How to Protect Your Phone from Being Hacked
Our phones serve as our file cabinets, mailboxes, calendars, and much, much more. We load them up with nearly all of our personal data - photos, texts, notes, documents, and emails. Through mobile apps, we access banking, social media, and a wide range of communication tools. Given the ubiquity of smartphones, and the integral role they play in our day-to-day lives, one of the most pressing concerns we face is how to secure them.
One thing is for sure: hackers are increasingly targeting smartphones. SIM-swapping attacks have become commonplace. Malware-infused texts and emails have proliferated. Attacks have become more sophisticated and complex. No one is immune. If compromised, your phone presents a treasure trove of data. So, what can you do?
We’ve compiled a guide with some quick and simple steps you can take to secure your phone and protect yourself from being hacked. These smartphone security tips will help bolster your digital hygiene and safeguard your devices.
Follow the steps below to get started:
- Protect Against SIM-Swapping
- Set a Strong Passcode for Your Phone
- Use a Dedicated Authentication App for 2FA
- Auto-Update Your OS and Apps
- Use a VPN on Public WiFi Networks
- Avoid Public Chargers
- Turn Off Bluetooth
- Don’t Click on Unknown or Suspicious Links
- Stay Vigilant
Affiliate Disclosure: Bloom receives compensation for purchases made through the links on this page. Opinions expressed here are our own.
Protect Against SIM-Swapping
Phone number hijacking, known as SIM-swapping, has become a common attack used by identity thieves and fraudsters of all types to take control of phone numbers and gain access to accounts that use SMS-based two-factor authentication. SIM-swapping occurs when a fraudster contacts a mobile carrier’s customer support and tricks them into transferring someone else’s phone number to a SIM card that the fraudster controls. This allows the attacker to intercept two-factor authentication codes and gain unauthorized access to the victim’s online accounts.
One of the tell-tale signs that you may be the victim of SIM-swapping is service suddenly dropping out on your phone and losing connection to the network. In the time it takes to realize your SIM has been transferred and get it sorted out with customer support, the attacker can wreak havoc on your digital life, posting messages on social media, emptying bank accounts and cryptocurrency wallets, or stealing personal data.
While high-profile figures such as Twitter CEO Jack Dorsey and actress Selena Gomez have made headlines for becoming victims of SIM-swapping scams, it can happen to anyone. Reports of SIM-swapping attacks have become increasingly common, from a string of Instagram account takeovers to a handful of victims who have had their checking accounts drained.
To help prevent SIM-swapping, you should set a Personal Identification Number (PIN) on your account with your mobile carrier. The three major US mobile carriers often don’t require a PIN, sometimes only asking for the last four digits of your Social Security number, or, in some cases, nothing more than your date of birth. If your SSN has been exposed, and chances are that it has, hackers can easily get access to your mobile account by contacting customer support and having your number transferred to a new SIM card.
An account PIN is used to verify your identity when you contact your mobile carrier. It helps ensure that your account remains secure. Without the PIN, your account cannot be accessed. This prevents fraudsters from transferring your number to a SIM card that they control.
Hackers have been known to successfully trick customer support representatives into bypassing PINs in some cases, so there is no way to completely prevent SIM-swapping. However, this is still your best line of defense. Always remain vigilant about signs of a SIM hijack. If you abruptly lose service and are unable to reconnect to the mobile network after performing basic troubleshooting, you should contact customer service to make sure that your phone number hasn’t been transferred.
For the best security hygiene, you should also use a dedicated authentication app such as Google Authenticator or Authy for all of your accounts that support it instead of using SMS-based authentication whenever possible.
How to Set an Account PIN on Verizon
You can create or change your account PIN on the web or with Verizon’s mobile app.
Online with My Verizon
- Visit Verizon’s Change Account PIN page
- Sign in to your My Verizon account
- Enter a new account PIN
- Click Submit
My Verizon App
- Open the My Verizon app on your phone
- Open the menu and tap Account
- Tap Account Settings
- Tap Security
- Tap Manage Account PIN
- Enter a new PIN
How to Set an Account PIN on T-Mobile
Online with My T-Mobile
- Visit T-Mobile’s Customer PIN page
- Click Change your PIN or passcode
- Log in to your My T-Mobile account
- Follow the prompts to set a new passcode
Over the Phone
- Dial 611 from your mobile phone
- Request to add "Port Validation" to your account
- Choose a six to 15 digit PIN
How to Set an Account PIN on AT&T
Online with MyAT&T
- Sign in to your AT&T Profile
- Choose your wireless account from the dropdown menu
- Click Sign-in info
- Click Get a new passcode
- Follow the prompts to set a new passcode
AT&T also allows you to add extra security to your account by requiring your passcode to manage your account in retail stores and when signing in online. Here is how to turn on extra security for your account:
- Sign in to your AT&T Profile
- Choose your wireless account from the dropdown menu
- Click Manage extra security in the Wireless passcode section
- Check Extra security and re-enter your passcode when prompted
If you often have trouble remembering your PIN, set up a password manager and add the PIN to the login information for your mobile carrier.
