How to find out if you're a LabHost scam victim and what to do

Original source (on modern site)

A UK website designed to give fraudsters easy ways to scam people online on an industrial scale has been infiltrated by the police with scores arrested around the world.

LabHost led to as many as 70,000 British victims being tricked by the site's scams, which obtained 480,000 card numbers and 64,000 Pins globally. Law enforcement agencies have arrested 37 suspects across the UK and around the world, including at Manchester and Luton airports, as well as in Essex and London.

Rather than operating as a fraud platform itself, LabHost offered a service to other criminals where they would create a website that imitated a legitimate business and hand it off to others who would then try and scam people with it.

What is LabHost?

Phones, laptops and tablets seized by the police as part of the investigation. (Metropolitan Police/PA)

LabHost is a scammer site set up in 2021 by a criminal network that enabled users to set up phishing websites designed to trick victims into revealing personal information such as email addresses, passwords, and bank details.

Phishing is a form of scam where attackers deceive people into revealing sensitive information by pretending to be a legitimate person or business.

Criminal subscribers were able to log on and choose from existing sites or request bespoke pages replicating those of trusted brands including banks, healthcare agencies and postal services. LabHost even provided templates and an easy-to-follow tutorial allowing would-be fraudsters with limited IT knowledge to use the service. At the end of the tutorial, a robotic voice told fraudsters: "Stay safe and good spamming."

We've worked with law enforcement and partners in the private sector to infiltrate a fraud platform used by thousands of criminals worldwide.

LabHost provided users with sophisticated website templates of prominent banks and recognisable organisations. These were used to trick… pic.twitter.com/ilK60IbYCp

— Metropolitan Police (@metpoliceuk) April 18, 2024

By the beginning of 2024, more than 40,000 fraudulent sites had been created and 2,000 users were registered and paying a monthly subscription fee. LabHost provided its subscribers with fake profiles for 170 companies to trick victims, including 47 based in the UK. Those subscribing to the "worldwide membership", meaning they could target victims internationally, paid between £200 and £300 a month.

The impact of LabHost's activities can be felt nationwide.

It is estimated that just under 70k people in the UK have been targeted by fraudsters using LabHost.

After infiltrating the criminal website, our officers have taken steps to protect victims' assets and target those… pic.twitter.com/RwGp6dW6Fv

— Metropolitan Police (@metpoliceuk) April 18, 2024

Since its creation, the site has received just under £1m in payments from criminal users. Shortly after the platform was seized and disrupted, 800 users received a message telling them that police "know who they are and what they've been doing".

Police hope they can dissuade former LabHost subscribers from further offending by creating the same level of fear about their information as their victims.

Fraudsters could get access to the LabHost services for $300 a month. (Metropolitan Police/PA)

How to tell if you're a LabHost victim

The police are attempting to contact every victim and explain how they have been impacted.

As part of the police's investigation, they have gained access to a full list of the data that had been entered into LabHost. They are now using this information - whether that is an email address, home address or phone number - to try and contact the victims. They will also tell you what phishing website you fell for.

The LabHost logo. (Metropolitan Police/PA)

The police warned they have been careful to not include any links to other sites in their communications, so if you receive an email or text pointing you somewhere else then that is fraudulent.

If you have been contacted you do not need to report a crime to the police as they have already done it on your behalf.

LabHost went as far as offering tutorials on how to scam people. (Metropolitan Police/PA)

If you think you have been a victim of LabHost fraud but have not been contacted by the police then you can contact Action Fraud to report it.

What to do if you're a victim of a LabHost scam?

What appears when visiting a LabHost website seized by police. (Metropolitan Police/PA)

As explained above, the criminal aspect is now in the hands of the police, so the best thing to do for them is to follow their advice and cooperate whenever they contact.

The next thing to do is protect yourself against similar crimes to how LabHost operated. According to the police phishing emails and websites often share characteristics. These are:

• Use familiar logos and branding to legitimate businesses but they often look sloppy or out of place.

• Promise more details or access to exclusive things on another website rather than in the email.

• The address the email comes from is not at all connected to the company it is pretending to be from.

• Pressure people with time penalties or limited rewards.

• Try and manipulate with fear and appeal to emotions by making fake warnings about potential loss of money or status.

• Exploit current events like tax deadlines to make the phishing seem more credible.

• Links in the email not take you to the company's actual website but some third-party imitation.

Read more:

• How Chinese takeaway worker led police to Bitcoin worth £3bn in Britain's biggest ever cryptocurrency seizure (Sky News)

• Gang jailed for £240,000 dating scam which saw them clean out victims' savings (Yahoo News)

• Criminals ramp up social engineering and AI tactics to steal consumer details (PA)