire $47,000 right now - confidential"

The scam: Email appears to come from the CEO/owner to someone in accounting. Urgent request to wire money for a "confidential acquisition" or "time-sensitive deal." Tells them not to discuss with anyone.

What happens: Employee wires money thinking they're helping the boss. Money goes to scammer's account and is immediately moved overseas.

Real example: A church bookkeeper received an email from "the pastor" asking to wire $28,000 for a confidential mission project. She didn't verify and wired the money.

Red flags: Unusual requests via email only. Pressure to keep it secret. Urgency that prevents verification. Always verify large transactions by phone or in person.

"Please update our bank account for future payments"

The scam: Email appears to come from a regular vendor saying they've changed banks. Provides new account details for future invoice payments.

What happens: You update your records. Next time you pay that vendor, money goes to the scammer instead.

Real example: A construction company received an email from their "lumber supplier" with new bank details. They updated their system and paid $182,000 to scammers over 3 months before the real supplier asked about missing payments.

Red flags: Always call vendors at their known phone number (not one in the email) to verify banking changes. This is a standard attack - have a policy for it.

"Attached is the invoice for the project we discussed"

The scam: Scammers research your business, learn who you work with, and send a convincing invoice for services that seem plausible.

What happens: Busy employees pay invoices that look legitimate. Or they open attached "invoices" that contain malware.

Red flags: Verify all unexpected invoices. Have a process where invoices must match purchase orders. Be suspicious of slightly different vendor email addresses.

Payroll Diversion

"Please update my direct deposit information"

The scam: Email to HR/payroll appears to be from an employee asking to change their bank account for direct deposit.

What happens: HR updates the payroll system. Employee's next paycheck goes to the scammer's account.

Real example: HR received emails from 3 "employees" in one week asking to update direct deposit. Two were scams. The company lost $12,000 before noticing.

Red flags: Require in-person or phone verification for all banking changes. Use a form on your internal system rather than accepting email requests.

Physical Social Engineering

Tailgating / Piggybacking

"Can you hold the door? My hands are full."

The scam: Someone in business casual with a coffee cup and laptop bag follows an employee through a secure door. Looks like they belong there.

What happens: Attacker gains physical access to your office. Can steal equipment, plant devices, access unlocked computers, or gather information.

Red flags: Don't hold doors for people you don't recognize. Politely ask them to badge in. It's not rude - it's policy.

"I'm here from IT to fix the printer"

The scam: Person shows up claiming to be tech support, a repair technician, or an inspector. May have a fake badge or uniform.

What happens: They get unsupervised access to your network, computers, or sensitive areas. Could install malware, plant surveillance devices, or steal data.

Red flags: Always verify with the company they claim to be from. Call your actual IT person or the vendor directly. Escort visitors at all times.

Baiting

USB drive in the parking lot labeled "Layoff List 2024"

The scam: Attacker drops USB drives in your parking lot, lobby, or mails them. Labels trigger curiosity: "Confidential," "Salary Info," or "Photos."

What happens: Someone plugs it into a work computer to see what's on it. The USB auto-runs malware that infects the network.

Real example: Security testers dropped 200 USB drives around a company's offices. 20% were plugged into corporate computers within hours.

Red flags: Never plug in unknown USB drives. Report them to IT. This is a known attack vector.

"Free iPad! Just complete this survey!"

The scam: Pop-up, email, or social media ad promises free electronics, gift cards, or prizes for "completing a survey."

What happens: Survey asks for personal info, credit card for "shipping," or installs malware. There is no prize.

Red flags: If it's too good to be true, it is. Legitimate companies don't randomly give away iPads to strangers.

Pretexting

"Hi, I'm calling from your bank's fraud department"

The scam: Caller has some of your info (name, last 4 of card) making them seem legitimate. Claims there's suspicious activity and they need to "verify" more information.

What happens: You provide the remaining info they need - full card number, CVV, SSN, or password. Now they have everything for identity theft.

Red flags: Hang up and call the number on your card. Never give sensitive info to inbound callers, no matter how legitimate they seem.

"This is corporate IT doing a security audit"

The scam: Caller claims to be from IT/corporate, needs your password to "verify your account is secure" or "update your permissions."

What happens: You give your password to be helpful. Attacker now has legitimate credentials to your systems.

Red flags: IT should never ask for your password. Real IT can reset it if needed without knowing it. This is a classic attack.

