Here's the part that should make you feel better, not worse: almost no one is hunting you personally. You're one address in a list of millions, and that scale is exactly what you can use against the attacker.
A numbers game, not a manhunt
Most attacks are wholesale. The same fake message or password-guessing script (a small automated program) is fired at millions of people at once. The attacker doesn't read your replies one by one — they let the tool run and collect whoever falls for it.
At that scale the math is brutal but simple. If a scam reaches a million people and just 0.1% respond, that's a thousand victims for almost no effort. The attacker never needed to care who you are.
The most common version is credential stuffing: bots take usernames and passwords leaked from one breached website and try them, automatically, on hundreds of other sites — your email, your bank, your shopping accounts. They're betting you reused that password somewhere.
The too-boring-to-target trap
Bots don't pick by how important or interesting you are. They hit everyone in the list the same way. Being ordinary doesn't hide you — a reused password does the exposing, all on its own.
Why laziness is your friend
Because these attacks are automated, they're optimised for the easy win. The moment a tool hits any real resistance, it gives up and moves to the next address — there are always millions more.
You don't have to be unbreakable. You only have to stop being the easiest target. Think of a herd of gazelles: you don't need to outrun the lion, just not be the slowest one.
A few cheap defences are usually enough to make the tool fail and look elsewhere:
- A unique password for every site breaks credential stuffing instantly — one leaked password unlocks nothing else.
- Two-factor authentication (a second step at login, covered in the Accounts section) means a stolen password alone isn't enough.
- Updates close the known holes that automated tools are built to exploit.
Each of these turns a quick automated hit into too much work, so the bot moves on.
Automated means preventable
Here's the reframe worth keeping. "Impersonal and automated" sounds menacing, but it actually means predictable. These attacks follow the same handful of recipes against everyone, so the same handful of defences stop them. That should lower your anxiety, not raise it.
The mindset shift
Automated attacks aren't all-powerful — they're lazy and repetitive. Set up a few defences once, and the bots simply fail and leave.
Truly targeted attacks — where a specific person spends real effort on a specific you — do exist, but they're rare for most people and need a different approach. We'll flag who should worry about that later in the course.
Do this now
- Pick your most important account (start with email) and give it a password you use nowhere else.
- Make a mental note of any password you've reused across sites — that's the one credential stuffing is waiting for.
- Remember the goal: not perfect, just not the easiest target in the list.
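To make the reuse check above concrete, here is an added example (not part of the original course): a short script that reads a password list and reports which sites a single leaked password would also open. The sample data is constructed, and the `site,username,password` column layout is an assumption, so adjust it to match whatever your password manager exports.

```python
import csv
import hashlib
import io
from collections import defaultdict

# Constructed sample data in an assumed export layout: site, username, password.
SAMPLE_EXPORT = """site,username,password
mail.example,alex@mail.example,correct-horse-41
bank.example,alex@mail.example,Summer2019!
shop.example,alex@mail.example,Summer2019!
forum.example,alex_g,Summer2019!
video.example,alex@mail.example,tr4in-lamp-oboe
"""

def load_accounts(text):
    """Parse the export text into (site, username, password) tuples."""
    rows = csv.DictReader(io.StringIO(text))
    return [(r["site"], r["username"], r["password"]) for r in rows]

def reuse_groups(accounts):
    """Group sites by password; keep only passwords used on more than one site."""
    groups = defaultdict(list)
    for site, _user, password in accounts:
        # Short hash tag so the report never has to display the password itself.
        tag = hashlib.sha256(password.encode()).hexdigest()[:8]
        groups[tag].append(site)
    return {tag: sorted(sites) for tag, sites in groups.items() if len(sites) > 1}

def exposed_if_breached(accounts, breached_site):
    """Other sites that share a password with breached_site.

    Any account sharing the password counts as exposed, even if the
    username differs. That is a deliberately cautious assumption.
    """
    leaked = {p for s, _u, p in accounts if s == breached_site}
    return sorted(s for s, _u, p in accounts if p in leaked and s != breached_site)

if __name__ == "__main__":
    accounts = load_accounts(SAMPLE_EXPORT)
    for tag, sites in reuse_groups(accounts).items():
        print(f"reused password [{tag}]: {', '.join(sites)}")
    for site, _u, _p in accounts:
        others = exposed_if_breached(accounts, site)
        print(f"breach at {site} also opens: {', '.join(others) or 'nothing else'}")
```

In the sample, a breach at the forum also opens the bank and the shop, while a breach at the email or video site opens nothing else, which is what a unique password buys you.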