In April 2024, the Metropolitan Police, National Crime Agency, City of London Police and Europol finally closed in on LabHost. 

LabHost was a site on the dark web responsible for scamming tens of thousands of individuals and businesses. The crime-fighting organisations had been working together for two years, following a tip-off from the non-profit Cyber Defence Alliance. 

LabHost, best described as a cyber fraud superstore, had made a small fortune selling phishing subscriptions for up to $3,000 a month since becoming active in 2021. Subscriptions included highly customisable smishing (text message) and phishing templates for mimicking the communications of bona fide companies, plus multi-factor authentication bypass facilities and the ability to harvest PINs, personal information and security question answers. 

By the time the site was taken down, resulting in the arrest of 37 suspects, the police had identified 70,000 victims of the phishing scam in the UK alone. Globally, it’s estimated the platform was responsible for the theft of 480,000 card numbers, 64,000 PIN numbers and over 1m passwords. 

Lower barriers to entry

LabHost is just one prominent example of how phishing-as-a-service (PhaaS) has become a lucrative, global business for cybercriminals. While cybercrime once required a level of technical skill that many simply didn’t have, PhaaS has dramatically lowered the barriers to entry. 

"Technology is enabling crime to be delivered at scale in an almost industrial fashion,” National Economic Crime Centre Director Adrian Searle recently told the BBC. LabHost, he claimed, had given criminals without technical skills the opportunity to “buy them off the shelf online and use them against victims in the UK and elsewhere”. 

LabHost’s disappearance has hardly spelled the end of commoditised cybercrime. IT support company OryxAlign’s Customer Experience Manager Nathan Charles, who works with many small businesses in the financial service sector, says: “You don’t have to be clever to carry out cybercrime anymore. You can go on the dark web and purchase everything you need for a phishing attack for less than £100.”

It’s no wonder that, according to the government’s latest 2023 Cybersecurity Breaches Survey, 56% of businesses and 62% of charities reported data breaches in the last 12 months. A massive four in five (79%) respondents reported experiencing a phishing attack (up from 72% in 2017). ProofPoint’s State of the Phish report reveals an even higher percentage, with nine in 10 (91%) of UK companies stating they had experienced at least one successful email-based phishing attack in 2022. More than a quarter of those (26%) reported direct financial losses as a result.

Specific to the profession, approximately 100 UK-based accountants report data breaches attributed to cyber attacks each quarter, according to data from the Information commissioner’s office (ICO)

New types of phishing-related scams 

Education is a critical mechanism to protect businesses from being the victim of a phishing attack. “Without any training and leaving people to their own devices, our research shows that 34% of end users are prone to clicking on a phishing link,” says Charles. “After a year of regular training sessions that drops down to 4%.” 

In addition to mitigating cyber-security risks by using multi-factor authentication (MFA) and using secure passwords, employees also need to take more care by carefully checking the email address or website URL that communications are coming from. 

One of the latest scams, known as ‘quishing’, involves cybercriminals using QR codes to direct users to a fake website where they are tricked into entering personal data, including payment details. For example, in recent months several councils have reported that QR codes have been stuck to their parking signs that direct users to a fake website address where payment is taken. 

Businesses have also been targeted with this new type of scam. Last year, Microsoft 365 experienced a quishing attack that began with an email asking users to reactivate their MFA. It used the Microsoft Authenticator logo and asked users to scan an embedded QR code. Those who did so were then sent to a web page that infected their device with malware. 

Tackling rise of deepfakes

AI is making things even easier for scammers to create convincing emails, websites and even voices. 

Phishing emails were once littered with grammar mistakes and poor spelling. The latest scams are much more sophisticated and accurate thanks to AI technology. “Gen-AI, in particular, has made scams much more realistic,” says Oliver Devane, Principal Engineer and Senior Security Researcher at cyber-security company McAfee. “It’s much harder for the average person to spot a scam.” 

Nor is it just phishing emails that users should look out for. “Gen AI tools like voice cloning and deep fake videos make scams much more believable,” says Devane. 

Bani Lamba, Data Analytics and Tech Manager at ICAEW, adds: “The scary thing is that there are a lot of self-service tools to create deep fakes online relatively cheaply.”

One recent example of a deepfake scam saw a finance worker at a multinational firm in Hong Kong pay out $25m to fraudsters who were using deep fake technology to pose as C-Suite executives on a video call. “[In the] multi-person video conference, it turns out that everyone [he saw] was fake,” senior superintendent Baron Chan Shun-ching told the city’s public broadcaster RTHK.

In a similar example from 2022, Brazilian crypto exchange BlueBenx was conned by criminals who used  AI to impersonate Binance COO Patrick Hillmann. They were scammed into sending $200,000 and 25m BNX tokens, all because of a convincing Zoom call. 

Helping to spot the danger

According to Nathan Charles, any communications requesting a change of bank details or requiring something to be done urgently and unexpectedly should be an instant red flag, for example if a director asks someone in the finance function to change the bank details of a supplier right away. “You need to confirm with that person on the phone, not via email, whether they’ve sent the email or not.” 

He also warns that people who have just reported a change of job on platforms such as LinkedIn are particularly vulnerable to scammers, who use social media to pretend to work for the new company, knowing their victim isn’t yet familiar with their new work colleagues. Social media is also increasingly being used to create deepfakes, with voice and video reproduced from authentic sources on YouTube and Instagram. 

Unfortunately, it seems that social engineering attacks, including phishing, show no signs of slowing down. In its most recent Active Cyber Defence report published in July 2023, the UK’s National Cyber Security Centre reported that 7.1m suspicious emails and websites were reported to UK authorities in 2022 – the equivalent of one every five seconds. 

With phishing-as-a-service commoditising cybercrime and AI providing greater levels of sophistication, it’s becoming more difficult for small- to medium-sized businesses to counter the threat without advanced cyber-security tools and regular training in place. 

According to Arne Helgesen, a cyber-security expert at tech firm Sharecat: “Phishing attacks often exploit human vulnerability and educating your workforce on how to identify and report suspicious emails, links and attachments is a powerful line of defence. Regular training sessions, simulated phishing campaigns and ongoing reinforcement can foster a security-conscious culture within your organisation.”