So.
You want to improve your online security. Ready?
Buy a fire safe (assuming you don't already have one). You can get one that is data-rated for 30+ minutes for about 100 quid.
Keep it somewhere safe, but not obvious. Don't keep it in the primary bedroom, or anywhere that is obviously a study.
Next up. For everything you can, enable two-factor authentication, and if at all possible choose the authenticator app option. I use Google Authenticator; MS also make one, and there are others. When you set it up, any properly designed system should give you some emergency codes, usually a set of ten. Now. Write these down on an index card, label it with the site they are for, and put them in an envelope in your fire safe.
Take regular backups onto an external disk. Keep this disconnected whenever you're not actively using it. Keep the disk in the fire safe. If you can, have three. Do backups every 2 weeks. Rotate. Do not leave them plugged in. Mac makes this easy with Time Machine.
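As an added example that is not part of the original post: a small POSIX shell script implementing the three-disk, fortnightly rotation described above. It assumes each disk mounts at a hypothetical path such as /Volumes/backup-1 and records its last run in a .last_backup file, and it uses rsync in place of Time Machine.

```shell
#!/bin/sh
# Added example, not from the original post. Rotates backups across three
# external disks that are only plugged in while a backup runs. Mount paths
# below are hypothetical; each disk records its last run in .last_backup.

# True when the newest backup across all disks is at least <interval_days> old.
# Disks that are not plugged in (directory missing) count as never backed up.
backup_due() {  # usage: backup_due <now_epoch> <interval_days> <disk_dir>...
    now=$1; shift; interval=$1; shift
    newest=0
    for d in "$@"; do
        [ -f "$d/.last_backup" ] && t=$(cat "$d/.last_backup") || t=0
        [ "$t" -gt "$newest" ] && newest=$t
    done
    [ $(( now - newest )) -ge $(( interval * 86400 )) ]
}

# Print the plugged-in disk with the oldest (or no) backup: that is the one to
# rotate onto next. Returns non-zero if none of the disks is connected.
oldest_disk() {  # usage: oldest_disk <disk_dir>...
    best=""; best_t=0
    for d in "$@"; do
        [ -d "$d" ] || continue
        [ -f "$d/.last_backup" ] && t=$(cat "$d/.last_backup") || t=0
        if [ -z "$best" ] || [ "$t" -lt "$best_t" ]; then best=$d; best_t=$t; fi
    done
    [ -n "$best" ] && printf '%s\n' "$best"
}

# Stamp a disk with the epoch time of its last backup (defaults to now).
mark_done() {  # usage: mark_done <disk_dir> [epoch]
    printf '%s\n' "${2:-$(date +%s)}" > "$1/.last_backup"
}

# Copy the source tree onto the chosen disk, then stamp it. rsync stands in
# for Time Machine here; --delete keeps the copy a mirror of the source.
run_backup() {  # usage: run_backup <source_dir> <disk_dir>
    rsync -a --delete "$1/" "$2/data/" && mark_done "$2"
}

# Typical fortnightly run (disk paths are assumptions):
# DISKS="/Volumes/backup-1 /Volumes/backup-2 /Volumes/backup-3"
# backup_due "$(date +%s)" 14 $DISKS && run_backup "$HOME" "$(oldest_disk $DISKS)"
```

Because backup_due only passes once the newest stamp is a fortnight old, running the script from a daily scheduler is harmless; it does nothing until a rotation is due and a disk is plugged in.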
Next up, in your email. Never ever ever ever, and I can't stress this enough, click a link in an email. An external org that my employer uses sent me an email using a "secure messaging platform"; it just comes through as "an account has been created for you on <website>" and a link. I marked it as phishing and ignored it. I got a call on Tuesday from an unknown number. They said I had a phone appointment with them, and that they had sent me a message about it. Guess what that website was. I said I was unwilling to talk to someone I'm not expecting on an unknown number. They said my employer would still be billed. I said I don't care. I later explained all this to my boss. He completely supports this action. An appointment has been made in person instead. The problem is there is absolutely no way to tell if I was being phished or if it was genuine. You have to be paranoid. Click nothing.
When it comes to online payments, use PayPal wherever you can. If you can't use PayPal and have to use a credit card, consider getting a separate card with a limit of, say, 200 quid, so that in the worst case, if your card details are stolen, the most you lose is 200 quid, and hopefully only while your bank fucks about working out what is going on.
Did I mention don't click links in emails? Same for texts. Or instant messaging.
You got a parcel tracking link sent from someone? Take the tracking number only, and paste that into the courier website.
Never open attachments.
Assume everyone is trying to scam you. Assume everything is phishing, and assume every attachment is malware.
And you'll still likely get hit at some point. But that's what the backups are for.
Don't open attachments. Don't click links. Make backups. Use 2FA. Have backup emergency codes for your 2FA offline in a fire safe. Keep your backups in there.
Oh, and finally: use a password manager. Write the password for that down. Put it in a sealed envelope in your safe.
The question should not be "am I being paranoid?" It's "am I being paranoid enough?"
J