A thief stole my iPhone and spent £20,000 of my savings

The crook also took out a £15,000 Halifax loan at 5am

These days, losing your phone is more than just an inconvenience. And as Andrew Merritt, a member of the Be Clever With Your Cash Facebook community, discovered – it can be financially devastating.

Pickpocketed in London

In late April, Andrew, 28, was on his way home after a friend’s gig when he realised his phone was missing from his pocket. 

He turned around but couldn’t see anyone making a quick getaway into the crowd at Piccadilly Circus, central London. Andrew, a deputy financial controller, said his initial thought was trying to get home as he was relying on Apple Pay. 

It took two hours to get home (a policeman put him on a bus for free). By then the crook had already changed the password on his iPad and had started making applications and accessing Andrew’s accounts.

By 5am a £15,000 Halifax loan was approved in Andrew’s name as were several credit cards. As the hours wore on, Andrew also got notifications from his own providers, Chase and Wise, saying his cards and accounts had been frozen following suspicious activity.

Andrew said he didn’t know what to do. He said: ‘I felt completely helpless. I couldn’t contact anyone and I just had to sit there and watch as the thief did more and more damage.’

A prolific thief

Within two hours of stealing Andy’s phone, the pickpocket had accessed his banking apps and began moving his money. 

Andy’s apps required further authentication to access his accounts, but as the thief had his email and phone number, he was able to reset many of them. He was also able to reset Andrew’s Apple ID password and add his payment cards to Apple Pay, to allow him to spend contactless from Andrew’s phone.

If the criminal had simply stolen the money from Andrew’s account, the unauthorised transactions would’ve been refunded by the next working day.

But as Andrew is an avid Be Clever With Your Cash reader, and has multiple savings and current accounts, it got complicated. 

The crook clearly understood the banking system and knew to move multiple sums from Andrew’s savings accounts to his current accounts, to avoid detection and to ensure he could transfer the money out. 

Movements between different current accounts suggest he knew which accounts he could easily withdraw money from.

Over the next 24 hours, these are some of the transactions the criminal made between Andrew’s accounts:

| Starting account | Money moved | End account |
|---|---|---|
| NatWest savings account | £5,000 | NatWest current account |
| Lloyds Help to Buy ISA | £11,130 | Lloyds current account |
| Lloyds savings account | £2,000 | Lloyds current account |
| Lloyds current account | £8,000 | Chase current account |
| RBS savings account | £5,000 | RBS current account |
| Nationwide savings account | £1,2000 | Nationwide current account |
| RBS current account | £200 | Wise account |
| Tesco credit card | £430 | Wise account |
| Multiple current accounts | £9,400 | Wise account |

Credit applications

The crook was also able to take out a £15,000 loan with Halifax at almost 5am that morning. Out of this loan, he moved almost £5,000 to Wise straight away. 

Andrew also received a flurry of emails from credit card providers as the criminal continued to apply for credit in his name, although many were unsuccessful. 

£20,000 gone in 16 hours

Andrew had an old phone which he used to start calling his providers. Meanwhile, the crook was going on a spending spree.

In total, he managed to move around £30,000 of Andrew’s savings between his accounts and then spend around £20,000 in 16 hours in Wood Green, north London. This included £3,000 spent in JD Sports and £5,000 in Kodak. 

The thief had also made purchases from Footlocker and bought a £530 PlayStation from CEX. He visited the barber several times and had meals in an East African restaurant. He spent £1,000 on online marketplace Onbuy and made large cash withdrawals from cash machines. Another £1,200 of purchases was declined in Argos.

Andrew says he can’t believe his banks didn’t do more to stop the transactions. He says: “I’ve never moved money out of my savings accounts and I’ve had them for years. 

“So why didn’t my banks question why I was suddenly emptying them in the early hours of the morning? And surely someone taking out a £15,000 loan at 5am should trigger further checks or even a phone call?”

Andrew has also never used his Wise account for purchases and yet the thief was able to transfer £10,555 to Wise and spend all but £119. Over £5,000 was spent after Wise emailed Andrew saying his account had been frozen. Wise says it believes the crook was able to unfreeze the account, as he had access to Andrew’s email, and carry on spending.

How did the crook access Andrew’s money?

We don’t know for sure but it’s possible the crook targeted Andrew, looking over his shoulder until he saw him entering his passcode, before stealing his phone from his pocket. And from there, he reset Andrew’s passwords, intercepting the instructions via email or text message.

BBC Rip Off Britain’s resident technology expert, David McClelland, told us: “Password resets are a vulnerability criminals repeatedly exploit in order to gain unauthorised access to potential victims’ online accounts. 

