Games Hotline Digital Safety Guide

Protecting Yourself During Online Harassment Attacks

This guide focuses on prevention. If you’re being targeted for harassment now, the Consumer Reports Security Planner has a list of resources and organizations to support you.

For emotional support and basic guidance about your situation, reach out to the Games and Online Harassment Hotline by texting SUPPORT to 23368 from anywhere in the USA.

NOTE: We’re sharing things we’ve learned about how to keep yourself safe from individuals, loosely organized groups & cybermobs. If you’re concerned with attacks from governments, major corporations, or other massively organized and/or resourced institutions, we recommend the Frontline Defenders Workbook on Security and the EFF Security Self Defense Guide.

This is for anyone who seeks to enhance their digital hygiene and security in light of anticipated or existing threats, but it is especially designed for women, Black, indigenous, and people of color, trans people, and everyone else whose existing oppressions are made worse by digital violence. It details best security practices for social media, email, online gaming, website hosting, and protecting privacy of personal information online, as well as the documentation and reporting of harassment, and caring for yourself emotionally during an online attack. You don’t need any specialized knowledge to use this guide – just basic computer and internet skills.

The authors of the guide have all been targets of cyber attacks ourselves; we’ve written the guide we needed when the attacks on us began. We’re all based in the USA, but we’ve done our best to make it useful no matter where you live.

We wish we didn’t have to write this. Going through even some of these steps to protect your online safety will cost you real time and sometimes money. It’s a tax on women, people of color, queer and trans people, and other oppressed groups for just existing online or daring to use our voices in public.

None of this is fair. It should not be our meticulous labor and precious funds that keep us safe; it should be our basic humanity. But that has proven heartbreakingly, maddeningly insufficient more times than we can count. So below are some of the things that we’ve learned that can help, even though we shouldn’t have to do any of them. While we fight for a just world, this is the one we’re living in, and we want to share what we know.

We also want to acknowledge that people with more financial and leisure-based privilege will have better access to implementing comprehensive strategies — a structural unfairness that highlights how unjust online harassment is. It’s also true that none of these are foolproof — you could employ all of these strategies and still be targeted.

And just to be crystal clear: if someone attacks, harasses or threatens you online, it’s not your fault, even if you haven’t previously taken any safety precautions.

It’s never your fault. Never. Ever.

Preventing Doxxing

Doxxing is when harassers publish the personal information of their targets. Often doxxing comes with spoken or unspoken encouragement for others to use your personal contact information to escalate the harassment against you or their target.

In general, harassers rely on finding information that’s already in the public record, such as corporate records, licensure records, and property records. Unfortunately, the specific public records available will vary from location to location — you’ll want to do research about your local laws and regulations, especially if you’re not in the US.

Data Brokers

Data brokers are an issue for people who have lived in the United States long enough to receive mail. If that doesn’t describe you, skip down to the next section.

If you live or have previously lived in the United States, your information is everywhere online. Your name, home and/or work address, phone number, email address, and other sensitive information are almost surely posted for public viewing on various websites. This is often how harassers find the info they use to dox their targets.

People finder websites are publicly available databases where an attacker can use the information they already have, like your name and other identifying information, to look up your email address, phone number, physical address, relatives, and more. You should check these sites to see if they’re sharing or selling your information. If they are, you should have the information taken down. Yael Grauer maintains a huge list of these sites with detailed instructions on how to opt out of each one. There are many “people finder” sites and this process can be overwhelming, so we recommend that you start with the ones marked as High Priority on Yael’s list.

It’s good practice to check these sites every three to six months because your info can be re-listed even after you’ve had it removed. Another option is using paid, automated opt-out services like Optery, Kanary, and DeleteMe. Even if you don’t end up paying for the automated opt-out service, they can scan data brokers for your information and provide a report of what they find. Then, you can use what you learn to do the opt-outs manually by following the instructions on Yael’s list.

Restrict What You Share

One free and low-tech way of reducing your risk of doxxing is to restrict what you share online. Especially consider not mentioning details about where you live, your current location if you’re traveling, the names of anyone you live with (those names can be used to find your address), and any information that can be used in accessing your accounts (so, your maiden name, or anything that you might use to answer a “security question,” like the name of your childhood pet, or the street you grew up on.) The less information available about you online, the less there is available for doxxing. Of course, restricting some of this information can feel onerous for a variety of reasons, so the balance is up to you.

