The surveillance a clean phone can't stop
These sit outside the phone, so a clean device and tidy settings never reveal them — and you usually can’t prove any of them. Understanding how each one actually works makes it clear why the fixes that follow are the ones that count.
Network monitoring
Everything your phone does online travels as packets of data across whatever network you’re on. Whoever controls that network — a home or office router, a partner’s hotspot, a rogue Wi-Fi point — can quietly record those packets as they pass; this is packet sniffing. A more active version, a man-in-the-middle attack, slips the attacker in between you and the sites you visit, so your traffic flows through them on the way to its destination. Most apps now encrypt the contents of a connection, but the network can still see who you connect to and when — the apps you open, the sites you load, your rough location, the rhythm of your day. Stitched together over time, that metadata is enough to track your activity and movements without anyone ever reading a single message.
SIM swapping
A SIM swap moves your phone number onto a SIM someone else controls, so your calls and texts — including one-time security codes — start arriving on their device instead of yours. It can be done by impersonating you to the carrier, but the easier route is often your carrier account itself: the online account that controls your number is secured by an email login, and if that email is weak, reused, or one an ex still has access to, an attacker can reset the carrier password, sign in, and order the swap themselves. Once they hold your number, the security codes and password-reset links for everything else follow — which is why the email attached to your carrier account is as important to lock down as the number it protects.
Your device account
Your Apple Account or Google account is the most important account you own — the master key to the phone itself. Anyone signed into it can read your messages, open your photos and follow your location from their own device through iCloud or Google sync, with nothing installed on the phone at all. And it’s only ever as secure as the email address it’s built on, because that inbox receives every sign-in alert, verification prompt and password reset. Most people leave this account anchored to an old, everyday email guarded by a reused password — so their single most valuable account sits on one of their weakest. The most important step you can take is to make sure your device account runs on a strong, private email no one else can reach.
The common thread
Notice the thread: a SIM swap and a hijacked device account both trace back to one weak point — the email your accounts trust. And none of this leaves proof you can point to. So the goal isn’t to keep hunting for evidence; it’s to close every door at once, starting with that email.
Close every door at once
Each fix below closes one of those doors. None of them depends on proving anything — done together, they leave a monitor with nothing to see, whether or not anyone was ever there.
Encrypt your connection
A VPN wraps everything leaving your phone in an encrypted tunnel to the VPN’s server. Whoever controls your network can still capture the packets — that part doesn’t change — but all they collect is scrambled, unreadable data. They can’t tell which sites you open, read what you send, or even see who you’re talking to; a man-in-the-middle has nothing to intercept or alter, because the tunnel is sealed before your traffic ever reaches them. The network sees just one thing — a single encrypted connection to the VPN — with your real destinations hidden behind it. So it stops mattering whether anyone is listening on your Wi-Fi or router: the activity and metadata that used to track you simply can’t be read. Proton VPN is the direct fix — switch it on and every connection from the phone runs through that sealed tunnel by default. It’s the one answer to network-level monitoring, and the only one you can’t achieve any other way.
Secure your carrier account
Your number is only as safe as the carrier account that controls it, so treat that account like the high-value target it is. Put it on the same strong, private email you set up above, give it a unique password in Proton Pass, and switch on the carrier’s own two-factor and login alerts — that alone shuts the easy door, where an attacker resets the account online and ports your number themselves. Then add the carrier’s port-out PIN or transfer passcode so no swap can go through without it, and move your two-factor codes off SMS onto an authenticator such as Proton Authenticator or a hardware key, so even a stolen number no longer unlocks your accounts. A sudden, unexplained loss of signal can be the first sign of a swap in progress.
Take your accounts back — on an email they don't control
It starts with the email. Set up a clean, private inbox no one else has ever touched — a fresh Proton Mail address is built for exactly this — and make it the recovery email on your Apple Account or Google account, so the master key to your phone finally sits on something strong. With that foundation in place you can take the rest back: work through your important accounts, switch each one over to the new email, and rebuild every password as you go in Proton Pass so each is unique and none can be guessed from an old breach. Turn on two-factor authentication with an authenticator like Proton Authenticator instead of SMS, and while you’re in your inbox, remove any forwarding rule you didn’t set up — one quietly copying your mail to someone else is easy to miss. Once it’s done, every way back in — the email, the passwords, the codes — runs through accounts only you control.
Once all three are shut
With your connection encrypted, your carrier account locked and your accounts rebuilt on an email no one else holds, there’s nothing left for a monitor to reach — whether or not anyone ever was. You’ll have noticed the same few tools did most of the work; that’s no accident, and it’s where the next part comes in.