Data breaches are becoming alarmingly common, and they affect more than just large corporations and government agencies.
Hackers are targeting personal devices such as your smartphone. Think about it: your phone contains an incredible amount of personal information.
Cyber criminals can find a wealth of information in everything from emails and text messages to banking apps, social media, and even your photos.
The numbers support the growing threat. Last year, the FBI’s Internet Crime Complaint Center received approximately 56,000 reports of personal data breaches.
California, the most populous state, received the most complaints, according to the Identity Theft Resource Center (ITRC). These statistics are not just numbers; they are a wake-up call.
So, what happens if you find your phone has been hacked?
This is a nightmare scenario. Your phone is acting strangely: it’s draining the battery faster than usual, showing strange pop-ups or apps you didn’t download, or unexpectedly locking you out.
Perhaps your phone is slow, overheating, or making unexpected calls or texts. Your thoughts race: “What did they see? What might they do with my information? Can I even fix this?”
Take a deep breath. Yes, it is unsettling, but you are not powerless. Knowing which steps to take, and in what order, can make a significant difference in regaining control and halting the damage.
Let’s go through the specific actions to take if your phone is hacked, so you can protect yourself and recover.
Step 1: Remove malicious software
Even if hackers only had temporary access to your device, assume they saw sensitive data. The first step is to remove any malware or spyware.
1. Use strong antivirus software: The simplest and most effective way to get started is to install and run strong antivirus software. Avoid unfamiliar apps, as some appear to be antivirus tools but are actually malware in disguise. Get my top picks for the best antivirus protection in 2024 for Windows, Mac, Android, and iOS.
After installation, perform a full device scan. This will look for hidden threats such as spyware, ransomware, or keyloggers that could compromise your data further. Once the scan has identified malicious files, follow the app’s instructions to quarantine or delete them.
Make sure to check the app’s log to ensure that all suspicious activity has been addressed. Most antivirus software provides real-time protection, monitoring for threats as they occur. Enable this feature to reduce the risk of reinfection.
Antivirus programs are only as effective as their most recent updates. Cyber criminals are constantly developing new malware, so keeping your antivirus database up to date ensures that it detects the most recent threats.
2. Factory reset if necessary: If the antivirus software does not resolve issues such as freezing, slowdowns, or unexpected shutdowns, you may need to perform a factory reset on your iPhone or Android device.
A factory reset deletes all data from your phone, restoring it to its original state as it left the factory. Before resetting, make a backup of your important files. However, ensure that the backup itself is malware-free.
Backups should be scanned with antivirus software before they are restored. Most phones have a simple reset option in the settings menu under “System” or “General Management.” For detailed instructions, consult your device’s manual or the manufacturer’s website.
3. Seek professional assistance: If you are unsure about your ability to remove malware or reset your phone, contact a trusted professional. Visit the Apple Store, the Microsoft Store, or your phone’s authorized service provider.
Explain your situation and request a thorough inspection and cleaning for your device. Many retailers provide comprehensive diagnostic and repair services.
4. Replace the hardware as a last resort: In some cases, malware can deeply embed itself in a device, making complete removal nearly impossible. If your phone still shows signs of infection after using antivirus tools, factory resets, and professional assistance, you may need to replace it.
Make sure to completely wipe the device before disposing of it to prevent any residual data from falling into the wrong hands. When setting up a new device, take extra precautions to ensure its security, such as enabling two-factor authentication and keeping all software up to date.
Step 2: Don’t reset passwords prematurely
Resist the urge to change your passwords from a compromised device right away. Hackers may still have access and can intercept your new credentials, potentially locking you out again. Instead, take these steps:
Thoroughly clean and secure your device first:
- Complete all steps from Step 1 to remove malware and reset your device if necessary.
- Update your phone’s operating system and all apps to the latest versions.
- Enable two-factor authentication (2FA) on your device and important accounts.
- Review and revoke any suspicious app permissions or account access.
Use a trusted, secure device for password resets:
- Use another device you own or borrow a friend’s or family member’s computer to reset your password.
- If possible, also use a different network than your compromised phone to avoid potential network-level attacks.
Prioritize critical accounts:
- Start with your email, as it’s often used for password resets on other accounts.
- Move on to financial accounts, social media and other sensitive services.
Create strong, unique passwords:
- Use a combination of uppercase and lowercase letters, numbers and symbols.
- Aim for at least 12 characters in length.
- Avoid using personal information or common phrases.
- Consider using a password manager to generate and store complex, unique passwords for each account. Password managers encrypt your password database, adding an extra layer of security.
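The password rules listed above, as an added Node.js example that is not part of the original article: a generator that draws from the operating system's random source and a checker for the same rules. The function names, the symbol set and the `bannedTerms` parameter are assumptions made for illustration.

```javascript
const nodeCrypto = require('node:crypto');

const MIN_LENGTH = 12; // minimum length recommended in the list above
const CLASSES = [
  { name: 'uppercase letter', chars: 'ABCDEFGHIJKLMNOPQRSTUVWXYZ', test: /[A-Z]/ },
  { name: 'lowercase letter', chars: 'abcdefghijklmnopqrstuvwxyz', test: /[a-z]/ },
  { name: 'number', chars: '0123456789', test: /[0-9]/ },
  { name: 'symbol', chars: '!@#$%^&*()-_=+[]{};:,.?', test: /[^A-Za-z0-9]/ },
];

// randomInt draws from the operating system's CSPRNG without modulo bias.
const pick = (chars) => chars[nodeCrypto.randomInt(chars.length)];

function generatePassword(length = 20) {
  if (length < MIN_LENGTH) throw new RangeError(`length must be at least ${MIN_LENGTH}`);
  const all = CLASSES.map((c) => c.chars).join('');
  const out = CLASSES.map((c) => pick(c.chars)); // one of each class guarantees the mix
  while (out.length < length) out.push(pick(all));
  // Fisher-Yates shuffle so the guaranteed characters do not sit in fixed positions.
  for (let i = out.length - 1; i > 0; i--) {
    const j = nodeCrypto.randomInt(i + 1);
    [out[i], out[j]] = [out[j], out[i]];
  }
  return out.join('');
}

// Returns the rules a password breaks; an empty array means it passes.
// bannedTerms holds personal details and common phrases supplied by the caller.
function checkPassword(password, bannedTerms = []) {
  const problems = [];
  if (password.length < MIN_LENGTH) problems.push(`shorter than ${MIN_LENGTH} characters`);
  for (const c of CLASSES) {
    if (!c.test.test(password)) problems.push(`no ${c.name}`);
  }
  const lowered = password.toLowerCase();
  for (const term of bannedTerms) {
    if (term && lowered.includes(term.toLowerCase())) problems.push(`contains "${term}"`);
  }
  return problems;
}
```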
Setting up passkeys on iPhone and Android
As we’ve seen, traditional passwords pose numerous security risks, including vulnerability to breaches and phishing attacks, as well as the inconvenience of remembering complex combinations. Even with best practices in place, passwords can be stolen or misused.
This is where passkeys come into play. As data breaches become more common, using passkeys can greatly improve your security. Unlike passwords, which require you to remember a string of characters, passkeys use biometric authentication or a PIN to speed up the login process while protecting against unauthorized access.
Benefits of using passkeys
Enhanced security: Passkeys are resistant to phishing attacks and reduce the risk of credential theft since they cannot be easily guessed or stolen like traditional passwords.
Convenience: With biometric authentication, logging into apps and websites becomes faster and easier — eliminating the need to remember complex passwords.
Cross-device functionality: Passkeys work seamlessly across different devices linked to the same account — providing a unified login experience.
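Why a passkey resists phishing, as an added Node.js example that is not part of the original article: a simplified model of the WebAuthn sign-in behind passkeys, leaving out the flags, counters and encoding of the real protocol. The function names and the sites `bank.example` and `bank-example.test` are constructed for illustration.

```javascript
const nodeCrypto = require('node:crypto');
const sha256 = (data) => nodeCrypto.createHash('sha256').update(data).digest();

// Registration: the device creates a key pair scoped to one site (rpId).
// The site stores only the public key; the private key never leaves the device.
function createPasskey(rpId) {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  return { rpId, publicKey, privateKey };
}

// Device side of a sign-in. The browser, not the page, fills in the origin,
// and a passkey is only offered to the site it was created for.
function signIn(passkey, browserOrigin, challenge) {
  const host = new URL(browserOrigin).hostname;
  if (host !== passkey.rpId && !host.endsWith('.' + passkey.rpId)) return null;
  const clientData = Buffer.from(JSON.stringify({
    type: 'webauthn.get', challenge: challenge.toString('base64url'), origin: browserOrigin,
  }));
  const authData = sha256(passkey.rpId); // real authenticator data also has flags and a counter
  const signed = Buffer.concat([authData, sha256(clientData)]);
  return { clientData, authData, signature: nodeCrypto.sign('sha256', signed, passkey.privateKey) };
}

// Server side: every field is checked before the signature is trusted.
function verifySignIn(assertion, expected) {
  if (!assertion) return false;
  const data = JSON.parse(assertion.clientData.toString('utf8'));
  if (data.type !== 'webauthn.get' || data.origin !== expected.origin) return false;
  if (data.challenge !== expected.challenge.toString('base64url')) return false;
  if (!assertion.authData.equals(sha256(expected.rpId))) return false;
  const signed = Buffer.concat([assertion.authData, sha256(assertion.clientData)]);
  return nodeCrypto.verify('sha256', signed, expected.publicKey, assertion.signature);
}

// Constructed scenario: bank.example is the real site, bank-example.test a look-alike.
function demo() {
  const passkey = createPasskey('bank.example');
  const site = { rpId: 'bank.example', origin: 'https://bank.example', publicKey: passkey.publicKey };
  const challenge = nodeCrypto.randomBytes(32);
  const genuine = signIn(passkey, 'https://bank.example', challenge);
  const lookalike = signIn(passkey, 'https://bank-example.test', challenge);
  return {
    genuine: verifySignIn(genuine, { ...site, challenge }),
    lookalike: verifySignIn(lookalike, { ...site, challenge }),
    replay: verifySignIn(genuine, { ...site, challenge: nodeCrypto.randomBytes(32) }),
  };
}
```

Only the genuine sign-in verifies: the look-alike site never receives a signature, and a captured response fails against a fresh challenge, so nothing reusable is handed over the way a typed password would be.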
Here’s how to set up passkeys on both iPhone and Android devices so that you can secure your personal information.
Setting up a passkey on iPhone
- Check compatibility: Ensure your iPhone is running iOS 16 or later; passkeys are integrated into iCloud Keychain.
- Enable iCloud Keychain: Go to Settings > [Your Name] > iCloud. Under Saved to iCloud, tap Passwords (in iOS 17 or earlier, tap Passwords and Keychain). Tap Sync this iPhone to turn on iCloud Passwords & Keychain. You might be asked for your passcode or Apple Account password.
- Ensure that two-factor authentication is also enabled for your Apple ID. Open Settings > Tap your name at the top > Select ‘Sign-In & Security’ > Tap ‘Turn On Two-Factor Authentication’ > Follow the on-screen instructions to complete the setup.
- Open the app or website where you want to create a passkey.
- Select the option to sign in or create an account.
- When prompted for a password, choose the option to use a passkey instead.
- Follow the on-screen instructions to authenticate using Face ID, Touch ID, or your device passcode.
- Your passkeys will be stored in iCloud Keychain and automatically sync across all devices signed in with the same Apple ID.
Setting up a passkey on Android
Settings may vary depending on your Android phone’s manufacturer.
- Check compatibility: Ensure your device is running Android 9 (Pie) or later; most modern Android devices support passkeys.
- Set up Google Password Manager: Go to Settings > Tap your Name or initial > Google > Manage Your Google Account > Security. Then, scroll down to find the Passkeys section and tap on it.
How to create a passkey on Android:
- When signing into an app or website, select the option for passwordless login.
- Follow the prompts to create a passkey; this may require biometric verification (fingerprint or facial recognition) or a PIN.
- Once created, your passkeys will be stored in Google Password Manager and synced across all devices linked to your Google account.
Step 3: Secure your assets and prevent identity theft
With your device clean, concentrate on safeguarding your financial and personal data.
Credit reports: Contact Equifax, Experian, and TransUnion to set up a fraud alert and security freeze on your credit reports. Check your credit reports on a regular basis for signs of unauthorized activity. Equifax: 1-800-525-6285; Experian: 1-888-397-3742; TransUnion: 1-800-680-7289.
Financial institutions: Change your passwords and enable two-factor authentication (2FA) on your bank accounts. This improves the security of your financial information. Inform your financial institutions of the breach. Some banks allow you to create verbal passwords to increase security.
Driver’s license: Please submit a Fraud Review of Driver License/Identification form to your local Department of Motor Vehicles (DMV).
Social Security Account: If you do not already have a my Social Security account, create one. Check for any unusual activity. Regularly review your account statements to ensure that no unauthorized changes have been made.
Taxes: Get an Identity Protection (IP) PIN from the IRS to avoid fraudulent tax returns. File your taxes early to beat potential fraudsters. You can obtain an IP PIN by visiting the IRS’ official website.
Identity theft protection: Identity theft protection companies can track personal information such as your Social Security Number (SSN), phone number, and email address and notify you if it is sold on the dark web or used to open an account. They can also help you freeze your bank and credit card accounts to prevent future unauthorized use by criminals.
One of the benefits of using some services is that they may include identity theft insurance for up to $1 million in losses and legal fees, as well as a white glove fraud resolution team with a U.S.-based case manager to assist you in recovering any losses. See my top tips and recommendations for preventing identity theft.
Kurt’s key takeaways
Having your phone hacked is a sobering reminder of how vulnerable we are nowadays. However, the experience does not have to be disastrous if you act quickly and methodically.
Begin by addressing the immediate threat of malware, then secure your accounts and assets and take proactive steps to prevent future breaches.
Consider these steps to be your digital emergency kit, providing you with the tools you need to regain control when things go wrong. Remember that your digital security is only as strong as the precautions you take now.