Cybersecurity is critical for everyone who goes online, but it’s of particular importance to investors. Why? Because they tend to be the ones with the money. And while banks are generally obligated to cover unauthorized withdrawals reported within 60 days of the transaction showing up on your statement, that does not apply to retirement accounts — which total some $37.5 trillion nationwide, according to the Investment Company Institute — or other investment accounts. One bad password or hacked home Wi-Fi router can erase the portfolio meant to fund your retirement.

Experts say there are a handful of common threats, but there are also some easy life hacks to help you prevent cybercriminals from harming you and your investments. “Look, everyone is probably already pretty cybersecurity savvy, they just don’t know it yet – and many haven’t acted on it if they do,” says Onkar Birk, former managing director for Alert Logic by HelpSystems, a leading managed detection and response provider for businesses. “If you’re a homeowner, you are already taking certain precautions every single day without even thinking about them. You lock your doors and don’t let strangers walk into your house. You don’t leave your keys inside your car. If you have a keypad entry and someone sees you type your code, you change it.” Take those concepts from the physical to the virtual world, he says, and you already have the tools you need to secure your digital space. Here are the building blocks for protecting your assets.

Create strong passwords

It sounds simple, but so many of us become complacent and use the same password over and over: the name of a child or pet, followed by a number and an exclamation point. (You know you’ve done this!) Those passwords are easy for us to remember but not all that hard for a sharp thief to figure out.

“You’d be shocked to know how much I can learn about you from your social media accounts,” says Gage Mele, manager of cyber intelligence for Anomali, an intelligence-driven detection and response security company for global enterprises. Breadcrumbs about your life are scattered across your social media accounts for bad actors to collect and craft into some good guesses at what your passwords may be. (Automated programs designed to test multiple password variations do the rest of the work.)

The easiest way to prevent a break-in is to use a strong password — one that has 10 to 12 characters, includes a number and a symbol, and has no family members’ names or birthdays or words found in the dictionary, says Mele.

Once you’ve come up with one great, hard-to-crack password, don’t stop there. Reusing passwords across sites means that one lucky guess could pay off over and over. Every site should get a unique password. Most people would find that quite daunting, so see the next section.

Use a password manager

We all check our balances, conduct trades and transfer money online, all of which require a password to log in. Birk suggests changing passwords to truly important websites (like your bank!) monthly. But if you’re like most customers, you have multiple accounts and routinely make financial transactions across several financial institutions at the click of a mouse. Changing all of those passwords monthly is not realistic. Birk has another concern: “Passwords can also be set so that you’ll be prompted to change them regularly, but I am personally not a fan of this. That’s because changing passwords regularly taps into the brain’s natural tendency to save time, which can then lead to weaker passwords that are easier to remember.”

This is where a password manager comes in. Downloaded as an add-on to your browser or as a third-party app, such as 1Password or LastPass, managers can be annoying to set up. But once you overcome that hurdle, these tools can be invaluable. Once you download the program, the next time you visit a password-protected site, a pop-up will ask you if you want to add it to the manager. Click yes, and in the future, it will autofill for you. Once you’re in, “a lot of these password managers will generate pseudorandom passwords for you, and you make those any length you want,” says Mele.

Use multifactor authentication

Most financial institutions offer you the option of having you log in using both a password and a code they’ll send to your mobile device. Accept that option. It’s a little bit of a nuisance, but it means a criminal would have to both know something (your password) and have something (your phone) — and be able to get into your phone! — to get into your account. That’s a very high barrier.

Be extra vigilant with your email

Think back across every email you’ve ever sent or received. There’s a lot there — some of it deeply private, some of it financial, some of it full of personal facts about your family and friends. Your email is a treasure trove for criminals, and for that reason email is an often-targeted account. In fact, cybersecurity experts like to joke that there are two types of people: Those who are aware they’ve been hacked, and those who think they haven’t been hacked. Translation: Chances are some of your personal information — maybe passwords, maybe your Social Security number, maybe just a list of previous addresses and phone numbers — are out there on a list for sale to criminals.

Maybe it’s harmless information, or maybe it’s your legacy email password, the one you’ve kept since your first email account. Once a bad actor owns your email account, there’s no end to the trouble they can get up to: impersonating you, using sensitive information with which to blackmail you or finding other passwords or credit card details.

Using a manager and a unique password is a good place to start, but setting up a recovery email with a completely different address can save months of misery if your email is compromised and you have to claw back your digital life. Mele sets up a backup system, so all his email accounts are recoverable from an entirely separate address. So, if he tries to log in to his primary email and finds that it’s been compromised, he resets that password using the other account for authentication. He also has multifactor authentication set up, so he’ll get a text with a code sent to his phone before recovering. “They’d have to have access to both accounts plus my phone to get into my recovery account,” says Mele. That would be extremely unlikely to happen. “Cybercriminals are foll0wing the path of least resistance.”

Change your home Wi-Fi login

As Birk reminds people, use the way you operate in the physical world as a guide for your digital life. No one would move into a new house or apartment without changing the locks, so why would you use the password given to you by your cable company as your Wi-Fi login? You already know that password is on a list, at the very least at the cable company … and perhaps many other dark places.

“Any default passwords, change them now,” urges Mele. And never leave your Wi-Fi open without password protection, inconvenient though that may be for guests. If a bad actor were to get onto your network, they’d have access to everything that streams by — which includes valuable bank logins.

To ensure that system hasn’t been compromised, keep all relevant software updated, says Birk, who recommends automating updates to your browser, your laptop and your software. “That way you’re up to date with any patches to thwart security breaches,” he adds. Then you can set it and forget it.

Also, using public Wi-Fi for anything password protected, especially financial transactions? Don’t. Use cellular data or wait until you get home.

Phishing, smishing, vishing and other silly-named scams

You may have heard of the Nigerian prince who really, really needs your help (not real, not true) or have gotten a text regarding your car’s warranty, which is about to lapse (also not true). But scammers are getting ever more creative with their cons. Don’t fall for their tricks.

These include cleverly engineered emails, texts and even phone calls that try to get you to give away personally identifying information. Many of us are awaiting a package from Amazon, so a scammer can send a text to thousands of people using a list of numbers purchased illegally, and include some nicely written, fear-inducing lines about how your package has been held up and please click here immediately to prevent it from being sent back. Don’t click! Same goes for email attachments or links in emails from addresses you don’t recognize. “Be a little wary of any email that asks you to take an action. Think before you act,” says Birk. “Scrutinize the URL or the sender’s email address — criminals sometimes use lookalike names and domains.”

If everything looks OK, and the email sounds important but still looks suspicious, verify that it’s for real by calling the sender — but not using the phone number on the suspicious email. Alternatively, go to the actual company website, log in and see if that supposed package or car warranty is truly in peril. “A sense of proportion is key,” says Mele. “If you get some email saying we need this information confirmed right away, like bank or credit card data, don’t panic. Delete it and move on. But if you get an email from your co-worker that seems suspicious, call them. When in doubt, confirm the authenticity of the email through other forms of communication.”

In the end, advises Birk, “act as you would in the physical world. If someone turned up and said, ‘I’m here to fix your roof, can I come in?’ would you let them? Or if they knocked on your door and said tell me all about your bank account, would you tell them? Of course you wouldn’t.”

Then simply translate that thought process to your digital world. “These scams are pervasive, and we can’t change that,” says Birk. “But what you can change easily is your mindset.” If you don’t, he adds, you may as well keep your front door unlocked.