5 January 2024

9 min read

Digital forensics: what to do in the event of a mobile phone theft

Cyber security
people holding cellphones

Mobile phones are popular gifts every Christmas and many people will be in possession of an expensive new phone in 2024. But according to a BBC article released this year, London’s Metropolitan Police reported a mobile phone was stolen every six minutes in England’s capital in 2022, indicating 136,520 phones were stolen across the UK in 2022, a 35.9% increase in thefts on the previous year. Phone theft is a crime on the rise and shows no signs of slowing down. In this article digital forensic experts, Jordan Hare and Aaron Brown take a look at the risks associated and how to minimise the impact should the worst happen.

We use our mobile phones for messaging our family and friends, accessing social media, business activities, shopping, banking, as well as storing a plethora of sensitive personal data. The risk associated with the theft of your mobile phone can therefore result in significant financial loss, reputational damage, impersonation, or identity theft. In this article, our digital forensics experts outline the steps you can take to mitigate against these risks if you become victim to mobile phone theft.

At S-RM we support corporates and high-profile individuals with a range of digital forensic services. On a recent case we supported a client who had their phone stolen during what they believed to be a "snatch and grab" theft, and for this reason they took no action for three days following the theft. During those 72 hours, the thief was able to change passwords and recovery methods on numerous accounts, including taking full control of the client’s email accounts, WhatsApp, and various e-commerce sites. The theft led to financial loss through bank transfers and unauthorised online purchases. S-RM provided remediation support and were subsequently able to regain control of the accounts, mitigating against data loss and any further financial loss.

The risks

Several scenarios may occur following the theft of your mobile device; this will depend on the nature of the theft, who has stolen it and why, but also the circumstances and the state the device was in when it was stolen.

Arguably the “best” case scenario after a theft is the device is sold online or through a second-hand retail store/pawn shop. These are typically “snatch and grab” exercises where the SIM card is dumped, and the phone is sold as quickly as possible. The risk in this case is the loss of data which had not been backed up and any financial loss associated with the purchase of a new device.

A more sophisticated attack is targeted phone theft where individuals, often high net worth individuals and public figures, are sought out while they are actively using their devices. It is not uncommon for individuals to be watched as they enter their phone PIN in a social engineering technique known as “shoulder surfing”. Once the PIN to unlock the device is known, or the device is confirmed to be unlocked, the handset will be stolen. With access to the PIN code, the attacker will have access to personal, sensitive and financial information stored on the device, and also has access to any password manager or other saved passwords which may enable them to gain full control over the victim’s accounts.

Finally, there is a risk for some individuals to have their handsets stolen for malware to be placed on the device and later returned. While this is a rare occurrence, it is typically performed as a means of surveillance on the victim and can be difficult to spot.

How do I stop myself from becoming a victim?

Unfortunately, there is no guaranteed way to stop yourself from becoming a victim of theft. However, having a plan in place in case this does happen will minimise the likelihood of data loss and reduce the risk of an attacker gaining access to personal, sensitive and financial information. Based on previous engagements, S-RM has outlined some key steps that will help if you do fall victim.

The golden hour

The likelihood of a phone theft resulting in loss of control of your accounts is determined by the speed in which you react to the device being stolen. It is best to assume that your phone will not be recovered and focus your immediate efforts on limiting the damage that can be done. The below outlines the immediate steps to be taken within the first hour of the theft, and how to mitigate damage caused within the following 24 hours.

The first hour is the “golden” hour. The crucial goal immediately after your phone has been stolen is to lock the device to keep your data secure. Ensuring this is done promptly will reduce the likelihood of the thief gaining access to your information or compromising your online accounts, and limits their ability to cause further damage.

Lock or wipe your stolen device

Android and iOS devices have remote locking capabilities in the event of loss or theft of the device. Remote locking allows you to add a custom message that is displayed on the device; this is a good opportunity to display a contact number you can be reached on if the device is recovered by a good-Samaritan or the police. All data will remain on your phone and its location can still be tracked while connected to the internet.

The second option is to remotely wipe the device which will erase all data, preventing unauthorised access to the data stored on the device. Note, this method is irreversible; if the device was to be returned, you would need to restore the device from your latest backup or set it up as a new device.

In order to remotely lock or wipe the device, you will need to login to the associated Google or iCloud account on another device. Therefore, you will need to know your username and password, and may also require a multi-factor authentication (MFA) code if this is enabled on your account. You can obtain the MFA code if you have access to another trusted device connected to your Google or iCloud account. Without this, you may not be able to authenticate to the account to perform the lock or wipe actions.