“If a hacker has visibility of a potential victim’s email accounts and their SMS – e.g. with access to their smartphone – they would be able to action password resets across various online services, enabling them to take over those accounts.”

What did the banks do?

Many banks refunded Andrew swiftly, in line with the rules. However, it got more complicated with Halifax, Lloyds and Wise. 

Lloyds and Halifax said as the money had been moved to another account in Andrew’s name, he should speak to the receiving providers – Wise and Chase. And Halifax refused to clear the loan unless Andrew repaid the £4,800 that the fraudster had already spent.

But Richard Emery, fraud expert at 4Keys International, says this was wrong. He told us: “If Andrew did not authorise the transfer of money from his Halifax account to his Wise account (or indeed to anywhere else), Halifax must refund him. The fact that the money went to another account in his name is completely irrelevant.”

Wise initially refused to refund unless further evidence was provided. 

Resolving the matter

I’m pleased to say that after speaking to Lloyds Banking Group and Wise, Andrew’s case has almost been resolved. 

Wise has now reimbursed all but £250 (which it is planning to return). Lloyds has fully refunded Andrew, has promised to unwind the loan and will return his savings accounts to their original position. 

A spokesman says: “This is a complex case involving payments made to genuine accounts our customer held at other banks. Protecting our customers from fraud is our priority and we have a great deal of sympathy for Mr Merritt as the victim of a scam. We review each claim in line with the relevant regulations when deciding if we’re able to provide a refund.” 

A Wise spokesman says: “We are deeply sorry for the experience faced by Mr Merritt. It demonstrates the lengths criminals will go to to separate people from their money.

“Sadly on 27th April, Mr. Merritt fell victim to a sophisticated account takeover scam. Following an investigation and working closely with Mr. Merritt, we will be fully returning the funds associated with the fraudulent activity to him.” 

What can a criminal do with your phone?

David says: “An unlocked phone snatched from a victim’s hand is a treasured prize for criminals who know how to extract value quickly from the device. 

“This might include access to apps, email, contacts, passwords stored in notes, files in Dropbox and personal information that could be used in identity theft and to apply for credit or accounts. Usually, none of this will require any further authentication.”

As a test, I swiped down to search on my iPhone and typed in ‘passport’. And there, found in my messages were photos I had sent of my passport to friends and family when they needed my ID information. I could also find my banking apps by typing them into the search bar, which is useful for thieves trying to steal my identity.

If the phone is locked, criminals can take the Sim and put it in another device allowing them to receive messages, including two-factor authentication codes and password resets, send messages and make calls posing as the phone owner.

David also says you could be a target without knowing. This isn’t to make you paranoid – but be vigilant. 

A friend’s boyfriend recently had his phone whipped out of his hand by someone whizzing by on a moped. And this is common, especially in London. David says criminals often work in gangs to identify ‘marks’ and steal their devices, by foot, bicycle or scooter. 

Pickpockets often operate in busy areas, like tube stations or bus stops. Not only are there lots of victims but one of the first things people do when they hop off public transport is check their phone for messages or directions. This gives criminals the opportunity to peer over their shoulder at their passcode before swiping their phone. 

Or, if they’re lucky, they may be able to grab your phone before it’s locked, for example if you’re already using your phone or on a phone call.

How Andrew now protects his iPhone

Andrew’s introduced a number of security measures on his smartphone so if he’s ever pickpocketed again, his money and accounts are protected. These include:

  • Never using a phone case that can hold cards. Andrew kept his driving licence in his phone case which may have aided the criminals in applying for loans
  • Only keeping one banking app on his phone now. The rest are on his iPad/laptop
  • Storing no passwords in Apple’s keychain. If the fraudster manages to get your phone passcode, then they will be able to access your passwords. He now uses Microsoft Authenticator
  • Using an app called ‘Cape.’ This hides Chase from his phone when he goes 100 metres from his house. He can temporarily unhide it but he’s set up a shortcut to remind him to hide it again once he closes the app.
  • He’s added his partner as a recovery person on iCloud
  • Turning off message preview notifications

39 thoughts on “A thief stole my iPhone and spent £20,000 of my savings”

  1. Oddly there was another “Andrew” featured on You and Yours a week or two ago who had had the same thing happen to him, although this seemed to be someone he’d picked up in a club and was returning to his flat with in an Uber. Instead he lifted the phone, made his excuses and left with it.

  2. Glad he got his money back as that is a PAINFUL lesson.

    I’ll be honest and state I think I have been very slack with my phone which has access to a lot of money at some scumbag thief’s fingertips if snatched. I’ve only recently been made aware of the dangers, which was incredibly reckless when I think about it.

