
I committed identity theft for a living. Now I help people lower their risk of getting hacked — here are the top 6 things everyone should do.

Cybersecurity professional Brett Shannon Johnson selfie.
Brett Shannon Johnson said cybercriminals look for the easiest targets, but creating a base level of security is simple.

Photo courtesy of Brett Shannon Johnson

  • Brett Shannon Johnson, an ex-cybercriminal, now advises on cybersecurity to prevent identity theft.
  • He once ran a darknet network and was arrested by the Secret Service.
  • Johnson said freezing everyone in your home's credit is one of the first safety steps.

This as-told-to-essay is based on a conversation with Brett Shannon Johnson, a former cybercriminal turned cybersecurity professional. Business Insider confirmed Johnson's criminal history using court documents and contemporaneous news reports. The conversation has been edited for length and clarity.

I'm a reformed cybercriminal who used to commit credit card fraud and identity theft, but I've thankfully turned my life around.

I helped build and run an early version of the "darknet," which provided a trust mechanism that many criminals continue to use to this day. In October 2004, the Secret Service arrested 33 people associated with my network. They picked me up four months later and offered me a job as an informant. I'm the idiot who continued to break the law for the next 10 months while working for the Secret Service until they found out about it.

I was arrested, escaped, caught, and then sent to prison to serve seven years. Still, I was given the opportunity to turn my life around, and I took it. I'm well aware that I didn't deserve that, but I'm very blessed.

I now consult and speak as a cybersecurity expert, and I help protect internet users from the types of crimes I used to commit.

How to build a toolbox for online safety

Protecting yourself from someone like I used to be starts with understanding your place in the cybercrime spectrum — everyone has a place.

If you work in food service, that's different than if you're a CEO or working payroll. I'll still get you, but it differs. It's not likely that I'll hit a food service worker with a business email compromise or send them a deepfake. Understand what's realistic and design security around that.

Whenever I give a presentation about protecting yourself online, I tell people to think of it as building a toolbox. The criminal has a toolbox, and in it, they have a variety of tools with which to attack you. As a defender, you need to have a toolbox, as well, to prevent a stolen identity.

The good thing is that the tools you need aren't horribly sophisticated.

1. Use situational awareness online

People tend to have very good situational awareness in the physical world. If we're in a store, we know if something's off or if something just feels wrong. That doesn't translate very well in an online environment, but it should.

Understand that every platform and every website that you go to has predators — every single one. That doesn't mean not to go there, it just means to be aware of that. If we can just have that awareness in the back of our heads, that will automatically raise our security level.

2. Freeze the credit of everyone in your house

Contacting the three main credit agencies to block access to your credit accounts is the best tool to stop new account fraud.

Credit freezes are free. Unfortunately, only about 12% of the population has one. A credit freeze stops all new account fraud, so, as a criminal, I cannot pull your credit report.

It's a good idea to freeze the credit of every single person in your family, including kids, because kids are often targeted for identity theft. Most adults have existing accounts. It doesn't stop fraud on those. So you also have to monitor those accounts.

3. Place alerts on accounts where you can

You must also be aware of your email, retail, social media, bank, and credit card accounts. Every account has value to an attacker.

Make sure you have alerts on those accounts that communicate whenever they're accessed or used.

4. Practice good password security

Make sure that you're practicing good password security. Most people use the same or similar credentials across multiple websites, and hackers know that. This opens you up to credential stuffing.

It's an automated program. I can phish you out, get your password, and log in to your Hulu account. I go to sleep, plug those credentials in, and this program will actually ping tens of thousands of different websites overnight and see what it gets access to.

If you use the same credentials for Hulu as you do for your Chase account, Bank of America, tax records, or whatever, I have access to those as well.

To avoid this, I use the free Google Chrome password manager, which generates unique passwords for every login and saves them for you.

5. Set up multifactor authentication for your accounts

Multifactor authentication is an outstanding tool. It's not bulletproof, but when you use it in conjunction with other tools, you become much more secure.

I used to preach about password managers. These days, I'm not explicitly recommending them because they've had some issues. I use a combination of passkeys, authenticators, and a password manager.

6. Watch what you share on social media

Understand that those 3,000 Facebook friends aren't friends. One of the things that I used to do was see what a person had on Facebook. I'd pull your identity profile and see what you had posted of interest. I'd find out your birthday, your mother's maiden name, when you're going on vacation, those types of things.

So, watch what you share on social media.

Getting inside the mind of a cybercriminal

You need to understand that these attacks happen for one of three reasons. It's status, cash, or ideology.

Most attacks are cash-based. When cybercriminals attack for status, it's to impress their criminal peers. They're trying to do something that no one else can do and gain respect — that equates to more money at the end of the day. When it's done for ideology, someone's pissed them off, and they're looking to attack them.

The criminal is simply looking to profit at the end of the day. That means they attack the lowest-hanging fruit. They're looking for the easiest access that gives them the largest return on that criminal investment.

If you just put the base level of security, you're not that lowest-hanging fruit anymore. That matters because, as a criminal, I'm not going to waste my time trying to hit you when there are much easier targets that are out there.
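The credential-stuffing pattern Johnson describes in item 4 (one stolen credential set replayed against thousands of sites) is also what a site operator can look for in its own login logs: one source trying many different usernames, mostly failing, within a short window. The following Python is an added example, not part of the essay or of any tool Johnson mentions; its log format, thresholds, and sample log lines are all constructed assumptions.

```python
"""Flag credential-stuffing activity in authentication logs.
Stuffing replays leaked username/password pairs against many accounts, so a
defender sees ONE source trying MANY DIFFERENT usernames, mostly failing,
within a short window (unlike brute force: one username, many passwords)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample log (not from any real system), simplified format.
SAMPLE_LOG = """\
2025-01-01T02:00:01Z ip=203.0.113.7 user=alice result=FAIL
2025-01-01T02:00:02Z ip=203.0.113.7 user=bob result=FAIL
2025-01-01T02:00:03Z ip=203.0.113.7 user=carol result=OK
2025-01-01T02:00:04Z ip=203.0.113.7 user=dave result=FAIL
2025-01-01T02:00:05Z ip=203.0.113.7 user=erin result=FAIL
2025-01-01T02:10:00Z ip=198.51.100.4 user=gina result=FAIL
2025-01-01T02:10:20Z ip=198.51.100.4 user=gina result=OK
2025-01-01T03:00:00Z ip=192.0.2.9 user=hank result=OK
"""
LINE_RE = re.compile(r"^(\S+) ip=(\S+) user=(\S+) result=(OK|FAIL)$")

def parse(log_text):
    """Parse lines into (timestamp, ip, user, result) tuples; skip junk."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events

def detect_stuffing(events, window=timedelta(minutes=10),
                    min_users=5, min_fail_ratio=0.8):
    """Return {ip: (distinct_users, failures, attempts)} for flagged sources."""
    by_ip = defaultdict(list)
    for ts, ip, user, result in sorted(events):
        by_ip[ip].append((ts, user, result))
    flagged = {}
    for ip, rows in by_ip.items():
        start = 0
        for end in range(len(rows)):  # sliding time window per source IP
            while rows[end][0] - rows[start][0] > window:
                start += 1
            win = rows[start:end + 1]
            users = {u for _, u, _ in win}
            fails = sum(r == "FAIL" for _, _, r in win)
            # many distinct usernames AND mostly failures -> stuffing pattern
            if len(users) >= min_users and fails / len(win) >= min_fail_ratio:
                flagged[ip] = (len(users), fails, len(win))
                break  # one hit per source is enough to report
    return flagged
```

In the constructed sample, 203.0.113.7 is flagged (five usernames, four failures, one reused password that worked), while the single-user retries from 198.51.100.4 and the normal login from 192.0.2.9 are not.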

Editor's Note: This article was originally published in September 2022 and has been updated.

Read the original article on Business Insider

4 things to do to protect yourself online from scams and hacks in the new year

1 January 2025 at 01:38
A computer user types a password into a box on a login page.
Scammers and hackers have embraced AI to make their attempts more realistic.

Jakub Porzycki/NurPhoto

  • Hackers and scammers are getting more sophisticated in their methods.
  • Elaborate social engineering schemes and AI are some ways that scammers are upping their game.
  • One cybersecurity expert explained four ways to protect yourself going into 2025.

The end-of-2024 hack of US Treasury Department computers is a reminder that if the government isn't immune to tech trouble, neither are you. So, keeping your online accounts and information secure matters.

While state-backed hackers like the ones suspected of tapping into the Treasury's computers are sophisticated, there are still threats from small-time cybercriminals, Etay Maor, chief security strategist at Cato Networks, told Business Insider.

Still, individuals can use various tactics to avoid hackers and scammers gaining access to their information. Many have been around for years, but recent developments, such as the rise of generative artificial intelligence, call for new strategies, Maor said.

"It's a pain to remember another password or to enable another application to send you an SMS," Maor said. But, he added, "It'll help you not be the lower-hanging fruit" for those smaller hackers.

Here are four tips for enhancing cybersecurity and avoiding hackers and digital scammers going into 2025.

Use strong passwords — and have a secure place to keep track of them

Using the same password repeatedly for different accounts makes a scammer's job easier, Maor said.

Instead, he pointed to some long-standing advice: Create a separate password for each account, and make each one "strong" — usually, at least several characters long, with a variety of letters, numbers, and punctuation marks, and without common words or sequences like "123456".

But keeping track of all those passwords can be tough. Maor said he has a pattern that he uses to create new passwords. It's mostly secure, though he said that hackers might be able to figure out his pattern if they got enough of his passwords. There is also password-keeping software, but bad actors can hack those, too.

Perhaps a more secure option is a low-tech one, he said. "For me, writing them down on a piece of paper is much more secure than having the same password everywhere," Maor said. Just make sure you don't leave it lying around in plain sight.

Be aware of social engineering scams

Some scammers don't use AI but instead rely on their own communication and relationship-building skills to steal money or information.

Basic versions of this scam can include direct messages from people on Facebook or other social media apps who try to befriend you before asking for money or personal information, Maor said.

Others are more sophisticated, he added.

"If I'm now an attacker and I want to attack your boss, I might connect with you on LinkedIn, and then I'll try to connect with your boss," he said. That will create a mutual connection that could make the hacker appear more credible to the boss, Maor said.

Avoid AI-based scams by making a plan with family and friends

Some scammers use AI voice generators to create convincing clips of people saying they're in trouble and need money. The scammers then call the subject's friends and relatives and use the AI-generated voice to rip them off.

Maor said he already has a plan to avoid such scams with his family: They have agreed on a "secret word" they can ask for if they get a request they suspect might be AI-generated.

"It's not something very common," Maor said of the word his family picked. "And I think we shouldn't be afraid to do that in our corporate environment and in a private environment as well, just to confirm."

AI has also made phishing scams, which typically involve scammers sending emails that look like they're from a reputable source in order to get personal information about the recipient, more convincing.

Most guidance for avoiding phishing suggests looking for obvious typos in emails to identify potential scams, Maor said. But scammers can now use AI to create grammatically passable messages in any language they need, he added.

Make sure to use two-factor authentication

While it's been around for years, two-factor authentication — that is, asking a website or app to send you a code via email, text, or call that you must enter in addition to your password to log in — remains a good way to prevent unauthorized people from accessing your accounts, Maor said.

It's also possible to use an authenticator app like Duo or Microsoft Authenticator to sign off on login attempts or a physical security key, which, when used near the computer, confirms that it's really you trying to log in, according to the Federal Trade Commission.

Read the original article on Business Insider
