Security experts have warned consumers for years that their smartphones could be an easy gateway to their identities.

Think of it this way: a thief grabs your phone or someone picks it up in a coffee shop where you’ve left it. If you haven’t passcode protected it or it was still unlocked, they now have access to your email, your Amazon app, your PayPal app, your social media apps, your mobile wallet, and more, all with a few simple password changes.

Clicking “forgot my password” provides them with a link that’s sent to your email or phone number, which they now have access to. A quick browse through your social media might even provide them with the answers to your security questions, such as your mother’s maiden name and the town where you were born. They change all of your passwords and go on a spending spree, all while locking you out.

But experts are now warning about an entirely new threat involving your phone. Phone hijacking, as it’s been called, is technically a form of account takeover. A thief walks into a mobile carrier store and pretends to be you. With a few simple steps, they upgrade your account and walk out with a couple of brand-new iPhones. You only discover the problem when your real phone stops working because the number has been transferred to those new phones…or when the bill for those phones arrives.

This might sound like a random crime of opportunity, but the reality is smartphone hijacking doubled in 2016, and the damage from all forms of account takeover reached well over $2 billion that year.

How are thieves pulling this off? First, there’s a lot of information about consumers floating around “out there.” Seemingly harmless information like your email address and cell phone number aren’t so harmless when a criminal gets just a couple more pieces of information. If you’ve used your email address as your cellular account username, it only takes buying your data off the internet to see if you’ve reused an old password.

Stealing or buying other pieces of data like your medical account information can also help a thief hijack your phone. After all, these records often include a Social Security number, your date of birth, address, email address, and other pertinent details, which could be enough to recreate a driver’s license and convince a cellular employee to upgrade your phone.

To fight back against this kind of crime, consumers have to be prepared to adopt some proactive habits. First, this is precisely why you never reuse a password. In data breaches like the MySpace breach or the Yahoo breach that compromised a database of years’-old information, those old passwords can come back to haunt you if you’re still using them.

Next, it’s absolutely vital that you take action the second you spot something out of the ordinary. Some victims of phone hijacking have reported that they received “changed password” emails from their providers, or that their phones quit working right. Those are giant red flags that must be addressed immediately.

Finally, do not make the mistake of thinking, “Well, it’s just a phone. We’ll figure it out later.” As mentioned above, your phone contains a lot of access to the rest of your identity. Don’t dismiss these warning signs without following through.

Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.