Most attackers do not “pick victims” by personality. They pick by access cost and expected payout. If your email, phone, and public identifiers make it easy to verify you and reset your accounts, you look expensive to defend and cheap to attack.
| Reduce targeting pressure | Do this | Why it changes outcomes |
|---|---|---|
| Control-plane hardening | Secure your primary email and enable strong 2FA | Email controls resets for most accounts |
| Phone number stability | Harden your carrier account and reduce public phone exposure | Phone takeover breaks SMS recovery and SIM-based 2FA |
| Limit public identifiers | Remove public email/phone/address from profiles and bios | Reduces phishing, impersonation, and doxxing leverage |
| Constrain inbound channels | Restrict DMs, message requests, and tagging | Blocks the easiest social engineering path |
| Make compromise noisy | Turn on sign-in alerts and review sessions | Shortens time-to-detection |
Key idea: most “targeting” starts with exposed identity and easy recovery paths. Reduce exposure and harden recovery to become a worse return on effort.
Start with the control plane: email, then everything else
Most account recovery, impersonation cleanup, and fraud response depends on one thing: the email inbox that receives security alerts and reset links.
- Secure email with a unique password and 2FA.
- Remove risky mailbox rules (forwarding, delegates) and review recent sign-ins.
- Prefer stronger authentication methods when available: passkeys and security keys reduce phishing risk materially.
Reduce the ways strangers can reach you
Attackers need a channel. If strangers can DM you, tag you, email you directly, or call you from a number they found on your profile, you have a direct path for social engineering pressure.
- Restrict DMs and message requests on social platforms.
- Limit tagging and mention permissions to people you follow or friends only.
- Use separate emails for public contact versus account logins. Avoid using your login email as your public contact email.
Public information that increases targeting
“Attack surface” is not only software. It is also the set of facts attackers can use to verify you, pressure you, or impersonate you.
| Public signal | How attackers use it | Safer alternative |
|---|---|---|
| Phone number in bio | SIM swap attempts, vishing, WhatsApp/Telegram takeovers | Use a separate public number or remove the number entirely |
| Personal email address | Phishing, credential stuffing correlation | Use an alias for sign-ups and keep your primary inbox private |
| Home address or location routine | Doxxing, stalking, coercion | Remove address hints and avoid posting real-time location patterns |
| Same username everywhere | Cross-platform correlation and impersonation | Use different usernames for different contexts when safety matters |
| Public family and employer details | Convincing pretexting and “I know you” scams | Limit the level of detail, especially on less secure platforms |
Make account takeovers harder to monetize
Most targeting is driven by what attackers can do after they get in: steal money, run ads, scam your contacts, or sell access. You reduce targeting pressure when compromise yields less value.
- Use unique passwords, stored in a password manager, to stop breach cascades.
- Turn on sign-in alerts for key accounts, especially email, financial, and social accounts used for identity.
- Review active sessions periodically and sign out anything unfamiliar.
- Minimize connected apps and revoke third-party access you do not need.
Common mistake: chasing perfect anonymity. Practical controls reduce real targeting without making day-to-day life harder.
When targeting is personal (harassment, stalking, or extortion)
If you are dealing with targeted harassment, you are solving two problems at once: safety and visibility. Avoid direct engagement with hostile accounts and preserve evidence before you start removing things.
- Preserve evidence (screenshots, URLs, timestamps) and keep it private.
- Lock down your accounts and remove public contact info.
- Use a structured response: what to do about online harassment.
Practical next steps
- Privacy pass on social platforms: manage your privacy settings for social media.
- Footprint reduction where it matters: reduce your digital footprint.
- Improve scam resistance: how to identify scam emails.
- Build a stable baseline that prevents most repeat incidents: protect yourself from hackers and cybercriminals.
Being “hard to target” is mostly being hard to social-engineer. When contact surfaces are constrained and recovery channels are protected, attackers lose their easiest levers.
The stable endpoint is a smaller footprint, strong authentication, and fewer pathways for strangers to verify your identity through public details.
That endpoint does not require paranoia. It requires consistent rules that you follow when you are tired, busy, or stressed. Those are the moments attackers count on.