How Hackers Hack Laptops & PCs — and How to Protect Yourself
How attackers compromise Windows and Mac computers — and how to defend yours.
Defender's Guide
This is a defender-focused resource covering attack patterns at a conceptual level so you can recognise threats and protect yourself or your organisation. The page does not include step-by-step exploitation procedures. If you suspect you are currently being targeted or have been compromised, scroll to the recovery section below.
What attackers want from Laptops & PCs
Laptops and PCs hold more of most people's digital lives than any other device — work accounts, personal accounts, saved passwords, financial documents, photos, browser history with years of accumulated sessions. A compromised laptop is functionally a compromise of essentially every online account that device has logged into, plus any local data. The stakes are high and the defender-awareness bar is often low.
The realistic threat profile for typical users is dominated by malware delivered through a few consistent vectors: phishing links leading to credential-harvesting or malware installation, drive-by downloads on compromised or malicious websites, pirated software bundles, malicious browser extensions, and USB/removable-media attacks. Physical-access attacks matter (laptop theft, "evil maid" attacks on unattended devices) but are less common than remote attacks for most users. State-grade targeted attacks apply only to high-profile individuals.
The defensive baseline has shifted substantially since 2020. Modern Windows (11 with TPM, Credential Guard, Core Isolation) and modern Mac (Apple Silicon with Secure Enclave, System Integrity Protection, Lockdown Mode for high-risk users) ship with meaningfully better default security than earlier generations. Users on outdated operating systems (Windows 10 approaching end-of-support, older macOS versions) are disproportionately represented in compromise statistics. Keeping current matters more than elaborate configuration.
How attackers actually do it
Conceptual attack categories, not exploitation procedures. Understanding these patterns is what lets you recognise and defend against them.
Phishing-delivered malware via email and messaging
Dominant infection vector for typical users. Attacker sends a convincing email with a malicious attachment (macro-enabled Office document, ISO file containing an executable, HTML phishing page) or a link to a malicious site. User opens the attachment or clicks through to malware. Credential stealers, banking trojans, and ransomware all distribute primarily this way.
Malicious or pirated software installation
Downloaded executables from untrusted sources frequently bundle malware. "Cracked" commercial software, game cheats, free versions of paid software, "free VPNs" — all are high-risk distribution channels for credential stealers and remote-access trojans. The pattern is so consistent that "downloaded cracked software" is a near-universal finding in incident investigations involving personal devices.
Malicious browser extensions
Extensions with broad permissions can read any web page, steal session cookies, capture form input, and exfiltrate credentials. Chrome Web Store and Mozilla Add-ons have malicious-extension removal processes but extensions sometimes remain live for weeks or months with large user bases before detection. "Productivity enhancer" and "screenshot tool" categories are frequently abused.
Drive-by downloads and malicious advertising
Compromised legitimate websites and malicious advertising networks occasionally deliver malware through browser vulnerabilities or convincing fake-update prompts. Browsers (Chrome, Firefox, Edge, Safari) are increasingly resistant to these; outdated browsers remain vulnerable. "Update your Flash Player" or "Your browser is out of date" pop-ups on random websites are essentially always malicious.
USB / removable-media attacks
Malicious USB drives (the classic "dropped in the parking lot" scenario is real, not just a movie trope), USB-based attacks via HID devices (Rubber Ducky and similar tools), and infected external drives from compromised friends or workstations. Corporate environments are especially susceptible; individuals who share files via USB with less-secure contacts are also affected.
Unpatched OS and application vulnerabilities
Users running outdated Windows or macOS versions, or using unpatched versions of major applications (browsers, Office, Adobe products), accumulate known-exploitable vulnerabilities. Modern exploitation chains routinely target these. "But it still works" is not a security argument; unsupported software is in the process of becoming a compromise vector.
Physical access attacks on unattended devices
"Evil maid" attacks — brief physical access to an unlocked or weakly-protected device — can install persistent compromise. Laptop theft is the higher-probability physical attack for most users; device recovery is sometimes possible but data recovery without disk encryption is essentially impossible. Full-disk encryption (BitLocker on Windows, FileVault on Mac) is mandatory for any laptop that leaves your home.
Remote Access Trojans via social engineering
Attackers convince users to install legitimate remote-access tools (AnyDesk, TeamViewer) under pretexts ("Microsoft Support calling about your computer", "IT needs to fix a problem"). Once installed, these tools grant the attacker full control of the machine. Tech-support scams targeting older users are the canonical example; corporate help-desk social engineering also occurs.
How to recognise compromise
Signs that your laptop or PC may have been compromised:
Unexpected slowdown, overheating, or fan activity
Cryptomining malware, background data exfiltration, and spyware all consume CPU/GPU resources. Sustained unexplained resource use — especially when the device is idle — warrants investigation. Task Manager (Windows) / Activity Monitor (Mac) shows per-process resource use.
Browser showing unexpected homepage, search engine, or extensions
Browser hijacker malware modifies these settings. If your homepage or default search engine changed without your action, or unfamiliar extensions appeared, investigate. Reset browser settings as a starting recovery step.
Antivirus alerts you did not trigger
Antivirus flagging something = investigate, do not dismiss. Even if the specific alert seems minor, treat as a signal to scan the full system and review recent activity. Dismissing AV alerts is one of the most common ways early-stage malware becomes long-dwell-time compromise.
Unfamiliar processes running or applications installed
Regular review of installed applications (Settings → Apps on Windows, Applications folder on Mac) surfaces unfamiliar entries. Anything you did not install is suspicious.
Accounts showing login activity from unfamiliar locations
If your email, social media, or banking accounts show sessions from IPs you do not recognise, the machine holding those session tokens may be compromised, not just the accounts themselves.
Suspicious pop-ups or ads outside the browser
Advertisements appearing on the desktop outside any open browser, or new browser windows opening unprompted — both strong indicators of adware or more serious infection.
Defender / antivirus disabled without your action
Some malware disables the built-in security software to prevent detection. Windows Security or macOS XProtect showing disabled when you did not disable it = immediate-action signal. Re-enable and run a full scan before any further use of the device.
What actually protects you
Concrete actions ranked by impact. Items marked critical are the highest-leverage protections; do those first.
Keep the OS and all applications current
Enable auto-update for the operating system and for every application that supports it. Replace Windows 10 machines before October 2025 end-of-support if possible. Replace Macs that no longer receive updates. This single practice eliminates most realistic remote-exploitation paths.
Full-disk encryption on every laptop
BitLocker (Windows) or FileVault (Mac) — enable them. Both are free, built-in, and essentially transparent in daily use. Without them, laptop theft becomes data compromise; with them, a stolen laptop is just a stolen laptop. Required baseline for any portable device.
Screen lock with short timeout
Lock on sleep; auto-lock after 5-10 minutes of inactivity; strong password or biometric. Windows Hello / Touch ID make short timeouts painless. Protects against brief unattended-access scenarios (coffee shops, shared offices).
Use a password manager with unique strong passwords
Bitwarden, 1Password, KeePassXC — pick one and use it. Do not save passwords in the browser as the only copy; password managers are purpose-built for this and survive browser compromises better.
Limit application installation to official sources
Windows: Microsoft Store, official vendor sites, reputable software distributors. Mac: Mac App Store or official vendor sites. Avoid pirated software, "cracked" versions, and downloads from random sites. This single practice eliminates the largest malware vector for typical users.
Audit browser extensions quarterly
Remove extensions you do not actively use. Review permissions on remaining extensions — anything requesting "read all site data" warrants scrutiny. Malicious extensions often acquire their user base over years; periodic audit catches the ones that went bad.
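The permission review described above can be automated against each extension's `manifest.json`. The script below is an added example, not code from the original page: it flags host patterns that amount to "read all site data" (in `host_permissions`, Manifest V2 `permissions`, or `content_scripts` matches) together with high-impact API permissions, and assigns a risk tier. The three manifests are constructed samples, not real extensions.

```python
import json

def is_broad_host(pattern: str) -> bool:
    """True when a Chrome/Firefox match pattern covers every host."""
    if pattern == "<all_urls>":
        return True
    if "://" not in pattern:          # API names such as "cookies" are not hosts
        return False
    host = pattern.split("://", 1)[1].split("/", 1)[0]
    return host == "*"                # "*://*.example.com/*" is scoped; "*://*/*" is not

# API permissions that let an extension read cookies, inject scripts,
# intercept traffic or reach outside the browser sandbox.
SENSITIVE_APIS = {
    "cookies", "webRequest", "webRequestBlocking", "scripting", "tabs",
    "history", "clipboardRead", "nativeMessaging", "debugger", "proxy",
}

def audit_manifest(manifest: dict) -> dict:
    """Return broad host patterns, sensitive APIs and a risk tier for one manifest."""
    hosts = set()
    for key in ("host_permissions", "optional_host_permissions", "permissions"):
        hosts.update(p for p in manifest.get(key, []) if isinstance(p, str))
    for script in manifest.get("content_scripts", []):   # injected into every match
        hosts.update(script.get("matches", []))
    broad = sorted(h for h in hosts if is_broad_host(h))
    apis = sorted(set(manifest.get("permissions", [])) & SENSITIVE_APIS)
    score = (2 if broad else 0) + len(apis)              # broad host access weighs most
    risk = "high" if score >= 3 else "medium" if score >= 1 else "low"
    return {"name": manifest.get("name", "?"), "broad_hosts": broad,
            "sensitive_apis": apis, "risk": risk}

# Constructed sample manifests (hypothetical extensions, not real ones).
SAMPLE_MANIFESTS = [
    json.dumps({"name": "Screenshot Tool Pro", "manifest_version": 3,
                "permissions": ["cookies", "scripting", "storage"],
                "host_permissions": ["<all_urls>"]}),
    json.dumps({"name": "Reader Mode", "manifest_version": 3,
                "permissions": ["storage"],
                "content_scripts": [{"matches": ["*://*/*"], "js": ["r.js"]}]}),
    json.dumps({"name": "Weather Widget", "manifest_version": 3,
                "permissions": ["storage", "alarms"],
                "host_permissions": ["https://api.weather.example/*"]}),
]

def audit_all(raw_manifests):
    return [audit_manifest(json.loads(m)) for m in raw_manifests]

if __name__ == "__main__":
    for f in audit_all(SAMPLE_MANIFESTS):
        print(f"{f['risk']:6} {f['name']}: hosts={f['broad_hosts']} apis={f['sensitive_apis']}")
```

On a real machine, point `audit_all` at the `manifest.json` files under the browser profile's extensions directory; a "high" result is exactly the "read all site data" case the text says warrants scrutiny.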
Run scheduled antivirus scans
Windows Defender (built-in) is solid for most users. Supplement with Malwarebytes periodic scans if you want defence-in-depth. Mac users: XProtect (built-in) plus Malwarebytes periodic scans. Free AV is generally adequate for typical users; paid AV adds modest value for most.
Separate administrator and daily-use accounts
On Windows, create a standard user account for daily use and use the admin account only for software installation. Reduces blast radius of most malware by running daily activities without admin privileges. Mac does this partially by default but the same principle applies.
Back up important data offline
Ransomware specifically targets connected backups (cloud drives, network shares). Offline backups — external drives disconnected when not actively backing up — survive ransomware attacks that encrypt connected storage. 3-2-1 backup rule: 3 copies, 2 different media, 1 offsite/offline.
Lockdown Mode for Mac users at elevated risk
Apple's Lockdown Mode (Settings → Privacy & Security) disables certain features that have been exploit vectors — link previews, some attachment types, JIT-compiled JavaScript. Some compatibility tradeoffs. Worth enabling for journalists, activists, executives, anyone receiving Apple's state-sponsored-attack warning.
Frequently Asked Questions
Windows Defender (built-in) is adequate for typical users. Third-party AV (Malwarebytes, Bitdefender, ESET) adds detection depth but is not strictly necessary for most users who follow other practices (apps from official sources, keep OS updated, careful with email attachments). Avoid free AV of uncertain provenance — some "free AV" products are themselves malicious or aggressively monetise user data.
Somewhat historically, less so in recent years. macOS malware has grown substantially — Pegasus-class spyware targets Macs, general-purpose macOS malware families exist (Amos/Banshee/AtomicStealer are currently active). The gap between Windows and Mac in malware volume has narrowed. Mac users should run the same defensive practices as Windows users; the "Macs are safe" myth is substantially out of date.
On untrusted Wi-Fi (coffee shops, hotels, airports, conferences) — yes, a reputable commercial VPN (Mullvad, ProtonVPN, IVPN) prevents many network-level attacks. At home on your own Wi-Fi, a VPN provides privacy benefits (ISP sees less of your traffic) but modest security benefit if the Wi-Fi is already secure. Avoid free VPNs — many monetise by selling user data or are outright malicious.
Running outdated operating systems. Windows 7 users who continued past end of support, Mac users on versions that no longer receive security updates, Windows 10 users ignoring the 2025 end-of-support date. Every patch Tuesday after end-of-support adds known-exploitable vulnerabilities that will never be fixed. Running unsupported OS is the most consistent single factor in consumer compromise.
Indicators listed in the Signs section above: unexpected slowdown, unfamiliar processes, disabled security software, unexpected pop-ups, accounts showing unfamiliar login activity. None are definitive alone. For high-suspicion: run Malwarebytes (free) full scan, check for unusual processes in Task Manager/Activity Monitor, review installed applications. For confirmed infection, factory reset is more reliable than trying to remove malware piece by piece.
If your hardware supports it — Windows 11. Windows 10 reaches end of support in October 2025; after that, no more security patches. Windows 11 includes substantial security improvements (TPM 2.0 required, Credential Guard, Core Isolation, hardware-backed encryption). For hardware that cannot run Windows 11, either upgrade hardware or switch to Linux (Ubuntu, Mint, Fedora are all good for general use) rather than running unsupported Windows 10.
Dramatically safer. Memorising leads to either weak passwords (memorable = guessable) or password reuse (impossible to memorise 200 unique passwords). Password managers solve both. The concern "what if my password manager is breached" is much smaller than the reality of password reuse — reputable managers (Bitwarden, 1Password, KeePassXC) have strong security and their master-password model means even a breach of their servers does not expose your vault if your master password is strong.
Yes, functionally. Microsoft Update and macOS Software Update are the primary path for security patches; both are reliable and digitally signed. The small risks (rare bad-update incidents, occasional compatibility breakage) are vastly outweighed by the benefits of current software. "I do not trust Microsoft updates" users consistently end up compromised by vulnerabilities patched years earlier.
Encrypts everything on your laptop's storage drive — without the encryption key (your password), the data is unreadable. BitLocker on Windows, FileVault on Mac — both free, built-in, essentially transparent during normal use. You need it on any laptop that ever leaves your home. Without it, stolen or lost laptops become data compromise; with it, they are just lost hardware.
Apple's hardened security mode that disables certain features known to be exploit vectors (link previews, some attachment types, JIT compilation). Some compatibility tradeoffs. Worth enabling for journalists, activists, executives, government officials, anyone receiving Apple's state-sponsored-attack notification, anyone with elevated threat model. Not necessary for typical users.