Cyber Security Awareness Month 2025: Understanding the Basics

Cyber Security Awareness Month (CSAM) is an initiative held every October to promote awareness about the importance of cyber security and encourage safe online practices.

Launched in the United States in 2004, it has grown into a global campaign supported by governments, businesses, and communities. In 2025, the theme is “Stay Safe Online”, focusing on simple, practical actions and knowledge that make a real difference.

This year’s campaign highlights the Core 4: four easy steps that form the foundation of good cyber security.

1. Use strong passwords and a password manager

Passwords are the first line of defence for your accounts. Weak or reused passwords are easy for criminals to exploit, often with automated tools. Strong, unique passwords reduce that risk significantly. A password manager helps you generate and store them securely, removing the need to remember dozens of logins.

Read our full password guidance here: The Importance of Passwords

2. Turn on multifactor authentication (MFA)

MFA, also known as Two-Factor Authentication (2FA), provides an extra layer of protection by requiring a second step to log in: a code sent to your phone, an app prompt, or a biometric check such as a fingerprint. Even if an attacker steals a password, MFA makes it much harder for them to gain access.

Read our full two-factor authentication guidance here: Boost Your Online Security – Use Two-Factor Authentication

3. Recognise and report scams

Scams come in many forms, ranging from fake banking alerts and delivery texts to investment or romance scams, and more. While the details differ, many of these scams rely on the same tactic: phishing.

Phishing is when a criminal sends a message that looks genuine but is designed to trick you into clicking a link, opening an attachment, or sharing sensitive information. It can appear as an email, text, phone call, or even a social media message.

Recognising the signs of phishing can help you avoid being caught out and stop scammers in their tracks.

Common warning signs of phishing include:

  • Email addresses, phone numbers, or domains that don’t look genuine: Misspellings, unusual domains, or unfamiliar senders are a red flag.

  • Messages creating a sense of urgency or pressure to act: This is a classic tactic to make you act quickly without thinking.

  • Unexpected links or attachments: Clicking may download malware or take you to a spoofed website designed to steal your details.

  • Requests for personal, financial, or login information: Genuine organisations will not ask for these by text or email.

  • Generic greetings or unusual wording: For example, “Dear Customer” instead of your name, or language that doesn’t feel professional.

How to report scams:

  • Forward suspicious emails to report@phishing.gov.uk.

  • Forward suspicious texts to 7726 (free).

  • If it occurs on a work device, alert your organisation’s IT or security team.

  • Contact the Cyber and Fraud Hub Incident Response line on 0808 281 3580 or via our website, for expert guidance and support.

  • If you’re unsure about a message or email, you can take a screenshot and send it to the Ask Silver Scam Checker at ask-silver.com via WhatsApp.

  • If you become a victim of a scam, you can report it to Police Scotland on 101 (non-emergency line).

By learning to recognise phishing attempts and reporting them, you help protect yourself and prevent others from being targeted by the same scams.

4. Update your software

Software updates don’t just add new features; they often fix security vulnerabilities that attackers are actively looking to exploit. Enabling automatic updates on devices and applications is one of the simplest ways to reduce your risk.

Read more in the National Cyber Security Centre’s (NCSC) guidance: Keeping devices and software up to date

Why It Matters

Cyber Security Awareness Month is a reminder that cyber security isn’t only a technical challenge; it’s about everyday habits. Even as large-scale cyber attacks and data breaches make headlines, the reality is that most incidents start with the basics: a stolen password, an unpatched device, or a convincing phishing message. By following the Core 4, individuals and organisations can prevent many common attacks and strengthen their resilience.
