Warning to South Africans whose phones have been stolen

Experts urged South Africans to be careful with their phones, since fraudsters who steal them can quickly break into password-protected devices, gain access to the victim’s bank account and finances, and even scam their family and friends.

Kevin Hogan, head of fraud risk at Investec and Anna Collard, cybersecurity expert, explained the dangers of having one’s phone stolen on Investec’s Everything Counts podcast.

Hogan explained that a person’s phone is the key to their bank account. Often, criminals target phones specifically to gain access to these accounts.

“People are under the impression that the security on the phone is bulletproof,” Hogan said. They believe that because they have a password or facial recognition on their phone, it is impenetrable.

Even those who have had their phone stolen while it was unlocked, while they were waiting for an Uber, for example, may believe that all of their accounts are safe, since they are password-protected.

“This is simply not true. The reality is this – most people have very weak passwords on their phones. For most people, it’s four, six, or eight numbers,” Hogan said.

While most phones may default to these shorter passwords, he said people can, and should, opt for longer passwords.

The truth is that technology exists which can crack these 4- to 8-digit passwords in under 10 minutes. In some cases, fraudsters have access to this technology.

“The assumption that you’re making that your phone cannot be accessed because it’s locked is unfortunately unfounded,” Hogan warned.

“One of the best things that you can possibly do to protect your phone is to have a very long password on it.”

This does not mean users will have to type in a 20-digit code every time they want to use their phone. Hogan recommended that everyone use facial recognition on their phones, which is much more secure.

“99.99% of the intrusions into stolen cell phones that we have seen have been the username and password, because the frauds just can’t bypass facial recognition,” he said.

What to do if your phone is stolen

Even the most careful South Africans are still at risk of having their phones stolen. Collard explained that if this happens, it “can be a complete crisis”.

“If we think about what we store in our phones, they are the keys to our bank account, to our digital wallets, to our email, social media accounts, and passwords. Our whole lives are on these devices,” she said.

In the event that someone’s phone is lost or stolen, she stressed the importance of staying calm and acting quickly. Before doing anything else, the person should call their bank and have their phone delinked from their bank account.

“The first target is the bank accounts,” Hogan said. He explained that many people don’t realise that the physical handset, their cellphone, is registered on the bank system.

Every bank account is linked to a specific phone, which means that is the only device which can receive communications like one time pins (OTPs) and in-app messages.

“That’s why they need that physical handset. Obviously, when the fraudsters are in that phone and they’re now using it, it appears to the bank as if it’s you,” Hogan explained.

Because the registered device is being used, the bank will allow transactions and purchases to go through, since they believe the account holder is responsible.

For that reason, having the phone delinked from the bank as soon as possible is essential. Users should also contact their cellphone provider and have their phone and SIM card blacklisted to ensure it cannot be used.

Delinking every other account, changing passwords and removing the phone from a user’s Apple ID or Android ecosystem should also be done quickly.

Collard explained that if the fraudsters manage to gain access to the phone, which is possible even for those who have long passwords, they can trick the victim through social engineering.

Given how stressful it can be to have one’s phone stolen, fraudsters sometimes take advantage of this panic by sending the victim an email pretending to be from companies like Apple, WhatsApp, Meta or Google.

They will claim that they have detected suspicious activity on the victims’ accounts and direct them to verify their details.

While the victim may do so believing they are securing their accounts, they are actually providing the fraudster with even more details, Collard explained.

As a result, the criminal can steal even more money from the victim. For example, if they gain access to the victim’s iTunes account, they can potentially link an Apple watch and purchase items using the victim’s money.

If they gain access to a WhatsApp account, the fraudster could pretend to be the rightful owner and contact their friends and family and say that they need money.

“The number one priority is your money, your bank accounts. But also think about all the other accounts that they can get access to through your phone, like your email, your WhatsApps, your social media accounts,” Collard said.