General Online Habits
This section is a collection of general advice and miscellaneous tips that don't really make sense on any other pages.
Phishing & Clicking Links
Phishing has been and remains one of the top ways to gain unauthorized access to a specific machine, account, or network. A phishing attack tricks a person into clicking a link and then either entering information on a fake page or downloading a payload that gives a malicious actor access to an account or device. In the case of malware, the attacker can then read the data on that machine and often reach the network the machine is connected to. Typically the link arrives in an email that appears to be legitimate, such as an email that appears to be from your bank asking you to confirm account details or to open an enclosed attachment. Phishing can also come in the form of malicious advertising (malvertising), which is one reason ad-blockers are so important. The other common phishing technique is over the phone: an attacker calls you claiming to be an official (for example, from the IRS) and asks you for information about yourself.
The best way to avoid phishing is to be cautious to a fault. If something seems out of character, contact the person through a channel you already trust and ask about it. For example, if your bank sends an email requiring confirmation of something, ignore the links in the email and go straight to the bank's website by typing the address or using a bookmark. If it's legitimate, the same warning will pop up when you log in or be waiting in your messages. If you're still not sure, contact their support team using the number on your card or statement, not one taken from the email.
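A concrete version of "does this link actually go where it claims?" for the bank-email case above. This is an added example, not code from the original page: it parses the anchors out of a constructed HTML email (the placeholder domain examplebank.com and the lookalike hosts are invented for illustration) and flags links whose real host is not under the bank's domain, links whose displayed text names a different host than the href, and punycode hosts that can disguise lookalike characters.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(value):
    """Hostname (lowercased, port stripped) of a URL or bare domain string."""
    if "://" not in value:
        value = "https://" + value
    return urlsplit(value).hostname or ""


def suspicious_links(html, expected_domain):
    """Return (href, text, reason) for each anchor that does not clearly lead to expected_domain."""
    parser = _AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        if href.lower().startswith(("mailto:", "tel:")):
            continue  # not web links; out of scope for this check
        host = _host(href)
        reasons = []
        # Internationalised labels are encoded as xn--...; attackers use them for lookalike names.
        if host.startswith("xn--") or ".xn--" in host:
            reasons.append("punycode host")
        # "examplebank.com.evil.example" is NOT under examplebank.com; only exact or subdomain matches pass.
        if not (host == expected_domain or host.endswith("." + expected_domain)):
            reasons.append("host %s is not under %s" % (host, expected_domain))
        # If the visible text looks like a domain, it must agree with where the link really goes.
        shown = _host(text) if ("." in text and " " not in text) else ""
        if shown and shown != host:
            reasons.append("displays %s but links to %s" % (shown, host))
        if reasons:
            findings.append((href, text, "; ".join(reasons)))
    return findings


# Constructed sample email (not a real message); hosts are placeholders.
SAMPLE_EMAIL = """
<p>Dear customer, please <a href="https://examplebank.com.account-verify.example/login">confirm your details</a>
at <a href="http://xn--exmplebank-4jb.com/">www.examplebank.com</a>
or visit <a href="https://www.examplebank.com/help">our help center</a>.</p>
"""

if __name__ == "__main__":
    for href, text, reason in suspicious_links(SAMPLE_EMAIL, "examplebank.com"):
        print("SUSPICIOUS: %r (%r): %s" % (href, text, reason))
```

Only the third link, which really is under examplebank.com, passes; the first is a subdomain of an unrelated site dressed up with the bank's name, and the second displays the bank's domain while pointing at a punycode lookalike. The same logic applies to any sender whose domain you already know.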
Think carefully about what information you share and what it reveals. Back in the early days of social media, it was common for people to publicly share that they were going on vacation for a week, so criminals in the area would find the house and rob it while they were gone. That exact crime may or may not live on, but the principle still does. One woman had a stalker find her because she took a selfie where a street sign was visible. I'm not saying don't share anything online, simply be mindful of what information is visible in a photo or screenshot, such as a company logo on your shirt, a street sign in the background, or account details in a screenshot.
Additionally, this extends into non-public internet spaces. For example, next time you sign up for a website or pay for something online, try submitting no information at all. It will likely reload the page and mark the mandatory fields, but you might be surprised what information is optional. You should view every website as a data breach waiting to happen, and anything that isn't a password or card number is probably stored in plaintext, or encrypted in a way the site itself can reverse, so the less personal information you hand over the better. If you are required to hand over information but the requesting site or service doesn't actually need it, consider using disinformation.
If you are simply a "lurker" - someone who likes to view content but not comment - there are a lot of really great front-ends available that allow you to view content while reducing or eliminating the number of trackers on a website, almost like a proxy. For Twitter, there are numerous Nitter instances. For YouTube, there's a host of Invidious instances and the NewPipe app for Android users. For Reddit, there's Libreddit and Teddit. For Instagram, there's Bibliogram. For TikTok, ProxiTok has recently entered the scene. Sadly there are no web-based Facebook or Snapchat front-ends that I'm aware of. Keep in mind that public instances are run by third parties and come and go, so pick ones you have reason to trust. If you'd like, there's an extension called Privacy Redirect that you can use to automatically redirect any links you click to the front-end of your choice.
If you feel the need to have social media, try checking out the decentralized and more privacy-respecting Fediverse. This is a federated network of independently run, largely volunteer-operated servers, and one of the coolest things about it (in my opinion) is the "federation" for which it's named. Imagine if you had a Twitter account but wanted to follow someone on Instagram. In mainstream social media, you have to sign up for Instagram. On the Fediverse, you can follow them from your own platform without creating a new account. For Twitter fans I recommend Mastodon. For Instagram fans, PixelFed. Facebook users might feel more comfortable on Friendica and YouTube users might find new content on PeerTube.
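What a redirect extension like the one mentioned above is doing under the hood is a host-based URL rewrite. The following is an added example written for this page, not the extension's own code: it maps the mainstream hosts to front-end instances (the instance hostnames such as nitter.example are placeholders you would replace with instances you trust), keeps the path and query so the link still resolves to the same post or video, turns youtu.be short links into the /watch form the front-ends expect, and drops common tracking parameters along the way.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Placeholder instance hostnames; substitute the front-end instances you trust.
FRONTENDS = {
    "twitter.com": "nitter.example",
    "mobile.twitter.com": "nitter.example",
    "youtube.com": "invidious.example",
    "youtu.be": "invidious.example",
    "reddit.com": "libreddit.example",
    "old.reddit.com": "libreddit.example",
    "instagram.com": "bibliogram.example",
    "tiktok.com": "proxitok.example",
}

# Query keys that only serve tracking; utm_* is handled by prefix below.
TRACKING_KEYS = {"fbclid", "gclid", "igshid", "si"}


def _canonical_host(netloc):
    """Lowercase the host, strip credentials/port, and drop a leading www."""
    host = netloc.lower().rsplit("@", 1)[-1].split(":")[0]
    return host[4:] if host.startswith("www.") else host


def _clean_query(query):
    """Keep every query pair except known tracking parameters."""
    return [
        (k, v)
        for k, v in parse_qsl(query, keep_blank_values=True)
        if not k.startswith("utm_") and k not in TRACKING_KEYS
    ]


def redirect(url):
    """Return the front-end URL for a known host, or the URL unchanged otherwise."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return url  # mailto:, tel:, etc. are left alone
    host = _canonical_host(parts.netloc)
    target = FRONTENDS.get(host)
    if target is None:
        return url
    path, query = parts.path, _clean_query(parts.query)
    if host == "youtu.be":
        # youtu.be/<id> is shorthand for youtube.com/watch?v=<id>
        video_id = path.strip("/")
        path, query = "/watch", [("v", video_id)] + query
    # Always upgrade to https, even if the original link was http.
    return urlunsplit(("https", target, path, urlencode(query), parts.fragment))


if __name__ == "__main__":
    for link in (
        "https://twitter.com/someuser/status/123",
        "http://www.youtube.com/watch?v=abc&utm_source=newsletter",
        "https://youtu.be/abc?t=30",
        "https://example.org/unrelated",
    ):
        print(link, "->", redirect(link))
```

A browser extension applies the same mapping to every navigation before the request leaves the browser; this version is handy for cleaning links before you share or bookmark them.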
While I discourage mainstream social media services for a number of reasons, I understand that sometimes you have no choice in using them. My recommendation would be to not use the apps, post as little as possible, and make your profile as private as possible.
Whether you stick with mainstream social media or use a privacy-focused alternative, I discourage using the same username or handle across all your social media accounts unless you're building a professional brand. I suggest using your password manager to generate a two or three random word passphrase and then use that as your handle. Repeat as needed for every site and account. If somebody decides to cyberstalk you, this can make it harder for them to find all of your accounts.
Change your default search engine. Google tracks and records all of your searches, and these are added to your profile to create a more complete picture of you as a person. There are no perfect solutions in this space, but there are many options. Two of the most popular are DuckDuckGo and Startpage. Both, however, have questionable histories. SearXNG, Whoogle, and MetaGer are common alternatives; however, none of these services (including DuckDuckGo and Startpage) are true search engines. Instead, they are "metasearch" engines, meaning that they don't maintain their own index but rather proxy the results of other search engines like Google, Bing, or Yandex. This can present problems if the engine they pull from decides to censor or demote content. There are a handful of true search engines that are popular in the privacy community. In alphabetical order, these are Brave Search, Ecosia, Mojeek, and Qwant. Again, there are no perfect solutions here. Each service has drawbacks or controversies. Please do your research and select the one that best fits your threat model and priorities.
Delete any and all unused accounts. This includes old social media accounts, library accounts, work accounts, services you signed up for once and never used again, etc. If you can't delete them for whatever reason, change them to a unique, strong password, enable two-factor authentication where it's offered, and hold onto the credentials somewhere safe. The exceptions are that I recommend holding onto old email accounts, and I recommend "planting your flag" on important accounts that are prone to fraud, such as unemployment, by registering them yourself before someone else does in your name. For the email accounts, you never know what you once used them for and when you might need them again for that purpose.