How your mobile phone is putting you at risk on holiday

Close-up of a woman with blond hair, wearing a black pullover, using her smartphone while charging it via a white USB cable on a public charging station
Plugging your phone to charge at the airport may now be fraught with risk, says experts - SimonSkafar

There’s no doubt that mobile phones have made trips abroad more convenient. From apps that store boarding passes to mobile banking and online restaurant reservations, they can simplify holiday admin and make it easier to navigate tricky language barriers. But technological advances have benefited thieves and cyber criminals too – and using a phone on holiday could put users at risk of data theft, burglaries and more.

Handsets are prime targets for thieves. Phones are now the most commonly stolen items of personal property in the UK according to the Office for National Statistics. However, even if your mobile is safe, the information it contains might not be. Below, experts reveal how your phone might be putting you at risk on holiday, and what you can do to prevent the worst from happening.

Antisocial network

Arriving at the airport or hotel and switching to free Wi-Fi used to mean breathing a sigh of relief about cheaper mobile phone bills. But beware: those shared networks might not be legitimate.

“Holidaymakers face significant cyber security risks when using public Wi-Fi networks,” says Leon Teale, senior penetration tester at data protection provider IT Governance. “Attackers often set up rogue Wi-Fi networks, such as ‘Airport Wi-Fi’, to trick users into connecting. Once connected, these attackers can intercept and potentially modify all data transmitted, leading to compromised accounts and stolen information”.

Teale also highlights the risk of fake log-in portals, which ask users for payment details to connect. And he cautions holidaymakers not to make payments over shared Wi-Fi networks, even if using a VPN (virtual private network). Instead, stick to 4G or 5G for online banking, and always log out of the apps after use.

Setting up a VPN is a good idea, however. “I would say in 2024, it is a must,” says Ed Williams, vice president of consulting and professional services in EMEA at the cybersecurity firm Trustwave. “Ostensibly, it’s just a secure method of talking to somebody else without making sure that people look at what you’re doing.”

Setting one up should be simple. “It’s super easy nowadays,” says Marijus Briedis, chief technology officer at NordVPN. “You don’t need any kind of configuration manager and you don’t have to be geeky – you just download the app. But don’t use free VPNs. That’s really important, because they sell the data that you are using.”

One benefit of VPNs is that they help users avoid sophisticated phishing schemes, some of which specifically target holidaymakers or business travellers. If, for example, cyber criminals have access to restaurant and hotel bookings through an unsecured network, they can contact targets using insider knowledge, which makes requests for money or personal information appear more legitimate.

“In the age of AI, it’s getting crazy,” says Briedis. “You can even do a voice phishing attack. You basically only need six seconds of the voice of the person and then you can write the text and it will be said in his or her name [on a voicemail or voice note, for example].”

In countries with less robust data protection laws, VPNs can also help prevent personal information being captured and sold. Note that they are illegal or blocked in a handful of destinations though; if in doubt, check before you go.

'Holidaymakers face significant cyber security risks when using public Wi-Fi networks,' says expert Leon Teale
'Holidaymakers face significant cyber security risks when using public Wi-Fi networks,' says expert Leon Teale - getty

Cable guys

There’s another shared resource to be wary of when travelling – USB ports. In 2023, the FBI’s Denver branch warned passengers not to use the ones at airports in a much-publicised tweet, cautioning that “bad actors have figured out ways to use public USB ports to introduce malware and monitoring software onto devices”.

It’s the same story in hotel rooms: “You’re connecting your device physically to the port and this opens up a whole different story of attack vectors because they have the physical access. Just don’t use those USB chargers,” advises Briedis. Instead, he plugs his phone into a normal socket. You can also buy charge-only cables or data blockers (available at Amazon) which prevent data transfer – or carry a battery pack so you don’t have to plug in at all.

Stolen moments

There are less high-tech ways that holidaymakers can find their data stolen too, including losing a phone or falling foul of pickpockets. Tim Riley of independent travel insurer True Traveller says that more than a third of its claims are for phones or money. “By far the most common places where the thefts take place are bus stations, railway stations or airports,” he notes.

Given how much we store on our devices, the aftermath of a phone theft can be a headache. “If a phone is stolen on holiday, take immediate steps to secure personal data,” says Teale. “This includes remotely locking and wiping the device using services such as Find My iPhone or Google Find My Device, changing passwords for critical accounts, and informing the service provider to disable the SIM card.”

In order to do so, you’ll need to have made a note of your phone’s IMEI (international mobile equipment identity) (found by dialling *#06# on your handset). You’ll also need to freeze any bank cards with details saved on your phone and notify the police of the theft in order to make an insurance claim.

With so much personal information held on our handsets, good cyber hygiene should be a regular habit. “Ensure all electronic devices are equipped with the latest security updates and patches,” recommends Anne Cutler of Keeper Security. “Watch for notifications, install updates immediately and turn on automatic updates wherever possible. Not only do software updates enhance existing features, fix bugs and improve performance, they also patch security flaws and add new security measures.”

If you haven’t already, enable Face ID and Find My iPhone (or your phone’s equivalent). Pay attention to passwords too.

These should be “at least 16 characters long, not contain dictionary words, patterns or sequential numbers, and include uppercase and lowercase letters, numbers and special characters,” according to Cutler. “You can further strengthen your account security by enabling two-factor authentication (2FA). It’s an additional layer of protection which ensures that, even if a password is compromised, unauthorised access will be prevented.”

Make things easier by using a password manager app, which can generate and store unique codes for each of your accounts. “Don’t remember your password. Don’t use the same password. You don’t even need to know your password – you have a tool for that,” says Briedis.

No matter how prepared you are, be wary of having your phone on show. “In London (and I am sure many other large cities), there are numerous accounts of devices being pulled from their owners’ hands while they use them, and thus while it’s unlocked, specifically because the device is of more use to the criminal that way,” says Alex Hinchliffe, threat intelligence analyst at Palo Alto Networks’ Unit 42 threat intelligence arm.

In crowded cities, it’s also worth being aware of “shoulder surfing”. This is the practice of people watching your phone over your shoulder in order to see personal information such as online banking log-ins.

Picture this

There’s another trend amongst unscrupulous thieves: targeting those who post pictures of their holidays on social media. Those beautiful snaps of faraway beaches are a clear sign that nobody’s home.

“Broadcasting your location in real-time makes you a target for both cyber attacks and physical crimes,” says Cutler. “In addition to providing your location and personal information, sharing that you’re away alerts thieves that your house is unoccupied”.

It’s a cautionary tale for our times. Save those Instaboasts until you’re back on home soil.