TheftResponse
This app used to be a checklist. This is the original.

Device theft prevention checklist

This is everything I wish I had known about device security before my phone was stolen.

The list is long, and you probably do not have time to read it now, or ever, because you are busy. But knowing and implementing the things in this guide could have saved me thousands of pounds, and more importantly, hundreds of hours of torturous claims, police reports, customer support tickets, and follow-ups.

It could have saved me from losing 4 kg in a month due to stress. It could have saved me from not sleeping, panic attacks, and the constant feeling of despair that no institution was really coming to help. I don't want you to pity my despair, I want you to be better prepared than me.

Ultimately, writing this because I do not want anyone else to go through the same thing.

On 24 February 2026, my partner and I were robbed at gunpoint in São Paulo. Our phones were taken while they were unlocked. More than 90 days later, I am still dealing with the aftermath.

Most phone theft advice assumes this scenario:

A thief steals your locked phone and tries to break in later.

But many serious cases happen differently:

A thief grabs your phone while it is already unlocked, while you are using maps, messages, banking, transport apps, email, or WhatsApp.

That changes everything.

If the phone is stolen while unlocked, the thief may not need your passcode. They may already have access to open apps, saved passwords, email, SMS codes, payment apps, banking apps, and account recovery tools.

The goal of this checklist is simple:

One stolen phone should not be enough to access, reset, approve, and drain your accounts.

And yes, the full list is long. So if you are not going to read the whole thing, at least read points 2, 3, 5, 7, and 9.

First question: was the phone locked or unlocked?

Phone theft risk depends on the state of the phone at the moment it was stolen.

Before you follow any theft checklist, identify the state of the phone when it was stolen. Was it locked, or was it open and in use? If it was unlocked, act as if the thief already has access to your email, SMS, saved passwords, logged-in apps, and financial accounts. Your first job is not to recover the phone. Your first job is to stop account access.

This guide focuses especially on unlocked-phone theft, because that is where many standard phone-security tips are not enough. A strong passcode helps, but it does not protect you if the phone is grabbed while already open.

Scenario A: The phone was stolen locked

This means the thief has the device, but they are not already inside it.

Your main risks are:

  1. They guess or observe your passcode.
  2. They access lock screen notifications.
  3. They use your SIM to receive SMS codes.
  4. They try to reset your Apple ID, Google account, email, or banking apps.
  5. They use stolen personal information to impersonate you.

In this scenario, phone security settings matter a lot.

Your priority is:

  1. Mark the device as lost.
  2. Block the SIM.
  3. Remotely lock or erase the device.
  4. Change your email and Apple ID or Google passwords.
  5. Freeze financial accounts if there is any sign of access.
  6. Watch for phishing, SIM swap, and account recovery attempts.

Scenario B: The phone was stolen unlocked

This is much more urgent.

This means the thief may already have access to open apps, browser autofill, email, SMS, payment apps, banking apps, and account recovery tools.

Your main risks are:

  1. They use apps that are already logged in.
  2. They access email and reset passwords.
  3. They receive SMS verification codes.
  4. They use browser autofill to log into accounts.
  5. They change recovery details.
  6. They transfer money, add payees, withdraw funds, or use saved cards.
  7. They lock you out before you can recover access.

In this scenario, the priority is not just finding the phone. The priority is cutting off account access immediately.

Your priority is:

  1. Lock your primary email.
  2. Lock or freeze the highest-risk financial accounts.
  3. Block the SIM.
  4. Freeze cards and banking apps.
  5. Mark the device as lost.
  6. Remotely lock or erase the device.
  7. Revoke sessions from Apple ID, Google, email, banks, fintech apps, payment apps, shopping apps, and password manager.
  8. File a police report.
  9. Open claims and cases.
  10. Keep a timestamped incident log.

Why this distinction matters

A locked phone theft is mainly a device security problem.

An unlocked phone theft is an account takeover problem.

Priority 1: Stop live sessions becoming the attack path

Why this matters

Many apps keep you logged in for convenience. That convenience becomes dangerous if your phone is stolen while unlocked.
The thief may not need your password if your bank, fintech app, investment app, email, or payment app is already open or already signed in.

What to do

  1. Log out of high-risk apps after using them.
  2. Disable “remember this device” where possible.
  3. Turn on app-specific PINs or biometric checks where available.
  4. Check whether the app asks for fresh authentication before sensitive actions, such as:
    • Sending money
    • Adding a new payee
    • Changing your password
    • Changing recovery details
    • Adding a new device
    • Withdrawing funds
  5. Do not assume Face ID or fingerprint login protects you if the app is already open.

Beginner rule

If an app can move money, reset access, or change security settings, it should not stay casually logged in on your phone.