Passwords & Login Security

Passwords are necessary for almost everything we use these days, and they are crucial in protecting our information online. Here are a few important things to remember when creating passwords.

Use a Password Manager

You might already be familiar with password managers like Apple Keychain or the password manager built into your browser. Password managers can create and keep track of highly random, high-security passwords for all your online accounts in securely encrypted “vaults”. Some password managers will even autofill your passwords so you don’t have to type them out.

If you’re already using Apple Keychain or the password manager built into your browser, you should make sure the passwords saved in them are strong. If you’re starting from scratch or don’t mind switching to another system, we prefer using dedicated password manager apps like 1Password and Bitwarden. These apps have additional features such as secure cross platform syncing, safe ways to share passwords, and even alerts if your password is in a data breach. Both 1Password and Bitwarden have browser extensions and iPhone or Android apps, so your passwords will be available wherever you go.

Not only are password managers super secure and convenient, they make the rest of the tips in the Password and Login Security section easier. For more information on password managers, check out the Password Manager section of the Consumer Reports Security Planner. 

Have a Lot of Different Passwords

We recommend using a unique password for every account you own. It might be tempting to just use the same password for everything, but if you do, someone who figured out what your password was for one account and knew your email would be able to log in to other accounts. By using a different password for every account, you’ll limit the damage to just the single account that was compromised.

You probably have more accounts than you think! Here are some types of accounts you may have: email, bank, credit card, social media, services, apps, petition sites, health insurance and hospital record websites, municipal and other government sites, and accounts for utilities like water, power, and internet, website, hosting and domain related sites, budgeting sites. Once you realize how many accounts you have, using different passwords for everything might feel intimidating. This is why it’s critical to use a password manager to create and store those passwords.

Security people used to recommend changing passwords on a recurring basis, but best practices have evolved in recent years to focus on having unique passwords everywhere – if your passwords are unique, changing them matters a lot less. We recommend checking the service Have I Been Pwned regularly to see if your passwords have been compromised in data breaches, and only changing the ones that have.

Make Your Passwords Difficult

Passwords should be long and hard to hack. In practice, that means passwords should be a mix of upper case letters, lower case letters, numbers, and symbols. Ideally, you’d use 8-20 characters (or more). Do not use personally significant keywords that attackers can look up (like phone numbers, birthdays, pet names, or family member names) in your passwords. 

Most password managers will create and save strong passwords for you, so you won’t have to copy and paste or type them into the password manager manually. You can also use a site like Password Generator to create passwords, but you’ll have to save your passwords to your password manager manually. 

Sharing Your Passwords

Passwords are only as secure as they are secret. Never share your passwords with anyone – not even your best friend or your partner — unless it is absolutely necessary. The fewer people who know a password, the less vulnerable it is. If you do need to share your passwords, the best way to do it is to use the built-in sharing function of a password manager. Make sure to establish rules so that everyone who has the shared passwords maintains them in a secure way.

Turn on 2-Factor Authentication

2-Factor Authentication (also known as 2-Step Verification, 2FA, or Multi-Factor Authentication) protects your accounts from attackers even if they’ve figured out your password. After you’ve set up 2FA on an account, when you or anyone else tries to log in to that account, you’ll need to enter a code from an app or a text message to finish logging in. For more information on setting up 2FA, check out this guide on Consumer Report’s Security Planner. To see what 2FA options are available for any specific site or service, look it up on the 2FA Directory.

Use Security Questions

Many sites ask you to create one or more security questions that they can use to verify your identity if you forget your password. You should make the answers something only you know — something that cannot be found online or figured out from your social media.

We recommend creating complex passphrase style sequences of random words for your security question answers. Then, save the security questions and their answers in your password manager to ensure that you don’t forget them and can access them easily when you need them.

Email Addresses

You may want to have several different email addresses for different purposes, whether it’s separating out personal and professional communications or siloing off individual projects. If you own your own domain, you can also set a unique email address for each account that you can track with a password manager, along the lines of websitename@yourdomain.com.