It is important to remember that if the thief quickly disconnects your mobile phone from the internet, you may not be able to remotely implement these measures. In this case, the iCloud or Google account will wait for the next time the device receives an internet connection and will immediately implement the lock or wipe then. You can monitor whether the device has been locked or wiped successfully in your account.

Cancel your stolen SIM card

After securing your device, the next step should be to secure your phone number. Contacting your network provider and explaining your phone and SIM have been stolen will start the recovery process.

You may have online accounts that use SMS as a method of MFA, therefore having control over the phone number can be crucial to you regaining access to any accounts. Blocking the stolen SIM and moving your number over to a new SIM will prevent the thief receiving any MFA codes sent to your stolen SIM via SMS, and will enable you to authenticate to your accounts and change your passwords.

Cancelling the SIM will also prevent the thief signing in to chat applications such as WhatsApp using your phone number, which would facilitate them to perform an account takeover by changing the number associated with the account and locking you out.

Note, your network provider may require you to attend in-store to collect your new SIM card. We recommend you do this as a priority immediately after the device has been stolen.

Secure your primary account

Generally when setting up a mobile phone, an iCloud or Google account is connected to the device during the set up process. The associated email may also be used to automatically sign into other services such as ecommerce, banking, and social media accounts. Therefore, it is critically important to secure this primary account to prevent compromise of other accounts.

Having a second trusted device connected to your Google or iCloud account is crucial to regaining access and securing the account. Use this device to access your account and change the password to a secure alternative. At this stage, it is important not to store this password in the Google Password Manager or iCloud Keychain until you have confidence the thief no longer has access to the account.

If MFA is not set up on the account, this should be enabled and connected to an authenticator application on your second device. If configuring MFA via SMS is your only option, ensure you have control of your phone number first, or use a second alternative number if you have one available to you.

Inform law enforcement

Once you have performed the immediate response measures detailed above, you should then consider reporting the theft to your local law enforcement agency using the non-emergency number (UK 101), online, or visiting a local police station. If your handset is insured, you may need a crime reference number to submit a claim to your insurance company.

The first 24 hours

After you have implemented the initial steps to secure your mobile device, phone number and connected cloud account, you should turn your attention to other accounts that the thief may be able to compromise. You might not know if you are a victim of shoulder surfing or if the thief correctly guessed your passcode, therefore it is important to identify any accounts that are accessible from the handset and secure them by changing the password to a secure alternative and enabling MFA (if not already enabled).

This will vary on a case-by-case basis however the types of accounts you may want to consider including are:

  • Financial services – applications such as e-commerce, online banking, trading and investment, cryptocurrency wallets, and other applications which facilitate financial transactions can result in financial loss if the thief gains access.
  • Social media and chat platforms – thieves may target these applications to impersonate you to trusted family members or friends, or post public content which could harm your reputation.
  • Cloud storage repositories – sensitive information stored in these repositories may be stolen and leveraged in attempts to steal your identity or used in blackmail and extortion attempts.

Once you have secured the accounts you deem to be priorities, it is best practice to reset the credentials to all of your online accounts. Where possible, ensure that all the accounts are secured with MFA and a unique, secure password. Saving these passwords in your preferred password manager is recommended, but only once you are confident that the thief does not have access to your password manager, therefore securing this in the first instance is key.

Prevention is better than cure

No one expects to be a victim of theft, and although people are aware of the risks and how to mitigate against them they are rarely ever implemented in a way that would protect them in this situation. Preparation is the only protection in these scenarios. We have put together some recommendations which significantly increases the chance of successfully recovering access to accounts without the thief gaining access.

Use a secure device passcode
  • Ensure your handset is protected with an uncommon PIN or password. Guessable PINs such as 0000, 1234, 2580, and those obtainable through open-source research, such as your date of birth, should be avoided.
  • Use biometric authentication (i.e. Face ID or fingerprint scanners) which mitigate the chances of a shoulder surfing attack being successful.
Secure accounts with MFA
  • Where possible, do not use SMS for MFA as it creates a single point of failure. This also prevents the attacker from controlling the only form of MFA to your accounts. Using an authenticator application is recommended.
  • Ensure MFA is accessible on more than one device.
Use a password manager
  • Using a password manager gives you the ability to sync your credentials to the cloud and access your passwords from any compatible device. This enables you to use strong unique passwords without needing to remember them.
  • Using a different password for each account reduces the risk of multi-account compromise.
Maintain current backups
  • Maintaining robust backups can greatly reduce the risk of data loss when a device is stolen and also gives you confidence in wiping the phone in the golden hour.

Subscribe to our insights

Get industry news and expert insights straight to your inbox.