Fake Legal Threat Scams
Bogus legal demands — copyright, debt, or lawsuits — pressuring businesses to pay or click.
Last reviewed: 1 June 2026
What this scam is
Fake legal threat scams send intimidating notices — by email, letter, or web form — claiming that a business has committed a legal violation and faces immediate court action unless it pays a 'settlement' quickly. Common pretexts include copyright or image infringement, unpaid contractual debts, data protection violations, trademark disputes, or alleged regulatory non-compliance. The goal is either to extract a direct payment or to induce the recipient to click a malicious attachment or link.
These scams are designed to exploit the natural anxiety that a legal threat creates — particularly in smaller businesses or teams without in-house legal support. The notice is formatted to look official: it bears the name of a law firm or rights-management body, cites specific regulations or case references, and demands a specific settlement amount within a tight deadline. Urgency and authority combine to pressure the recipient into acting before thinking.
In the malware variant, the fraudulent notice includes an attachment described as 'evidence of infringement', 'court documents', or 'notice of proceedings'. Opening it delivers malware rather than documents. The legal framing is purely a social engineering mechanism to make the recipient feel it would be professionally irresponsible not to open the attachment.
How it works
The scammer mass-emails businesses — often targeting those with public-facing websites, social media profiles, or online content — with a notice claiming infringement or debt. The business name, domain, or specific URL is sometimes included to make the notice feel targeted and legitimate.
For copyright and image-rights scams, the notice claims that a photograph, graphic, or piece of content on your website was used without a licence, and demands a settlement fee to avoid litigation. In some cases, the scammer has actually placed an image online for free download and then demanded payment from businesses that used it — a deliberate trap.
For the malware variant, the attachment is the primary payload. It may be formatted as a PDF or compressed file and described as the evidence supporting the claim. The legal framing creates urgency to open it. Even if the recipient is sceptical of the demand, the prospect of court proceedings if they ignore it may be enough to prompt an ill-advised click.
For debt-based variants, the scammer claims to represent a creditor or debt collection agency pursuing an unpaid amount. The demand may reference a real business name or service to create plausibility. Payment is requested by bank transfer or cryptocurrency to avoid tracing.
Why this scam works
Legal threat scams are particularly effective at generating fear-driven responses. The combination of authority (a law firm) and threat (court proceedings, damages, enforcement) bypasses rational evaluation in favour of an anxious desire to 'make it go away'. For businesses without legal support, the prospect of court action is especially alarming.
The fraud is also calibrated to a specific value sweet spot: the settlement amount is set high enough to be worthwhile for the scammer, but low enough that paying feels preferable to the perceived cost and stress of court proceedings — even when the recipient suspects the claim is bogus.
For attachment-based variants, the threat also creates pressure to engage with the 'evidence' — which is exactly what the malware requires. The more convincing the legal framing, the more likely the recipient is to open the file.
A typical pattern
A small business receives an email from a company presenting itself as a rights-management agency, claiming that an image on their website is used without a licence. The notice references a specific URL and demands a settlement of a modest amount within five days to avoid court proceedings. An attachment is described as the licensing records proving ownership. The business owner, anxious and without legal support, is unsure whether to pay. The attachment, if opened, installs malware. The claim itself is fabricated.
Common red flags
- Urgent legal notice demanding fast settlement payment — typically within 24–72 hours
- Attachment or link described as 'court documents' or 'evidence of infringement'
- Law firm or rights body whose name cannot be verified on official regulatory registers
- Vague or generic claim with no specific identifiable content, account, or incident
- Settlement amount specifically calibrated to feel cheaper than the perceived cost of defending
- Payment requested by cryptocurrency, wire transfer, or to an unrecognised bank account
- Notice uses threatening language but provides no details for reaching out to a solicitor on your side
- Sender address does not match a verified law firm domain
- Claim references a regulation or statute but misquotes or applies it incorrectly
Sanitized example messages
Illustrative, sanitized examples. Personal details are replaced with placeholders such as [phone number] and [fake link].
NOTICE OF INFRINGEMENT: our client holds copyright in an image currently published at [URL]. You are required to pay [amount] within 72 hours or proceedings will be commenced. Full details: [attachment].