LinkedIn recruiter with a "perfect opportunity"

The scam: Message from a "recruiter" about your dream job. They need your resume, references, and eventually SSN for "background check" before you even interview.

What happens: They collect detailed personal info for identity theft. Or send you a "job offer" and have you deposit a fake check and "forward" money.

Red flags: Real recruiters don't ask for SSN before you have a job offer. Research the company and recruiter independently. Too good too fast is a red flag.

Romance and Long-Con Scams

Online dating: "I can't video chat, my camera is broken"

The scam: Online relationship develops over weeks/months. They're always traveling, military deployed, or working overseas. Can never meet or video chat. Eventually need money for emergency - medical bills, plane ticket to visit you, business problem.

What happens: Victim sends money, often repeatedly. "Emergencies" keep happening. Some victims lose their life savings.

Real example: A 68-year-old woman sent $450,000 over two years to a "boyfriend" she'd never met or video chatted with.

Red flags: Can't video chat. Always has excuses to not meet. Relationship moves fast emotionally. Asks for money. Claims to be military, doctor overseas, or on an oil rig.

"I'll send you money, just forward some to my supplier"

The scam: Online friend/romantic interest sends you a large check. Asks you to deposit it and wire part of it somewhere else. You can keep some as payment for helping.

What happens: The check is fake but banks make funds available before it clears. You wire real money. Days later, the check bounces and you owe the bank the full amount.

Red flags: Anyone asking you to receive and forward money is a scam. Always. This is money laundering and you could face criminal charges.

Investment / Crypto Scams

"I made $50,000 last month with this trading platform"

The scam: Social media posts, dating app matches, or friends show screenshots of huge crypto/forex/stock returns. They share the "platform" that made them rich.

What happens: You invest on the fake platform. It shows great returns. When you try to withdraw, you're told to pay "taxes" or "fees" first. You pay, then there's another fee. Your money is gone.

Red flags: Guaranteed returns don't exist. Unknown platforms are scams. Friends promoting investments may have been hacked. Never invest based on screenshots.

"We need you to buy Bitcoin for the IRS/FBI/customs"

The scam: Caller claims you owe money to a government agency, have a warrant, or a package with drugs was addressed to you. You need to pay via Bitcoin or gift cards to resolve it.

What happens: You buy crypto or gift cards and send the codes/wallet address. Money gone instantly.

Red flags: No government agency accepts Bitcoin or gift cards. This is always a scam. Always.

Targeted Business Attacks

Vendor/Supply Chain Compromise

Your accountant's email was hacked

The scam: Attackers compromise your accountant, lawyer, or vendor. Using their real email account, they send you malicious attachments or fraudulent payment requests.

What happens: Because it's from a trusted source, you're more likely to open attachments or approve payments without scrutiny.

Red flags: Even trusted contacts can be compromised. Verify unusual requests by phone. Be suspicious of unexpected attachments even from known senders.

Watering Hole Attacks

Industry forum/website gets compromised

The scam: Attackers identify websites your business uses (industry forums, local business association, vendor portals) and compromise them to serve malware.

What happens: You visit a website you've used safely for years. This time, it silently installs malware because the site was hacked.

Red flags: Keep browser and plugins updated. Use ad blockers. If a familiar site suddenly seems slow or redirects oddly, leave immediately.

Social Media Reconnaissance

Attackers research your team on LinkedIn, Facebook, Instagram

The scam: Before attacking, scammers gather info: employee names, roles, who reports to whom, vendors you use, recent news, personal details (spouse names, pets, vacations).

What happens: Armed with this info, their phishing is highly convincing. "Hey Sarah, I met your husband Mike at the trade show last week. Can you process this invoice?"

Red flags: Be cautious what you share publicly. Limit personal details on professional profiles. Train staff that public info can be weaponized.

How to Protect Your Business

Create a Security Culture

Train everyone, repeatedly - Security awareness isn't one-and-done. Cover new scams quarterly.
Make reporting safe - Employees should report suspicious contacts without fear of looking stupid. The person who reports saves the company.
Simulate attacks - Send fake phishing emails to test awareness. Make it a learning opportunity, not punishment.
Establish verification procedures - Any financial request over $X requires verbal confirmation. Any bank change requires callback to known number.

