Setting up your parents without calling tech support — a 30-minute guide that works once and lasts
Published 9 May 2026 · ScamSupport research · ~16 minute read
The data on UK fraud is unambiguous: the people getting hurt most are the ones who haven't set up the foundational protections. Cifas reports adults aged 61+ account for 29% of fraud filings, and the most reliable predictor of someone being scammed is whether they've already been scammed once before, because their details are now on lists that get re-targeted. Awareness campaigns help, but they can't substitute for actual setup. A password manager won't auto-fill on a fake bank login page; multi-factor authentication blocks account takeover even when the password has been stolen; the habit of typing URLs rather than clicking links sidesteps the entire infrastructure trick. Together these three things shut down the majority of consumer fraud vectors.
This guide is written for the conversation where you sit down with a parent, in-law, neighbour, or older friend and walk through the setup with them. It assumes you have 30 minutes, both of their phones (their main mobile and a backup if they have one), their email account credentials, and a cup of tea. By the end, they should have a password manager installed, MFA on their three highest-value accounts, a printable card next to the phone that tells them what to do if a suspicious call or message arrives, and a recurring six-monthly maintenance routine that keeps the system working.
This isn't a comprehensive cybersecurity course. It's the minimum-effective-dose for an ordinary person living an ordinary digital life in 2026. If you do nothing else from this article, do the seven steps in The 30-Minute Setup.
Each step has its own section below with exact instructions. Skip ahead if you've already done some of them.
Spend the first ten minutes of the conversation listening, not configuring. The audit answers four questions:
Don't make notes obviously visible during this conversation. Especially: don't write down passwords or account numbers on paper that someone else might see. Use the password manager you're about to install for storage.
For most UK users in 2026, the right starting choice is Bitwarden (free, open-source, audited, available on every platform) or 1Password (paid, polished, slightly easier setup). Both refuse to auto-fill on lookalike domains, which is the single most important behaviour.
If the person already uses an Apple or Google device, the built-in password manager (iCloud Keychain on iPhone, Google Password Manager on Android) is acceptable for one-device users and syncs automatically across that ecosystem. The downside: if they ever switch phones to the other ecosystem, migration is awkward. For most people, choose Bitwarden or 1Password as a future-proofed option.
The master passphrase is the only thing they ever need to remember. From this point on, every other password they create can be a long random string the manager generates and stores. The manager will autofill the passwords on real domains and refuse to autofill on fake ones — which is the entire point of installing it.
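The auto-fill refusal described above, as an added example (not code from Bitwarden, 1Password or this guide): a simplified matcher that releases a saved login only when the page's origin equals the saved one. The vault entry and the `.example` / `.test` hostnames are constructed, and real managers apply richer matching rules than this strict comparison.

```javascript
// Added illustration of origin-bound auto-fill. Simplified: real password
// managers use richer match rules; this sketch requires an exact origin match.

// Constructed vault entry (reserved .example name, not a real bank).
const vault = [
  { name: 'Example Bank', origin: 'https://login.bank.example', username: 'pat' },
];

// Normalise a URL to scheme + host + port. The URL parser lower-cases the host
// and converts non-ASCII labels to punycode, so look-alike letters stop matching.
function originOf(rawUrl) {
  try {
    return new URL(rawUrl).origin;
  } catch {
    return null; // unparseable input never matches anything
  }
}

// Decide whether to offer a saved login for the page currently being shown.
function autofillDecision(pageUrl, entries = vault) {
  const pageOrigin = originOf(pageUrl);
  if (pageOrigin === null) return { fill: false, reason: 'unparseable URL' };
  const hit = entries.find((e) => originOf(e.origin) === pageOrigin);
  return hit
    ? { fill: true, entry: hit.name, reason: 'origin matches saved login' }
    : { fill: false, reason: `no saved login for ${pageOrigin}` };
}

// Constructed pages: the genuine site plus three look-alikes.
const samplePages = [
  'https://login.bank.example/signin',                     // genuine
  'https://login.bamk.example/signin',                     // one-letter typo
  'https://login.b\u0430nk.example/signin',                // Cyrillic U+0430 instead of Latin "a"
  'https://login.bank.example.account-verify.test/signin', // real name used as a subdomain
];

function checkSamples() {
  return samplePages.map((url) => ({ url, ...autofillDecision(url) }));
}

for (const r of checkSamples()) {
  console.log(r.fill ? 'FILL  ' : 'REFUSE', r.url, '-', r.reason);
}
```

Only the first page gets the saved login; the three look-alikes read as the bank to a person but resolve to a different origin, so nothing is offered.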
Email is the master key. Anyone who controls a person's email can reset the password on every other account that uses that email. Every successful phishing campaign that targets banks, retail accounts, or government services starts by trying to compromise the victim's email first. Locking down the email is the single highest-leverage action.
These often have weaker security options — many don't support proper authenticator-app MFA. The honest advice is to migrate to Gmail or Outlook for the master account if practical. If migration is too disruptive, at minimum: change the password to a Bitwarden-generated random one and turn on whatever MFA the provider offers, even if it's only SMS-based.
UK banks vary substantially in MFA quality. Most have improved markedly since the PSR's October 2024 mandatory reimbursement scheme — banks now bear the cost of fraud, so they invest in detection. Almost every UK bank now supports app-based authentication via their own banking app rather than SMS codes.
Major UK banks (Barclays, HSBC, Lloyds, NatWest, Santander, TSB, Nationwide, Halifax, Monzo, Starling, Revolut) all support these features. The exact menu paths differ but the concepts are universal.
If the person has a Personal Tax Account, Universal Credit, NHS App, or any other GOV.UK service, those typically share a common login (HMRC One Login or the older Government Gateway). These accounts are valuable targets because they're tied to real-world identity.
HMRC scams are among the highest-volume UK scam categories — see the HMRC scam email checker guide — and locking down the genuine account makes the fake ones easier to spot, because the person has a working alternative login they can actually use.
This is the single behaviour change with the highest scam-prevention return. The lesson takes two minutes to teach and lasts forever once it sticks.
The rule: Never log into anything through a link in a message. Open the bank's app, the website typed directly into the address bar, or the printed URL on a real letter. The two-second cost of a fresh tab eliminates an entire class of attack.
Demonstrate it with a concrete example. Open their email, find a recent legitimate notification from their bank or HMRC. Show them: the email may be entirely real, but the safe response to any message that asks them to do something is to put the phone down, open the relevant app or website themselves, and check there. If the message is real, the action will be visible inside the app. If the action isn't visible, the message was fake.
Most older adults respond well to a memorable phrase that captures the rule. "Phone down, app open" works. "Type, don't tap" works. Pick one and use it consistently — consistent phrasing reinforces the habit.
The phone itself is now the most valuable single device. Three settings, configured once, prevent most opportunistic mobile fraud.
Set a six-digit PIN at minimum, or a passphrase. Do not use a four-digit PIN, do not use a birthday, do not use a "swipe pattern" on Android. Enable face or fingerprint unlock as well, but the underlying PIN should be strong because it's the fallback.
SIM swap fraud is when a criminal persuades the mobile carrier to transfer the victim's number to a new SIM in their possession; once they have the number, they can intercept SMS-based MFA codes and reset passwords. UK carriers (EE, O2, Vodafone, Three, Sky Mobile, Virgin Mobile, Tesco Mobile) all offer some form of SIM-swap protection — usually a passphrase or PIN that has to be quoted before any SIM transfer is approved. Set this up by calling the carrier's customer-service line and asking for "additional account security".
iPhone: Settings → [name] → Find My → turn on Find My iPhone, Find My Network, Send Last Location.
Android: Settings → Security & privacy → Find My Device → turn on.
This lets the device be remotely located, locked, or wiped if lost or stolen. The wipe option in particular is critical — if a phone is stolen, remote-wiping it before the thief can extract data should be the immediate response.
Two settings, one for each browser they use most.
Auto-update everything. Phone OS, browser, and apps. Most modern phones default to this; verify it's actually on. Settings → App Store / Play Store → Automatic Updates.
Browser pop-up and notification blocking. Many tech-support scams arrive through fake browser notifications ("Your computer has 5 viruses, click here"). In any browser:
Optionally install a content-blocking extension (uBlock Origin on desktop). This isn't a substitute for the other steps but it reduces malicious-ad exposure significantly, particularly on news sites and streaming aggregators.
The single most effective intervention for someone in the moment of an active scam attempt isn't a complicated procedure — it's a clear, prominent reference card that tells them exactly what to do. Print this, in large text, and put it next to the home phone, on the fridge, or wherever they're most likely to be when a suspicious call arrives.
If you think a call, text, or email might be a scam:
Bank fraud line: [bank name and number]
Report a scam to: 0300 123 2040 (Report Fraud)
Suspicious texts: forward to 7726 (free)
Suspicious emails: forward to report@phishing.gov.uk
Fill in the bracketed fields with the actual person's bank, your phone number, and so on, before printing. The point of the card is that in a moment of pressure — the very moment scams are designed to engineer — the right action is one glance away rather than something they have to remember.
Set a recurring calendar reminder for every six months. The maintenance routine is short:
This is genuinely 15 minutes of work twice a year. It's the difference between a security setup that decays into uselessness over a year and one that stays current.
Most situations covered above are doable at home. A handful of situations warrant getting professional help:
Because it's the master key. The "Forgot password?" flow on every other website — bank, government login, retail account, social media — sends a reset link to the email address. If a criminal controls the email, they control everything that uses it. That's why this guide spends a disproportionate amount of effort on the email step. Locking down the email locks down everything downstream.
SMS codes can be intercepted by SIM-swap fraud, which is a real and growing UK scam. An authenticator app generates the codes locally on the device, so even if the SIM is hijacked the codes don't transfer. Most modern banks, Google, and Microsoft all support authenticator apps. Where only SMS is available, SMS is still much better than nothing — but use the authenticator option if it's offered.
Apple's iCloud Keychain (on iPhone) and Google Password Manager (on Android) are simpler alternatives that are built into the OS and require no additional app. They lack some features (cross-platform sync, shared vaults) but they auto-fill, refuse to fill on fake domains, and work with face/fingerprint unlock. If Bitwarden feels like too much, switch to the built-in option rather than skipping the step entirely.
The fallback is a small physical notebook kept somewhere safe at home (not in a bag or wallet). Write down each account, the username, and the password in a way only they can read (e.g. dropping every third letter and adding a personal codeword). This is far inferior to a password manager but vastly better than reusing the same password everywhere. The single most important pattern is: every account should have a different password.
With them participating, every time. The point isn't to have correctly-configured accounts; it's to give them ownership of a system they understand and can maintain. If you set everything up while they watch passively, six months from now they won't remember how to use the password manager and will revert to old habits. Walk through each step together, let them tap the buttons, write the master passphrase in their handwriting. They'll trust the system more if it feels like theirs.
It happens. The setup above reduces risk substantially but doesn't eliminate it. The recovery steps in the pillar guide's Recovery Playbook apply: stop talking to the scammer, screenshot everything, call the bank's fraud line, escalate to the Financial Ombudsman if the bank refuses. The setup makes recovery faster too — if the bank can see strong MFA, transaction limits, and prompt reporting, the case for reimbursement is materially stronger.
Setting up someone you love to be safer online is awkward. The conversation can feel patronising; the technical steps can feel tedious; the maintenance schedule can feel like an imposition. But the data is unambiguous about who's getting hurt: it's the people without these defences. Half of UK adults experienced a scam attempt in 2025; over £1.17 billion was confirmed lost in 2024 across UK Finance member banks alone. Each successful scam leaves the victim more findable, more targeted, and more vulnerable to the next attempt because their details are now on lists that get re-used.
The 30 minutes invested in this setup, once, is the highest-leverage gift you can give someone you care about. They won't have to handle a major fraud loss in their seventies; their email won't be the entry point for a chain of compromises across every other account they own; and the panic card on the fridge means that on the day a suspicious call arrives — and statistically it will, sooner or later — they'll have a clear next step instead of a panicked decision under time pressure.
If you have one person in mind right now, send them a quick message asking when's a good time to come over. Bring this guide on your phone, and a printer if they don't have one. Half an hour from now, they'll be substantially harder to scam, and you'll know they are.