Fake cybersecurity companies are back – and they’re smarter than ever


Businesses are being haunted by a raft of “phantom” firms that are deploying AI to create scamming operations.

After a slew of hacks on high-profile targets, including Marks & Spencer, Jaguar Land Rover, and Japanese brewer Asahi, awareness of cybercrime is at an all-time high, and criminals are only too keen to exploit this.

Fake cybersecurity firms operated by hackers and scammers are making a comeback, an Australian Trustwave researcher has warned, after spotting a new breed of “phantom” firms that are deploying AI to create sophisticated scamming operations.

These companies are set up and registered as legitimate entities, but ultimately take the customer’s money without delivering any services or, even worse, install ransomware on their systems.

“The playbook is to register locally, mimic thought leadership through blogs, build LinkedIn ecosystems of fake professionals, and target organizations with tailored vulnerability discoveries,” security researcher Grant Hutchons told Cybernews.

In a well-known case four years ago, a fake cyber firm called Bastion Secure – run by the Russian-speaking cybercriminal syndicate FIN7 – put together a convincing website, active LinkedIn profiles for its staff, and a social media feed that weighed into the industry chatter.

Multi-stage interviews were held to lure cybersecurity researchers into unwittingly helping penetrate companies’ networks and enable ransomware attacks.

Scammers making a global play

Now that generative AI has lowered the cost of appearing credible online, this type of scam is on the rise, according to Hutchons, who is APAC director for managed security services engineering at Trustwave.

Australia-based Hutchons says that similar fake firms are surfacing primarily in his home territory – but they are also starting to emerge in the US, UK, and Europe.

“Generative AI tools allow phantom firms to mass-produce plausible-sounding cybersecurity content: reports, blog posts, or LinkedIn updates…that make them seem informed and legitimate,” said Hutchons.

He added that AI can now generate fake “expert” bios at scale, complete with profile photos, endorsements, and cross-references, creating the illusion of community validation.

[Image caption: Gen AI tools allow scammers to mass-produce plausible-sounding cyber security content]

“Some even automate comment threads and endorsements to simulate activity,” he added.

Combined with cloned certification logos or AI-generated “technical reports,” these elements make the scams far more convincing than traditional phishing attempts.

“What once required a skilled social engineer can now be done by one operator with an AI toolkit over a weekend,” Hutchons said.

Trustwave first identified the pattern through client reports and channel partner interactions where supposed “security vendors” contacted organizations claiming to have discovered exposed data or critical vulnerabilities.

These firms looked legitimate on the surface – boasting registered entities, slick websites, and active LinkedIn profiles – but according to Hutchons, they fell apart under scrutiny.

“A standout pattern was the use of urgency-driven language and reluctance to provide verifiable technical evidence,” he said.

“Their business models were structured to secure payment before scrutiny, not to deliver ongoing protection.”

Psychological levers

According to Hutchons, phantom firms deliberately mimic the language of legitimate breach notifications such as “your data has been exposed,” “competitors have better protection,” and so on, to create doubt and compel rapid action.

“They exploit an organization’s self-awareness that gaps probably exist somewhere. The combination of technical authority and time pressure overrides rational verification processes.”

So how can companies build internal awareness so employees aren’t duped by an “urgent” warning from a fake cyber expert?

According to Trustwave, organizations should embed good cyber posture and relevant runbooks to verify before acting.

Every employee must know who their legitimate security contacts are and confirm any “urgent” cyber warning through official internal channels before responding.

If unsure, they should independently check the sender’s credentials, never use links or numbers provided in the message, and contact their IT or security team directly.

Verification playbook

The cybersecurity researcher added that organizations should also publish a clear list of approved partners and escalation procedures. When something seems suspicious or a threat feels beyond their expertise, staff should contact a trusted authority – whether that’s the NCSC in the UK, Australia’s ACSC, or their own national body.

Staff training is also important – not least because the spread of phantom cyber firms risks undermining the trust in genuine firms and blurring the line between real alerts and manipulative noise, potentially undermining legitimate cyber-awareness efforts.

[Image caption: If in doubt about a cyber security company's credentials, firms are advised to contact a trusted body like the NCSC.]

Hutchons advises organizations to reinforce clarity and consistency in how real warnings are issued, using verified communication channels, clear branding, and trusted spokespeople.

Fighting AI with AI?

While the Trustwave security expert believes that AI detection tools can detect obvious synthetic content, he warns SOC teams not to rely solely on detection algorithms because “sophisticated operators already use prompt engineering, paraphrasing, and human editing to bypass filters.”

He adds: “What’s more effective today is not automated detection alone but procedural verification, confirming registration dates, accreditation databases, and contractual compliance.”

Australia’s most wanted

Hutchons believes that Australia has become fertile ground for phantom MSSPs, thanks to a combination of regulatory demand and weak market oversight.

He says frameworks such as the SOCI Act, Essential Eight, and [infosec standard] CPS 234 have forced companies to demonstrate continuous monitoring and incident response, without a licensing regime to verify who can deliver these services.

[Image caption: A combination of compliance pressure and skills shortages has meant Australia has become a prime target for 'phantom' cyber firms]

He claims that this compliance pressure, combined with a chronic skills shortage and the high cost of running a genuine local SOC, has encouraged some providers to white-label offshore services without thorough verification.

However, Hutchons warned that while circumstances may vary in other territories, none are immune to this phantom menace, with more region-specific variants expected to emerge as fraudsters localize their content to reflect different compliance frameworks or threat trends.