Technical Protections

Email filtering - Use a service that scans for phishing and malware
Multi-factor authentication - Even if credentials are stolen, attackers can't log in
Separate accounts - Admin accounts shouldn't be used for email and web browsing
Call verification - For any unusual request, call back on a known number

Red Flags Checklist

Urgency - "This must be done TODAY"
Secrecy - "Don't tell anyone about this"
Authority pressure - "The CEO needs this NOW"
Unusual payment methods - Gift cards, Bitcoin, wire transfers
Changes to established procedures - "Use this new bank account"
Too good to be true - Free stuff, huge returns, lottery wins
Fear - "You'll be arrested" or "Your account will be closed"
Requests for passwords or sensitive data
Pressure to bypass normal processes

The Golden Rule

When in doubt, verify through a different channel. Got a suspicious email? Call them. Got a suspicious call? Hang up and call the official number. Never use contact info provided by the person you're trying to verify.

Real Scams That Got Real People

These aren't hypotheticals. These are documented schemes that have cost people their savings, their businesses, and their sanity.

Why this section exists

Reading about real cases makes scams feel less abstract. When you see the actual emails, the actual dollar amounts, you're more likely to pause when something similar lands in your inbox.

The Sextortion Email

The scam: Email claims to have video of you "enjoying" adult websites, recorded through your webcam. Demands Bitcoin payment or they'll send the video to your contacts. Often includes an old password of yours (from previous data breaches) to seem credible.

What the email looks like

Subject: Your password is [actualoldpassword] - I know what you did

I know [actualoldpassword] is one of your passwords. You don't know me but I know you very well.

I placed malware on an adult video site and you visited it. While you were watching, your webcam recorded you. I also have your contact list from Facebook, email, and phone.

If you want me to delete everything, send $1,900 in Bitcoin to: [wallet address]

You have 48 hours. If I don't receive payment, I will send the video to all your contacts. If you need proof this is real, reply "Yes" and I'll send it to 10 of your contacts.

Don't bother contacting police. I'm untraceable.

Why it works: The old password is real (harvested from LinkedIn, Adobe, or other breaches). This makes victims think the rest must be real too. Shame and fear prevent people from asking for help.

The reality: There is no video. They don't have webcam access. They're sending millions of these emails hoping a small percentage pay. The password is from a public breach database.

What to do: Delete it. Change that password if you're still using it anywhere. They have nothing. The FBI's IC3 received 18,000+ reports of this scam in a single year.

Source: FBI IC3 Public Service Announcement

The $121 Million Google/Facebook Invoice Scam

The scam: A Lithuanian man sent fake invoices to Google and Facebook, impersonating a legitimate hardware vendor (Quanta Computer) that both companies used. Over two years, he invoiced them for computer equipment that was never delivered.

What happened: Both tech giants - companies with massive security teams - paid the invoices. Google paid approximately $23 million. Facebook paid approximately $98 million. The money was wired to bank accounts in Latvia, Cyprus, and other countries controlled by the scammer.

Why it worked: The invoices looked exactly like real ones from a real vendor. The scammer registered a company in Latvia with the same name as the real vendor. He created email accounts that mimicked real employees. Nobody called to verify.

The aftermath: Evaldas Rimasauskas was arrested in 2017, extradited to the US, pleaded guilty, and was sentenced to 5 years in prison. Both companies recovered most of the money by tracing the bank accounts.

The lesson: If Google and Facebook can be fooled by fake invoices, so can your business. Verify banking details by phone before large transfers. Always.

Source: US Department of Justice Press Release

Pig Butchering (Sha Zhu Pan)

The scam: Named after the practice of fattening a pig before slaughter. Scammers build relationships over weeks or months - often romantic - before introducing a "great investment opportunity" in crypto. Victims are groomed to invest larger and larger amounts.

How it works:

Contact: Random text ("Hey! Is this Jessica?"), dating app match, LinkedIn connection, or WhatsApp message
Relationship building: Weeks of friendly conversation, sharing life details, building trust
The hook: Casually mention making money with crypto trading. Show screenshots of profits.
Small investment: Victim invests small amount on a fake platform. It shows gains. They can even withdraw small amounts to build trust.
Bigger investments: Encouraged to invest more. Platform shows massive returns.
The slaughter: When victim tries to withdraw, they're told to pay "taxes" or "fees" first. Or the platform simply disappears.

The scale: The FBI reported $3.3 billion in losses from crypto investment scams in 2022 alone. Individual victims have lost millions. Many scam operations are run by trafficking victims forced to work in compounds in Southeast Asia.

