Digital security: what it is and how to stay safe online

Resposta direta

Digital security is the set of practices, technologies and behaviors that protect people and organizations against online threats — such as password theft, phishing scams, viruses, account takeover and personal data leaks. It ranges from choosing strong passwords and two-factor authentication to spotting scam attempts and protecting privacy under the General Data Protection Law (LGPD). No one is immune to digital threats, but simple, verifiable behaviors drastically reduce the risk.

Principais conclusões

  • A strong, unique password for each service is the foundation of digital security — use a password manager to handle them without cognitive overload.
  • Enable two-factor authentication (2FA) on all critical services: email, banking, WhatsApp and social media. Authenticator apps are more secure than SMS.
  • Phishing is the most common attack vector in Brazil. Never click links received by WhatsApp or email without verifying the real domain; always access services through the app or by typing the address directly.
  • Infostealers and fake browser extensions silently steal saved passwords. Install extensions only from the official store and never download software from unverified sources.
  • Your personal data is protected by the LGPD. Periodically check whether your email has appeared in leaks using haveibeenpwned.com and revoke permissions for apps that do not need your data.
  • An individual's digital security directly impacts the company they work for. Never reuse corporate passwords on personal services and report any suspicious message received on work channels.

What digital security is and why it matters day to day

Digital security is not a subject reserved for technical people or large companies. It is a set of habits and tools that anyone can — and should — adopt to protect their bank accounts, social media, email, documents and private conversations. In a world where most financial transactions, work communications and personal records pass through a phone or a computer, leaving those environments unprotected is the equivalent of walking through a crowd with your wallet open.

The numbers help put the problem in perspective. CERT.br (the Brazilian National Computer Emergency Response Team) recorded more than 1.3 million incident notifications in 2023, with fraud and scanning attacks being the most frequent categories. Brazil is consistently one of the countries with the highest volume of banking app scams and WhatsApp account takeovers in the world. Every incident has a real cost: money stolen, photos leaked, reputation destroyed, time lost trying to regain access.

The good news is that most successful attacks exploit predictable and correctable behaviors — weak passwords, clicks on suspicious links, outdated apps, the absence of two-factor authentication. This means that protecting yourself digitally does not require advanced knowledge: it requires consistency on the fundamentals. This guide walks through each of them in a practical way.

Strong passwords and password managers: the foundation of everything

The password is still the main access key to almost everyone's digital life, and it is still systematically misused. NordPass's annual report on the most common passwords in Brazil reveals that '123456', 'brasil' and variations with first names followed by numbers top the lists — patterns that automated brute-force tools crack in seconds. Reusing the same password across multiple services is equally dangerous: a single data leak at a smaller site automatically compromises email, banking and social media.

A strong password has at least 16 characters, combines uppercase and lowercase letters, numbers and symbols, and does not form real words or dates. The problem is human: no one memorizes dozens of long, unique passwords. The solution recommended by CERT.br and by most security agencies around the world is to use a password manager — apps such as Bitwarden (free and open source), 1Password or KeePassXC that store all passwords encrypted in a vault accessed by a single strong master password. The user only needs to memorize one password; the manager takes care of the rest, including generating and filling in random, unique passwords for each service.

A practical tip for the master password: use a long phrase that makes sense to you but is unusual to anyone else. 'PinaColadaTime@John#3!' has far more entropy than 'Password123' and is easier to remember than a random sequence. Also set up biometric unlock in the manager — it does not compromise security and eliminates day-to-day friction.

Two-factor authentication (2FA/MFA): the second lock

Even with a strong password, a single authentication factor is insufficient. If the password is captured — through phishing, an infostealer or a database leak — the attacker gets in with no obstacle. Two-factor (2FA) or multi-factor authentication (MFA) requires a second proof of identity beyond the password, making access significantly harder even when the password is known to the attacker.