Priority 2: Kill browser autofill as a financial backdoor

Why this matters

Many people save passwords in Safari, Chrome, or another browser. That feels convenient, but it can create a backdoor.
If the phone is stolen while unlocked, the thief may open a website and let the browser fill in the password.
This is especially risky for email, banking, mobile providers, payment apps, and financial accounts.

What to do

  1. Turn off password autofill for critical accounts.
  2. Remove saved passwords for:
    • Primary email
    • Apple ID or Google account
    • Banks
    • Fintech apps
    • Investment platforms
    • Password manager
    • Mobile provider
    • Insurance accounts
    • Any account that can reset other accounts
  3. Remove saved cards from:
    • Safari
    • Chrome
    • Amazon
    • Uber, Bolt, Deliveroo, and similar apps
    • PayPal
    • Booking and travel apps
    • Shopping apps
  4. Check whether your browser can reveal saved passwords after phone unlock only. If yes, treat that as high risk.

Beginner rule

Do not let your browser become a master key to your money.

Priority 3: Separate email, 2FA, and account recovery

Why this matters

Your email is often the key to everything. If a thief can access your email, they may be able to reset passwords for banks, apps, exchanges, shopping accounts, and even your Apple or Google account.
The same problem applies to SMS. If your phone receives the verification code, and the thief has the phone, then the code is not really protecting you.

What to do

  1. Create a separate recovery email.
  2. Do not keep that recovery email logged in on your everyday phone.
  3. Use the recovery email for important accounts, such as:
    • Banking recovery where possible
    • Apple ID or Google recovery
    • Password manager recovery
    • Insurance recovery
    • Mobile provider recovery
    • Investment or fintech recovery
  4. Avoid SMS 2FA for important accounts where better options exist.
  5. Use stronger options where available:
    • Passkeys
    • Hardware security keys
    • Authenticator app on a separate device
    • Authenticator app protected by its own PIN
  6. Set a SIM PIN.
  7. Ask your mobile provider whether they offer SIM-swap protection.

Beginner rule

Your phone should not hold the account, the password reset, and the verification code all in one place.

Priority 4: Lock down the phone, but do not pretend that is enough

Why this matters

A strong phone lock still matters. It helps if the phone locks quickly, restarts, runs out of battery, or is stolen while already locked.
But it does not fully solve open-phone theft. If the phone is grabbed while unlocked, the thief may already be inside.

Important: do not assume Find My iPhone or Android Find Hub will recover the device. If the phone is offline, in airplane mode, or not sharing location (which is the first things that the robber will likely change), it may be useless for recovery. Treat it as a backup tool, not a safety plan.

What to do

  1. Use a long alphanumeric passcode instead of a 4 or 6 digit PIN.
  2. Avoid entering your passcode in public.
  3. Use Face ID, Touch ID, or fingerprint unlock where available.
  4. Set auto-lock to the shortest practical time.
  5. Turn on:
    • Find My iPhone or Find My Device
    • Stolen Device Protection on iPhone
    • Remote lock and erase
    • Lock screen notification privacy
  6. Disable lock screen access to:
    • Control Centre
    • Wallet
    • Notification previews
    • Siri or voice assistant
    • Reply with message
    • USB accessories when locked
  7. Test whether you can remotely locate, lock, or erase your device from another device.

Beginner rule

Phone security helps, but the real question is: what can someone do if they grab your phone while it is already open?

Priority 5: Reduce what is visible when the phone is unlocked

Why this matters

Even without opening every app, a thief can learn a lot from your home screen, notifications, widgets, app switcher, and recent messages.
They may see bank names, verification codes, email previews, balances, payments, or personal details that help them attack your accounts.

What to do

  1. Hide sensitive apps from your home screen.
  2. Remove apps you rarely use.
  3. Do not leave banking, investment, or payment apps open in the app switcher.
  4. Turn off notification previews for:
    • Email
    • SMS
    • WhatsApp
    • Telegram
    • Banking apps
    • Payment apps
    • Authenticator apps
    • Password manager
    • Mobile provider
  5. Remove widgets that show:
    • Account balances
    • Recent transactions
    • Email previews
    • Calendar details
    • Verification codes
    • Crypto balances
    • Investment values

Beginner rule

Do not let your phone display sensitive information before someone even opens an app.

  1. Remove financial apps you do not need daily.
  2. Avoid keeping investment, pension, business banking, or high-value financial apps on your everyday phone unless necessary.

Priority 6: Remove financial apps you do not need daily

Do not keep every bank, crypto exchange, investment app, pension app, and card app on your everyday phone.

For high-risk accounts:

  • Delete the app when not needed.
  • Use a separate device if possible.
  • Keep crypto exchanges off your main phone.
  • Avoid staying logged in.

