Full Report
It’s bad enough that organizations must worry about threat actors launching phishing attacks, injecting ransomware, or exploiting vulnerabilities; now, there is a new attack variant on the loose. Legal scammers. These are companies, which seem to be emerging particularly in Australia, are set up and registered as legal cybersecurity firms, but in the end just take a company’s money without delivering any services. Over the last few years, I have repeatedly encountered the same playbook being used: a polished cybersecurity business appears out of nowhere. It has a legitimate Australian Business Number (ABN), a slick website, a handful of convincing LinkedIn profiles, and a stream of topical articles (increasingly AI-assisted) about current breaches. These are not your run-of-the-mill adversaries, but are highly sophisticated groups that, after a patient period of building credibility, contact organizations claiming to have “found your data on the dark web” or “identified critical vulnerabilities,” and apply pressure to set up an urgent call. Using Scare Tactics The scammer’s approach is deliberate. They create the façade of legitimacy, then add an emotional lever —usually fear —which is a very effective mechanism for persuading rushed decision-makers to pay for “help” they have not independently validated. This is not theoretical. The techniques combine tried-and-tested social engineering practices with modern tools (automated content, purchased domain names, realistic but fake LinkedIn personas). The aim is not always to deliver genuine technical value; often, it is to create sufficient doubt and urgency that a target pays for remediation, removal, or “safe-keeping” of data. Defending Against “Helpful” Scammers The defensive response is simple in concept but must be practiced: pause, verify, demand evidence, and channel the contact through your incident response, legal and procurement processes. Below I set out the practical checks that every CISO, CIO, and procurement lead should require before accepting unsolicited security claims — and a short “how to verify us” checklist at the end so you know exactly where to look if we (or any other provider) reach out. A 10-Point Practical Vendor Verification Checklist (do these first) Verify the legal entity (ABN / ACN / foreign company registration) — Confirm the ABN/ACN and the exact legal name via ABN Lookup (Australian Business Register). Do not soley rely on the trading name on a website; the ABN record shows the registered entity and its status. For companies and business names, cross-check ASIC’s registers (company search, business names). ASIC records show lodged documents, business name holders, and foreign company registrations. Check recognized cybersecurity accreditations and memberships. For providers offering offensive testing (pen test, red team), look for CREST accreditation or similarly rigorous third-party endorsements and verify certificates via CREST’s verification service. For government or high-assurance work, verify whether the provider has demonstrated channels or relationships with the ACSC / ASD and follow ACSC guidance on incident reporting/assistance. Verify ISO and other management certifications through the accreditation register — If a vendor claims ISO 27001 (or other ISO standards), verify the certificate on an accreditation-body register such as JAS-ANZ or the certifier’s public register — accredited certification bodies publish searchable registries. A certification logo on a website is not sufficient without registry verification. Request and validate third-party assurance reports (SOC 2/ISAE 3402/penetration test reports) — SOC 2/ISAE reports are the industry standard for control assurance. A legitimate provider will either share a SOC 2/ISAE executive summary or provide a pathway to view the full report under NDA and will identify the auditing firm. Verify auditor credentials and insist on timeframes for the report. Validate vendor partner claims (Microsoft, AWS, Google, etc.) — Partner logos are useful but verify them via vendor partner directories (for example, Microsoft’s partner directory / AppSource). Partner listings or solution designations can be confirmed through the cloud vendor’s official partner search pages. Scrutinize LinkedIn and public personnel traces. Look for depth of history, consistent timelines, verifiable past employers, and corporate email addresses. Recently created profiles, stock photos, or large clusters of newly created “employees” all signal risk. Use profile verification and open-source traces (conference talks, GitHub, published research) to corroborate expertise. Demand technical artifacts and corroboration. If someone claims your data is “on the dark web” or that they have