Real victim quote: "I thought I was helping my girlfriend invest. I put in $750,000 - my retirement, my kids' college funds. The platform showed $4 million in profits. When I tried to withdraw, they said I owed $380,000 in taxes first. That's when I realized it was all fake."

Source: FBI IC3 2022 Internet Crime Report

The Geek Squad / Norton Renewal Scam

The scam: Email claims your Geek Squad or Norton subscription has auto-renewed for $399.99 (or similar). Includes a phone number to call "if you didn't authorize this charge."

What the email looks like

Subject: Your Geek Squad subscription has been renewed - $399.99

Dear Customer,

Thank you for renewing your Geek Squad Total Protection subscription.

Amount: $399.99
Transaction ID: GS-2024-8847291
Date: [today's date]

This amount will be debited from your account within 24 hours.

If you did not authorize this transaction, please call our billing department immediately:

+1 (888) XXX-XXXX

Best regards,
Geek Squad Billing Team

What happens when you call: A "support agent" offers to refund you but needs remote access to your computer. They pretend to process a refund but "accidentally" transfer $3,999 instead of $399. They act panicked, say they'll lose their job, and beg you to send back the difference via gift cards or wire transfer. The "extra money" was never actually transferred - they just edited the HTML on your bank's webpage while screen sharing.

Why it works: Targets older adults who may have actually used Geek Squad. The urgency of a charge you didn't authorize makes people call. Once scammers have remote access, they control what you see.

Real case: In 2023, an 80-year-old woman in Ohio lost $25,000 to this scam. She called the number, allowed remote access, and sent gift cards to "return" the fake overpayment.

Source: FTC Report on Business Impersonation Scams

The "Hi Mom" / "Hi Dad" WhatsApp Scam

The scam: Text from unknown number claims to be your child: "Hi Mom, I broke my phone. This is my new number. Can you save it?" Follows up with an urgent request for money.

How the conversation goes

Scammer: Hi Mom! I dropped my phone in the toilet and it's completely dead. This is my temporary number. Save it!

Mom: Oh no! Is this Sarah?

Scammer: Yes it's me! Such bad timing. I need to pay my rent TODAY and I can't log into my banking app on this borrowed phone. Could you transfer £2,500 and I'll pay you back Friday when I get paid?

Mom: Of course honey, what's the account?

Scammer: Thanks Mom you're the best! Send it to: [scammer's account details]

Why it works: Parents want to help their kids. The phone explanation prevents the obvious "why didn't you call me?" question. The urgency (rent due TODAY) prevents careful thinking.

The scale: UK Finance reported £1.5 million lost to this scam in the first half of 2022 alone. Australia reported $7.2 million AUD in losses.

What to do: ALWAYS verify by calling your child's actual number (or another family member). Ask a question only they would know. Establish a family code word for emergencies.

Source: UK Finance Fraud Report

SIM Swapping

The scam: Attacker convinces your mobile carrier to transfer your phone number to their SIM card. They now receive all your calls and texts - including 2FA codes.

How it works:

Attacker gathers your personal info (from social media, data breaches, or social engineering)
Calls your carrier pretending to be you: "I lost my phone, need to activate my new SIM"
Provides enough personal details to pass security questions
Your phone loses service. Their phone now has your number.
They request password resets, receive the SMS codes, and take over your accounts

Real case - Jack Dorsey: In 2019, Twitter CEO Jack Dorsey's Twitter account was hijacked via SIM swap. Attackers posted offensive content from his account. If Twitter's CEO isn't safe, neither are you.

Real case - $400,000 crypto theft: In 2018, a California investor lost $400,000 in cryptocurrency after attackers SIM-swapped his phone and drained his Coinbase account. He sued his carrier.

Protection:

Set up a PIN/password with your carrier that's required for any account changes
Use authenticator apps instead of SMS for 2FA
Consider Google Voice number for sensitive accounts (harder to SIM swap)
Some carriers offer "port freeze" - enable it

Source: KrebsOnSecurity: The Allure of the SIM Swap

The Recovery Room Scam (Scamming the Scammed)

The scam: After you've been scammed, you're contacted by someone claiming they can recover your money - for a fee. They might claim to be lawyers, investigators, or a government agency. They take your fee and disappear.

How they find you: Scammers share victim lists. If you lost money to one scam, your name is sold to recovery scammers. Or they find victims posting in Facebook groups seeking help.

