The first time I got malware on my laptop, I was still in school, used USB tethering to connect to the internet, and was intrigued by the idea of “free software.” I made up a “my dog ate my homework” story to explain to my parents why my laptop was acting weird. They obviously didn’t buy it (took my laptop for two weeks), but fixed it with a clean Windows 7 install.
14 years and five computers later, I haven’t had a single malware issue because of the simple security hygiene I religiously follow. Not visiting shady websites remains the most effective trick, but it’s not the only one that matters.
Think twice before you click “Download”
Free software isn’t always free
Not being smart about what I downloaded was the reason I got malware. The allure of free premium software on forums where people share “cracked” programs was too strong to resist. That “free” tool might work, but it’ll also turn your computer into someone else’s bitcoin mining rig.
Ideally, you should only download software from the official websites, verified GitHub repositories, or the Windows Store, and always take a second before clicking any download button. If it’s premium software but someone’s offering it free on a random forum, it likely has malware bundled in.
If you can’t afford to pay for the app, there are some great, legitimate free alternatives available for almost every tool you can download for the Windows platform. For example, you can use LibreOffice instead of pirated Office; GIMP is an excellent alternative to Photoshop, and there are several ways to find quality free video games to play.
Keep your antivirus up to date
Windows Security has excellent built-in protection against malicious apps
Whether you rely on Windows Security alone or prefer a third-party antivirus for additional features, keeping your antivirus definitions updated is important to keep your PC protected.
Even if you accidentally download something sketchy, a properly configured Windows Security tool can often block or quarantine malicious files before they run. Windows Security checks files against Microsoft’s massive database of threats, blocks malware techniques that try to exploit your system, and can restrict untrusted apps from executing.
Unlike third-party antivirus programs, Windows Security comes pre-installed on your Windows PC, updates itself automatically, and doesn’t slow down your computer with constant scans and pop-ups. For most people practicing safe browsing habits, these built-in security features are all you need.
Always be skeptical about email attachments
Verify links, images, and attachments
The only phishing email that spooked me was a PayPal scam. It landed in my inbox with perfect PayPal branding and claimed a new address had been added to my account.
Instead of panic-clicking the review link, I compared the sender’s address to old PayPal emails. The fake one was sent from “[email protected]”, which screams fake if you pause and analyze it.
However, phishing attacks go beyond suspicious links. QR codes in fake invoices steal credentials, and even PDFs embed scripts or fake DocuSign prompts that ask for passwords.
To protect yourself, turn off automatic image loading; legitimate emails rarely break without it. Never open unexpected attachments, even from familiar addresses. Take five minutes to verify through a text or a call to make sure it’s not an impersonation scam.
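The sender comparison described above, written out as an added example (not part of the original article): it checks whether the From domain belongs to the brand the message claims, then whether the receiving server's DMARC verdict backs it up. The sample messages are constructed, and trusting the Authentication-Results header assumes your own mail provider stamped it.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages; addresses and hosts are illustrative only.
LOOKALIKE = ('From: "PayPal Service" <notice@paypal-alerts.example>\n'
             "Authentication-Results: mx.mailhost.example; dmarc=pass\n"
             "Subject: A new address was added\n\nReview now\n")
GENUINE = ('From: "PayPal" <service@paypal.com>\n'
           "Authentication-Results: mx.mailhost.example; dmarc=pass\n"
           "Subject: Receipt\n\nThanks\n")
FORGED = ('From: "PayPal" <service@paypal.com>\n'
          "Authentication-Results: mx.mailhost.example; dmarc=fail\n"
          "Subject: A new address was added\n\nReview now\n")

def dmarc_result(msg):
    """Return the dmarc= verdict stamped by the receiving server, or 'none'."""
    for header in msg.get_all("Authentication-Results", []):
        found = re.search(r"\bdmarc=(\w+)", header, re.I)
        if found:
            return found.group(1).lower()
    return "none"

def assess(raw, brand_domain):
    """Classify a message that presents itself as coming from brand_domain."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    brand = brand_domain.split(".")[0]
    if domain != brand_domain and not domain.endswith("." + brand_domain):
        # Brand name shown to the reader, but mail sent from another domain.
        # DMARC can still pass here: it only vouches for the sender's own domain.
        if brand in display.lower() or brand in domain:
            return "impersonation"
        return "unrelated"
    # The From header is forgeable, so a matching domain needs a DMARC pass too.
    return "authenticated" if dmarc_result(msg) == "pass" else "unverified"

if __name__ == "__main__":
    for name, raw in (("lookalike", LOOKALIKE), ("genuine", GENUINE), ("forged", FORGED)):
        print(name, "->", assess(raw, "paypal.com"))
```

Even an "authenticated" result only says the mail came from that domain, so an unexpected attachment still deserves the out-of-band check.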
Avoid using a public network without a VPN
Public Wi-Fi is a hacker’s playground
Public Wi-Fi at airports, hotels, cafés, and libraries leaves your data exposed. Anyone with basic tools can intercept passwords, emails, credit card numbers, and even real-time typing on the same network. These networks prioritize convenience over security.
While many public Wi-Fi networks use encryption (WPA2/WPA3), this doesn’t protect you from other users on the same network who can potentially intercept your traffic. Even on encrypted networks, malicious actors can exploit these systems. Cybercriminals also set up fake hotspots with legitimate-sounding names like “Free_Airport_WiFi” or “Hotel_Guest_Network” to steal information from anyone who connects.
Avoid public Wi-Fi when possible by using safer alternatives, like your phone’s hotspot or mobile data. If you absolutely must connect to public networks, always use a VPN to create an encrypted tunnel for your data.
Additionally, stick to HTTPS sites and avoid accessing banking or other sensitive accounts entirely—even with a VPN, it’s better to wait until you’re on a trusted network for critical activities.
Keep your Windows PC updated
Security patches fix the loopholes in the OS
Those annoying Windows updates that force you to restart are patching security vulnerabilities that criminals actively exploit. When Microsoft releases a security patch, attackers reverse-engineer it to find the vulnerability, then scan for computers that haven’t updated yet.
The only time you can safely skip security updates is if your PC never connects to the internet. For everyone else, set Windows Update to install security patches automatically. Feature updates can wait if you’re worried about bugs, but security patches are non-negotiable. Every day you postpone them, you’re risking running software with known vulnerabilities that anyone can exploit.
Don’t repeat passwords and go passwordless
Also, enable 2FA for sensitive accounts
Using the same password everywhere means one breach compromises all your accounts. Attackers use credential stuffing—automatically trying stolen passwords across multiple sites, knowing most people reuse the same email and password combination everywhere.
Where possible, ditch passwords entirely and switch to passkeys. These use your device’s biometric security to create unique cryptographic keys for each site. Unlike passwords, passkeys can’t be phished, stolen, or reused—someone would need physical access to both your device and your fingerprint.
For sites without passkeys, use a password manager to generate unique passwords for each account. Add two-factor authentication to anything involving money or personal data. Even if your password gets leaked, attackers can’t log in without the second factor—whether that’s a TOTP code from an authenticator app or a hardware security key.
There are no tricks, just simple security hygiene
I’ve kept my devices clean for 14 years by doing the same boring things: downloading software from official sites, keeping everything updated, double-checking emails before clicking, using a VPN on public Wi-Fi, and not reusing passwords.
That’s it. No special tools or technical knowledge. Just the same basic habits, every time. The malware I got in school was enough of a lesson—I haven’t needed another one since.