When it comes to Internet security, what you think you know can hurt you.

A lot of what passes for common sense about this subject is just plain wrong—and often risky. Here’s a list of some mistaken beliefs that can get you ripped off or hacked, or your computer infected with something nasty.

Which of these apply to you?

1. I don’t worry because I’ve got security software on my computer.

Don’t drop your guard. Security software is essential, but it won’t protect you from every threat out there. Even the best security suite may fail to stop a new piece of malicious software that has been in circulation for too short a time to be easily recognized. If you’re still running the trial version of the security software that came with your new computer a couple of years ago without having paid for updates, that software has probably gone stale. Security software needs to be updated frequently. Free antivirus programs like Avast, Avira, and AVG may perform decently. But if you’re willing to pay $40 to $80 for more versatile products that include technical support, check out the free ratings of security suites at Top Ten Reviews, which are based on performance tests conducted by an independent lab.

2. No need to worry when I use my smartphone or tablet, because security risks are only for desktop and laptop computers.

It’s partly true: Malicious software is rare on Apple mobile devices and just a small threat on Android devices if you stick with apps from the Google Play Store or Amazon App Store for Android. But phones and tablets have other risks, namely that a stolen or lost device will be hacked into by a criminal, or that someone will tap into your communications when you use the device at an unprotected Wi-Fi hot spot in, say, a coffee shop or airport. To minimize the threats from a lost phone use the device’s built-in security features. To thwart Wi-Fi eavesdroppers, use your carrier’s 3G/4G connection or install a free VPN (virtual private network) like HotSpot Shield.

3. I can safely read any e-mail as long as I don’t open any attachments.

This is mostly true, but be aware: Researchers have discovered some HTML-enabled e-mails that delivered malicious software even if you don’t open an attachment. Don’t forget that just by opening a piece of spam e-mail you confirm to the spammer that your address is legit—and encourage more spam.

4. I’m safe visiting nearly any web site, because a site can’t infect my computer unless I knowingly download something from it.

Not true. Web sites can trick you into downloading malicious software via a technique known as a drive-by download. Not all security software is equally effective at blocking these downloads. In fact, I had a computer infected and crippled this way even though my antivirus was running at the time. This risk is a good reason to make sure you back up important files on your computer on a regular basis.

5. I’m sure my computer isn’t infected by malware, because the symptoms would be obvious.

Not all malicious software leaves tell-tale signs such as slowing down your computer or displaying annoying popups. If you have reason to suspect an infection, scan the computer using good security software. That’s not a sure thing either, but it’s the best you can do without bringing the computer to a professional.

6. My computer is safe because I only visit well-known sites and avoid the shady ones.

High-profile sites are not immune to malicious software. Last fall, via a criminal practice known as malvertising, banner ads on 22 popular sites–including Yahoo Finance, AOL, The Atlantic, and Match.com–infected users’ computers with CryptoWall, a malicious ransomware program, according to security firm Proofpoint.

7. I’m sure no one would attack my computer. There’s nothing on it worth stealing.

If only that were true. Criminals are scouring the Internet around the clock for vulnerable computers. Yours probably contains something useful to a criminal, such as passwords and account information, your address and contacts, or other sensitive material such as tax or medical records. Or a hacker may want to hijack your computer to use it to attack web sites or to store illicit material on it, such as pornography or stolen intellectual property.

8. I change my passwords often to be more secure. 

Changing passwords often does not improve your security. In fact, if you change them so often that you’re tempted to come up with quick-and-dirty passwords just so a web site will accept them, it can actually lower your security.

9. I’m safe because my home router has a firewall that keeps out the bad guys.

Your router is probably more vulnerable than you think, even if you avoid the common mistake of not changing its factory-set administrator name, password, and SSID. Last summer, hackers in a security contest called SOHOpelessly Broken found numerous vulnerabilities in small office/home office routers from major brands like Linksys, Netgear, D-Link, and Belkin.

10. Social networks are safe because I only interact with friends. And besides, there are no computer viruses on them.

It’s precisely because people lower their guard when using services like Facebook, Twitter, and LinkedIn, that social networks have become a breeding ground for criminals, according to security firm Zerofox. Forged Facebook pages, links to malicious sites, and even some apps on Facebook have led unwitting users to download malicious software and fall into the hands of hackers.

11. Whenever I see the little padlock symbol in my browser, it means that the web site I’m visiting is safe.

Actually, that little padlock tells you nothing about how secure the site itself is from hackers or data breaches. All it means is that the site uses encryption to secure the data that’s exchanged between the site and your computer.

12. It’s safe to read an e-mail if it comes from someone I know.

Don’t fall for this trick, which criminals have used for years to get trusting users to open malicious e-mail. If the Subject for an e-mail from a friend appears even slightly suspicious, check with the friend directly before opening it. The chances are that your friend’s computer has been infected with malicious software that sent infectious e-mails to the contacts in their address book—including you.

13. I’m not at risk because I use an Apple computer.

While malicious software for Macs is rare, don’t become overconfident. As a Mac user, you’re still vulnerable to phishing and other e-mail scams, as well as criminal web sites that try to trick you into divulging sensitive information.

14. A scam or phishing e-mail is easy to recognize because it’s so poorly written.

Don’t kid yourself. While some scams may be easy to spot, criminals have created some very slick e-mails and bogus sites that even an expert would have a hard time identifying.

–Jeff Fox