I’ve had a similar situation happen 4 years ago in Ibiza.
Someone ‘bumped’ into my friend and I and a few mins later we both realised our phones had been stolen.
We reported to our networks and the local police within 10 mins and logged into ‘Find my’ on another friends phone to mark our devices as lost.
A few days later it appeared in Tangiers, Morocco before going back offline again.
1 week later I received a text claiming to be from ‘Apple’ - and the message displayed itself as coming from Apple too. Thankfully, as you can see in the image, the use of the English language was not very good and the link did not go to a genuine Apple URL. I did click the link (knowing it was fictitious), which took me to a page that looked identical to the iCloud login page at the time. Upon entering a false email and password, a message appeared saying ‘incorrect password’. Had I entered my correct details, the thieves would have been able to remove the iCloud activation from the phone. Notice they also sign off as ‘Apple Inc’. Lots of red flags in the messages. (I checked the links revently
Thankfully no data stolen, and the phone remains on Find my just in case it’s turned back on but I suspect it’s been broken up for parts.
Key things for people to do following an unfortunate incident like this in addition to Apple’s advice here
https://support.apple.com/en-gb/HT201472 :
1. Protect your phone with a secure passcode, no dates of birth, consecutive numbers or 1234. Preferably 6 digits or longer.
2. Protect your iCloud account with 2fa (and all your accounts for that matter).
3. If your device is stolen, alert your network and the authorities immediately, then your insurance company if applicable (if you don’t do certain things within a certain timeframe some insurance providers won’t pay out).
4. Mark the device as lost on ‘Find My’
5. Be prepared to receive texts or emails and if you enter any contact details in the ‘device lost message’ be prepared to be contacted there too.
6. When you receive those messages, DON’T enter any details. Instead, go directly to the iCloud login page and look for your device there.
6b. Inspect the links within the messages, notice they won’t be for
https://iCloud.com - instead, it’ll be something that has the word iCloud or Apple in it (so you think it looks genuine) for example
https://iCloudapple.phonefound.com
Sorry for the long post