Back to Insights
Regulation5 min read18 July 2026

Fake Locksmiths Are Buying Their Way to the Top of Google, Then Charging Thousands

UK locksmith scams jumped 147 percent in early 2024. Criminals exploit paid search ads and zero licensing requirements to prey on people in crisis, including a mother locked out with a three-month-old baby who was charged £2,209 to open her front door.

t2s
train2secure NewsdeskSecurity awareness team
A person standing outside a closed residential front door on a grey overcast afternoon, holding a small baby wrapped in

Fraudulent locksmiths operating across the UK exploited paid Google search listings and an unregulated industry to extort thousands of pounds from vulnerable victims during the first quarter of 2024, with reported scams rising 147 percent year-on-year.

A Staged Emergency at the Front Door

Sarah, 30, had gone for a walk and left her keys inside her flat. She had her three-month-old baby with her. The solution seemed simple: search Google for a local locksmith, call the first credible-looking result, wait ten minutes.

The company she found was a paid listing, a sponsored result that sat above the organic search entries because its operator had bought that position. Its website advertised a starting price of £45. It claimed more than 4,500 five-star reviews. Both figures appeared designed to disarm suspicion.

The locksmith who arrived told Sarah the lock had to be drilled. He drilled it. He replaced it. Then he announced that an internal component had been damaged in the process and needed replacing too. By the time Sarah was inside her own home with her baby on a changing mat, the bill had reached £2,209. The card machine was pointed at her face before she fully understood what had happened.

Trading standards officers describe what Sarah experienced as part of a pattern they are now calling an epidemic.

The Structural Problem: No Licence, No Regulator, No Floor

The United Kingdom imposes no licensing requirement on locksmiths. Any individual can legally describe themselves as a locksmith, construct a website, purchase a Google Ads placement, and begin operating the same day. There is no governing body with authority to revoke credentials, because no credentials are required.

This regulatory vacuum is the core failure. Paid search advertising amplifies it by wrapping these operations in a layer of false legitimacy. A sponsored listing at the top of a search page looks authoritative to someone who is cold, rushed, or frightened. A manufactured star rating reinforces that impression. The scam is engineered around the moment when a person is least able to evaluate their options.

Once the locksmith is at the door, the power dynamic shifts decisively in their favour. The victim is at home, in distress, and facing a stranger who either has already opened the door or who is the only person on the scene who can. Refusing to pay means arguing at your own open doorway. Multiple victims report being intimidated into paying rather than escalating to police.

Why Paid Search Is the Attack Vector Here

The mechanism is worth understanding precisely, because it mirrors tactics seen in other fraud categories. Criminals do not need to hack Google. They buy visibility the same way any legitimate business does. The cost of a Google Ads campaign is small relative to a single £2,209 payout. The return on investment for a fraudulent operator is high.

Google's advertising policies prohibit misleading representations, but enforcement depends on complaints and detection after the fact. By the time a fake locksmith accumulates enough reports to trigger a review, the operator can close the account, open a new one under a different business name, and resume. Fake review profiles, another purchased commodity, reset the credibility clock each time.

This is a social-engineering attack at scale. The technical sophistication required is minimal. The psychological sophistication is not.

What the Failure Pattern Tells Defenders

Organisations that study fraud patterns consistently find that the most effective attacks do not require technical skill. They require the ability to appear trustworthy at exactly the moment a target is under stress. The Verizon 2024 Data Breach Investigations Report found that 68 percent of breaches involved a non-malicious human element, including people being deceived or making errors under pressure. Sarah's experience is a civilian version of exactly that pattern.

The control that failed here is not technical. It is the absence of verified identity at the point of contact. A licensed, vetted locksmith with a confirmed trade association membership is the equivalent of multi-factor authentication for a service call. The Master Locksmiths Association (MLA) vets members and maintains a searchable directory. Using it before calling a number from a search result is a simple, high-value verification step that most people in distress skip.

