MSE News

Got a text, email or letter from the Met Police? Don't ignore it – you may need to act to protect yourself from scams

If you got a text message or email from the Metropolitan Police between 4pm and 6pm on Wednesday 17 April – or you get a letter in the next few days – don't ignore it. You may need to take action to protect yourself from fraud. Below we explain how to know if the message is genuine and what you need to do.

The Metropolitan Police (the Met) is contacting up to 25,000 people across the UK whose personal data may have been harvested by fraudsters using a sophisticated online service to spoof the websites of legitimate companies such as banks, healthcare providers, postal services and more. This service has now been shut down as part of a joint law enforcement operation led by the Met.

If you think you've been a victim of a scam or want to know more on how to avoid one, see below or read our 30+ ways to stop scams guide.

How to tell if the Met Police text, email or letter is genuine

There are four key points:

  1. Texts and emails were ONLY sent between 4pm and 6pm on Wednesday 17 April. If you receive a text or email outside of this window claiming to be from the Met Police, it could be a scam and should be ignored.

  2. Letters were posted first-class on Wednesday 17 April. So you may have received one today (Thursday 18 April) or may get one over the next few days. Again, be very wary of anything you receive outside this window.

  3. The text, email or letter will say which website scammers impersonated to get your details. The fraudulent website may have looked like a company you recognise – such as your bank, mobile phone provider or another trusted organisation – and would have encouraged you to enter personal information, such as your email address, phone number or bank details.

  4. Genuine texts and emails from the Met will NOT contain any links or attachments. If you spot these, don't open them as they could be fraudulent. 

What to do next if you've been contacted

If you get one of the Met Police's messages, it means some of your data was obtained by fraudsters through what's known as a 'phishing' website, designed to trick you into giving up personal information.

The Met Police recommends you take the following steps to protect yourself:

  • Change your online passwords. Do this across all of your most sensitive accounts, such as your email, online banking and mobile phone provider.

    Ensure you use unique and hard to guess passwords – especially for your email – and consider using a password manager. For more help with creating strong passwords, see the Government's Stop! Think Fraud guidance.

  • Check your bank and credit card accounts for any suspicious activity. If in doubt, contact the company involved directly for help and advice.

    It's also worth checking your credit reports, as fraudsters may be able to use details they've stolen from you to apply for credit in your name.

  • Be extremely suspicious about any calls you get purporting to be from your bank or the police. Scammers often use information gathered from phishing websites to gain your trust in follow-up phone calls – and they can fake the caller ID to make it seem like the real thing.

    Remember: genuine service providers, banks and the police will NEVER call asking you to transfer money, share personal financial details or hand over remote control of your computer. If you're suspicious, or feel pressured into anything, just hang up.

For further guidance and support relating to the messages, you can call the Met Police's dedicated phone line on 0207 230 8603. This line will be open from 8am to 8pm daily until Sunday 21 April. Alternatively, you can email CyberProtect at the Met.

How the scammers' online service worked

The website, known as 'LabHost', was set up in 2021 by a criminal cyber network. According to the Met, it was used by more than 2,000 criminals to defraud victims worldwide before it was shut down by law enforcement.

LabHost let scammers create phishing websites designed to trick people into revealing personal information, such as email addresses, passwords, and bank details. Users were able to log on and choose from existing sites or request bespoke pages replicating those of trusted brands and organisations.

Those subscribing to LabHost's 'worldwide membership', meaning they could target victims internationally, paid between £200 and £300 a month. Some of these criminals have now been arrested, while others are the focus of an ongoing investigation, which will continue in the coming weeks and months. 

Detectives found that more than 40,000 fraudulent sites had been created using the service by the beginning of 2024. Globally, the service had enabled fraudsters to steal 480,000 card numbers, 64,000 PINs and over one million passwords used for websites and other online services.

What to do if you think you've been scammed

If you think you are being scammed, hang up the phone immediately and independently search for your bank's contact details to inform them (for example, call the phone number on the back of your card or on your bank statement). Alternatively, call the 159 hotline.

If you have already been scammed and have lost money, contact your bank (again, by independently searching for its contact details). It is helpful to report the scam via Action Fraud to help the police investigate and prevent future scams from taking place.

For more help and advice, visit the Citizens Advice website, or call its consumer helpline on 0808 223 1133. You can also see our 30+ ways to stop scams guide

MSE weekly email

FREE weekly MoneySaving email

For all the latest deals, guides and loopholes simply sign up today – it's spam-free!