Do not save recovery phrases, seed phrases, API keys, or backup codes on the phone.

Priority 7: Map your accounts and insurance before anything happens

Why this matters

During a theft, people panic. They waste time trying to remember which accounts they have, who to call, what is insured, and what needs freezing first.
You cannot protect accounts you have not mapped.
This section is preparation. It does not need to be perfect. Even a simple list is better than nothing. This is a great opportunity to think about if you really need each account,if you don't need 15 credit cards and 5 digital banking apps, get rid of them(unless you are trying to build your credit score). Simplifying your financial life is a good thing.

What to do

Create a basic account and insurance audit.

1. List your financial accounts

Include:

  1. Banks
  2. Fintech apps
  3. Credit cards
  4. Savings accounts
  5. Investment platforms
  6. Pensions
  7. PayPal, Wise, Revolut, Monzo, Starling
  8. Buy now, pay later apps
  9. Shopping apps with saved cards
  10. Travel money cards
  11. Business accounts

For each account, record:

  1. Account name
  2. App or website
  3. Emergency phone number
  4. Account freeze link
  5. Whether the app is installed on your phone
  6. Whether you stay logged in
  7. Whether Face ID, PIN, or passkey is enabled
  8. Whether transfers need extra approval
  9. Whether cards can be frozen instantly
  10. Whether support is available 24/7
  11. What evidence they require after theft

2. List your insurance cover

Check:

  1. Phone insurance
  2. Home contents insurance
  3. Travel insurance
  4. Bank account packaged insurance
  5. Credit card purchase protection
  6. Cyber insurance, if any
  7. Business insurance, if relevant

For each policy, record:

  1. Provider
  2. Policy number
  3. Emergency claim phone number
  4. Claim URL
  5. Time limit to report theft
  6. Police report requirement
  7. Excess amount
  8. Maximum payout
  9. Whether unauthorised transactions are covered
  10. Whether fintech losses are covered
  11. Whether theft abroad is covered
  12. Whether unlocked-device theft is excluded

3. Score each account

Use a simple risk score:

  1. High risk: money can move quickly, the app is installed, the session stays logged in, or recovery is linked to your phone or email.
  2. Medium risk: money can move, but extra approval or delays exist.
  3. Low risk: no money movement, no saved payment method, or strong external approval is required.

Beginner rule

The audit tells you what to protect first and who to contact first if something happens.

Priority 8: Prepare your emergency response

Why this matters

The first hour after a theft matters. You do not want to be searching Google, guessing passwords, trying to remember account names, or looking for phone numbers while the attacker is moving faster than you.
Prepare the emergency plan before you need it.

What to do

Create an emergency freeze sheet outside your phone.
Include:

  1. Bank emergency numbers
  2. Card freeze links
  3. Fintech support links
  4. Mobile provider fraud number
  5. Apple ID or Google recovery links
  6. Insurance claim numbers
  7. Policy numbers
  8. IMEI and serial number
  9. Police report instructions
  10. Priority order for accounts to lock

Do not include:

  1. Passwords
  2. Seed phrases
  3. Backup codes
  4. Full card numbers
  5. Anything that would help a thief if the sheet was found

Beginner rule

Your emergency plan should help you act quickly without giving anyone the keys to your accounts.

Priority 9: Know what to do if the phone is stolen unlocked

Why this matters

Many people’s first instinct is to find the phone. That is understandable, but it may not be the most important action.
If the phone was stolen unlocked, the first priority is stopping access to money, email, identity, and recovery channels.

Suggested order

  1. Lock your primary email.
  2. Lock or freeze the highest-risk financial accounts.
  3. Block your SIM.
  4. Freeze cards and banking apps.
  5. Mark the device as lost.
  6. Try to locate, remotely lock, or erase the device.
  7. Revoke sessions from:
    • Apple ID
    • Google account
    • Email
    • Banks
    • Fintech apps
    • Payment apps
    • Shopping accounts
    • Mobile provider
    • Password manager
  8. File a police report.
  9. Open claims with:
    • Banks
    • Fintech providers
    • Mobile provider
    • Insurers
    • Any affected account provider
  10. Keep a timestamped incident log.

Record:

  1. Date and time of theft
  2. When each account was locked
  3. Who you spoke to
  4. Case numbers
  5. Screenshots
  6. Emails received
  7. Transactions reported
  8. Police reference number
  9. Insurance claim number

Beginner rule

Do not spend the first hour only chasing the phone. Spend it cutting off access.

Extra protections for crypto users

This section only applies if you use crypto exchanges, wallets, DeFi apps, or hold meaningful funds in digital assets.

Understand what is and is not protected in the UK

Many UK users assume that if a crypto company is well known, FCA-registered, or has a UK app, their money is protected like money in a bank.