The important thing to consider when it comes to email addresses is that if an adversary has access to the email address associated with a particular online account, they can typically request a “password reset” and take over the online account. So it’s essential to use strong passwords and two-factor authentication on one’s email accounts, to keep any accounts attached to them safe.

Website Security

If you have your own site, there are proactive measures you should take to protect yourself from harassment and make sure your site isn’t taken down by attackers.

Domain Registration

If you own one or more web domains, your contact information may be publicly available via the “whois” protocol or various public Whois search sites, like domaintools.com. Many domain name registrars offer the option to keep this information private either for free or for a small fee. The availability of private registration services depends on the top level domain — for example, .ca has free private registration, but .us domains cannot be registered privately. Contact the helpdesk of the company you registered your domain names for assistance.

If you’re not able to register your domain privately, an alternative is to register your domain to a virtual mailbox or PO box.

Website Hosting

These days, many personal websites run on hosting services like Squarespace, Wix, WordPress.com, or Weebly. These services all operate their own security teams and are relatively resilient to things like DDoS attacks. It’s still important that you have good general account security practices (like using unique passwords and two-factor authentication), but it’s much less risky to have a website using one of these services than it is to run a site on your own hosting.

If you’re using custom WordPress plugins, have a custom site using a self-hosted content management system like Drupal or Joomla, or if you’re using something even more customized, there are additional things to consider:

• Make sure that your CMS (content management system) and any installed plugins are kept up to date
• Be thoughtful about what data you store in private areas of the site
• Consider hardening your site against DDoS (Distributed Denial of Service) attacks by using a CDN (content delivery network)
• Back up your site on a regular basis so that even if something catastrophic happens, you can always set it back up on a new hosting provider.

The EFF has extensive documentation on keeping your self-hosted site online. If this all seems overwhelming, we recommend using one of the simple hosting options we mentioned at the start of this section.

Comments On Your Site

If your site is a home for your community (for example, a blog) it might be important to you to have comments enabled. It’s a good idea to moderate comments before they appear on your site. Not only does this cut down on the amount of spam that appears, but it also ensures that nasty comments and defamatory statements do not appear on your site. Having people register for a commenting account using a service like Disqus can keep attackers from spamming your website with hateful comments.

You don’t have to have comments enabled for your site. If your site provides static information, it might be better to turn comments off altogether and focus on fostering your community on venues with strong built-in moderation tools, like Discord.

Social Media

Many of us use social media to connect with friends and family, and as a professional tool as well. Unfortunately, social media is also one of the most common channels for harassment, abuse and doxxing.

General Social Media Account Security

Every social media platform has its own set of security options and concerns. To make matters more complicated, those options can change with little notice. For a guide to what your options are and how to think about them on some of the major platforms, we recommend this guide from the Consumer Reports Security Planner. In addition, this NNEDV guide designed to help survivors of intimate partner violence navigate Facebook is really great. 

The right balance of security settings is up to you. The important thing is to make informed decisions about what works for you. We also recommend you re-check your settings against these guides every 6 months or so, in order to keep up with changes the companies may make.

Turn Off Location Data

Harassers and attackers can use location data from social media apps to locate your frequent hangouts and figure out your home address. To prevent this, turn off location sharing on your social media using the privacy settings on your iPhone or Android so that the only apps that have your location are the ones that need it, like Google Maps or Apple Maps. We recommend making sure your camera app doesn’t have access to your location as well so that it isn’t leaked in the EXIF data of pictures you share.

Be cautious about where you check in on Facebook or what locations you tag on Instagram. If it’s a place you go to often, it might be best to keep that place private.

Most social media sites let you delete your location history so that attackers can’t find it in the future. Here’s how to do it on Facebook and Twitter. On Instagram, you’ll have to delete location data post-by-post.

Decide What You Want To Share

You probably have a great community and want to share with them. But before you post, ask yourself questions like:

• What information and photos are available publicly? Will sharing this information make it easy for an attacker to find you? What about if you combined it with your name and your city, if you’ve shared those?
• How would you feel if a harasser turned this photo into a harassing meme?
• Will sharing your birthday make it easy for someone to find you and compromise your accounts?
• Does this picture contain any distinctive landmarks, like trees, signs, or landmarks, that someone can use to find my location?

