The Rise of Phantom Cyber Firms: How to Spot Them and What to Verify Before you Engage

It’s bad enough that organizations must worry about threat actors launching phishing attacks, injecting ransomware, or exploiting vulnerabilities; now, there is a new attack variant on the loose. Legal scammers.

These are companies, which seem to be emerging particularly in Australia, are set up and registered as a legal cybersecurity firm, but in the end just take a company’s money without delivering any services.

Over the last few years, I have repeatedly encountered the same playbook being used: a polished cybersecurity business appears out of nowhere.

It has a legitimate Australian Business Number (ABN), a slick website, a handful of convincing LinkedIn profiles, and a stream of topical articles (increasingly AI-assisted) about current breaches.

These are not your run-of-the-mill adversaries, but are highly sophisticated groups that, after a patient period of building credibility, contact organizations claiming to have “found your data on the dark web” or “identified critical vulnerabilities,” and apply pressure to set up an urgent call.

Using Scare Tactics

The scammer’s approach is deliberate. They create the façade of legitimacy, then add an emotional lever —usually fear —which is a very effective mechanism for persuading rushed decision-makers to pay for “help” they have not independently validated.

This is not theoretical. The techniques combine tried-and-tested social engineering practices with modern tools (automated content, purchased domain names, realistic but fake LinkedIn personas).

The aim is not always to deliver genuine technical value; often, it is to create sufficient doubt and urgency that a target pays for remediation, removal, or “safe-keeping” of data.

Defending Against “Helpful” Scammers

The defensive response is simple in concept but must be practiced: pause, verify, demand evidence, and channel the contact through your incident response, legal and procurement processes.

Below I set out the practical checks that every CISO, CIO and procurement lead should require before accepting unsolicited security claims — and a short “how to verify us” checklist at the end so you know exactly where to look if we (or any other provider) reach out.

A 10-Point Practical Vendor Verification Checklist (do these first)

1. Verify the legal entity (ABN/ACN/foreign company registration) — Confirm the ABN/ACN and the exact legal name via ABN Lookup (Australian Business Register).
   
   
2. Do not solely rely on the trading name on a website; the ABN record shows the registered entity and its status. For companies and business names, cross-check ASIC’s registers (company search, business names). ASIC records show lodged documents, business name holders, and foreign company registrations.
   
   
3. Check recognized cybersecurity accreditations and memberships.
   
   
4. For providers offering offensive testing (pen test, red team), look for CREST accreditation or similarly rigorous third-party endorsements and verify certificates via CREST’s verification service. For government or high-assurance work, verify whether the provider has demonstrated channels or relationships with the ACSC/ASD and follow ACSC guidance on incident reporting/assistance.
   
   
5. Verify ISO and other management certifications through the accreditation register — If a vendor claims ISO 27001 (or other ISO standards), verify the certificate on an accreditation-body register such as JAS-ANZ or the certifier’s public register — accredited certification bodies publish searchable registries. A certification logo on a website is not sufficient without registry verification.
   
   
6. Request and validate third-party assurance reports (SOC 2/ISAE 3402/penetration test reports) — SOC 2/ISAE reports are the industry standard for control assurance. A legitimate provider will either share a SOC 2/ISAE executive summary or provide a pathway to view the full report under NDA and will identify the auditing firm. Verify auditor credentials and insist on timeframes for the report.
   
   
7. Validate vendor partner claims (Microsoft, AWS, Google, etc.) — Partner logos are useful but verify them via vendor partner directories (for example, Microsoft’s partner directory/AppSource). Partner listings or solution designations can be confirmed through the cloud vendor’s official partner search pages.
   
   
8. Scrutinize LinkedIn and public personnel traces. Look for depth of history, consistent timelines, verifiable past employers, and corporate email addresses. Recently created profiles, stock photos, or large clusters of newly created “employees” all signal risk. Use profile verification and open-source traces (conference talks, GitHub, published research) to corroborate expertise.
   
   
9. Demand technical artifacts and corroboration. If someone claims your data is “on the dark web” or that they have discovered a vulnerability, you must require specific, verifiable artefacts (for example, hashes, dated screenshots or logs with redactions) and then verify independently through your IR team or a trusted third-party.
   
   
10. Procurement & legal gates are not optional. Insist on a statement of work, defined scope, contract terms, insurance details, and evidence of professional indemnity/cyber insurance. If the provider resists procurement/legal review or pressures for quick payment to “prevent exposure”, treat that as a red flag.

Where to Verify a Vendor’s Qualifications

Here is a short list of authoritative places (and how to use them)

• ABN Lookup/Australian Business Register — Search the ABN or company name to confirm registration, GST status, and entity name. Use ABR’s search to verify a business is active and matches invoices/contracts.
• ASIC registers (Companies & Business Names) — Search for lodged documents, company officers and business name holders to confirm who legally operates the business.
• ACSC/ASD guidance pages — If an unsolicited contact claims to be acting on behalf of national cyber services, instead reach out to ACSC channels for verification and advice. ACSC provides incident-support guidance and reporting processes.
• CREST/CREST verification — For offensive testing accreditations and individual practitioner certificates, use CREST approval lists and certificate verification.
• JAS-ANZ register and certifier registers — To confirm ISO 27001 and other management system certifications, search the JAS-ANZ register or the issuing certification body’s public lists.
• Cloud vendor partner directories — Verify partner status, advanced specializations and partner IDs via Microsoft AppSource/partner directory or the equivalent for AWS/GCP.
• SOC/auditor verification — Request SOC 2 or ISAE summaries, then confirm the auditor (Big 4 or recognized audit house) and that the report’s fieldwork and coverage match the services being offered.