Real example: Victims of the Binary Options scam were later contacted by "recovery agents" who promised to retrieve funds. Victims paid $5,000-$30,000 in "legal fees" and "processing costs." The recovery company was run by the same people who ran the original scam.

The pattern:

"We've identified your funds and can recover them"
Upfront fee required for "legal work" or "processing"
Pressure to act fast before the "window closes"
Once paid, they need more fees for "taxes" or "unforeseen complications"
Eventually stop responding

The reality: Legitimate recovery is extremely rare. Government agencies don't charge fees. Most lost crypto and wire transfers are unrecoverable. Anyone promising guaranteed recovery is almost certainly scamming you again.

Source: CFTC Advisory on Recovery Room Scams

QR Code Scams (Quishing)

The scam: Malicious QR codes placed over legitimate ones, in phishing emails, or on flyers. Scanning takes you to a fake site that steals credentials or installs malware.

Real examples:

Parking meters: Scammers placed stickers with fake QR codes on parking meters in Austin, Houston, and San Antonio. Scanning led to a fake payment site that stole credit card info.
Restaurant menus: Fake QR codes placed over legitimate menu codes at restaurants led to phishing sites.
Package deliveries: Fake "missed delivery" notices with QR codes to "reschedule" that lead to credential theft.
Crypto ATMs: Scammers place QR codes directing payments to their wallets instead of the machine.

The danger: QR codes obscure the URL. You can't see where you're going before you scan. On mobile, URLs are often truncated, making fakes harder to spot.

Protection: Preview URLs before opening (most phone cameras show the URL). Be suspicious of QR codes in emails. Verify physical QR codes aren't stickers placed over originals. Use official apps rather than scanning codes for payments.

Source: FBI San Antonio Warning on Malicious QR Codes

The Brushing Scam (Why You Got That Random Amazon Package)

The scam: You receive packages you never ordered - often cheap items from Amazon or other retailers. There's no return address or invoice.

What's actually happening: Sellers (usually Chinese third-party sellers) have your name and address from data breaches. They ship cheap items to you, then post fake "verified purchase" reviews using your name to boost their product ratings.

Why it matters:

Your personal info is in criminal hands
Your name may be used for fake reviews (potentially fraud)
More concerning: sometimes this is a precursor to identity theft

Newer twist: Some packages now include QR codes urging you to scan to "register your warranty" or "claim your gift" - leading to phishing sites.

What to do: Report to the retailer. Change your passwords. Monitor credit reports. Don't scan any QR codes in the package.

Source: Better Business Bureau: Brushing Scams

Business Impersonation: Domain Spoofing

The scam: Attackers register domains nearly identical to legitimate businesses (paypa1.com instead of paypal.com, arnazon.com instead of amazon.com) and send emails or create login pages that look exactly like the real thing.

Real case - Ubiquiti Networks ($46.7 million): In 2015, the network equipment company was defrauded of $46.7 million. Attackers impersonated executives via email, using look-alike domains, and convinced the finance department to wire funds to overseas accounts controlled by the attackers.

Techniques used:

Homograph attacks: Using characters from other alphabets that look identical (Cyrillic "а" vs Latin "a")
Typosquatting: micros0ft.com, googIe.com (capital I instead of l)
Subdomain tricks: paypal.com.malicious-site.com
Added words: paypal-security.com, amazon-support.com

Protection: Never click links in emails. Type URLs directly. Use bookmarks. Verify the domain letter by letter on financial sites. Look for the padlock but understand that scam sites can have HTTPS too.

Source: KrebsOnSecurity: Ubiquiti $46M Cyberheist

The Gift Card Ecosystem

Why every scam ends with gift cards:

Untraceable - no ID required to redeem
Instant - funds available immediately
Global - can be redeemed from anywhere
Non-reversible - once the code is used, money is gone
Convertible - gift card codes can be sold for cash or crypto

The numbers: The FTC reported $228 million lost to gift card scams in 2022. The most requested cards: Google Play, Apple, eBay, and Steam.

The rule: No legitimate business, government agency, or employer will ever ask for payment in gift cards. Not the IRS. Not tech support. Not your boss. Not publishers clearing house. EVER.

If someone asks you to pay in gift cards, it is a scam. Full stop.

