Security for Non-Coders: What Actually Happens When You Get Hacked
Most security advice tells you what to do. Use strong passwords. Turn on two-factor authentication. Don't click suspicious links. Fine. But it never explains why those things matter, or what actually happens when they fail.
That's a problem. Because when you don't understand the threat, the advice feels arbitrary. You skip it. You half-do it. You think "that wouldn't happen to me" because you can't picture what "that" actually looks like.
This post is different. I'm going to walk you through what actually happens during the most common types of attack. Not in theory. In practice. What the attacker does, step by step, and why it works.
"You don't need to be a security expert. You need to understand enough that the advice makes sense. Then you'll actually follow it."
The kill chain in plain English
Security professionals talk about a "kill chain" when describing an attack. It sounds dramatic, but it's just a sequence of steps. Every hack follows roughly the same pattern:
- Get in. Find a way into someone's account or device. This is the hardest part for the attacker.
- Look around. Once in, figure out what's there. Emails, files, contacts, other accounts.
- Dig deeper. Use what you found to access more things. One account leads to another.
- Take what's valuable. Data, money, access to other people, or a foothold for later.
- Stay hidden. If possible, keep access for future use without the victim noticing.
The key insight: step 1 is where you have the most power to stop things. Once an attacker is past step 1, everything else gets much harder to prevent. That's why "get in" is where all the security advice focuses.
Phishing: the attack that works on everyone
Phishing is the single most common way people get hacked. Not because people are stupid. Because phishing is genuinely good at what it does.
Here's what a modern phishing attack actually looks like, step by step.
🎣 How a phishing attack works
Step 1: The message arrives. An email that looks like it's from your bank, your email provider, Microsoft, Amazon, or your employer. The sender address looks right (it's spoofed or from a lookalike domain like "rnicrosoft.com"). The formatting matches. The logo is real.
Step 2: Urgency is created. "Your account has been locked." "Suspicious login detected." "Payment failed." The message creates a reason to act quickly without thinking.
Step 3: You click the link. It takes you to a page that looks exactly like the real login page. Same colours, same layout, same URL structure (except the domain is slightly different).
Step 4: You enter your credentials. The fake page captures your username and password, then redirects you to the real site. You log in normally and think nothing happened.
Step 5: The attacker now has your password. They try it within minutes, often automated. If you don't have two-factor authentication, they're in.
Why does this work? Because phishing doesn't attack technology. It attacks attention. You're busy. The email looks legitimate. The request seems reasonable. You're on autopilot.
The people who get phished aren't careless. They're just human. Security researchers have shown that even people who know about phishing can be caught by a well-crafted message that arrives at the right moment.
⚠️ What phishing looks like now
Phishing has evolved well beyond the "Nigerian prince" emails. Modern phishing uses AI to write flawless English, copies real email templates pixel for pixel, and targets you based on information scraped from LinkedIn, social media, and data breaches. Some attacks even reference your real colleagues by name.
Credential stuffing: when one breach becomes twenty
This is the attack most people don't know about, and it's arguably more dangerous than phishing because it requires zero interaction from you.
🔒 How credential stuffing works
Step 1: A company gets breached. Some service you signed up for years ago gets hacked. Their database of usernames and passwords is stolen. This happens constantly. Billions of credentials have been leaked.
Step 2: Your credentials appear in a dump. Your email and the password you used for that site are now in a list being shared or sold online.
Step 3: Automated tools try your credentials everywhere. Software runs your email/password combination against hundreds of popular sites: Gmail, Amazon, Netflix, banking sites, social media, PayPal. Thousands of accounts per minute.
Step 4: Wherever you reused that password, the attacker gets in. If your old forum password was the same as your email password, your email is now compromised. From email, everything else falls.
This is why password reuse is the single most dangerous habit in digital security. Not because any one password is weak. Because when one site gets breached (and they do, constantly), every account sharing that password is exposed.
💡 A real scenario
You signed up for a recipe website in 2019 using your email and your go-to password. The recipe site gets breached in 2024. You never hear about it. In 2025, someone buys the leaked database and runs your credentials against 500 popular services. Your email uses the same password. They're in your inbox within an hour. From your inbox, they reset your Amazon password, your PayPal, and your cloud storage. You find out when your bank texts you about an unfamiliar purchase.
You can check whether your email has appeared in known breaches at haveibeenpwned.com. It's run by a security researcher, it's free, and it doesn't require you to enter your password. Just your email address.
What hackers actually do once they're in
This is the part that most security advice skips entirely. What happens after the password is compromised? Understanding this makes the "why" behind every piece of prevention advice click into place.
First minutes: the email takeover
Email is the master key. If an attacker gets into your email, they can reset the password on almost any other account you have. Here's what they do first:
- Set up mail forwarding. A rule that silently forwards all incoming mail to the attacker's address. Even if you change your password later, they keep getting your emails.
- Search for financial accounts. They search your inbox for "bank", "PayPal", "password", "verification code". In seconds they know every service you use.
- Reset passwords. Starting with the highest-value accounts: banking, payment services, crypto, cloud storage. The reset emails arrive in your inbox. The attacker catches them. You might not even see them.
First hours: lateral movement
"Lateral movement" is the security term for using access to one thing to get access to other things. From your email:
- Cloud storage (Google Drive, Dropbox, iCloud): Personal documents, tax returns, photos, identity documents. Some people store scans of their passport or driving licence.
- Social media: Used to impersonate you. Send messages to your contacts. "Hey, I'm in a bind, can you send me some money?" It works because the message comes from your real account.
- Work email or tools: If your personal and work emails are linked, the attacker can now potentially access your employer's systems. This is how many corporate breaches start.
⚠️ The quiet persistence trick
Smart attackers don't drain your bank account immediately. They set up hidden access (email forwarding rules, recovery phone numbers changed, app passwords created) so they can come back later. You change your password thinking you're safe. They still have access through a backdoor you don't know about.
What they take
It depends on the attacker's motivation. Most automated attacks are looking for:
- Money: Direct transfers, fraudulent purchases, crypto theft
- Identity documents: Passport scans, driving licences, utility bills (used for identity fraud, opening accounts in your name)
- Access to sell: Compromised accounts are valuable. A verified PayPal account, a social media account with followers, a corporate email login. These are sold in bulk.
- A foothold for bigger targets: You might not be the goal. Your employer, your contacts, or someone in your address book might be.
The three things that actually stop most attacks
Now that you understand how the attacks work, the standard advice makes more sense. But instead of a long list, here are the three things that block the overwhelming majority of attacks on personal accounts.
✅ 1. Use a password manager
- Every account gets a unique, random password. You don't need to remember them.
- Credential stuffing becomes useless because no two accounts share a password.
- Password managers also protect you from fake login pages: they only autofill on the exact domain a password was saved for, so they won't fill your Microsoft password on "rnicrosoft.com".
- Good free options: Bitwarden. Good paid options: 1Password.
- Start here: Install Bitwarden. Add your 5 most important accounts. Change those passwords to generated ones. Do the rest over the next week.
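The domain check behind step 3 of the phishing walkthrough and the autofill point above, as an added example (not code from the original post): it mimics how a password manager decides whether to fill a saved password, and names the brand a lookalike host is imitating. The homoglyph table, brand list and URLs are constructed for illustration.

```python
from typing import Optional
from urllib.parse import urlsplit

# Character runs that read as another letter in many fonts ("rn" looks like
# "m", "vv" like "w", "1" like "l", "0" like "o"). Constructed, not exhaustive.
HOMOGLYPHS = {"rn": "m", "vv": "w", "1": "l", "0": "o"}


def registrable_domain(host: str) -> str:
    """Naive registrable domain: the last two labels. A real password manager
    uses the Public Suffix List so that e.g. 'bank.co.uk' is handled correctly;
    that list is not embedded here."""
    return ".".join(host.lower().split(".")[-2:])


def manager_should_autofill(saved_url: str, current_url: str) -> bool:
    """Mimic a password manager's rule: fill only on HTTPS pages whose
    registrable domain matches the one the credential was saved for."""
    current = urlsplit(current_url)
    if current.scheme != "https" or not current.hostname:
        return False
    saved_host = urlsplit(saved_url).hostname or ""
    return registrable_domain(current.hostname) == registrable_domain(saved_host)


def lookalike_of(host: str, brands) -> Optional[str]:
    """Name the brand a host is imitating, or None if the host is the genuine
    brand domain or unrelated. Catches homoglyph swaps and brand-as-subdomain tricks."""
    host = host.lower()
    base = registrable_domain(host)
    if base in brands:
        return None                      # the genuine domain itself
    normalised = base
    for fake, real in HOMOGLYPHS.items():
        normalised = normalised.replace(fake, real)
    for brand in brands:
        if normalised == brand:
            return brand                 # rnicrosoft.com -> microsoft.com
        if brand in host:
            return brand                 # microsoft.com.verify-login.example
    return None


BRANDS = ["microsoft.com", "paypal.com", "amazon.com"]   # constructed allowlist

if __name__ == "__main__":
    saved = "https://login.microsoft.com/"
    for page in ("https://account.microsoft.com/", "https://login.rnicrosoft.com/"):
        print(page, manager_should_autofill(saved, page), lookalike_of(urlsplit(page).hostname, BRANDS))
```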
✅ 2. Turn on two-factor authentication everywhere
- Even if an attacker has your password, they can't log in without the second factor.
- Use an authenticator app (Google Authenticator, Authy, or your password manager's built-in TOTP). Avoid SMS codes if you can. SIM swapping is a real attack.
- Priority order: Email first (it's the master key), then banking, then cloud storage, then everything else.
- For your most critical accounts (email, banking), consider a hardware security key (YubiKey). It's the strongest form of 2FA and stops phishing entirely because the key checks the actual website domain.
✅ 3. Check your email forwarding rules right now
- If you've ever been compromised without knowing it, this is the most likely thing an attacker left behind.
- Gmail: Settings > See all settings > Forwarding and POP/IMAP. Also check Settings > Filters and Blocked Addresses for any rules you don't recognise.
- Outlook: Settings > Mail > Forwarding. Check that forwarding is disabled or only pointing where you expect.
- If you find anything you didn't set up, change your password immediately and review all connected app permissions.
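The persistence pattern described under "the quiet persistence trick" and in the forwarding-rule check above, as an added example (not code from the original post): it audits a list of mail rules and flags the ones that look like an attacker left them. The rule format, keyword list and sample rules are constructed for illustration, not a provider's export format.

```python
from dataclasses import dataclass, field

# Words an attacker's rule typically matches so that reset emails and
# one-time codes never reach your inbox. Constructed list for this example.
SENSITIVE_WORDS = ("password", "verification", "code", "reset", "bank", "paypal", "login")
# Actions that make a message disappear from view.
HIDING_ACTIONS = {"delete", "archive", "mark_read"}


@dataclass
class Rule:
    """Simplified mail rule (constructed shape, not a provider's export format)."""
    name: str
    criteria: str = ""                # text the rule matches; "" means every message
    actions: set = field(default_factory=set)
    forward_to: str = ""              # destination address, if the rule forwards


def audit_rules(rules, trusted_addresses):
    """Return {rule name: [reasons]} for rules that look like attacker persistence."""
    trusted = {a.lower() for a in trusted_addresses}
    findings = {}
    for rule in rules:
        reasons = []
        hides = HIDING_ACTIONS & rule.actions
        text = rule.criteria.lower()
        if rule.forward_to and rule.forward_to.lower() not in trusted:
            reasons.append(f"forwards mail to unrecognised address {rule.forward_to}")
        if hides and not rule.criteria:
            reasons.append("hides every incoming message (" + ", ".join(sorted(hides)) + ")")
        elif hides and any(word in text for word in SENSITIVE_WORDS):
            reasons.append("hides messages about passwords, codes or payments")
        if reasons:
            findings[rule.name] = reasons
    return findings


# Constructed sample rules, as you might find them in a mailbox after a takeover.
SAMPLE_RULES = [
    Rule("Newsletters", "from:news@shop.example", {"archive"}),
    Rule("Backup", "", {"mark_read"}, forward_to="copy@free-mailbox.example"),
    Rule("Cleanup", "verification code OR password reset", {"delete"}),
    Rule("Work copy", "", set(), forward_to="me@work.example"),
]

if __name__ == "__main__":
    for name, reasons in audit_rules(SAMPLE_RULES, ["me@work.example"]).items():
        print(f"SUSPICIOUS rule '{name}':", "; ".join(reasons))
```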
Quick wins you can do today
If the full checklist feels like too much, start with these five things. Each one takes under 5 minutes and meaningfully reduces your risk.
- Check haveibeenpwned.com. Enter your email. If you're in known breaches, change those passwords today.
- Turn on 2FA for your email. This one action blocks the majority of account takeover attacks.
- Check email forwarding rules. Takes 30 seconds. If something's there that shouldn't be, you've found a problem.
- Install a password manager. Bitwarden is free. Add your top 5 accounts.
- Update your most-reused password. You know the one. The password you've used on 15 different sites. Change it everywhere, using unique generated passwords.
What to do if you think you've been hacked
If you notice suspicious activity or get a breach notification, speed matters. Here's the order of operations:
- Secure your email first. Change the password. Check and remove any forwarding rules. Review connected apps and revoke anything unfamiliar.
- Change passwords on financial accounts. Banking, PayPal, any service with payment methods. Use your password manager to generate new ones.
- Check for unauthorised activity. Recent logins, unfamiliar devices, transactions you don't recognise. Most services show this in security settings.
- Enable 2FA on everything you haven't already.
- Contact your bank if you see any unfamiliar transactions. Faster reporting generally means better outcomes for fraud recovery.
💡 The 15-minute rule
Security incident response follows a simple principle: the faster you act, the less damage occurs. Most automated attacks cash out within hours. If you catch and respond to a compromised account within 15-30 minutes, you can often prevent the worst outcomes. That's why breach notification emails exist, and why you shouldn't ignore them.
The honest truth about security
Perfect security doesn't exist. Every system can be compromised given enough time and resources. The goal isn't to be unhackable. It's to not be the easy target.
Attackers are lazy. They're efficient. They go after the accounts that are easiest to break into. A unique password and two-factor authentication make you significantly harder to compromise than someone without them. Most automated attacks will simply skip you and move on.
You don't need to understand cryptography. You don't need to run your own VPN. You need a password manager, 2FA on your email, and enough understanding of how attacks work to recognise when something isn't right.
That's the whole thing. The rest is details.