Minimizing the amount of information that is freely available about you, especially on your basic and public social media profiles, is going to make you more secure, though it’s also a sacrifice in that it limits what you can share with your community. There’s no right or wrong answer about how much to share, but do make the risk/reward assessment deliberately.

Be Cautious In The DMs

Direct messages on social media are only as safe as your account’s security.

Moderating Your Community

Discord

You might already have a discord set up for your community. We recommend restricting access to new users who just joined your server until they are vetted or assigned a role. The Games Hotline guide for protecting your Discord from hate raids has further detailed settings and permissions overviews to improve the security of your Discord as a whole. It also includes a handy server template that you can freely copy, explore, and tweak on your own.

If you haven’t already had a look at Discord’s Moderator Academy, it’s full of helpful documents on choosing and training new moderators for your team, reporting abusive users to Discord, and moderating voice channels. 

Twitch

If you use Twitch to live stream games, you’re probably already familiar with moderation on Twitch. The following chat configurations can be powerful tools to prevent harassers from flooding your chat:

• Turn on Twitch’s Automod and configure it using this guide. If you’ve already got Automod on, you can temporarily turn it up a level or two if you’re experiencing an uptick in abuse.
• Prevent harassers from using bots and throwaway accounts by requiring chat verification.
• Turn on the Delete Links setting in your Channel Settings to automatically delete links posted in chat unless they’re from you or your team.
• Put Twitch chat in slow mode or have a cooldown on chat.
• Buy your moderators time to act when they see inappropriate messages by setting a non-moderator chat delay.
• Restrict chat to followers only or even to followers who have followed you for at least some length of time.
• Restrict chat to subscribers only.
• Turn on Uniquechat to prevent harassers or bots from spamming messages.

If you’re the target of a harassment campaign, it might be helpful to check out Twitch’s guides for using moderation features to manage harassment and combating targeted attacks.

You can also use a third party moderation bot to moderate your chat. Nightbot, Moobot, and PhantomBot are all popular options.

Facebook Pages

You probably already have a personal Facebook account. If you have a public persona, you may want to create a public Facebook page. A public page allows you to connect with your community on your terms. Facebook users who follow your public page can see the articles and updates you post on it without being “friends” on your private Facebook account, allowing you to maintain some separation between your private and public lives.

We recommend going through your Facebook friends list and unfriending anyone you don’t know personally, and directing those people to follow your public page. You might decide to be really selective and cull your friends list down to people you have a strong connection with, like your close family and long standing friendships. It’s up to you to decide where to draw the line between your private and public lives.

Twitter Blocking & Muting

Blocking and muting on Twitter can be done on a case-by-case basis. We understand all too well that when you are being attacked by a mob, it is nearly impossible to manually block or mute everyone sending you nasty and/or threatening messages. However, there are now sophisticated blocking tools available to you, like Twitter’s Tweetdeck.

Blocking a harassing account will remove any tweets from that account from your timeline and stop that account from seeing your Twitter profile and tweets, although the person behind the account can see your profile if they’re logged off or logged into a different account. Muting a harassing account will only remove any tweets from that account from appearing in your timeline. When you mute an account, you can still go to their profile to view their tweets.

Blocking or muting an account won’t notify that account. They might figure out you’ve blocked them by attempting to visit your profile, but if you chose to mute them your profile will look the same to them.

Twitter offers shareable block lists that can help preemptively block potentially harassing accounts so you don’t see those messages in your mentions. You can share and use friend’s block lists directly on Twitter.

Monitor Your Information Online

Sometimes bloggers and journalists write posts about us without our knowledge. It can be important to keep an eye on the information that is on the internet about you.

Information Monitoring

Although there are paid information monitoring services, you can set monitoring up yourself through free services like Google Alerts and Visualping.io.

You can use Google Alerts to send you email alerts when your name appears online. When you’re setting up your alerts, include not just your name, but common nicknames you have, common misspellings of your name, as well as your phone number and your street address, to monitor if anyone is sharing these publicly. Because you’re using sensitive information, when you set up your alerts, make sure the Google account you’re using is secured.

Visualping.io allows you to monitor specific sites and threads for activity. They have a free tier, but you can pay for the service to have more pages monitored and more frequent checks.

