Phone theft is turning into a serious cybersecurity risk

Phone theft is a rising issue worldwide, and it’s more than just a property crime. It’s a serious cybersecurity threat. In the UK alone, the Metropolitan Police seizes 1,000 phones each week.

Stolen phones don’t just go to local black markets. They often get funneled into larger criminal operations. For example, stolen phones can be used to bypass security features or be reprogrammed and resold.

In 2024, Europol uncovered a massive phishing network that affected over 480,000 victims worldwide. The criminals used stolen phones and leaked data to steal money and information.

In cities like Shenzhen, known as the “Silicon Valley of China,” stolen phones are trafficked to tech companies or underground operations, where they are either dismantled for parts or resold after being tampered with.

Mobile device security risks

According to Verizon’s 2024 Mobile Security Index, 80% of organizations consider mobile devices critical to their operations.

Many organizations still rely on basic mobile controls or assume that mobile operating systems provide adequate security. That assumption no longer holds. If a stolen device can connect to enterprise systems without additional checks, it can allow an attacker to act as the user and move further into the network.

Most phones aren’t protected well enough. A PIN or fingerprint doesn’t mean much if the phone is misconfigured or unlocked. If an attacker gets in, they can copy data, reset passwords, or even access admin tools.

BYOD (Bring Your Own Device) makes this harder. Some companies don’t even track how many personal phones connect to their network. These phones might be out of date, not encrypted, or jailbroken, and there’s often no easy way to know. Ivanti found that only 63% of organizations can track both BYOD devices and corporate-owned IT assets.

Although procedures for handling stolen laptops are well-established in most companies, protocols for dealing with stolen smartphones are often lacking. This oversight is particularly concerning, as smartphones now store and provide access to a significant amount of corporate data and systems, sometimes even more than laptops. Without a proper plan in place, a stolen phone can pose a serious security threat.

For laptops, the typical steps are reporting the theft, remotely locking or wiping the device, and cutting off access to company systems. These actions help reduce the risk of unauthorized access. But with smartphones, the lack of a process means companies might not act fast enough to stop a breach.

MFA is considered a strong security method, but if the phone used for it is stolen, it becomes a weak point. Losing the phone means losing control over security. Attackers can use it to impersonate the user and access systems undetected.

We can’t eliminate risk entirely, but we can make it harder for criminals to take advantage when a phone is stolen.

What organizations can do to minimize risks

Review mobile security policies

Make sure your company has mobile security policies. Update them regularly. Enforce rules for BYOD. Ensure personal devices connecting to company systems are secure (encrypted, updated OS, etc.). Set guidelines for monitoring, securing, and handling lost or stolen phones.

Enable mobile device management (MDM)

Use MDM to enforce security rules on all devices, both company-owned and personal. MDM should let you wipe, disable, and track devices remotely if they’re stolen. If you don’t have MDM, set it up now.

Limit access and use zero trust

Don’t give mobile devices more access than they need. Apply least privilege access. Consider a zero trust model, where every access request is verified before granting access to internal systems.

Strengthen authentication

Use multi-factor authentication on all systems. Don’t rely on SMS or app-based MFA tied to the stolen phone. Use hardware tokens or biometrics instead. Ensure stolen phones can’t bypass MFA.

Develop a response plan

Create a response plan for phone theft, just like you would for lost laptops or data breaches. The plan should include steps to disable access, revoke credentials, and wipe devices remotely. Train employees on what to do if their phone is lost or stolen.

Audit and monitor devices regularly

Track and monitor mobile device use. Use tools like endpoint detection and response (EDR) to spot suspicious activities or unusual access attempts. Set up alerts for anything that might suggest a device has been compromised.

Educate employees

Train employees on mobile security best practices. This includes using strong PINs, setting up biometrics, and reporting lost or stolen phones quickly. Well-trained employees are your first line of defense.

Review third-party risks

If employees use third-party apps, check if those apps could be exploited if a phone is stolen. Add security measures to reduce the risk of those apps becoming an attack vector.

Enforcing mobile security standards

“Enforcing consistent security policies across all devices and platforms helps mitigate risks by ensuring that all devices follow the same security standard and it reduces exploitable security gaps. It also helps alleviate resourcing issues by streamlining operations, ensuring that IT and security teams can more effectively respond to incidents and adhere to regulatory compliance ,” said Jim Dolce, CEO at Lookout.

Apple and Google have enhanced anti-theft protections in their latest mobile updates. Enterprises should require these features on supported devices and update mobile security policies accordingly.

Unfortunately, the rise of this type of crime shows no signs of slowing down. If we fall victim to it, the best we can do is take immediate action to protect and secure any sensitive information on the device.