    I’ve removed unnecessary apps, have the usual pins, face id etc but don’t know how to lock the SIM without what looks like a palaver. I have Find My Device set up and strived for unique unsaved passwords to key accounts.

    Any other tips welcomed…the things we have to do to counter these scrags of the world !

  3. Just listened to podcast. I’ve got a very cheap Alcatel mobile for emergency. Cost me about £10 a few years ago. Obviously not possible to download banking apps onto it. I think when I visit London in future, I’ll carry that instead of my android, albeit a bit inconvenient.. Security pockets on clothing and chain on wallet also big help.

  4. So surely all you have to do is enable face ID or fingerprint ID. Then the thief can not possibly unlock the phone even if they are watching over your shoulder. And if he snatches it while unlocked, you can’t change any security settings without the face ID/fingerprint ID or at least the PIN/passcode. And all of my banking apps and password manager are also biometric locked.
    Once I enabled fingerprint ID, everything else was as above by default – so I am not sure why this is an issue if you avoid a PIN/passcode?

  5. Think I’ve got it now. The article implies that he stored all his passwords and numbers to access his bank accounts in Apple Keychain, whatever that is. Once the phone is accessed, this keychain is as well and the thief is very quickly into the accounts.

  6. I notice that Andrew had money stolen from a Nationwide account. In place of a user name, Nationwide issue a very long random number to access the website, which would be impossible to guess. Without this a reminder of the pin could not be given or the pin changed, so the app could not be accessed without the account number and sort code. For this a bank card would need to be stolen, but Andrew says only his driving licence was taken. Explanation please, Amelia.

  7. It’s terrifying how quickly and how much money he lost. I think a lot of people assume you’re safe from all that if you have a locked phone but clearly not. Glad he’s managed to get his money back though, and hopefully without denting his credit score.

  8. I am sorry for the guy but if you have these apps and facilities on your phone then you do need to be very aware of how you manage security. Too much of modern life is centred on a portable device. Frankly, I never use my phone with any banking set up, which a lot of people of my generation see as a risk too far.

    1. It’s good advice not to use mobile phones for banking but the problem is that it’s impossible to interact with many banks unless you use their dedicated mobile app, no website access with many accounts now.

  9. Or use a virtual sim… I’ve had my phone stolen in London twice. Once in Hampstead by two guys on a moped and once whilst standing at a bus stop at Warren Street by a guy cycling the wrong way down the street, all dressed in black and black balaclava. It happens so fast you barely have time to register what’s going on. These were late at night but I’ve seen other people lose their phones in broad daylight to these scum. Both times it’s happened to me, I had to ask a stranger quickly to help me log into the Find My web app on iCloud.com and remotely brick my iPhone and delete all its data. It’s a horrible experience and leaves you feeling extremely vulnerable. I’m extremely lucky, however, that I’ve never had money or ID stolen like this poor guy. So deeply sorry and horrified to hear of this, and I’m glad it’s been almost fully resolved for him. Hopefully the scum will get caught doing something else as typically happens.

  10. If you go to Settings>Screen Time>Access & Privacy Restrictions you can set a PIN to lock changes to your Apple ID, Face ID etc.

    SIM card PIN lock also very important.

  11. Ultimate nightmare, poor geezer

    1. I use eset anti virus on my android that comes with app lock fingerprint access to open any app you set it to work on, and payment protection – this will scan apps for anything dodgy.

  12. The only app called ‘Cape’ in the Google Play Store is a corporate finance app. I like the concept of hiding banking apps when away from home, but where’s this mystery app?

    1. On android, check out “app lock” in settings, it’s built in and you can select apps to require a passcode or fingerprint for. You can also hide apps from here

  13. You can also change passcode to more complex one. I just set it up to 12 characters number code. Settings -> Face Id & Passcode -> Change Passcode -> Passcode Options -> Custom Numeric Code

  14. Lock your sim with pin different from your phone unlock pin so that if sim is put in a different phone it will ask for pin. On iPhone – Settings -> Mobile Services -> SIM PIN.

  15. Of course, if you use the same pin to access both mobile and banking app, then indeed it’s very easy for the thief.

  16. To sum up, to gain access to a banking app password or number, the thief has to either know or work out your user name or know your bank account number, sort code and date of birth.