On Twitter, you can monitor when someone tweets your name without tagging you through a search column in Tweetdeck or even by using Twitter’s search function and saving the URL to look at every once in a while.

Because these programs are free, they’re a little limited, but they’re still accurate and useful.

Images and Photos

Every once in a while, you may want to do an Internet search of yourself to see what images appear on various search engines. If there is a particular photo you are concerned about you can do a reverse image search with sites like Google Images or Tineye where you upload an image and they run a search for it across indexed sites on the web. This can be helpful in monitoring your unwanted online presence.

Own Your Namespace

If you can, try to secure accounts in your name and in variations on your name on every major platform, even ones you don’t intend to use, to make it harder for anyone to pretend to be you. You may also want to register as many of the email domains with your name as possible to ensure that you own them and no one else can use them to pretend to be you; for example yourname@gmail.com, yourname@yahoo.com, yourname@protonmail.com, yourname@aol.com, yourname@mac.com.

Should you need to take a break from a social media account you already own, do not delete your account. If you delete your account, other users might be able to claim your handle and use it against you. Instead, make the account private or deactivate it. If those aren’t options, simply delete the app from your device and turn off the email notifications. 

Online Gaming Security

There are a number of security steps that can be taken to protect your privacy and security when gaming online, some of which overlap with suggestions throughout the rest of this document. You can, of course, implement some or all of the following recommendations to best suit your specific needs.

Passwords & Two-Factor Auth

Secure your accounts using the Passwords & Login Security section.

Gamertag/Handle/Online ID

Many people want their friends to be able to find them easily. But if you’re being targeted, being easy to find might not sound so attractive. Using different and dissimilar gamertags for each gaming platform and for usernames for other accounts makes it difficult for attackers to find your other gaming accounts even if they manage to compromise one. For example, AppleSauce54 on XBOX and AppleySaucey54 on Battle.net are easy to link together.

It’s up to you to decide if it’s worth it to sacrifice the uniformity of your gamertags for the additional security of having dissimilar gamertags.

Profile

Avoid using information or photos that reveal personal details about yourself. Do not answer security questions with real answers. Responses should be impossible to guess and impossible to look up online — avoid animal names, partner’s names, school names, street addresses, etc. You could use passphrases to answer security questions and store those in a password manager for easy access. Avoid using your real birthday.

Email Address

Use a couple of different email addresses for different gaming accounts. For the highest security, you can even use a unique email for each account. This can help make it more difficult to access all your gaming profiles if one account is compromised.

Privacy Settings

Most online gaming systems offer a selection of privacy settings, some more than others. Look through each system’s preferences/settings regarding:

• Automatic vs sign in each time login
• Who can see when you are online
• Who can see what you are playing
• Who can send you voice and text communications
• Who can send you friend requests
• Who can see your profile
• Who can see your gaming history
• Who can see your friend’s list
• Who can see your game clips
• Settings regarding uploading game clips to online servers
• Sharing gaming content to social networks
• Requests to join multiplayer games
• Adding and blocking friends
• Who can see your real name

As you look through the options for each setting, think about what might happen if an attacker had this information or that level of access. The specific settings you’ll choose depend on what’s right for you.

Live Streaming Games

If you live stream games on Twitch, check out the settings we recommended for chat in the moderation section. If you use other live streaming services, like Youtube or Facebook Gaming, look for similar moderation tools. 

Hate Raids

Hate raids are yet another symptom of the systemically racist, sexist, queerphobic, oppressive culture we live in. They are a tool used primarily to silence and intimidate streamers, and we have seen how they are unfairly and disproportionately targeted at Black women, queer, and BIPOC streamers. Our guide How do I stay safe from a hate raid? has specific suggestions on what to do before, during, and after a Hate Raid.

SWATing

SWATing, also known as swatting, is a dangerous and traumatizing escalation of doxxing attacks. SWATing attacks are when a harasser calls emergency law enforcement claiming something violent and dangerous, such as a shooting or a kidnapping, is happening at a target’s house. The harasser’s goal is to activate local SWAT teams. It’s most common in the gaming and streaming community: harassers attempt these attacks during their target’s live stream events so that the SWAT team attack will be live streamed. 

