Check links and attachments of emails
Often, viruses infiltrate smartphones or PCs through infected email attachments or links. These spoofing emails are very well-engineered: They adapt to the user and claim to be an institution or person, the user often is in contact with.
Do not open attachments whose sender you do not know. If you are unsure about an email, you can do a quick Google search containing the subject line of the email. If it is an infected spam mail, usually the first search results already indicate this.
Use official app stores
If you do not download apps from the official app stores of Google or Apple, you risk to infect your device with viruses. Especially with very popular apps, there is a risk that contaminated download links from these versions are in circulation.
You should therefore download apps exclusively from the Apple App Store or Google Play Store. All apps that are listed there are checked by the respective platform before. In general, they can be downloaded without hesitation.
Authentication with 2 devices
In a secure TAN process, two independent devices are usually used for two-factor authentication. However, in the photoTAN process, the TAN is not generated on a second device. Attackers thus have an easy game: They nestle over a security flaw in the smartphone and manipulate the TAN generation so that the money is directed to another account.
For this reason, always use two different devices for TAN procedures. In a money transfer for example, it makes sense to receive a mobile TAN for the transaction on the smartphone and perform the procedure on the Mac or PC.
Avoid websites without a lock
Any website that requests or stores user data should have a safety certificate. This verifies that the data streams are encrypted. If there is no certificate, the data may be freely visible and provide an easy target for attackers.
Therefore, always check before registering on a website if there is a small padlock icon in the URL bar. If so, a basic security is given.