The Accounts You Need To Secure Before Everything Else


A friend of mine lost access to her entire digital life in about forty minutes. She wasn't hacked by a sophisticated criminal. Someone just called her phone carrier, pretended to be her, and got her number transferred to a new SIM. From there, they reset her email. From her email, they got into her bank. It was over before she even noticed her phone had gone silent.

What she didn't realize — and what most people don't — is that a few specific accounts sit at the top of a hierarchy. Compromise one of them, and everything else falls like dominoes. Protect them well, and the rest of your digital life becomes dramatically harder to reach.


Your Email Account Is the Master Key

Every "forgot my password?" link goes to your inbox. This makes your primary email account the single most dangerous thing an attacker can own. It's not just a communication tool — it's a recovery mechanism for almost everything else you use.

The fix here is non-negotiable: turn on two-factor authentication (2FA), but use an authenticator app, not SMS. Text-message codes can be intercepted or redirected through the kind of SIM swap attack that hit my friend. Apps like Google Authenticator or Authy generate codes locally on your device, which is a meaningfully different security model.

Use a strong, unique password — one you've never used anywhere else. If you've had the same email password for five years, change it today.


Your Phone Number Is More Powerful Than You Think

Here's the counterintuitive part most articles skip entirely: your phone number is probably your weakest security link, even though it feels like a security tool.

When companies send you a verification code via text, they're treating your phone number as proof of identity. But phone numbers can be hijacked — through SIM swaps, through SS7 protocol exploits, through social engineering at a carrier store. According to the FTC, SIM swap scams have caused substantial financial losses, and carriers have been slow to implement effective safeguards.

The actionable step: call your carrier and ask if they offer a "port freeze" or a "SIM lock" that requires a PIN before any changes can be made to your account. Most carriers offer this. Almost nobody uses it.


Your Password Manager

If you don't use a password manager, you're almost certainly reusing passwords. And password reuse is how most account takeovers actually happen in practice — not through Hollywood-style hacking, but through credential stuffing: attackers take a leaked password from one breach and try it everywhere else.

According to Have I Been Pwned, billions of credentials from past breaches are freely available to anyone who wants them. Your old LinkedIn password from 2012 is probably in a database somewhere.

A password manager like Bitwarden (free) or 1Password lets you use a unique, random password for every account without memorizing any of them. Protect the manager itself with a strong master password and an authenticator app — not SMS.


Your Apple ID or Google Account

These accounts control your phone backups, your photos, your app purchases, and often your physical device itself. If someone gets into your Apple ID, they can locate your devices, wipe them, or lock you out entirely. Google account access means access to Gmail, Drive, Photos, and potentially your Android phone.

Enable 2FA on both. For Apple, also set up a Recovery Key — it's an option in your account settings that disables the standard account recovery process, which has been abused by attackers in the past.


Your Financial Accounts — But Not the Ones You're Thinking Of

Most people worry about their bank. Banks are actually relatively well-defended, and they have fraud protection and chargebacks. The accounts that actually matter more are the ones that feed into your financial life: your primary email (already covered), your phone number (covered), and — critically — your brokerage or investment accounts.

Brokerage accounts often have weaker consumer protections than banks. Wire transfers from investment accounts can be harder to reverse. Prioritize these alongside your bank, not after.


The Honest Limitation

Here's where I have to be straight with you: even if you do all of this perfectly, you're still not immune. Some attacks target the institutions themselves rather than you individually. Data breaches happen at companies with no fault on your part. And the social engineering problem — a convincing phone call, a fake email — exploits human psychology in ways that technical controls don't fully solve.

What good security hygiene actually does is raise the cost of attacking you high enough that most opportunistic attackers move on to easier targets. It doesn't make you invincible. The goal is to not be the easiest person in the room to rob.


Sources:

  • FTC — SIM Swap Scams
  • Have I Been Pwned