What to do if you’re at risk

While we generally do not recommend interacting with law enforcement, if you fear you may be targeted with a SWATing attack, reaching out to your local law enforcement through their non-emergency line is typically the best preventative approach. 

Here are some best practices:

• Research your local police force’s practices. Some police forces have a SWATing protocol in place. Check your local law enforcement’s website to see if there’s any information.
• Call the police in advance. Share your concern and try to get a record filed ahead of an attack. Communicating with the police yourself, in advance of an attack, about the possibility of fake reports for your address can prevent them from deploying agents if they receive those calls. You’ll need to verify your identity, which may include providing documents or answering many personal questions. 
• Use a script. Here’s one we like:
  • Ask if they are familiar with SWATing.
  • If yes, explain: Someone on the internet is harassing/stalking me. There’s a chance they’ll try a SWATing attack, so I wanted to reach out and let you know. If you receive a report of a threat to my address, I need you to call my cell number before sending out emergency responders.
  • If no, explain: My personal information, including address/phone number/social security number was recently posted on the internet by someone who is harassing/stalking me. There is a chance that someone may call in a fake bomb or hostage threat at my address as part of the harassment, so I wanted to reach out and let you know that this could happen. If you receive a threat like this for my address, I need you to call my cell number before sending emergency responders.

What to do if an attack is imminent 

Here’s what you should do if you believe the threat is imminent. We recommend taking these steps even if you’ve already reached out to your local law enforcement.

• Put any pets into crates or kennels to protect them.
• Open doors throughout your living space.
• Consider putting a sign on your front door with a note that you’re experiencing ongoing online threats. You might want to include your cell phone number.

What to do if an attack happens

When the police arrive, do not try to explain the situation right away. Instead, answer their questions in short sentences first. After the situation has been deescalated, you can elaborate on your situation. Having a script, like the ones we provided above, memorized or handy can help you explain.

Downloads and Viruses

Only download games, game saves, cheats, mods, or other content from reputable and secure sources. Game “cracks” are a common way people get infected with malware. If you do need to use untrusted applications and content on a regular basis, consider having a dedicated computer for experimentation, or reinstall your operating system on a regular basis to clear out malware. Unfortunately, preventing these issues isn’t as simple as running an antivirus program — security experts no longer recommend that the average user run antivirus. Fortunately, this is because the built-in security of modern Windows and Mac computers makes them much more resistant to malware — unless you’re deliberately going out of your way to run sketchy software.

Physical Mail

Although physical mail is much less prominent now, you probably still get quite a bit of physical mail and packages sent to your home. Consider alternative options like a P.O. Box or Virtual Mailbox and/or consider using an alias or pseudonym when receiving mail to your home.

US Post Office Box

If you live in the US, you can get a PO Box and have all of your non-personal mail, including bills, catalogs, magazines, etc., sent to your PO Box instead of to your home address. That way, if your address is bought or sold, or if someone manages to access one of your accounts, they won’t have your home address. We suggest having your P.O. Box a reasonable distance away from your home or work. Ideally, it’d be in a different zip code or even a different town so it’s not easy to guess where you live based on your PO Box address.

Virtual Mailbox

Another option is getting a virtual mailbox, also referred to as a private mailbox. These are provided by companies that assign customers an address and unique mailbox number. The address they assign you might be located in a different city (or even a different state). When they receive your mail, they can even scan your mail before forwarding it to you, although they may charge extra for it. Virtual Mailboxes tend to cost more than P.O. Boxes even without paying for additional services.

Miscellaneous

Use a Secondary Number

In the United States, you can get a free secondary number via VOIP services such as Google Voice and have it ring to whatever phone you want. This allows you to avoid giving out your actual number. Look for a service that transcribes your voicemails and allows you to block callers.

If your number is doxxed or if you’re concerned about harassing calls, don’t pick up the phone unless you’re expecting the call — it’s easy to spoof phone numbers so it looks like your bank or your relative is the one calling. Attackers will get bored if they don’t get you, and you can just block their number after the first call and never hear from them again. Poof!

Pen Names

A pen name is a pseudonym that a writer publishes under to protect their true identity. This can be a completely different name or a name based on your given name. If you are worried about being doxxed or losing your privacy, especially if you have an uncommon first and last name combination, you may want to weigh your options when it comes to a pen name.