discovered a vulnerability, you must require specific, verifiable artefacts (for example, hashes, dated screenshots or logs with redactions) and then verify independently through your IR team or a trusted third-party. Procurement and legal gates are not optional. Insist on a statement of work, defined scope, contract terms, insurance details, and evidence of professional indemnity / cyber insurance. If the provider resists procurement/legal review or pressures for quick payment to “prevent exposure”, treat that as a red flag. Where to Verify a Vendor’s Qualifications Here is a short list of authoritative places (and how to use them) ABN Lookup / Australian Business Register — Search the ABN or company name to confirm registration, GST status, and entity name. Use ABR’s search to verify a business is active and matches invoices/contracts. ASIC registers (Companies and Business Names) — Search for lodged documents, company officers and business name holders to confirm who legally operates the business. ACSC/ASD guidance pages — If an unsolicited contact claims to be acting on behalf of national cyber services, instead reach out to ACSC channels for verification and advice. ACSC provides incident-support guidance and reporting processes. CREST/CREST verification — For offensive testing accreditations and individual practitioner certificates, use CREST approval lists and certificate verification. JAS-ANZ register and certifier registers — To confirm ISO 27001 and other management system certifications, search the JAS-ANZ register or the issuing certification body’s public lists. Cloud vendor partner directories — Verify partner status, advanced specializations and partner IDs via Microsoft AppSource / partner directory or the equivalent for AWS/GCP. SOC / auditor verification — Request SOC 2 or ISAE summaries, then confirm the auditor (Big 4 or recognized audit house) and that the report’s fieldwork and coverage match the services being offered.
Analysis Summary
This summary extracts and organizes security best practices focused on mitigating risks associated with sophisticated, fraudulent cybersecurity vendors, often referred to as "legal scammers."
# Best Practices: Verifying Unsolicited Cybersecurity Vendors
## Overview
These practices outline a mandatory, proactive vendor verification process designed to defend against sophisticated social engineering attacks where fraudulent or non-performing entities pose as legitimate cybersecurity firms to extract payment using fear tactics (e.g., claims of discovered data exposure or critical vulnerabilities). The core defense strategy is to **Pause, Verify, Demand Evidence, and Channel through Procurement.**
## Key Recommendations
### Immediate Actions (When Receiving Unsolicited Security Claims)
1. **PAUSE the Engagement:** Immediately halt any discussion that demands urgent commitment or payment based on an unvalidated claim (e.g., "your data is on the dark web").
2. **Activate Standard Procedures:** Insist that all contact and negotiation be channeled exclusively through your established Incident Response (IR), Legal, and Procurement workflows.
3. **Demand Verifiable Artifacts:** If a technical claim is made (e.g., vulnerability discovery), require specific, verifiable evidence (e.g., dated screenshots, validated hashes, or logs with appropriate redactions).
4. **Treat Pressure as a Red Flag:** Immediately reject any vendor who resists standard procurement/legal review or pressures for quick payment to "prevent exposure."
### Short-term Improvements (1-3 months)
1. **Establish Mandatory Verification Checklists:** Implement and mandate the 10-point vendor verification checklist for all unsolicited security service inquiries before allowing any engagement.
2. **Verify Legal Entity Registration:** Cross-reference the provided business number (ABN/ACN) with the official national business register to confirm the exact legal entity name and active status, ensuring it matches the desired trading name.
3. **Validate Third-Party Certifications:** For claimed ISO 27001 (or other ISO standards) certifications, demand the certificate number validation via public registers such as JAS-ANZ or the issuing body’s registry. Do not accept logo presence alone.
4. **Scrutinize Personnel Online Presence:** Review vendor personnel profiles on LinkedIn for depth of history, consistent employment timelines, corroborating corporate email addresses, and evidence of published work beyond recent, generic articles.
### Long-term Strategy (3+ months)
1. **Mandate Assurance Report Review:** Require legitimate assurance reports, such as SOC 2 Type II or ISAE 3402, for providers offering control assurance. Establish a process to review executive summaries or full reports under an NDA.
