(CNN) -- By now most personal-computer users know not to post their Social Security numbers on the Internet or respond to Nigerian e-mails seeking help with suspicious bank-account transfers.
But many people still make mistakes that compromise their computer's security or invite identity thieves.
"You can't be too safe," said Jeff Fox, technology editor at Consumer Reports. People are more savvy today about online security, says Fox, "but a lot more education is needed. You need to be street-smart, the way you are in the real world."
In an interview with CNN, Fox listed seven common online blunders that make people vulnerable to viruses and theft, and offered tips on how to avoid them:
1. Assuming your security software is protecting you
People often believe that installing anti-virus software once will keep their computers safe forever. But new viruses come out all the time, so software must be activated properly and updated regularly to be effective against new threats.
Fox suggests you make sure your security software is active when you're online. He also recommends enabling your computer's automatic updating feature, which will keep it loaded with new security software.
"You need to do something on a regular basis if you want to be protected," he said. "You'd be surprised how many people don't realize that."
2. Accessing an account through an e-mail link
In short, don't do it. If you get an e-mail from your bank asking you to update financial or personal information, there's a good chance it's actually from a "cybercrook" seeking to empty your account. Such "phishing" scams allow criminals to steal your logins, account numbers and other sensitive data.
These e-mails are especially insidious because they come adorned with genuine corporate logos and look legitimate.
"This stuff has gotten so sophisticated that it's pretty much impossible for people to know ... if the e-mail is real or not," Fox said.
Because of this, most banks have stopped sending out e-mails asking for updated customer information, said Fox, who thinks the ones that still do should stop. People who must access an online account should do so by typing the institution's address in their browser, he said.
3. Using a single password for all online accounts
Nobody wants to try to remember a dozen different passwords. But using just one, especially if it's simple, can tempt fate. Some cybercriminals use code-cracking software, which uncovers passwords by trolling through millions of common number-letter combinations.
"If somebody manages to get hold of your password ... they basically have entree to all your accounts," Fox said. "You're making it easier for them to impersonate you."
Fox suggests using variations on the same password to make them easier to recall. He also recommends a complex password with at least eight characters, including numerals or punctuation symbols, to thwart thieves' computers.
4. Downloading free software
"We're not saying, 'Don't do it.' We're saying, 'Just do it from places you know are safe,' " Fox said.
Some "free" software comes loaded with spyware, which clogs your computer with ads or employs a keystroke-capture program to steal your personal information. Fox recommends downloading only from such reputable sites as Download.com or SnapFiles.com, or, if you have a PC, scanning it with Windows Defender software.
5. Thinking your Mac shields you from all risks
Yes, Macs are much less susceptible to viruses and spyware than PCs. But surveys show that may breed a false sense of security among Mac owners, who still fall prey to phishing scams at about the same rate as Windows users.
Until Apple beefs up Safari, Fox recommends using another browser with phishing protection, such as the latest version of Firefox.
6. Clicking on a pop-up ad that says your PC is not secure
It's easy to click inside the ad by mistake and be redirected to a spyware site or have malicious software downloaded to your computer. In a recent Consumer Reports survey, 13 percent of respondents said they did just that.
Instead, Fox recommends clicking on the tiny "close" button in the ad's upper left or right corner. Or better yet, enable your browser's pop-up blocker or use a free one from Google Toolbar.
7. Shopping online the same way you do in stores
On the Internet, you can't always be sure who you're doing business with. When entering your address and credit card information, make sure the site's URL says "https," which offers greater security than "http." Don't shop online with debit cards, which, if stolen, offer no liability protection, Fox said.
Fox suggests using one credit card for most of your business transactions and a separate card for your online purchases. That way if a hacker steals your credit card number and you must replace the card, it won't disrupt your gym memberships or other accounts.
Finally, some banks (Citibank is one) will even issue you a temporary, one-time credit card number for specific transactions, Fox said. If stolen, it's completely worthless.