This is probably only a realistic option if you’re just beginning your professional career or starting a new project unrelated to your current professional life. If you decide to use a pen name, make up a name, perhaps your first name and an old family last name, a pseudonym based on your work, or a made up name altogether. For more information on using your real name versus a pseudonym, check out this guide from Gender and Tech Resources.

Camera Security

Covering webcams when they are not in use is a good idea in case someone gains access to the camera on your computer or mobile device. Some webcams even have built in covers. For those that don’t, you can easily cover the camera on your computer with a sticker or a post-it note. Choose something easy to remove so you’ll still be able to use your camera. If you want something nicer, there are more sophisticated covers, such as C-Slide. 

Video and Text Chat

Using secure chat and video call apps is a good idea in general. It may be surprising, but SMS is notoriously insecure. Facebook Messenger, Instagram DMs, Snapchat, and Twitter DMs are all also routinely used for sensitive conversations but are insecure as well. Specifically, when you send messages over these services, it’s possible for employees of the companies who operate the services to read your messages by intercepting them or even for an attacker to read them by gaining access to your account.

There are great options for secure messaging and video calls now, though. Signal and iMessage/ Facetime are the best options. WhatsApp and Facebook Secret Conversations are okay too. Whatever messaging or video calling platform you choose to use, make sure your conversations are end-to-end encrypted, meaning that the company operating the platform (or other adversaries) can’t listen in on or see the contents of your messages and calls. Signal and Facetime calls are both end-to-end encrypted by default, which is why we like them so much.

You should also be sure that any accounts used to access your calling service, such as your email, are secured with a strong password and 2FA if possible. Signal users should set a PIN and enable Registration Lock. For more information, check out the Consumer Reports Security Planner guide to secure communication.

Physical Device Security

There are steps you can take to make sure your physical devices can’t be used against you if they fall into the wrong hands. Follow these guides from the Consumer Reports Security Planner for each of the devices you own:

• Encrypt and backup your Android phone
• Encrypt and backup your iPhone
• Encrypt and backup your Mac computer
• Encrypt and backup your Windows PC computer

You can also enable Find My Device on both Android phones and iPhones so that if your devices are lost or stolen, you can remotely lock, erase, and find them.

Smart Device Security

You might also have smart or wifi connected devices. Whether it’s your gaming consoles, your smart TV and smart speakers, fitness devices, or a security camera, use the information in the Consumer Reports Security Planner articles we linked to make sure your smart devices won’t be used to invade your privacy or attack you.

Keep Your Phones and Computers Updated

It’s great security advice in general to keep your devices updated so you’re protected from known vulnerabilities with the latest security patches and updates. The Consumer Reports Security Planner has great instructions for making sure your iPad, iPhone, Android phone, Windows PC, and Mac are all kept up-to-date.

Documenting

Documenting and saving the harassment sent to you via Twitter, Facebook, email and other social media can prove useful especially if you decide to pursue legal action and/or report to law enforcement. Most computer and phone operating systems have a default screen capture system. Here are instructions on how to use the ones for Android, iOS, Windows, and Mac. Alternatively, you can use an app like Evernote’s Skitch or Microsoft OneNote.

It might be helpful to set up an email account or folder so that you can send yourself the screenshots of the harassing messages. Not only is it a convenient way for you or your helpers to create a dated record of the harassment, but it also backs up the screenshots. Just make sure to lock down the email account with a strong password and 2FA so that it’s safer from hackers.

For more guidance, check out the PEN Online Harassment Field Manual’s guide on Documenting Online Harassment.

Reporting to Social Media

Most online social media sites have their own abuse reporting tool. Follow the guides they provide to report abuse on their platforms. Here are links for more information provided by a few of the biggest sites:

• Twitter
• Facebook
• Instagram
• YouTube
• TikTok
• Twitch
• Discord

Reporting to Law Enforcement

Choosing to seek support from law enforcement can be a fraught decision. For many, especially people of color and trans folks, law enforcement may bring more harm rather than more safety. US law enforcement is still woefully behind in their understanding and sympathy when it comes to online harassment. There are still very few jurisdictions that have laws supporting victims of online harassment, and police often won’t engage with prevention of harm. They typically will only act after a crime (in the legal sense) has been committed. For all of these reasons, we do not tend to recommend law enforcement or legal action in most instances of online harassment. 