  17. Here’s a way I can think of, but it’s full of difficulty for the thief. He looks over my shoulder to get the code as I’m logging into the phone. I use the same code to log into my O2 app and the thief guesses this. This gives him my name. For my banking user name, I use elements of my fore and sur names and 2 numbers from my date of birth. I possibly have my date of birth stored on my phone, though I don’t think so, but maybe the thief finds it. He then has to play around with letters from my name and numbers from my date of birth. Maybe he runs them through a computer.
    I’ll leave you to work out how likely this is, especially for multiple accounts and the time it would take. I suspect a lot longer than the 2 hours mentioned in the story.

  18. To retrieve passwords and numbers you’ll also need your date of birth and postcode. These could be stored on the phone, in which case it might be a good idea to remove them. If you can’t easily find them, probably the thief won’t either.

    1. You missed the point that driving licence was stolen as well…

      1. JD – Missed the point. Yes, that would give name and date of birth. It wouldn’t give password or number, user name for banking apps or bank account numbers.. One or more of these would be needed to access the banking apps.

      2. I would think that unlike me you don’t have to use elements of user name and date of birth. Even so they’re only elements, with all sorts of possible combinations and add ons.

  19. Tried Nationwide. To reset entry number by phone, you’ll receive a new code by post in about 5 days. You can receive the code via the website immediately, but you’d need a user name and password to get on to the website and an account number and sort code if you say you’ve forgotten those.
    I really would like a better explanation than you’ve given of how Andrew’s apps were compromised.

    1. If the banking apps were unlocked by Face ID or biometrics, the pickpocketer could have access if, using the victim’s known passcode, they added their own face to FaceID

      1. Anna – But how would they know the password or number?

  20. After reading this, I went to the Halifax app on my phone. I indicated that I had forgotten my password. I then indicated that I had forgotten my user name. At that point, I was asked for my bank details, including the sort code and account details of my current account. How would a thief get round this obstacle, unless he had also stolen my debit card? You say Andrew only had his driving licence stolen. Please explain.

    1. Lot of the banking apps use biometric. With a phone passcode it’s easy to setup a new fingerprint or face unlock that can be used. It’s also possible to search emails or Cloud server and find sort codes and account number

  21. While the thief is absolute scum, I have very little sympathy for this individual. Walking around with an unlocked iPhone in a pocket that could be picked without him noticing?

    Too much money. Not enough sense.

    1. Cmon at least respect the fact that he has come out to share his experience and stop trying to speculate any mistakes he could have made.

      Importantly just notice how things can get worse if someone can access your phone and learn what can be done. Even if you have the best security, thieves find ways to unlock it once stolen

    2. If you’d read the article you’d know that the phone was not unlocked. Hope that your phone never gets whipped out of your hand while you’re walking down the street, but I’m sure you have too much sense for that?

    3. What a miserable comment. Talk about victim blaming. You sound almost happy he lost so much money. What’s it like to be as perfect as you, as you’ve clearly never made a mistake or done anything you regret in your life?

      1. It seems that some people can only learn from their own experience…

        She was raped because she went through the park alone at night.
        He got robbed because he got his wallet in a back pocket.
        They got burgled because they left front window open.
        All victims are to be blamed, right? Wrong! All those things have happened because criminals performed criminal acts…

        1. “he realised his phone was missing from his pocket”.

          Would you go out and knowingly leave a front window open and expect much sympathy when you were burgled? It’s going to happen.

          I’m amazed at the number of people who have expensive phones poking out of a back pocket who would have absolutely no idea if it was lifted.

          You can learn from experience, or perhaps just have the sense to take more care of your valuables in the first place. It’s not as if they don’t warn everyone about pickpockets all the time.

          As someone has noted in these comments, there seems to be a question of just what was taken to allow all this money to be stolen.

          And why would someone go to a barber three times anyway?

        2. And I think to compare this with a rape is unbelievably crass.

  22. A few more security measures…
    Set up pass code for your sim card that’s separate from your phone pass code, that way if they remove your sim card it is locked.
    Set up fingerprint or faceID to unlock your phone rather than passcode. Make your passcode 8 or 10 digits, that way it’s much more difficult for someone to memorise when looking over your shoulder.
    Make sure your notifications for sensitive apps are set to off on lock screen
    Set up 2 step verification and fingerprint / faceid access to all financial apps.
    Make a list of all the fraud dept contact numbers for all your banks so you can quickly notify them
    Make sure you have find your phone set up so you can quickly remotely erase your phone data via the internet there and then.
    Have a cheap spare phone at home with a PAYG sim ready to use

    1. Good tips – yes I always only use Faceid in public and in London very conscious of taking my phone out of my pocket. Prey is another app which is excellent and can also track and build evidence for the police.

  23. Another useful tip is add a passcode to the SIM.