Organisations running security-awareness programmes know that stress and time pressure are the conditions attackers choose deliberately. Training that builds the habit of pausing to verify identity before granting access, whether digital or physical, directly addresses the root cause of scams like this one. The same mental model that teaches an employee to verify an email sender before clicking a link applies when choosing a tradesperson from a search result. Train2Secure's awareness training covers exactly this category of social engineering: attacks that bypass technical controls by targeting people in high-pressure moments.

What You Should Do If You Are Locked Out

Before calling any number from a search result, take two minutes to check the following.

  • Look up locksmiths on the Master Locksmiths Association directory at locksmiths.co.uk. MLA members are vetted and follow a code of conduct.
  • Ask for a written or clearly stated quote before any work begins. Confirm explicitly that the price covers all labour and parts.
  • If the final bill is dramatically higher than the quoted figure, do not pay by cash. Pay by credit card if possible, then contact your card issuer to dispute the charge as a misrepresentation.
  • Report the trader to your local trading standards office via the Citizens Advice consumer helpline on 0808 223 1133.

If you feel physically intimidated into paying, call 999. That is not an overreaction. A stranger who has access to your home and is demanding money is a situation the police treat seriously.

The Regulatory Gap Remains Open

As of mid-2025, no UK legislation requires locksmiths to hold a licence. Several industry bodies have called for mandatory registration for years. The argument against it typically centres on the burden imposed on legitimate sole traders. That argument has so far prevailed, and the cost has been borne by people like Sarah.

Until licensing exists, the burden falls on the consumer to do the verification that a regulator would otherwise perform. That is an unfair situation. Knowing it exists is the first step toward not becoming a statistic in next year's trading standards report.

For organisations building physical-security awareness into their training programmes, this incident is worth including. The same employees who can spot a phishing email may not apply the same scepticism to a phone number at the top of a search result. Broadening the definition of "social engineering" in your security standards curriculum to include in-person and telephone fraud closes that gap.

How recognising social engineering could have helped Sarah

  • Build the habit of verifying identity before granting access, whether to a system or to your front door: treat a search-result phone number like an unsolicited email link and confirm the source independently first.
  • Stress and urgency are the attacker's tools. Training that simulates high-pressure scenarios helps people pause and verify rather than comply automatically.
  • Extend your security-awareness programme beyond phishing email to cover vishing, in-person impersonation, and fraudulent service providers, because criminals target the same cognitive shortcuts regardless of the channel.

Train2Secure's social-engineering modules teach employees to apply the same scepticism to phone calls and in-person requests as they do to suspicious emails, closing the human-layer gaps that technical controls miss.

Start free, no card required

Frequently asked questions

Why are fake locksmiths appearing at the top of Google search results?

They are paying for Google Ads placements, the same mechanism any business can use. Paid listings appear above organic results, which gives them an air of credibility regardless of whether the business is legitimate. The cost of the ad is small compared to a single fraudulent payout.

Is there a way to find a legitimate locksmith in the UK before calling anyone?

Yes. The Master Locksmiths Association maintains a directory of vetted members at locksmiths.co.uk. MLA members must meet competence standards and follow a code of conduct. Always ask for a written quote covering all parts and labour before work begins.

What can I do if a locksmith charges far more than the original quote?

If you paid by credit card, contact your card issuer and request a chargeback on the grounds of misrepresentation. Report the trader to trading standards via Citizens Advice. If you felt physically intimidated, report the incident to the police.

Why does this kind of scam succeed even on people who consider themselves tech-savvy?

The attack is designed for moments of high stress and time pressure, exactly the conditions that degrade good decision-making. Sponsored search results and fake reviews mimic the signals people normally use to assess trust. The locksmith is physically present before the victim has time to research alternatives, which is the same urgency dynamic used in phishing and vishing attacks.

Ready to Reduce Your Human Cyber Risk?

Sign up and start training your team in minutes. No sales calls, no demos — just pick a plan and go. Phishing simulations, video courses, and certificates from day one.

train2secure analytics dashboard showing training completion stats and user progress