Set a Strong, Unique Passcode for Your Phone
Setting a strong, unique passcode for your phone prevents others from physically accessing the contents of your phone in case you inadvertently leave it unattended or it is ever lost or stolen. Avoid at all costs easy-to-guess passcodes, such as birthdays, kids' names, pet names, or commonly used passcodes such as 0000 or 1234. You should also avoid PINs that you have previously used for debit or credit cards. Passcodes should always be unique and never reused.
Depending on the level of security you need and how much convenience you are willing to sacrifice, changing the authentication method on your phone is one of the best things you can do. If security is your primary concern, ditch the numeric passcode or biometric authentication for a complex alphanumeric passcode consisting of random numbers and letters. If you would rather use biometric authentication, such as your face or fingerprint, you should still set a strong passcode to fall back on if biometric authentication fails.
How to Change Your Passcode on iOS
- Open the Settings app
- Tap Touch ID & Passcode
- Enter your existing passcode
- Tap Change Passcode
- Tap Passcode Options
- Choose Alphanumeric Code
- Enter your new passcode
How to Change Your Passcode on Android
- Open the Settings app
- Tap Security or Security and Screen Lock
- Tap Screen Lock
- Choose Password
- Enter your new passcode
You should avoid setting a four-digit PIN as your primary authentication method. At the very least, set a six-digit or longer PIN if you would rather not use an alphanumeric passcode. The most convenient method, though not a perfectly secure one, is to use biometric authentication such as your fingerprint or face scan. Biometric authentication can be thwarted though, so it’s important you understand the risks.
Use a Dedicated Authentication App for 2FA
Two-factor authentication (2FA) is an extra layer of security used to make sure that the person who is trying to get access to an account is who they say they are. Along with a traditional password, two-factor authentication requires you to enter an additional piece of information to authenticate your identity, usually a unique one-time passcode sent via SMS or a software token generated by an authentication app.
Two-factor authentication makes it far more difficult for hackers and identity thieves to gain unauthorized access to your online accounts. Even if a password to one of your accounts is stolen or leaked, thieves won’t be able to gain access to it without a second authentication code.
While SMS-based 2FA is still far more secure than simply using a password, and can be safely used for low-risk accounts that don’t contain sensitive information, SMS codes are vulnerable to interception. This is especially true if you fall prey to a SIM-swapping attack. Using a dedicated authentication app will help prevent hackers from gaining access to your accounts if you do become the victim of a SIM-swap scam.
If you want to start using a dedicated authentication app, we recommend Google Authenticator or Authy. Both are free and available on iOS and Android. Make sure to go through all of your online accounts and enable two-factor authentication using your authentication app for accounts that support it. For help finding which sites and apps support 2FA, check out TwoFactorAuth.org. If you want to take your security to the next level, you can opt for a physical authentication method such as YubiKey.
Auto-Update Your OS and Apps
Phone operating systems are generally quite secure. However, as with any operating system (OS), any bugs and vulnerabilities that crop up are frequently fixed with software updates. These updates often contain security fixes that help keep your phone secure. One of the easiest and most effective ways to protect your phone is to set up auto-updates for both the OS and installed apps.
Automatic Updates on iOS
To turn on automatic software updates:
- Open the Settings app on your iPhone
- Tap General
- Tap Software Update
- Tap Automatic Updates
- Toggle Automatic Updates to on (green)
Now, your phone will automatically install software updates overnight when charging and connected to WiFi.
To turn on automatic updates for apps:
- Open the Settings app on your iPhone
- Tap iTunes & App Store
- Toggle App Updates to on (green)
Automatic Updates on Android
To turn on automatic OS updates:
- Swipe down from the top of the screen to access Quick Settings
- Tap the gear icon
- Tap Software Update
- Select Download updates automatically
To turn on automatic updates for apps:
- Open the Google Play Store app
- Tap Menu
- Tap Settings
- Tap Auto-Update Apps
- Select either Over WiFi only or Over any network
Use a VPN on Public WiFi Networks
When using public or unprotected WiFi networks, you should use a Virtual Private Network (VPN) to connect to the internet. Unprotected WiFi networks at coffee shops, airports, or other venues that offer free public WiFi can be used by hackers to siphon off data and load malware onto connected devices.
Much of the web traffic on these networks is transmitted in plain text, making it easy for thieves to intercept browsing activity, emails, login credentials, and credit card information. In some cases, hackers have even set up fake wireless access points at busy public locations, so-called “WiFi honeypots”, with the sole intention of intercepting data or installing malware on connected devices.
