You Are the Whole Security Department
Freelancers carry business-level risk with no IT team behind them. A single compromised account can drain a payment platform, lock you out of client files mid-project, or hijack the marketplace profile your income depends on. And freelancers are attractive targets: you hold client data, you move money, and you accept files and messages from strangers all day. This checklist is the practical, no-nonsense version, ordered by what protects your income most.
1. Lock Down the Money First
Payment accounts are the crown jewels: theft here is direct and often irreversible.
- 2FA on PayPal, Wise, Payoneer, Stripe, and your bank, using an authenticator app, not SMS (our PayPal guide and the SIM-swap reasoning in our SIM swap explainer).
- Watch for payment change scams: "update your payout bank details" emails are a classic. Never change payout info from an email link.
- Separate business and personal where possible, so one breach doesn't touch everything.
2. Protect Your Marketplace Profiles
Your Upwork, Fiverr, or Freelancer profile is your storefront and reputation, built over years and impossible to quickly replace.
- Enable 2FA on every platform that offers it.
- Unique password per platform (our generator): a leak on one shouldn't expose the others.
- Beware off-platform "client" scams: messages pushing you to a fake "client portal" or a download are phishing aimed at your login or your machine.
3. Secure the Master Key: Your Email
Your email resets every other account. It deserves your strongest protection: authenticator-app or hardware-key 2FA, a unique strong password, and a checked recovery setup (our Gmail guide and recovery email explainer). Consider a separate email for client communication versus account recovery, so a public-facing address isn't the one guarding your logins.
4. Guard Client Access and Files
- When clients grant you access to their systems (WordPress, hosting, ad accounts, social), you become a target as a route into them. 2FA on your accounts protects your clients too: our WordPress and hosting guides apply.
- Use least privilege: ask for only the access you need, and give collaborators only what they need.
- Encrypt sensitive client files and back them up. Losing a client's data is a reputation-ending event.
- Return or delete access when projects end, on both sides.
5. Harden Your Devices
Your laptop is your workplace. One infection (often from a malicious "project file" or fake tool) can steal every saved password and session (our keylogger and session hijacking guides).
- Be cautious with client-sent files and links, especially unexpected ones. Verify before opening.
- Keep the OS and software updated, and keep antivirus on.
- Full-disk encryption (BitLocker/FileVault) so a stolen laptop isn't a data breach.
- Never run cracked software: it's a top malware source, and a hijacked freelancer machine is a client-data disaster.
6. The Password Manager (Non-Negotiable)
You have dozens of accounts across clients and platforms; memory can't do unique passwords at that scale. A password manager gives every account a unique strong password and can store your 2FA codes too (our manager comparison). Protect it with a strong passphrase and its own 2FA. This one tool underpins the whole checklist.
For a freelancer, security isn't overhead, it's business continuity. A locked-out payment account or a hijacked profile isn't an inconvenience; it's lost income and lost trust. An afternoon of setup protects your livelihood.
The 30-Minute Starter Version
- 2FA on email and your main payment account (app-based).
- Save the backup codes for both (our storage guide).
- Install a password manager and change your 3 most important passwords to unique ones.
- Turn on device encryption.
That covers the biggest risks in half an hour. Expand to the full checklist over the following weeks.
Frequently Asked Questions
I use lots of client platforms. Do I really need 2FA on all of them?
Prioritise by damage: money and email first, then anything holding client access or your reputation. Not every trivial account needs it, but every account that could cost you income or a client's trust does. A password manager makes unique passwords easy even where 2FA isn't offered.
A client insists I use their password for shared access. Is that safe?
Shared passwords are risky, but sometimes unavoidable. If you must, store it in your password manager, use it only as needed, and ask the client to enable proper collaborator access with its own login instead. Never reuse that shared password anywhere else.
What's the most common way freelancers get compromised?
Phishing disguised as client messages (fake job files, fake portals) and reused passwords caught in breaches. Both are covered by the basics here: cautious file handling, unique passwords, and 2FA as the safety net. Our phishing guide trains the eye.
Should I get a hardware security key?
For your email and main payment accounts, it's a strong upgrade, phishing-proof and worth the small cost given what's at stake (our hardware key guide). It's optional but recommended once the basics are in place.
How do I handle security when subcontracting to others?
Give subcontractors least-privilege access, unique credentials (never your own logins), and remove access when done. Their security becomes your risk, so treat granting access as carefully as a client treats granting it to you. Document who has access to what.