Network Brainiacs
Tip #52 · Phishing

The 5 habits that beat every scam.

52 tips condensed into 5 habits. Master these and you'll be in the top 5% of small businesses for practical cybersecurity.

Over the past year we've covered 51 tips, techniques, scams, and defenses. If you had to pick five habits — the ones that, if mastered, beat the vast majority of real-world attacks — these would be the five. None are technical. All are practical. And teams that run on these habits simply don't fall victim to what we see hitting everyone else.

Habit 1: Pause before clicking

Every phishing attack needs a click, a tap, or a scan. A 10-second pause before any action defeats most of them. Urgent emails, unexpected attachments, unsolicited texts, QR codes in random places — all get a pause.

Habit 2: Verify financial and HR requests verbally

Any email or voice request involving money, banking changes, wire transfers, or personnel actions gets a verbal callback on a known number. Always. Regardless of how legitimate it looks. This one habit blocks BEC, vendor email compromise, deepfake scams, and CEO fraud.

Habit 3: MFA everything, use strong MFA

Every account that supports MFA gets it. Use authenticator apps or hardware keys, not SMS. For high-value accounts — email, banking, payroll, domain — use hardware keys. One leaked password should not equal one compromised account.

Habit 4: Use a password manager

Unique passwords on every account, managed automatically. Family plans cover your personal life. Business plans cover work. Nothing else scales — and reuse is how breaches cascade.

Habit 5: Test your backups and practice your plan

Backups that haven't been tested aren't backups. Plans that haven't been rehearsed fail under pressure. Once a quarter: test a restore, run a tabletop, verify the controls you thought were in place are still in place.

A small firm that built those five habits over a year was hit by a sophisticated phishing attempt.

Red flag: The phishing email was caught by a pause. The wire was stopped by a callback. Controls held. No incident.

Thanks for reading.

Fifty-two weeks of tips, and we've only scratched the surface. If we can help your business turn any of this into reality, just reach out.

Do this today
  1. Print the five habits and post them where your team works.
  2. Audit your setup against the five habits — where are you strong, where are you missing?
  3. Fix the weakest habit first. Small wins compound.
  4. Rerun the audit every 12 months. Threats evolve, habits have to stay current.
  5. Tell us where you landed — we'd love to hear what worked and what didn't.

Want help securing your business?

Schedule a quick security review with our team. 15 minutes, no sales pressure — walk away knowing exactly where your gaps are.