VPNs help protect your privacy by sending information over the network in an encrypted manner, using a kind of virtual tunnel, making it nearly impossible for hackers to intercept or snoop on your activity and making it difficult to track your activity based on your IP address. There are all kinds of VPN services, some paid and some that you can set up yourself.
We recommend NordVPN for its ease of use and robust privacy features. NordVPN is based in Panama, which has no data retention laws, and adheres to a strict no logs policy, so that your activity is never monitored or recorded. You can download NordVPN for iOS or Android here.
Avoid Public Chargers
"Juice jacking" at airport charging stations, on trains, and at hotels has started to become a more commonly used method by hackers to target unsuspecting travelers who are just looking for some juice. The scam involves hackers infecting devices with malware through rigged USB ports or cables and then siphoning off personal data.
Juice jacking exploits the data transfer capability of USB, so instead of just simply charging your phone, the USB connection is used to transfer malicious software onto your device. In some cases, a modified USB cable is all it takes for a hacker to infect a device and remotely gain access to it.
Cybersecurity experts suggest only charging your device directly from an electrical outlet and avoiding public charging stations altogether. Bring your own charging cables and wall plugs with you when you travel. If you find you are running out of juice often, look into getting a portable battery pack that you can use to charge your phone when you are in places that lack easy access to power outlets.
Turn Off Bluetooth
Bluetooth has had some serious security vulnerabilities over the years, resulting in millions of devices being put at risk at one point or another. One such risk was an attack named BlueBorne, which hackers used to gain control of devices and access data using a handful of critical Bluetooth vulnerabilities. BlueBorne is just one in a series of attacks that have been carried out by exploiting Bluetooth vulnerabilities.
Beyond the security risk, there are also some very real privacy concerns when it comes to Bluetooth. As a New York Times Privacy Project headline put it, "In Stores, Secret Bluetooth Surveillance Tracks Your Every Move." When you're not using Bluetooth, turn it off, especially if you rarely use it.
How to Turn Off Bluetooth on iOS
With iOS 11, Apple changed the default Bluetooth toggle in the Control Center to only disconnect from non-Apple devices. Not only does the toggle no longer fully turn off Bluetooth, it will also automatically reenable Bluetooth connections the next day. To truly turn off Bluetooth, you will need to head into the settings.
- Open the Settings app on your iPhone
- Tap Bluetooth
- Toggle Bluetooth to off (gray)
When you need to use Bluetooth again, you can do so by simply toggling it back on from the Control Center.
How to Turn Off Bluetooth on Android
Unlike iOS, toggling Bluetooth off on Android devices completely disables it. Bluetooth settings can vary between devices, but in general here is how you can turn off Bluetooth on Android.
- Open the Settings app on your Android phone
- Tap Connected Devices
- Tap Connection Preferences
- Tap Bluetooth
- Toggle Bluetooth to off
Don’t Click on Unknown or Suspicious Links
Google researchers recently discovered a highly sophisticated iOS attack that was used to hack thousands of iPhones simply by getting users to visit a website. Once the hackers gained access to the phones, they were able to monitor live location data, steal passwords, and even read encrypted messages. Apple later patched the vulnerabilities that the attack exploited with a software update (which is why you should always turn auto-update on) but it showcased just how effective phishing scams can be.
Phishing, whereby hackers attempt to get someone to visit a malicious link in an email or text message, is one of the most insidious ways identity theft occurs. The malicious link or attachment in a phishing scam either sends the target to a fraudulent website that is set up to look legitimate, in an attempt to get the person to enter personal information, or installs malware in the background that allows the perpetrator to siphon off personal information from the device.
More sophisticated phishing attacks use information stolen in data breaches or leaks to personalize the attack to the target, using private information that only a trustworthy friend or company would know in order to lure the victim into clicking on the malicious communication.
To avoid falling prey to a phishing scam, don't click on unknown or suspicious links. Be wary of messages asking for your password or personal information such as your Social Security number; almost no company or organization will ask for this kind of information directly.
Many phishing messages look like they come from a company you know or trust, so make sure that you verify that the sender of an email or text message is who they say they are. The best way to protect yourself is to remain vigilant and cautious. And if you've followed the other steps in this guide, such as enabling two-factor authentication for your accounts and keeping your software up-to-date, you'll be much safer in the event that you accidentally click on a phishing link.
For more information on how to recognize and avoid phishing scams, check out this handy guide from the FTC.
Stay Vigilant
As always, be vigilant. Don't leave your phone unattended in public. Don't give out your passcode to others. Make sure no one is peering over your shoulder when you enter your passcode. If your phone ever abruptly loses service somewhere it shouldn't, check to make sure that your phone number hasn't been transferred.
You will never be able to completely eliminate the possibility of your phone being hacked, but you can make it harder for would-be hackers. Good digital hygiene comes down to understanding what the risks are, taking the most reasonable steps you can to protect yourself, and always being on the lookout for suspicious activity so that you can act quickly if you find yourself the target or victim of an attack.