If you would like to reach out to law enforcement, officials recommend that targets report online harassment that directly threatens you to law enforcement immediately and with as much documentation as you can. This ensures that there is a timely, documented record of the abuse on file. To learn more about online harassment laws in the United States check out PEN America’s Online Harassment Field Manual.

Plan For Support & Back-up

If you think you might be attacked or harassed online, you don’t have to wait until it happens to ask for help. Sometimes, the people in our lives mean well but don’t understand how to support us. Maybe they don’t “get” online harassment and minimize the effect it has on you or they want to help but have no idea how.

For example, people might hop onto your Twitter timeline and “take on” your harassers, thinking they’re doing you a favor. Their intent was good, but the impact? Not so much. In fact, research shows that engaging with harassment prolongs the harassment. And by engaging with the harassers, they might give them an algorithmic boost and help get the harassment in front of more eyes, attracting more harassers to your feed. 

Friends & Family

If you feel up to it, it’s worth trying to have an “Online Harassment 101” conversation with the people in your life if you are being harassed or are worried you become the target of harassment. We’ve included some great resources that can help them understand online harassment.

When talking with loved ones, think about what you might want help with, and ask your friends and family in advance if they would perform certain tasks for you if/when the abuse starts. If you’re not sure what to ask for, look for the ASK A FRIEND sections throughout this document.

You might ask one person to provide emotional support, check in on you, and be someone you can vent to. Another person might monitor your Instagram and Twitter feeds, while another could monitor your email inbox, and a third could monitor the comments on gross websites that might be writing about you, so you don’t have to. Be sure to give your team whatever passwords and access they’ll need to do their assigned jobs in advance.

The advantage to setting this up in advance is twofold: first, you can respond faster if/when the attacks come, because your network has already agreed to step up. Second, you can decide in advance how you want people to handle things: Do you want your Twitter monitor to block and report anyone who harasses you, or do you just want them to monitor your feed to see if there are any threats you need to know about? Should the person reading your emails put them all in a folder in case you want to refer to them later when the crisis has passed, or should they just delete them? 

Employers

Depending on your employment situation, you may also want to alert bosses, colleagues, or co-workers that they may be hearing some troubling things about you and why. Harassers sometimes try to target the employment status of their victims, so the more you can get your workplace on your side before they start hearing confusing messages about you, the lower the harasser’s credibility will be, and the better your situation will be. But use your judgment: not every workplace will be equally understanding.

Self-Care

Being targeted online can make things feel completely out of control. But anyone who has experienced it will tell you that there are two critical things you can control: how you treat yourself and how you respond to the harassment.

You will hear a lot of advice about whether or not to engage with your harassers. There’s no right answer – it depends entirely on what’s most important to you. If your No. 1 priority is to stay as safe as possible, both physically and emotionally, it’s often best not to engage. But if you find that you’re willing to risk more harassment in order to directly address your harassers and call them out, that’s also a valid choice. You may also find that the most important thing to you is to expose the harassment and/or the people who are perpetrating it, in which case retweeting it, emailing it to reporters, bloggers or activists, or otherwise signal-boosting the attacks against you can be the way to go.

Regardless of what you choose to do about your harassers, also consider what comforts you most when you’re upset, angry, or triggered, and do the best you can to plan for it. Will you want to be alone or see friends? Will you want your favorite bubble bath on hand or your favorite flavor of ice cream? Will it feel good to exercise, or build something with your hands, or punch or kick things? Can you save a rainy-day fund so you can get some bodywork? Can a friend be on-call to come do childcare for an hour or two so you can just take a deep breath?

It’s so important to take care of yourself, even if that just means going to bed and pulling the covers over your head and crying. You’re going to have feelings. It’s ok to honor them. Whatever you can do to give yourself space to have them and take care of them will make you more resilient in the long run.

Your Mental Health

Online harassment, harassment, and abuse of any kind, is a traumatic experience. Seeking mental health services like trauma-aware therapy or counseling can help offer extra emotional support and resources during and after traumatic experiences. If cost is a barrier, this list of free and low cost mental health resources is old but still a great starting place.