1. Do not download and run everything you see. The free Adobe Photoshop download button? Don't do it. The free "online" movie maker which needs to be installed? Don't do it. Only download and run software from reputable, trusted sources, and do not download and install anything unless you really need it, because the truth is that the more software you install, the more the attack vector increases. If you have 100 third-party programs installed, what if <installed program #60> had its network breached and a malicious update was pushed out (this has happened several times, e.g. to start the spread of Petya and, IIRC, WannaCry in Ukraine)? Then you will become infected, and this could have been prevented if you had not left <installed program #60> installed for 2 years when it wasn't needed.
2. Do not believe everything you read on the internet. Social engineering is a huge thing, and based on what I see people saying online, it seems not many people actually take it seriously or even refer to it as "social engineering". Attackers are constantly trying to find new ways to social engineer potential victims, and it works on every single human being in the world. It won't work indefinitely, because some have more experience than others; however, even the most experienced can be socially engineered, and this is because the technique works by exploiting how our brains operate. Social engineering has been used for as long as I can remember (ever since I got interested in Information & Security, at least), and has been used to trick victims into downloading and installing software even when they were trying to apply good practices, into entering personal account credentials on fake banking websites, into sharing personal information, etc.
For example, as we already know, scams are real. People get scammed all the time, and every day you can expect people to be scammed out there in the world. However, there are some ordinary people who will actually identify that they are being targeted by a scammer, and will respond to the e-mail or text message telling the sender that they know it is a scam and are not going to provide the requested information. Here's the thing, though. Even though the individual identified the scam and did not fall for it, they still responded... And this indicates to the criminal on the other end that the target is real, and that the communication method used to reach them was successful. Not only this, but even a response about having identified the scam could in fact expose/leak sensitive and personal information, depending on the situation, or escalate to that. This could be a form of successful social engineering attack, even if it seems it is not. Why? Because the victim was drawn into responding in the first place, which verified that the targeted account is active and in use. Use this example as a reminder to yourself to simply delete bad text messages, e-mails or other forms of communication from suspicious/untrusted sources, and not to respond in the first place; even unknown calls count.
3. Do not be click-happy. It is possible to believe you are invincible, go online and then end up infected. It could be something simple and easy like a rogue browser extension, or accidentally opening a link which syncs with an existing application installed on your system. Click-happy behaviour is one of the easiest ways of landing an infection. If you don't know it or don't trust it, then don't click.
4. Do not use torrents unless you know what you are doing and are not trying to use illegal software. Hack-tools (commonly referred to as "cracks") are illegal in most areas and are commonly modified by attackers (it is indeed true that some of them really do work; however, nothing is free in this world, and attackers can grab genuine illegal/pirated software and modify it), so when they are used, a malicious payload is executed. Torrents in general are a great way for an attacker to spread malicious software because of the demand from the communities of people who actively download premium software, films and other forms of media for free when they know they aren't supposed to. At the same time, when they request assistance online, most forums refuse to help them due to the usage of pirated/illegal software; and then, if they were to have their bank account compromised or similar and tried to report it properly, how will it go down when they admit they were trying to access illegal software? From an Information & Security point of view I have to say that becoming infected this way is not fair, but from a personal and non-professional point of view, I have to say that I think if someone gets infected whilst trying to steal money from a company, then they were pretty much asking for an infection by trying to do so in the first place.
5. Use temporary e-mail accounts to register online profiles if you do not need to use your real e-mail address and keep communication with the service. The reason this can be helpful is that if a service becomes breached (this happens all the time to many companies) and user account credentials become exposed, the attacker may gain your true e-mail address, which could lead to further attack. (Even if the credentials are encrypted, sometimes they do become decrypted one way or another: brute force tends not to be appropriate for strong encryption due to the time it would take for a large traditional database, but keys can be stolen as well, so you cannot count your chickens.) Some people believe that home users are never a target for account compromise/data collection by attackers in 2018, but actually this is not the case, because attackers may not need to use the data themselves but can sell it on to other people who may want the data, for a lot of money, on bad areas of the internet.
Temporary e-mail account services:
nada - Temporary Email
Temp Mail - Disposable Temporary Email
TempMailAddress | Disposable Temp Mail
Sometimes they may be blocked by registration forms, and do not use such services for genuine communication, because you do not know what is behind closed curtains and your personal messages may then become compromised.
6. Use a Virtual Private Network (VPN) or a proxy. This will mask your IP address by passing connections through the service's own servers, which can be located in many different countries. Your IP address is important because an attacker can use it to attack your network (e.g. scans to find vulnerabilities, DDoS attacks to use up your network resources and take your network down, which can lead to further insecurity for attacks, etc.). Your IP is like an online digital fingerprint, and everywhere you go online your IP is logged. It can also be used to roughly trace you back to your location (although it's a range scenario and won't be 100% accurate). There are free options such as CyberGhost for a system-wide VPN.
7. Use an ad-blocker. Malvertising campaigns may still be on the rise; I am not entirely sure, because I lack experience when it comes to malicious advertisement research and analysis. However, as I noted previously regarding the AdSense crypto-currency mining discovery, that is advertisement related, and by blocking advertisements it could have been prevented. As well as this, many websites nowadays are implementing crypto-currency miners (not usually reputable ones, but the rise is definitely there in my opinion), and thus it would be in your best interest to just block advertisements. It won't be perfect, but it will definitely work very well at its job. There are some web browsers like the Brave browser which allow you to block advertisements and still support good, trustworthy services which rely on advertisements for their income to keep their projects free, so there's that as well.
8. Don't use Microsoft Office (desktop) unless you really need to. At least use a local editor which doesn't have support for features like macros, or an online web-based replica (e.g. I believe Microsoft have MS Office Online now as well, and there's also Google Docs).
9. Make use of the built-in Windows protection mechanisms such as User Account Control (UAC) and system-wide SmartScreen (SS). It will take some time to learn and understand how to use them, but once you do it will be beneficial in keeping you safer. UAC was implemented for administrators and not for security; however, it can still be leveraged for enhanced security, and SS is a reputable cloud system by Microsoft to flag unknown downloads/program executions.
10. Use an Anti-Virus, Default-Deny, or a good layered protection configuration. You wouldn't ride a motorbike without a helmet, or drive a car without a seat belt, or go abseiling down a fake tower for your ninja training, so don't use a system without protection. Windows has built-in Windows Defender starting from Windows 8, but most people find it more convenient to use something else. It's honestly up to you; you can try different security software out and see which one works best for your needs and which you are most comfortable with.
11. Keep all your software up to date, including OS patches. Keeping your software up to date will provide you with the latest security patches to prevent previously discovered vulnerabilities from being an attack vector for exploitation, which can be an entry point for an attacker to gain privileges they should not have, spread malicious software across a connected network, among other things.
12. Put privacy settings on any social media you use. If an attacker can openly read your Facebook (as an example), then they may be able to gain information about you (potentially even contact information) and also about contacts on your friends list. You don't want this. Play it safe. Identity theft is also something which is real, and if an attacker can find lots of information about you online through research, they could pretend to be you and even have your PayPal credentials reset, so really take this one seriously. I've noticed banks in my area increasing awareness with TV advertisements lately regarding fraud, and they were amazing adverts because of how effective they were. Social engineering is huge in this as well... So note that carefully.
13. Change your phone number every few months. If your phone number somehow became shared, then by changing it the share is now meaningless. Don't assume everything you do on your phone is safe, either; think of its security like that of a normal system.
14. Use a Chromebook unless you need a Windows/OS X system. A Chromebook will not be 100% secure, because nothing is foolproof; however, it's very limited in what it can do, which makes it a perfect contender for enhanced security unless your needs do not work with it. A Chromebook is primarily used for online browsing (e.g. a bit of shopping here and there, checking e-mails, etc.), and thus attack vectors decrease a lot... You cannot run native programs. You can still be targeted with phishing/scams and rogue browser extensions, though, not to mention malicious Android applications, so it isn't a green card to become invincible.
15. Make sure you use secure passwords and change them regularly. Do not re-use the same passwords either, because then if one password becomes compromised, multiple accounts become compromised, all at the same time. Make sure the password is at least 8-12 characters long and consists of lower/upper case letters, numbers, and special characters.
I originally was not intending to make such a large reply to this thread, which explains why the order of the items in the above list is random... There will be many more good online practices, and I am sure other members here will be happy to respond and share many more to help you. Discussing good practices and reading other people's is a brilliant way to learn, because it can make you think differently, and you may even start picking up on others' techniques and applying them yourself to help you out. The thing with online safety is that there is never an end to safe practices: as criminals evolve their techniques, we must adapt to that evolution to protect ourselves. Every single day you will learn something new, and things you knew years or months ago you may learn in 5x more detail tomorrow. That is the best thing about learning about security... you can never reach the "end".
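As an added example for point 15 in the post above (my code, not the original poster's): a small Python script that generates passwords meeting that policy using the OS CSPRNG rather than `random`, checks a given password against the policy, estimates the brute-force search space so you can see that length matters more than mixing classes, and spots the password re-use the point warns about. The 12-character threshold, the rule names, and the sample vault are my own constructed assumptions, not anything from the post.

```python
import math
import secrets
import string

# Character classes named in point 15 of the post.
LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
SPECIAL = string.punctuation
CLASSES = (LOWER, UPPER, DIGITS, SPECIAL)
ALPHABET = "".join(CLASSES)


def generate_password(length=16):
    """Return a random password that passes check_policy().

    secrets (the OS CSPRNG) is used instead of random: random's Mersenne
    Twister output can be reconstructed from a few observed values.
    """
    if length < 8:
        raise ValueError("use at least 8 characters")
    # One guaranteed character from each class, the remainder drawn
    # uniformly from the whole alphabet ...
    chars = [secrets.choice(cls) for cls in CLASSES]
    chars += [secrets.choice(ALPHABET) for _ in range(length - len(CLASSES))]
    # ... then shuffled with the CSPRNG so the guaranteed characters do not
    # always sit in the first four positions.
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


def check_policy(password, min_length=12):
    """Return the list of rules a password fails; [] means it passes.

    min_length=12 is an assumed threshold (the post says 8-12).
    """
    problems = []
    if len(password) < min_length:
        problems.append("shorter than %d characters" % min_length)
    rules = ((LOWER, "no lower-case letter"), (UPPER, "no upper-case letter"),
             (DIGITS, "no digit"), (SPECIAL, "no special character"))
    for cls, name in rules:
        if not any(c in cls for c in password):
            problems.append(name)
    return problems


def entropy_bits(password):
    """Upper bound on the search space a brute-force attacker faces:
    length * log2(alphabet), with the alphabet inferred from the classes
    actually present. Eight digits is ~26.6 bits; eight lower-case letters
    is ~37.6 bits; each extra character adds a full log2(alphabet).
    """
    pool = sum(len(cls) for cls in CLASSES if any(c in cls for c in password))
    return len(password) * math.log2(pool) if pool else 0.0


def find_reuse(vault):
    """Given {site: password}, return sorted groups of sites sharing one password.

    Any group of two or more sites is exactly the 'one breach, many
    accounts' failure point 15 warns about.
    """
    by_password = {}
    for site, password in vault.items():
        by_password.setdefault(password, []).append(site)
    return sorted(sorted(sites) for sites in by_password.values() if len(sites) > 1)


if __name__ == "__main__":
    # Constructed sample vault (not real credentials) to show the reuse check.
    vault = {"bank": "Tr0ub4dor&3", "webmail": "Tr0ub4dor&3",
             "forum": "correct horse battery"}
    print("reused across:", find_reuse(vault))
    for pw in vault.values():
        print(repr(pw), check_policy(pw), round(entropy_bits(pw), 1), "bits")
    new = generate_password(20)
    print("generated:", new, check_policy(new), round(entropy_bits(new), 1), "bits")
```

The entropy figure is only an upper bound (a dictionary word with a digit appended is far weaker than its class mix suggests), which is why the generator draws every character uniformly instead of letting a human pick them.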