Protect yourself — practical checklist
The preventative checklist. Practical measures to close the most common attack vectors — sorted by effort, so you can start with the five-minute changes that close 80% of risk and add the longer items for higher-value accounts.
Five-minute changes (do these first)
Install a password manager
1Password, Bitwarden, Apple Keychain (free), or Google Password Manager (free). Spend an hour migrating your most important accounts. Stop reusing passwords. This single change closes more attack vectors than any other.
Enable 2FA on your email and your banking
Email is the recovery channel for everything else, so it's the highest-value target. Bank apps usually require 2FA already, but check that you're using an authenticator app rather than SMS where the app offers it.
Add a recovery email to your MyGovID account
If you ever lose access to the primary email on your MyGovID, the recovery email is what saves you from a multi-week recovery process. See forgot password.
Put a SIM port-out lock on your mobile number
Call your carrier (Vodafone, Three, Eir, GoMo) and ask them to require an in-store PIN for any SIM change. Closes the SIM-swap attack vector. 10-minute call.
Update your phone OS and apps
Most successful phishing attacks exploit known vulnerabilities that were patched months ago. Settings → General → Software Update.
30-minute audit (this weekend)
Take inventory of your accounts
Open your password manager (or your saved-passwords list). Walk through every account. Delete the ones you no longer use — every unused account is a soft target for a credential-stuffing attack later.
Check what email forwarding rules exist on your email account
Attackers often add hidden auto-forward rules to siphon copies of all email. Gmail: Settings → Filters and Blocked Addresses. Outlook: Settings → Mail → Forwarding.
Review the third-party apps connected to your Google / Microsoft / Apple ID
Old or unused app authorisations can become attack vectors. Revoke anything you don't actively use.
Set up a credit-report alert
Central Credit Register (centralcreditregister.ie) provides a free credit report once a year. Request it; check for accounts you don't recognise. Add to your calendar to repeat annually.
Take inventory of where your home address is stored
Online retailers, food-delivery apps, friend's-event-invitation systems. Where you can, replace home address with a parcel-locker or work address. Reduces the surface for doxing or in-person impersonation.
For higher-value accounts (banking, Revenue, MyGovID, work email)
- Use a hardware security key on accounts that support it (Google, Microsoft, GitHub). Yubikey or similar; about €40. Resists phishing in ways app-based 2FA can't.
- Set a unique, long password (20+ characters) — easily generated by a password manager. Don't reuse across accounts.
- Set up logging-in alerts wherever the platform offers them (Microsoft, Google, Apple, banking). You want a real-time notification of any new sign-in from a new device.
- Check the "active sessions" list monthly. Most platforms show you which devices are currently signed in; sign out any you don't recognise.
For phone-based risks
- Set a PIN on your SIM. Settings → Mobile/Cellular → SIM PIN.
- Set a strong device passcode (6+ digits or an alphanumeric password). Avoid the default 4-digit PIN.
- Enable Find My iPhone / Find My Device with the option to remotely wipe.
- Don't put your phone number in your public social-media bio. Phone number is the start of half of all account-takeover attacks.
Phishing — the recurring vector
The single most common attack pattern in Ireland is phishing-by-text or phishing-by-email impersonating MyGovID, Revenue, An Post, a bank, or a delivery company. Defences:
- Never click "verify" links in alert messages. Type the institution's website by hand. The detour of two seconds defeats almost all phishing.
- Know that MyGovID, Revenue, the DPC, the Department of Social Protection, and An Garda Síochána will never ask you to verify or update credentials via a clickable link in an email or text. If you receive one claiming to be from any of them, it's a phishing attempt.
- Forward suspicious texts to 7726 (the Irish "SPAM" reporting short code). Most carriers participate.
- Forward suspicious emails to reportphishing@garda.ie if they impersonate a state body.
Family-level protections
- Help older relatives set up password managers and phone-based 2FA. They are disproportionately targeted by phone-call scams ("we are calling from the Revenue") and benefit most from the recent-activity alerting features.
- Make sure children's accounts (banking, social, gaming) use 2FA where supported. Their accounts are common entry points to family-shared payment methods.
- Agree a family-only "safe word" for cases when someone calls claiming to be a relative in trouble. The "fake-kidnapping" scam variant has reached Ireland.