Portmint Lighthouse
CoursesStaying Safe Online

Safe Browsing and Downloads

Pip Lesson 7 · taught by Pip

Most trouble online starts with a single click on something that looked fine. The good news: a few habits catch the vast majority of it before it ever reaches you.

Think of the web like a harbor full of boats. Most are honest fishing vessels. A few are painted to look just like them but are running something else. You don't have to inspect every boat — you just learn the three or four tells that give a fake away.

Read the address before you trust it

A web address (the bit in the bar at the top, like bank.example.com) is the boat's registration. The part that tells you who really owns it is the name that sits right before the ending — the .com, .org, or .co.uk.

Read it from that ending backwards. In login.yourbank.com, the name just before .com is yourbank — the real owner. But in yourbank.login-secure.com, the name just before .com is login-secure, a stranger borrowing your bank's name as decoration up front. Scammers count on you reading left to right and stopping early, where the comforting word sits.

Watch for small swaps too: paypa1.com with a number one, or extra words bolted on like amazon-account-verify.com. The lock icon only means the connection is private, not that the owner is honest — a scammer's site can have one too.

When in doubt, don't click the link. Type the address you already know, or use your own saved bookmark.

Fake buttons and risky attachments

On download pages, the biggest, brightest "Download" button is often an advert in disguise, planted to get you to install something you didn't want. The real link is usually smaller and plainer, off to the side. Before clicking, rest your mouse over it (or press and hold on a phone) and read the address that pops up — if it doesn't match the site you're on, skip it.

Attachments are the other soft spot. Treat a file you weren't expecting like a package left on your doorstep with no return address — even if the sender's name looks familiar. Be especially wary of files ending in .exe, .zip, or a document that insists you "enable content" or "enable macros" to read it. That prompt is the trapdoor.

Keep your devices fresh

Updates feel like a nuisance, but most of them are quietly patching the exact holes that bad sites try to crawl through. An out-of-date browser is an unlocked back door.

Turn on automatic updates for your phone, computer, and browser, and let them install. A device that updates itself is doing a chunk of your security work while you sleep.

Your turn

Open the website you log into most often. In the address bar, find the name that sits right before the ending (.com, .org, and so on). Is it really the company's name — or a stranger's name, with the company's bolted on at the front as decoration? Practising on a site you trust makes the fakes jump out later.

Next we'll cover backups — so when a bad day does happen, it stays small. 🔦

Stuck or curious?

Ask Pip about this lesson — tap the porthole bottom-right.