upper waypoint

Hacker Took Control of Your Phone? Here's What to Do

Save ArticleSave Article
Failed to save article

Please try again

The Identity Theft Resource Center recommends replacing your online passwords by setting up passkeys, if they are offered, on your accounts. (Oscar Wong/Getty Images)

The FBI’s Internet Crime Complaint Center received nearly 56,000 reports related to personal data breaches in 2023. And according to the Identity Theft Resource Center in San Diego County, a nonprofit that offers free advice to victims of such data breaches, California, the most populous state, had the most overall complaints in the United States last year.

I wrote earlier about my own experience of having my phone hacked in this KQED story — and how phones have become the newest target of such data breaches. Read more about which settings to enable to reduce your chances of suffering a data breach.

But if this does happen to you, what should you do? I spoke to the head of the Identity Theft Resource Center’s victim services team to find out the steps you should immediately take if your phone is breached by someone you don’t know. (KQED is honoring the organization’s request to keep her name anonymous, as the Center says it’s the frequent target of digital attacks in retaliation for its work.)

Sponsored

Remove the malicious software

Even if the attackers have been inside your phone for a short time, you should assume they have seen a lot of critical information, and you should act accordingly.

First, you should scrub your device or computer of any malware or spyware you might find through scanning and removal tools offered by a legitimate, recognizable company. For Windows computers, Microsoft offers a malicious software removal tool.

If you still see signs of infection, such as slowness, freezing up or unexpected shutdowns, you may have to wipe your entire machine, which resets it to its factory state. Keep in mind that if you reinstall a backup of your data onto a newly scrubbed device or computer — from an external drive, for instance — you have to make sure your backup source doesn’t also include the malware.

If you aren’t comfortable doing this yourself, major tech retail companies like Apple and Microsoft offer services you can use.

Abandoning your hardware altogether isn’t usually required if it has been wiped and reset, the Identity Theft Resource Center says. However, some malware can remain well-hidden, and it’s possible your computer or device might become reinfected. If you know for sure that is the case, or if you are still seeing signs of infection, it might be time to get a new one. (This is what I did with both my computer and phone. I felt so thoroughly spied upon that I thought about getting rid of my TV, my Blu-Ray player and my cats as well.)

Don’t reset passwords too early

If you go online to reset passwords and take other steps to protect yourself but do it with a device that is still compromised, the hackers may see the changes you’ve made, and you’ll be right back where you started.

Keep this in mind as well: If someone has stolen your iCloud or Google credentials — which is what happened to me — getting a new phone, a new cell provider, a new phone number or even all three won’t help.

That’s because it’s the individual Apple/iCloud or Google account itself that the hackers penetrated. If you think that may be the case for your iCloud account, go to an Apple Store and have them walk you through getting a new ID. For Google, you can take the steps listed here.

Secure your assets and prevent ID theft

You will need to take steps to prevent criminals from using any information they obtain to impersonate you.

1. Credit reports

Contact all three credit reporting agencies to place a fraud alert and security freeze on your credit reports. You should also obtain credit reports and review them for any activity you don’t recognize.

Equifax: 1-800-525-6285

Experian: 1-888-397-3742

Transunion: 1-800-680-7289

2. Financial Institutions

Once you know your devices are safe, update all your passwords and add multifactor authentication — a combination of two or more identity verification methods — to your accounts. You may also need to do your banking in person for a while until you are sure all your devices are safe.

Contact your financial institutions to let them know what has occurred and ask them what additional steps you should take. At some, you can register a verbal password, which you will have to give to make any transaction. (Just don’t lose it.)

Consider changing your answers to the security questions that banks and other organizations use — just make them up. Again, make sure you record those fake answers for future use.

3. Driver’s license

You can submit a California DMV Fraud Review of Driver License/Identification form to dlfraud@dmv.ca.gov to request the agency look for any potential fraud using your information. On the form, you can explain how your driver’s license may have been compromised.

4. Social Security account

When your device is safe, create a my Social Security account online, if you don’t already have one, so you can monitor the wages and income being reported and see if anything looks amiss.

5. Taxes

Obtain an identity protection (IP) PIN from the IRS. This six-digit number will help verify your identity when you file, and it will also prevent identity thieves from filing tax returns in your name. Anyone with a Social Security Number or an Individual Taxpayer Identification number can get a PIN.

Another safeguard is to file your taxes as early as possible, beating any potential fraudsters to the punch.

If you think your device has been compromised, see this IRS page on the signs to look for that may indicate tax-related identity theft and what you should do. For California state taxes, see this Franchise Tax Board Identity Theft page.

6. Passkeys

The Identity Theft Resource Center recommends replacing your online passwords by setting up passkeys if they are offered, on your accounts. Passkeys are considered to be more secure than passwords because they generate a random code linked to the biometric identification method (fingerprint or face verification, for instance) you will use each time you log in to your device. The codes are invisible and inaccessible to any user, and because they are not stored by the institutions where you have accounts, they cannot be stolen in a data breach. This is not the case with passwords.

The ITRC says if you use passkeys, it’s critical that you activate the locking feature on your phone so that you have to verify yourself to regain access. That’s because if the device is stolen or your Apple or Google IDs are compromised, the thief may be able to gain easier access to your online accounts than if you still used passwords. You should also use and familiarize yourself with the Find My Device feature for iPhones or Androids, so you can shut the phone off remotely if it is compromised.

7. Identity Theft Protection

You may want to consider signing up with an Identity Theft Protection company, which monitors activity on your credit cards and financial accounts and can search for breaches of your personal information on the dark web.

Sponsored

lower waypoint
next waypoint