Source: FTC Data Spotlight: Gift Card Scams

The Romance Scam Industrial Complex

The scale: The FBI reported $739 million in romance scam losses in 2021. That's just what's reported - actual losses are estimated at several times higher. Many victims are too embarrassed to report.

Who gets targeted: Mostly people over 40 (60% of losses), but all ages are victims. Educated, intelligent people fall for these scams. It's not about being stupid - it's about being human.

The infrastructure: Many romance scams are run by organized crime operations with:

Scripted conversations and psychological training
Shifts of operators working the same "character"
Stolen photos (often from Instagram influencers or military personnel)
Backstory documents (fake passports, military IDs)
Professional money laundering networks

Real victim stories:

A 75-year-old widow sent $661,000 to an "engineer" she met on Words With Friends
A nurse lost $1.4 million to a "doctor" working overseas
A man lost his entire $200,000 retirement to a "woman" who was actually a team of scammers in Nigeria

The forced labor connection: Many scam operations in Southeast Asia use trafficking victims - people lured with fake job offers, held captive, and forced to run scams. The FBI is investigating these operations as human trafficking.

Source: FBI IC3 Annual Report, ProPublica Investigation

What All These Scams Have in Common

The patterns repeat:

Urgency - Act NOW or face consequences
Secrecy - Don't tell anyone about this
Unusual payment - Gift cards, crypto, wire transfer
Too good to be true - Free money, huge returns, perfect partner
Fear - Arrest, embarrassment, loss
Authority - Government, tech company, your boss

Learn these patterns. When you feel urgency, fear, or excitement pushing you to act fast - that's exactly when you should SLOW DOWN.

If you've been scammed

Report to FBI's IC3 (US) or your country's equivalent
Report to the FTC
Contact your bank immediately - some transfers can be reversed if caught quickly
Don't be ashamed - smart people fall for scams. Reporting helps catch criminals and warn others.
Beware of "recovery" scammers who will target you next

How to Read a URL (Your First Line of Defense)

Learning to decode URLs takes 5 minutes and can save you from 90% of phishing attacks. This is the single most important skill for staying safe online.

The Anatomy of a URL

Every URL has parts. The only part you can trust is the domain. Everything else can be set by anyone.

https://mail.google.com/inbox?compose=new#section

https:// Scheme - secure connection (good!)
mail Subdomain - ⚠️ Anyone who owns the domain can create any subdomain
google.com Domain - ✅ THE ONLY PART YOU CAN TRUST
/inbox Path - ⚠️ Can say anything
?compose= Query - ⚠️ Can contain any data
#section Fragment - ⚠️ Can say anything

The Golden Rule: Read the URL from right to left, finding the domain first. Everything to the LEFT of the domain (subdomains) can be anything. The domain is what's directly before the TLD (.com, .org, etc).

Scam URLs Decoded

Let's look at real-world scam URL patterns:

1. The Subdomain Trick

www.paypal.com.secure-login.ru/signin

The trick: "paypal.com" is just a subdomain! The real domain is secure-login.ru (a Russian site)

2. The Look-alike Domain

https://www.arnazon.com/gp/css/order-history

The trick: "arnazon" with an "rn" looks like "amazon" with an "m". Also watch for: paypa1.com (with a 1), micros0ft.com (with a zero), faceb00k.com

3. The Path Deception

https://scammer-site.com/https://www.bankofamerica.com/login

The trick: The real URL is in the path! The actual domain is "scammer-site.com" - everything after the first "/" is just the page path

4. The Hyphen Confusion

https://www.wells-fargo-online-banking.com/signin

The trick: Real companies rarely have hyphens in their domain. Wells Fargo's real site is wellsfargo.com

5. The Extension Swap

https://www.chase.com.de/secure/login

The trick: ".com.de" is actually a subdomain of ".de" (Germany). The real domain is "chase.com.de" - which is NOT Chase bank

Punycode: The Invisible Threat

This is advanced, but important to know exists. International characters can be used in domains, but they get converted to "punycode" - ASCII characters starting with "xn--".

The Cyrillic letter "а" (U+0430) looks identical to the Latin "a" but is a different character. A scammer could register:

аpple.com ← uses Cyrillic "а"
apple.com ← uses Latin "a"

Modern browsers now display suspicious international domains in punycode format (xn--pple-43d.com) to warn you, but older browsers may not. When in doubt, type the address yourself rather than clicking links.

