There's no doubt that mobile phones have made travelling abroad easier. From apps that store boarding passes to mobile banking and online restaurant reservations, they can simplify holiday administration and make it easier to bypass tricky language barriers. But technological advances have also helped thieves and cybercriminals - and using a phone on holiday can expose users to the risk of data theft, break-ins and more.
Mobile phones are prime targets for thieves. According to the Office for National Statistics, phones are now the most stolen personal property in the UK. But even if your mobile is secure, the information it contains may not be. Here, experts reveal how your phone could be putting you at risk on holiday and what you can do to prevent the worst from happening.
Antisocial network
Arriving at the airport or hotel and switching to free Wi-Fi used to mean breathing a sigh of relief about cheaper mobile phone bills. But beware: those shared networks may not be legitimate.
"Holidaymakers face significant cybersecurity risks when using public Wi-Fi networks," said Leon Teale, senior penetration tester at data protection provider IT Governance. "Attackers often set up rogue Wi-Fi networks, such as 'Airport Wi-Fi', to trick users into connecting. Once connected, these attackers can intercept and potentially modify any data being transmitted, leading to compromised accounts and stolen information."
Teale also highlights the risk of fake login portals, which ask users for payment details to connect. And he warns holidaymakers not to make payments over shared Wi-Fi networks, even if they're using a VPN (virtual private network). Instead, stick to 4G or 5G for online banking and always log out of apps after use.
Setting up a VPN is a good idea, though. "I would say by 2024 it's a must," says Ed Williams, vice president of consulting and professional services in EMEA at cybersecurity firm Trustwave. "Ostensibly, it's just a secure way to talk to someone else without people looking at what you're doing."
Setting it up should be easy. "Nowadays it's super easy," says Marijus Briedis, Chief Technology Officer at NordVPN. "You don't need a configuration manager and you don't have to be a nerd - you just download the app. But don't use free VPNs. That's really important, because they sell the data you use."
One benefit of VPNs is that they help users avoid sophisticated phishing schemes, some of which specifically target leisure or business travelers. For example, if cybercriminals can access restaurant and hotel bookings over an unsecured network, they can contact targets using insider knowledge, making requests for money or personal information seem more legitimate.
"In the age of AI, it's going to be crazy," Briedis says. "You can even do a voice phishing attack. You basically only need six seconds of the person's voice and then you can write the text and it will be spoken in their name. [on a voicemail or voice note, for example]."
In countries with less robust data protection laws, VPNs can also help prevent personal information from being recorded and sold. Be aware that they are illegal or blocked in a handful of destinations; if in doubt, check before you go.
Cable boys
There's another shared resource to watch out for when you're traveling: USB ports. In 2023, the FBI's Denver office warned passengers not to use airport gates in a much-discussed tweet , warning that "bad actors have found ways to use public USB ports to introduce malware and monitoring software onto devices."
It's a similar story in hotel rooms: "You're physically connecting your device to the port, and that opens up a whole other story of attack vectors because they have the physical access. Just don't use those USB chargers," Briedis advises. Instead, he plugs his phone into a regular wall outlet. You can also buy charge-only cables or data blockers (available from Amazon) that prevent data transfers - or bring a battery pack so you don't have to plug in at all.
Stolen moments
There are also less high-tech ways holidaymakers can have their data stolen, such as losing a phone or being pickpocketed. Tim Riley of independent travel insurer True Traveller says that more than a third of claims involve phones or cash. "By far the most common places for thefts to occur are at bus stations, train stations or airports," he notes.
Considering how much we store on our devices, the aftermath of a phone theft can be a headache. "If a phone is stolen while on vacation, take immediate steps to protect personal data," says Teale. "This includes remotely locking and wiping the device using services like Find My iPhone or Google Find My Device, changing passwords for critical accounts, and notifying your service provider to disable the SIM card."
To do this, you will need to make a note of your phone's IMEI (international mobile equipment identity) (you can find this by dialing *#06# on your device). You will also need to block any bank cards with details stored on your phone and notify the police of the theft in order to make an insurance claim.
With so much personal information on our handsets, good cyber hygiene should be a regular habit. "Ensure all electronic devices are equipped with the latest security updates and patches," advises Anne Cutler of Keeper Security. "Look out for notifications, install updates promptly, and enable automatic updates where possible. Software updates not only improve existing features, fix bugs, and improve performance, they also patch security holes and add new protections."
If you haven't already, turn on Face ID and Find My iPhone (or your phone's equivalent). Also, keep an eye on your passwords.
These must be "at least 16 characters long, not contain dictionary words, patterns, or sequential numbers, and contain upper and lower case letters, numbers, and special characters," Cutler said. "You can further strengthen the security of your account by enabling two-factor authentication (2FA). It's an extra layer of protection that ensures that even if a password is compromised, unauthorized access is prevented."
Make it easier on yourself by using a password manager app, which can generate and store unique codes for each of your accounts. "Don't remember your password. Don't use the same password. You don't even need to know your password - there's a tool for that," Briedis says.
No matter how prepared you are, be careful about showing your phone. "In London (and I'm sure many other major cities) there have been numerous cases of devices being snatched from their owners while they're in use, and therefore unlocked, mainly because the device is more useful to the criminal that way," says Alex Hinchliffe, threat intelligence analyst with Palo Alto Networks' Unit 42 threat intelligence practice.
In busy cities, it's also worth being aware of 'shoulder surfing', the practice of people looking over your shoulder at your phone to see personal information, such as online banking logins.
Picture this
There is another trend among unscrupulous thieves: they target people who post pictures of their vacation on social media. Those beautiful snapshots of distant beaches are a clear sign that no one is home.
"Broadcasting your location in real time makes you a target for both cyberattacks and physical crimes," Cutler says. "In addition to providing your location and personal information, sharing your absence alerts thieves that your home is unoccupied."
It's a cautionary tale for our times. Save those Instaboasts until you're back on home soil.