The rate of phone theft is escalating quickly. Criminals know that smartphones are portals to vast amounts of personal and financial data.
They employ extreme measures to steal unlocked phones, using tactics such as “shoulder surfing” and secretly recording targets to capture passcodes before swiping the phones, knowing these can give them access to apps and other sensitive services.
Disabling a phone’s location signal and locking us out grants thieves additional time to raid our digital wallets, access financial apps, steal digital assets like cryptocurrency, and obtain personal details and photos. Alarmingly, these could be exploited to defraud us in the future or target our friends and family.
I experienced the loss of a phone and several days dealing with the financial repercussions, and I was fortunate to not suffer greater losses. From this, I have acquired important insights into what drives this surge in crime and how we can all enhance our protection.
People casually holding their phones, often unlocked and visible
As you observe the streets of London, you’ll notice many people casually holding their phones, often unlocked and visible, as they wear headphones and remain oblivious to their surroundings. Criminals, however, are acutely aware and observant.
“This is predatory behaviour,” Sales comments. “They are like lions hunting their prey, with women often seen as easier targets. Men are perceived to have more strength to resist an attack.” The quicker and cleaner the theft, the less likely the phone will lock.
According to data from the ONS crime survey and police records, women are slightly more likely to be victims of phone theft, but these statistics don’t detail the various methods used by criminals, and many incidents remain unreported.
Reporting my phone theft to the Metropolitan Police took 20 minutes online, and four hours later, I was informed by email that my case was closed with no further investigation. However, I was left wanting to understand the underlying causes of this increasing crime.
Sales notes significant rises over the past year as criminal gangs recognize the profitability of phone theft. “It’s seen as a lucrative enterprise, requiring less risk and violence than drug trafficking, with fewer chances of arrest and lesser penalties, yet the potential gains are much greater,” he explains, especially if they manage to break into your digital life.
Tech executive James O’Sullivan was socializing in a Dublin bar last autumn when he discovered his phone had been stolen. He initially thought the face recognition feature would keep his device secure, his main concern being his inability to call an Uber. Only a day later did he realize he had lost tens of thousands of pounds. How?
“I believe a spotter watched me input my phone’s PIN earlier that evening,” he recounts, highlighting how criminals employ tactics like shoulder surfing, covert filming, or even tapping into CCTV to then steal phones to order.
Criminals quickly exploited the multiple bank and credit cards in his smartphone’s digital wallet, buying high-value electronics and staying just under £10,000 per credit card to avoid daily spending limits.
Even though marking a phone as “lost” online through another device disables its digital wallet, O’Sullivan couldn’t do this as the criminals had already reset his password.
“The protection for crypto and banking apps is strong against external threats, but once someone has your phone, all two-factor security codes and password reset notifications are sent to that same device,” he points out.
His banks quickly reimbursed the stolen money, yet this level of consumer protection does not cover stolen cryptocurrency, which criminals can easily transfer to another wallet they control.
Sales emphasizes that criminals often target crypto apps first, as many users keep their assets on exchanges. Unlike these vulnerable holdings, “cold wallets,” which store assets offline, offer greater security. For instance, Coinbase provides a free “vault” service that stores digital currencies offline and delays withdrawals by 48 hours.
When it comes to transferring funds from bank accounts, criminals employ networks of money mules to quickly distribute the stolen money across various accounts. They also exploit overdraft facilities and can even secure personal loans through banking apps, with funds appearing in compromised accounts within minutes.
Drawing on his personal ordeal, O’Sullivan has developed a new security app, Nuke from Orbit, currently in beta testing. This app functions as a digital emergency button, enabling users to simultaneously disable their SIM card and various online accounts. Major tech companies like Apple, Google, and Samsung are also developing advanced security features to enhance protection, which are effective if activated and known to the user.
According to UK Finance, a banking industry group, losses from mobile banking fraud surged by 17% to £18.7 million in the first half of 2023, marking the highest amount recorded, with a 32% increase in incidents. The average loss per customer was reported at £2,314.
Dianne Doodnath, a lead figure in economic crime at UK Finance, notes that 98% of unauthorized fraud is reimbursed within 24 hours after banks are notified by customers.
“The challenge is maintaining accessibility for millions who legitimately manage transactions and loans via online banking, while balancing security,” she states. Recent feedback indicates a consumer preference for increased security measures, even if this means more steps during transactions, as it enhances their sense of safety.
Enhancing “cyber hygiene” is crucial, as research by Nuke from Orbit reveals that nearly half of all users employ the same PIN across their phone and various apps, services, and bank cards, thereby simplifying the task for thieves. Keeping multiple bank cards and your driving license in your phone case only further aids criminals.
Just days after my phone was stolen
I managed to replace it and restore my service. However, the troubles didn’t stop there; phishing attempts soon followed.
I received a text claiming to be from Apple’s “Find My” service, stating they had located my lost iPhone and providing a link. The FT’s cybersecurity team discovered the link directed to a sophisticated fake Apple website designed to harvest my passcode.
The following day, another message arrived, this time with a threatening tone: “Your iCloud photos are being shared with another user,” accompanied by the same suspicious link.
I also received calls, both automated and from live callers, claiming to represent organizations I deal with, all asking to “reset my security details.” I avoided falling for these scams, but each attempt still caused considerable anxiety.
Once a criminal accesses your phone data, the potential for exploitation is vast. They could reach out to your contacts asking for money or even use personal photos to extort funds. Sales mentioned that seemingly harmless photos could be utilized in romance scams.
Experiment with your partner or a family member to see how far they can get into your phone using just the passcode. Many apps, if unable to authenticate via Face ID, will revert to the passcode or use two-factor authentication, which involves codes sent via SMS or email—accessible from the device itself.
Regarding the phone, once it’s reported stolen and the SIM is locked, it can’t be used on UK networks and will be flagged if anyone attempts to sell it to a reputable dealer. However, it’s not entirely useless; as UK phones are compatible with the GSM standard, they can be used abroad with a new SIM card.
Hamish MacLeod, CEO of Mobile UK, notes a significant “intelligence gap” in understanding what happens to stolen phones, suspecting organized crime’s involvement in collecting and shipping these phones globally.