2FA methods vary in their level of security. SMS is better than nothing, but it is vulnerable to SIM swap — a scam in which the criminal convinces the carrier to transfer your number to a new SIM that they control. Authentication apps such as Google Authenticator, Authy or Microsoft Authenticator generate temporary codes (TOTP) that change every 30 seconds and are far more secure than SMS. The highest level of protection is physical security keys (FIDO2/WebAuthn) — devices such as YubiKey or Google Titan — and passkeys, which bind the credential cryptographically to the service's real domain. AiTM (adversary-in-the-middle) phishing kits can steal session cookies even with TOTP, but they cannot steal FIDO2 credentials because those do not work on fake sites.

Enable 2FA on every account that offers it, prioritizing: your main email (it is the master key to recover any other account), banking and brokerage, WhatsApp and Instagram, work email and corporate platforms. The activation process takes less than five minutes per service and reduces the risk of account takeover by more than 99% according to the Google Security Blog. Store your backup codes in a safe place — printed and kept physically, or in the password manager itself.

How to recognize phishing scams, WhatsApp scams and fake support

Phishing is the technique of deceiving a victim by impersonating a trusted person or brand to steal data or money. In Brazil, the most common scams include messages from banks asking to 'update your registration', fake charges from the DMV or the tax authority, fake promotions from large retailers and, above all, loan requests via WhatsApp pretending to be friends or family whose number has been cloned. Sophistication has increased with generative AI: fake messages and websites are now grammatically correct and visually identical to the originals.

Recognize the warning signs: artificial urgency ('your account will be blocked in 24h'), a request for information through an unusual channel (your bank does not call asking for your password), a link with a slightly wrong domain (e.g., bradesco-seguranca.com instead of bradesco.com.br), a request for a verification code that arrived on your phone — that code should never be shared with anyone, including someone claiming to be the carrier's support. When in doubt, close the channel that contacted you and access the service directly through the official app or the number on the back of your card.

Fake technical support scams are also growing: a pop-up window claims your computer is infected and displays a phone number. Call that number and a 'technician' will ask for remote access to your machine. Legitimate technology companies never contact you unsolicited to warn about viruses. If this kind of message appears, close the browser, do not call and, if necessary, restart the computer. The cartilha.cert.br documents each variant of these scams in detail with real examples.

Instagram, WhatsApp or email account hacked: what to do

Social media account takeover is one of the most frequent complaints at Brazilian digital crime units. The most common method is phishing via a fake link — the victim clicks, enters their login and password on a page identical to the original, and the attacker uses the credentials immediately. The second route is SIM swap to capture the WhatsApp verification SMS. Prevention comes down to the two previous pillars: a unique, strong password plus 2FA enabled.

If your account has already been hacked, act fast. On WhatsApp: reinstall the app and try to verify your number — this disconnects the intruder because WhatsApp only allows one device per number. If the two-step PIN was changed, use the 'Forgot PIN' option and wait for the recovery email (up to 7 days). On Instagram: go to instagram.com/accounts/password/reset, follow the recovery flow by email or SMS, and report the profile as compromised through the app itself. On Gmail or Outlook: use Google's or Microsoft's account recovery page, check forwarded emails and filter rules (attackers often set up automatic forwarding to keep reading your emails after recovery), and revoke all active sessions.

After recovering any account: change the password to a new and unique one, enable 2FA if it was not already active, review third-party apps with authorized access and revoke the unknown ones, and warn your contacts that you may have been compromised to prevent them from falling for scams sent in your name. File a digital police report at delegaciadigital.ssp.br (for São Paulo) or the equivalent in your state — this can help in cases of financial harm.

Viruses, malware, infostealers and fake browser extensions

Malware is the umbrella term for any software designed to cause harm or spy on the user. The most relevant type for individuals today is the infostealer — a program that runs silently in the background and collects passwords saved in the browser, session cookies, autofill data and even cryptocurrency wallets, sending everything to the criminal's server. Infostealers such as Redline, Raccoon and Lumma are sold as a service on underground forums for less than USD 200 per month, which makes them accessible to criminals with no technical skill.

The most common infection vectors are: downloading pirated or cracked software (the file installs the promised program along with the malware); fake browser extensions that mimic popular productivity tools, free VPNs or grammar checkers — a malicious extension has access to everything you see and type in the browser; fake sponsored ads on Google that appear above the organic result and lead to malicious downloads (malvertising); and phishing links that deliver a file disguised as a PDF, invoice or receipt.