2. **Confirm Technical Accreditation:** For specialized services like penetration testing or red teaming, mandate verification of industry-recognized accreditation (e.g., CREST) through the body’s official verification services.
3. **Audit Partner Claims:** Validate all listed technology partnerships (Microsoft, AWS, Google) by checking those vendors' official partner directories to confirm current status and specializations.
4. **Formalize Insurance Verification:** Integrate professional indemnity and cyber insurance validation as a mandatory step within the procurement process before contract finalization.
## Implementation Guidance
### For Small Organizations
- **Focus on Public Registers:** Prioritize simple checks: verifying ABN/ACN legitimacy and ensuring at least one key employee has a traceable history outside of the current firm.
- **Rely on Known Channels:** Only engage with cybersecurity firms sourced through trusted peer recommendations or official national security body guidance (e.g., ACSC advisories).
### For Medium Organizations
- **Implement Procurement Gates:** Formalize the requirement for Legal/Procurement review for any external security service quote exceeding a minimal threshold.
- **Standardize Assurance Demands:** Require SOC 2 Type I (at minimum) or equivalent audit summaries for any vendor managing sensitive data or controls.
### For Large Enterprises
- **Integrate Verification into Procurement Systems:** Automate checks against national business registers and major certification bodies where possible, flagging vendors needing manual review.
- **Maintain a Trusted Vendor List:** Develop an internal registry of pre-vetted, high-trust suppliers for rapid response scenarios, minimizing reliance on completely unsolicited outreach.
- **Review Incident Response Overlap:** Ensure that any vendor claiming to assist with a "live incident" has clearly defined communication paths that align with pre-established IR playbooks, instead of bypassing them.
## Configuration Examples
*While the source material does not provide technical configurations, the recommended action relates to document/process configuration:*
**Procurement/Contract Language Requirement:**
"All third-party security service providers must submit proof of current Professional Indemnity and Cyber Liability Insurance policies, alongside evidence of all claimed certifications (e.g., CREST, ISO 27001) verifiable via public accreditation body registers, prior to engagement or payment processing."
## Compliance Alignment
- **ISO 27001 Annex A.15 (Supplier Relationships):** Directly supports verifying the security and due diligence of external providers who may impact the security of information managed by the organization.
- **NIST SP 800-161 (Supply Chain Risk Management):** Aligns with the need to conduct rigorous vetting and continuous monitoring of technology and service providers to mitigate threats introduced via the supply chain.
## Common Pitfalls to Avoid
- **Relying Solely on Appearance:** Do not trust slick websites, polished documents, or AI-generated topical articles as proof of legitimacy.
- **Ignoring Legal/Procurement:** Bypassing established contract review processes due to perceived urgency is the primary mechanism scammers exploit.
- **Accepting Logo Credibility:** Never accept the display of certification or partner logos without independently verifying those credentials on the relevant external registrar’s public site.
- **Succumbing to Fear-Based Sales:** Any claim demanding immediate payment based on unverified "dark web findings" or "critical vulnerabilities" without prior documented relationship must be treated with extreme skepticism.
## Resources
*The following authoritative verification sources are recommended for implementing the checks:*
* **Australian Business Register (ABR) Lookup:** Search by ABN or company name to confirm legal entity status.
* **ASIC Registers (Australia):** Search company and business name records to verify officers and official registration details.
* **CREST Verification Service:** Use for validating accreditations for offensive security testing providers.
* **JAS-ANZ Register and Certifier Public Registers:** Utilize to confirm the validity of ISO management system certifications.
* **Cloud Vendor Partner Directories (e.g., Microsoft AppSource):** Use to cross-check vendor partnership claims with cloud providers.
* **National Cyber Security Center Guidance (e.g., ACSC):** Consult official national channels for advice if a vendor claims affiliation or mandate from government security bodies.