Half of all cyberattacks start in your browser: 10 essential tips for staying safe
Follow ZDNET: Add us as a preferred source on Google.
ZDNET's key takeaways
- Browser activity is involved in nearly half of all cybersecurity incidents.
- Attack vectors include malicious links, credential-harvesting scripts, and content injection.
- Following these key best practices will help you stay safe online.
Web browsers are among the top targets for today's cybercriminals, playing a role in nearly half of all security incidents, new research reveals.
According to Palo Alto Networks' 2026 Global Incident Response report, an analysis of 750 major cyber incidents recorded last year across 50 countries found that, in total, 48% of cybercrime events involved browser activity.
Individuals trying to connect to the web, including business employees, are exposed to cyberthreats on a daily basis, and it only takes one successful intrusion or malicious download to lead to serious consequences, such as surveillance, data theft, ransomware infection, or financial damage.
Palo Alto Networks security researchers listed some of the most common threats we face through our browsers today -- phishing and malicious links, credential-harvesting pages, spoofed websites, and even Clickfix, a covert initial access method that lures you into accidentally performing malicious actions through fake online instructions or alerts.
As our browsers -- these ubiquitous applications for accessing the internet -- have become security minefields, it's a good time to review some best practices for staying safe online -- as well as other measures you can take to reduce the risk of becoming a cyber victim.
Here are 10 things you can do to protect yourself.
1. Keep your browser updated
It may seem like basic advice, but how many times have we all thought, "Oh, I'll accept the update later," and then never do? Still, accepting software updates is your first and most important line of defense against intrusion or your browser being compromised by malware. Accept updates as soon as they are available, as they will almost always include fixes for vulnerabilities and bugs.
2. Check URLs and look for padlocks
If a website is HTTP-only rather than HTTPS, communication between your browser and the website isn't secure or encrypted, enabling anyone to read and analyze traffic and potentially insert themselves via a man-in-the-middle attack.
If you browse these domains, you may risk malware, scams, and malvertising, and you may lose your data if you are performing tasks such as submitting personal information or attempting to make a purchase. While HTTP-only websites are safe enough just to browse and view -- and some browsers will now try to automatically upgrade HTTP to HTTPs when possible -- you should never give them any personal information or financial data.
Also: Your home Wi-Fi isn't nearly as private as it should be - 6 free ways to lock it down
If you are visiting a new website, look for a padlock in your address bar and the HTTPS in the website address. On some browsers, you might not see a padlock, and URLs might be shortened, but you will still be warned when you are visiting an insecure site.
If your browser supports DNS-over-HTTPS, you should also consider enabling it when available, as it masks your activity from ISPs. This may appear in your browser settings as Secure DNS, such as in Google Chrome.
3. Sign up for a password manager
When possible, avoid in-browser password managers and opt for a standalone password and credential management service instead.
Why? Because if your browser is compromised, so might be your entire vault. Not only this, but credential management is often just a bolt-on, whereas a standalone password manager is just that -- and its reputation relies upon being secure, encrypted, and defended against the latest threats.
Also: The best password managers of 2026: Expert tested
4. Use an ad blocker
To reduce tracking and potentially pop-ups that could serve you malware or Clickfix scripts, explore ad blockers to bolster your browser security. They can significantly improve your browsing experience, speed up page loading times, and reduce website fingerprinting. We have a guide on the best ad blockers available; one of my current favorites is Ghostery.
Also: The best ad blockers: Clean up your browsing experience
5. Try private or incognito mode
Most browsers will offer a private or incognito mode. These optional browser windows aim to reduce your susceptibility to tracking by not saving your website visit logs or searches made in your browser, which can reduce targeted advertising rates and can improve your privacy, especially if you are on a shared computer.
They are a minor improvement, not a security miracle. These windows only prevent data from being saved locally, and they won't stop other parties -- such as your ISP -- from seeing what you've been doing online. Still, you should know they exist.
6. Switch to an anonymous search engine
A popular search engine alternative to Google or Bing is DuckDuckGo, which bills itself as a privacy-first service. DuckDuckGo does not collect user data or track users across the web, nor will it save your search history or sell your activities to marketers, all of which can lead to targeted advertising. Cookie pop-ups and trackers are blocked by default, too.
It's popular enough to have expanded into a full-fledged browser, and you should consider using it to keep your queries out of third parties' hands.
Also: If you're into online privacy, try this popular Google alternative
An easy tweak to your existing browser experience is to visit this service and set it as your default search engine. I've done so and recommend you do the same.
7. Install a VPN
A virtual private network (VPN) is software that encrypts your online communications, disguising your IP address and hiding your online activity.
VPNs can be used for a variety of purposes, including unblocking geo-locked content and avoiding ISP-based throttling, but their main benefit is as a privacy tool when browsing the web. Through encryption, VPNs help prevent third-party profiling and eavesdropping and are crucial if you have to use an untrusted public Wi-Fi hotspot.
Also: Best VPN services 2026: Expert tested and recommended
Some of the best VPNs available include NordVPN, ExpressVPN, and Surfshark.
8. Use a more secure browser
To avoid tracking, surveillance, data collection, and security vulnerabilities, transition to a browser known for its strong security.
Secure browsers place a high emphasis on user security and privacy. They are built by developers who actively try to stop attempts to track you by using methods including default anonymous search engine integration, blocking third-party trackers, strict cookie policies, upgrading unsecured HTTPS connections, using IP-masking server relays, and preventing browser fingerprinting.
Our top picks right now include Brave, Tor, and DuckDuckGo.
9. Use Tor to stay hidden
The Tor browser uses the onion network to disguise traffic, rerouting your requests through nodes that mask your IP address and make tracking very difficult.
Since your traffic is routed through middleman nodes, it won't be as fast as in a typical web browser. Furthermore, its high level of security and anti-tracking technologies means that some websites may not display correctly, especially if they are laden with scripts.
Also: Why the most private way to browse the web isn't incognito mode (but this instead)
These issues aside, Tor is an excellent way to browse the web without exposing yourself or your data. You'll need to use a VPN, download the software, and connect. If you want to visit a specific website, you may need to know its .onion address.
10. Be wary of AI browsers
Finally, stay wary of any browser focused on AI. AI browsers such as Atlas and Comet are powerful and have a lot of potential, but they have also created a new attack surface for cybercriminals to exploit.
One of the main issues right now that impacts AI browsers -- and without a clear solution beyond large language model (LLM) hardening -- is prompt injection attacks. These attacks, whether direct or indirect, force an LLM to act in a malicious way. For example, a hidden instruction buried in a web page or URL could make its way into an AI browser chat assistant, leading to the exposure or theft of your data.
Also: I've been testing the top AI browsers - here's which ones actually impressed me
If you are using one, keep personal data sharing to a minimum. AI chatbots are useful, but it doesn't mean they are secure.
Post Comment