The defenses: use only original and up-to-date software — the cost of a license is less than the loss from a bank account theft. Install browser extensions only from the official store (Chrome Web Store, Firefox Add-ons) and check the number of users, reviews and requested permissions before accepting. Keep your antivirus active — on Windows, Microsoft Defender is sufficient for home use when configured correctly. Do not save passwords directly in the browser; use a dedicated password manager. Periodic scans with tools such as Malwarebytes (free version) detect threats that the main antivirus may have missed.

Personal data protection and privacy: your rights under the LGPD

The General Data Protection Law (LGPD — Law 13.709/2018) grants Brazilians a series of rights over their personal data collected by companies and online services. You have the right to know what data a company holds about you, to request the correction or deletion of that data, to withdraw consent given previously and to be notified in the event of a leak affecting your rights. The ANPD (National Data Protection Authority) is the body responsible for enforcing the law and can be called upon in the event of a violation.

In practice, protecting your digital privacy starts with reviewing the privacy settings of social media and apps — most share data with third parties by default, and you need to go into the settings to restrict it. Avoid using 'Sign in with Google' or 'Sign in with Facebook' on unknown services: it creates a chain of access that can be exploited. Periodically review which apps have access to your camera, microphone, location and contacts — revoke those that do not need those features to work.

Personal data leaks happen even at large companies. Services such as HaveIBeenPwned (haveibeenpwned.com) let you check for free whether your email appears in leaked databases. If it does, change the password for that service immediately and check whether the same password was reused elsewhere. Registro.br maintains information on how to report Brazilian websites that misuse personal data.

Digital security at work: how the individual protects the company

The line between personal and corporate security is increasingly thin. Most successful attacks on companies start with an employee's personal account: the corporate email password reused on an online store profile that leaked, the work laptop infected by a personal download made at home, the personal WhatsApp compromised while holding conversations with clients and colleagues. According to the Verizon Data Breach Investigations Report 2024, more than 68% of breaches involve some human factor, including error and the use of stolen credentials.

Behaviors that protect the company you work for: never reuse corporate passwords on personal services; use corporate email only for work activities — a malicious link clicked in the professional inbox compromises the company's network; do not connect unmanaged personal devices to the internal network or corporate VPN without IT authorization; when using public Wi-Fi, do not access company systems without a VPN; and report to the security team any suspicious message received on work channels — even if you did not click on it. An incident reported in time can prevent it from becoming a breach.

Companies have a responsibility to provide the tools and training their employees need to be an effective line of defense rather than an attack vector. This includes a corporate password manager, mandatory MFA, periodic awareness training and controlled phishing simulations. The LGPD also holds companies accountable for the personal data of customers and employees — a leak caused by poor internal practice can result in ANPD sanctions and significant reputational damage.

When digital security needs a specialist: what Decripte does

There are situations in which good individual practices are not enough. A company that processes customer data, runs critical systems or has remote employees faces an attack surface that goes far beyond what any 'end-user' guidance can cover. This is the point at which digital security stops being a set of habits and becomes a managed discipline, with processes, technology and threat intelligence working in an integrated way.

Decripte is a Brazilian cybersecurity company that serves organizations of all sizes — from the business with a single employee to the corporation with more than one hundred thousand people — with services that include risk assessment, implementation of technical controls, incident response, penetration testing, continuous threat monitoring and compliance management for the LGPD and other regulatory frameworks. If you have reached this point looking to protect your own business, your company or the company you work for, the next step is a specialized technical assessment — not a checklist.

A company's digital security starts with the habits of each person in it. But it ends in processes, architecture and rapid response when something goes wrong. The two layers need to work together.

