Cash outflows: fraudsters began to disguise phishing sites as legal services
Since December, a type of fraud using phishing sites has been spreading in Russia: they are disguised as legal services to help victims of cybercrime. Criminals use fake documents to get a repeat payment or to extort personal data and power of attorney. The peak of scam activity is projected for January 2026, when the number of such sites may increase approximately three times. More information about how fraudsters extort funds from victims can be found in the Izvestia article.
How fraud victims are deceived
A fraud scheme aimed at people who have already been deceived is gaining momentum in Russia, cybersecurity companies told Izvestia.
For example, a person who has become a victim of scams does not get the desired result from law enforcement officers, begins to look for ways to return money on their own, said Konstantin Melnikov, head of the department of special services at Infosecurity (Softline Group).
— He plunges into searching for information on the Web, using queries like "how to get money back after fraud," he said. — Attackers, using this moment of desperation and demand, actively promote specialized resources through advertising and search engine optimization.
These sites are listed in the top search results for the relevant queries. They have messages posted on them: "You were deceived, but no one helps? We are a team of professional lawyers, we will refund your money." The resources are supported by fake successful cases and reviews, offering to submit a request for consultation.
— After contacting the victim, they get in touch, — the expert noted. — Fraudsters present themselves as lawyers, offering various payment schemes: a fixed rate, a percentage of the damage amount, or payment only after the official initiation of a criminal case.
To create the illusion of work, they imitate the official document flow. The victim is provided with fake orders to initiate criminal proceedings, which detail the plot of the case, which the attackers themselves received from a gullible client, with references to banking transactions and fictitious requests.
"It takes about half an hour to create such documents," he pointed out. — Scammers maintain constant contact with the victim, convincing her of full legal support without the need for personal involvement. Sometimes they even request a notarized power of attorney, ostensibly to conduct business.
In addition, they regularly report on non-existent procedural actions.: "the materials were handed over to the Investigative Committee," "the Investigative Committee conducted an inspection," "the case has been initiated." And it is for this first stage that they ask for money — either partial payment or full cost.
Where else can they cheat again
Now such scammers are acting more actively, as evidenced by the increase in the number of registrations of special trap sites, Konstantin Melnikov added.
— The greatest influx of their activity is predicted for the beginning of next year, in January, — he emphasized. — This is due to the traditional increase in the number of deceptions during the New Year period: after the holidays, many people, desperate to return the money, are looking for any ways to solve the problem. This is what criminals use, preparing the infrastructure in advance to process new victims. The number of such sites may increase by about three times.
Most often, scammers request a percentage of the amount of damage incurred, which can reach 30-40%. In absolute terms, this may amount to, for example, 100-150 thousand rubles from a victim who has lost a million.
"For the victim, such a payment seems justified against the background of the expectation of a large sum of money being returned," the expert noted. — Direct financial enrichment due to the victim's contribution is not always the ultimate goal. Sometimes scammers seek to obtain from the victim an official power of attorney, an expanded set of personal data, or access to accounts. This data can later be used for other crimes.
In 2024-2025, up to 30% of phishing attacks were directed at users who had already been affected earlier, the director of communications of the cryptocurrency exchange confirmed. EXMO.me Mikhail Smirnov. A similar scheme for allegedly refunding funds applies when funds are stolen from crypto wallets.
— A typical scenario looks like this: after a high—profile incident, for example, news about a wallet being hacked, websites with the following phrases appear in search and advertising: "Refund of funds," "Legal assistance to victims," "Compensation for stolen cryptocurrencies," he said.
The site visually copies the style of well-known wallets or exchanges, legal landing pages: documents, Terms, Privacy, forms of appeals.
— The user is offered to connect a wallet "to verify transactions", enter the seed phrase "to restore access" or sign a transaction allegedly necessary for a refund, - said Mikhail Smirnov.
In practice, this is either a wallet drainer (a type of malware designed to quickly and automatically empty crypto wallets), or direct key collection.
"Such sites don't last long, but they clone quickly, changing domains and names," the expert added. — There is no real mechanism for returning cryptocurrencies through third-party services in such cases, but scammers use plausible vocabulary to look convincing. Repeated deception is almost always based on psychological pressure.
Which schemes will be activated at the end of the year
In December, corporate mail and messengers become a platform for fraudsters to work: fake greetings, sales, as well as false gifts, compensation and delivery, warned Viktor Ievlev, head of the information security department at Garda.
— The attackers create fake messages from your "boss", "bank manager", "Interior Ministry officer", "son", "courier" or "postal employee", — he said. — Voice deepfakes of colleagues and supervisors are no longer exotic.
According to him, combined with psychological pressure and the context of work processes, such calls become especially dangerous at the end of the year: this year, scammers regularly persuaded people to "urgently pay the bill," "transfer money to the counterparty," "help close the deal," or "resolve the issue by the end of the day."
"In 2026, they will not be forged in advance, but directly in real time, at the time of a call or online dialogue," the expert said.
Another classic pattern for December and January, which evolves every year, is fake notifications from delivery services and logistics partners.
Employees receive emails and messages with links to spoofed domains, QR codes for "tracking," suggestions to install fake apps for Android or iOS, or to continue communicating in the support service chatbot.
"The number of fake marketplaces and B2B stores is also growing rapidly," Viktor Ievlev added. — Modern neural networks allow you to deploy an online store under a well-known brand in just half an hour: the domain looks plausible, product cards are copied, reviews are generated, and the support chat responds. The scheme is already widespread and is likely to be used more actively to attack purchasing departments and accounting departments.
A separate area is "gifts" from companies and partners. Promo codes, loyalty bonuses, New Year's compensation and supposedly personal offers play on the expectation of pleasant surprises at the end of the year.
— In most cases, the purpose of such messages is reduced to phishing, compromising credentials and extorting payment information, — said the expert.
In order not to fall for the bait of scammers, it is necessary to monitor common deception schemes and treat with caution any suspicious offers, especially financial ones.
— If fraud has occurred, the only official and legal way to solve the problem is to contact law enforcement agencies, — Konstantin Melnikov emphasized.
No private lawyers or firms, even those operating legally, have the authority to guarantee a refund, the experts added.
Переведено сервисом «Яндекс Переводчик»