That is usually not true.

Cryptoassets are generally not protected by the FSCS. The FSCS itself says cryptoassets generally are not protected by organisations like the FCA or FSCS. Coinbase’s own UK user agreement also says that digital assets and e-money are not subject to FSCS protection.

What to know

  1. Crypto held on an exchange is not FSCS protected.
  2. E-money balances are not necessarily FSCS protected either.
  3. FCA registration does not mean your crypto losses are covered.
  4. Coinbase UK offers a separate Instant Access Savings product with FSCS protection on eligible GBP deposits, powered by ClearBank. This protection applies to eligible cash savings deposits, not to cryptoassets held on Coinbase.
  5. Do not confuse “cash savings protection” with “crypto protection.” They are different products with different risk profiles.

My experience

Coinbase reimbursed my girlfriend for the unauthorised crypto withdrawal from her account. That matters because it shows that another major exchange looked at a similar stolen-phone incident and reached a different outcome.

Binance, by contrast, has not covered my loss or accepted responsibility (and the rage keeps me awake at night) even though I had a police report, a trace of the assets and spent more hours than I can count complaining to their help desk.

Of all the companies and institutions I had to deal with after the robbery, Binance has been the worst by far. Staying away from them will add years to your life expectancy.

Beginner rule

If you live in the UK, do not assume crypto held on any exchange is FSCS protected. At most, Coinbase offers an FSCS-protected cash savings product for eligible GBP deposits, but that does not protect your crypto.

Crypto priority 1: Use withdrawal allowlisting

Why this matters

Withdrawal allowlisting means crypto can only be sent to wallet addresses you have already approved.
Without it, a thief who accesses your exchange account may be able to add their own wallet address and withdraw funds.

What to do

  1. Turn on withdrawal address allowlisting wherever available.
  2. Add only your trusted wallet addresses.
  3. Enable a delay before new addresses can be used.
  4. Require extra verification for address changes.
  5. Remove old wallet addresses you no longer use.

Beginner rule

A stolen phone should not be enough to add a new wallet address and withdraw funds immediately.

Crypto priority 2: Require withdrawal approval outside the stolen phone

Why this matters

If the same phone can log in, receive the code, approve the withdrawal, and access email, then the phone is the whole security system.
That is dangerous.
Large withdrawals should require something the thief does not have.

What to do

Use at least one approval method outside your everyday phone:

  1. Hardware security key
  2. Second device kept at home
  3. Separate recovery email not logged in on the phone
  4. Desktop-only approval flow
  5. Trusted contact or business approval workflow
  6. Time delay for large withdrawals

Beginner rule

The same stolen phone should never be enough to log in, approve, and withdraw.

Crypto priority 3: Do not keep large balances on exchange apps

Why this matters

Crypto transactions are often fast, irreversible, and harder to recover than bank payments.
Keeping large balances in an exchange account that is accessible from your everyday phone creates unnecessary risk.

What to do

  1. Keep only operational amounts on mobile-accessible accounts.
  2. Move long-term holdings to stronger storage, such as:
    • Cold storage
    • Multisig
    • Hardware wallet
    • Custody setup with stronger withdrawal controls
    • Account with no mobile app installed
  3. Remove exchange apps from your everyday phone if you do not need them.
  4. Do not store seed phrases, private keys, recovery codes, or wallet backups on your phone.

Beginner rule

For crypto users, convenience is often the risk. If everything can be accessed from your everyday phone, the phone becomes the vault.

Conclusion

I know this checklist is long. I also know most people will not do all of it.

But please do not wait until after something happens to realise that your phone is not just a phone. It is your bank branch, your ID, your email, your password reset tool, your 2FA device, your wallet, your insurance portal, your travel app, your work access, and sometimes your entire financial life.

That is the problem.

Device theft is no longer just about losing a handset. If your phone is stolen while unlocked, it can become an account takeover, a financial attack, an identity issue, an insurance nightmare, and a months-long administrative collapse.

The painful lesson I learned is this:

Security is not about having one strong setting. It is about making sure one failure does not collapse everything else.

You do not need to become paranoid. You do not need to become a cybersecurity expert. But you do need to make your phone less powerful.

Remove what does not need to be there. Log out of what matters. Separate your email from your recovery methods. Turn off risky autofill. Know which accounts you have. Know who to call. Know what is covered. Know what is not.

Because if something happens, you will not be calm. You will not think clearly. You will not remember every app, every account, every card, every insurance policy, every support link, and every recovery step.

Prepare while you are calm, so you are not trying to build a security system while panicking.

That alone will put you ahead of most people.

I hope you never need this checklist. But if you do, I hope it saves you money, time and sleep.

Good luck out there.