The Safe URL Checklist

Find the domain first - Read right-to-left from the TLD (.com, .org, etc)
Check spelling carefully - Letter by letter, especially for financial sites
Hover before clicking - See where a link really goes before you click
When in doubt, navigate manually - Type the address yourself or use a bookmark
Subdomains prove nothing - "bankofamerica.scammer.com" belongs to scammer.com
HTTPS proves nothing - Scam sites can have SSL certificates too
Don't trust email links for sensitive actions - Log in directly to check your account

Red Flags in URLs:

Misspellings (arnazon, paypa1, goggle)
Extra words (paypal-secure.com, amazon-support.com)
Unusual TLDs for major companies (.ru, .info, .xyz, .top)
IP addresses instead of domain names (192.168.1.1)
Extremely long URLs with lots of random characters
URL shorteners (bit.ly, tinyurl) in emails - what are they hiding?

Practice: Which URLs Are Safe?

Test yourself:

login.microsoft.com.account-verify.net/signin
https://www.amazon.com/gp/css/order-history
mail.google.com/mail/u/0/#inbox
support-apple.com/icloud/verify

Show Answers

❌ SCAM - Domain is "account-verify.net", not Microsoft
✅ SAFE - Domain is "amazon.com"
✅ SAFE - Domain is "google.com", "mail" is a legitimate subdomain
❌ SCAM - Domain is "support-apple.com", not "apple.com"

The Essential Security Checklist

Print this. Do these things. Revisit quarterly.

Critical (Do These First)

Password manager installed and in use
2FA enabled on email accounts
2FA enabled on domain registrar
2FA enabled on hosting account
Recovery codes saved offline (printed)
Backup email on different provider than primary

Important

Unique passwords for all accounts (via password manager)
Domain registrar lock enabled
Checked Have I Been Pwned for your emails
Google Security Checkup completed (if using Google)
Removed unused apps/services with account access
Website has valid SSL certificate (check via SSL Labs)

Computer & Browser Security

Reviewed browser extensions - removed unnecessary ones
Checked extension permissions - none have "read all data on all websites" unnecessarily
Using a separate browser profile for banking (no extensions)
Operating system auto-updates enabled
Browser auto-updates enabled
Full-disk encryption enabled (BitLocker/FileVault)
Router default password changed
Home Wi-Fi using WPA2 or WPA3 (not WEP)
3-2-1 backup strategy in place (3 copies, 2 media types, 1 offsite)
Know how to recognize phishing emails

Social Engineering Defense (For Teams)

Verification policy: financial requests over $X require phone callback
Bank change policy: vendor banking updates require verification via known number
Team trained on phishing, vishing, and BEC scams
Clear process for reporting suspicious emails/calls (no shame)
Visitor policy: unknown visitors escorted, ID verified
No one has authority to bypass verification procedures
Payroll/HR changes require in-person or phone verification
Staff know: IT will never ask for passwords

For WordPress Sites

WordPress core is up to date
All plugins are up to date
Unused themes/plugins deleted
Admin username is not "admin"
2FA plugin installed for WordPress login
Automatic backups configured and tested
Security plugin installed (Wordfence or similar)

Ongoing (Quarterly Review)

Review accounts with access to your services
Export/backup important data (Google Takeout, etc.)
Review login history on critical accounts
Update recovery phone/email if changed
Run security scans on your website
Review and revoke unused API keys/tokens
Audit browser extensions - remove any you don't actively use
Check for and install OS/software updates
Verify backups are working (test restore)

Time investment: Initial setup takes 1-2 hours. Quarterly review takes 15 minutes. This prevents disasters that take weeks to fix.

Quick Reference: Key URLs

Password breach check	haveibeenpwned.com
SSL certificate check	ssllabs.com/ssltest
Security headers check	securityheaders.com
Google security settings	myaccount.google.com/security
Google data export	takeout.google.com

You're Protected!

You've learned the essentials of online security. Now put them into practice.

Key Takeaways

Password manager + 2FA = protected from most attacks
Don't put all eggs in Google's basket = protected from lockouts
Keep things updated = protected from known vulnerabilities
Regular backups = protected from disasters

Your Action Items

Install a password manager (Bitwarden is free)
Enable 2FA on your email today
Check Have I Been Pwned for your emails
Save this checklist and review it quarterly

Security is a habit, not a destination

Perfect security doesn't exist, but good habits dramatically reduce your risk. Set a calendar reminder to review this checklist every 3 months.