Passo a passo

  1. Install a free password manager such as Bitwarden and start migrating your passwords to it, creating long, unique passwords for each service as you log in.
  2. Create a strong master password for the manager using an unusual phrase of at least 20 characters with letters, numbers and symbols — and write it on paper kept in a safe place.
  3. Enable two-factor authentication on your three most critical services today: main email, banking and WhatsApp. Use an authenticator app (Google Authenticator or Authy) instead of SMS.
  4. Check whether your personal data has already been exposed in leaks by visiting haveibeenpwned.com with your email. For each compromised service, change the password immediately.
  5. Review the extensions installed in your browser: remove any you did not consciously install or that request excessive permissions. Also check the apps on your phone with access to camera, microphone and location.
  6. Set up automatic locking by PIN, password or biometrics on your phone and laptop with a short inactivity timeout (30 seconds to 2 minutes). Enable disk encryption — it is native on iPhone and recent Macs; on Android and Windows, check the security settings.
  7. Learn to recognize the three warning signs of a scam: artificial urgency ('your account will be blocked'), a request for a verification code by a third party (never share it) and a slightly wrong website domain in the browser bar. When in doubt, close the channel and access the service through the official app.

Perguntas frequentes

What is digital security in simple terms?

Digital security is the set of practices and tools that protect your accounts, devices and personal data online. This includes using strong passwords, enabling two-factor authentication, recognizing scams and keeping apps up to date. The goal is to ensure that only you access your information and that it is not stolen, leaked or used improperly.

How do I know if my phone or computer has a virus?

Common signs include: the device being slower than normal for no apparent reason, the battery draining much faster, apps opening on their own, unknown apps appearing, excessive ads outside browsers and unexpected charges on your bill. To confirm, run a scan with an up-to-date antivirus (Microsoft Defender on Windows, or Malwarebytes). In severe cases — especially on Android phones — a factory reset may be necessary after backing up your data.

My WhatsApp was cloned. What do I do now?

Reinstall WhatsApp and confirm your phone number — this automatically disconnects the intruder. If the two-step PIN was changed, use the 'Forgot PIN' option and wait for the recovery email (it can take up to 7 days). Warn your contacts that your account was compromised so they do not fall for scams. After recovering, enable the two-step verification PIN under Settings > Account > Two-step verification to prevent future takeovers.

How do I create a strong password that is easy to remember?

Use a phrase with at least four unrelated words, interspersing numbers and symbols. Example: 'Cat-Flew$3Islands'. Avoid names, birth dates and obvious sequences like '123'. To manage different passwords for each service without having to memorize them all, use a password manager such as Bitwarden (free) or 1Password. You only memorize a single strong master password; the manager handles the rest.

What is two-factor authentication and how do I enable it?

Two-factor authentication (2FA) is an extra layer of security that requires a second code — beyond the password — to access an account. Even if your password is stolen, the attacker cannot get in without that code. To enable it, go to the service's security settings (Google, Instagram, bank, etc.) and look for 'two-step verification' or 'two-factor authentication'. The most secure method is an authenticator app such as Google Authenticator or Authy — avoid SMS if possible.

How do I identify a fake website or online scam?

Check the website address in the browser bar — scammers create domains similar to the originals (e.g., mercadolivre-promo.com instead of mercadolivre.com.br). Prefer to access banks and stores by typing the address directly or through the official app, never through links received by email or WhatsApp. Be wary of offers with artificial urgency, impossible prices or unusual requests for personal data. The PROCON website and Reclame Aqui help verify a company's legitimacy.

My personal data was leaked. What do I do?

First, confirm the leak at haveibeenpwned.com by entering your email. If confirmed, immediately change the password for the affected service and for any other where you used the same password. Enable 2FA if it was not already active. Watch for phishing attempts using your personal information in the following weeks — criminals use leaked data to create personalized scams. If the data included financial information, monitor your bank statements and ask your bank to preemptively block suspicious transactions.

Is using public Wi-Fi safe?

Public Wi-Fi networks — at malls, airports, cafés and hotels — represent a real risk because anyone on the same network can intercept unencrypted traffic. Avoid accessing internet banking, corporate email or any sensitive service on open networks. If you must use one, enable a trustworthy VPN before connecting — it encrypts all traffic between your device and the internet. Always prefer to use your phone's mobile data (4G/5G), which is individual and encrypted by the telephony protocol itself.

Your company’s digital security starts here.

Decripte protects companies — from 1 to over 100,000 employees — with a complete security platform and services. See for free what has already leaked from your business in the free Threat Management plan, or explore the paid plans.