LEGAL NOTICE: you are in breach of [regulation]. Failure to settle at [amount] within 5 business days will result in regulatory referral and enforcement proceedings.
On behalf of our client, we write to demand payment of [amount] representing an unpaid contractual obligation. Please settle by [date] or this matter will proceed to court without further notice.
This is formal notice that [company] has used our client's copyrighted images without licence. Settlement of [amount] within 48 hours will resolve the matter. Please find attached supporting documentation.
Your company is in violation of GDPR Article [number]. A penalty of [amount] will be assessed unless you respond with remediation evidence within 72 hours. Full breach report is attached.
COURT PROCEEDINGS PENDING: [company] is named as defendant in a claim for [amount]. Review the attached notice of proceedings and contact our office immediately to discuss settlement options.
Common variations
- Copyright or image-rights infringement demands with settlement requests
- Debt collection notices impersonating legitimate collection agencies
- Data protection or GDPR violation threat letters demanding immediate payment
- Trademark infringement notices targeting businesses in relevant industries
- Employment tribunal threat letters targeting employers
- Regulatory non-compliance notices demanding immediate settlement
How to verify before you act
Before paying anything or opening any attachment in response to an unsolicited legal notice:
- Do not open attachments under pressure: any file sent under urgent legal framing should be treated as a potential malware delivery vehicle until it can be independently verified. - Verify the law firm or body: search for the firm name online and check whether it is a registered, regulated entity (in the UK, check the SRA register; for US attorneys, check state bar registries). Many fake law firm names are unregistered or belong to legitimate firms whose names have been misused. - Consult your own legal advisor: forward the notice (not the attachment) to your own solicitor or a trusted legal contact for an independent assessment before responding or paying. - Examine the specific claim: any genuine copyright or IP claim should identify the specific content, the rights holder, and the basis for the claim in detail. Vague claims with no identifiable specific infringement are a warning sign. - Check your actual website and content: if you believe a genuine claim is possible, have your team check whether the specific content is present and licensed. - Never pay by cryptocurrency or to an unrecognised bank account in response to a legal threat: legitimate settlement payments are processed through verifiable legal channels.
Payment methods used
- Settlement payments
- Bank transfer
- Crypto
Who is usually targeted
- Businesses with websites
- Content publishers
- SMEs
What to do immediately
- Do not open any attachments in the notice — treat them as potential malware
- Do not pay any settlement under deadline pressure before verification
- Search for the law firm or body name on official regulatory registers to confirm whether it exists
- Forward the notice text (not the attachment) to your own legal advisor or a solicitor for assessment
- Report the email to your national cybercrime or phishing reporting service
- If an attachment was opened, immediately isolate the device and contact your IT team
How to prevent it
- Establish a policy that all legal correspondence — real or claimed — is routed to a designated person before any action is taken
- Train staff never to open attachments in unsolicited legal-threat emails without IT review
- Maintain a relationship with a commercial solicitor or legal helpline so you have a trusted source of advice for genuine queries
- Ensure all images and content on your website are properly licensed and documented
- Verify any law firm or body issuing a threat against official regulatory registers before responding
- Report phishing-style legal threat emails to your national cybercrime authority
- Do not let urgency framing override the time needed to verify a claim properly
Evidence to preserve
- The original email with full headers
- The notice document itself (do not open any attachments — preserve the file safely)
- Any payment records if a settlement was made
- Your own records showing the content referenced was properly licensed or does not exist on your site
- Screenshots of the sender's claimed law firm website if accessible
Where to report it
- Action Fraud (UK) — UK national fraud & cybercrime reporting centre
- FTC ReportFraud (US) — US Federal Trade Commission fraud reports
- FBI IC3 (US) — US Internet Crime Complaint Center
- Scamwatch (Australia) — Australian competition & consumer reporting
- Your bank's fraud line — Use the number on the back of your card or in your banking app — never a number the caller gives you
Always verify reporting routes and emergency contacts on the official government or agency website for your country.
Frequently asked questions
How should we handle a legal threat email?
Do not pay or open attachments under pressure. Verify the claimant against official legal registers. Forward the notice text to your own legal advisor. Genuine legal matters can be verified independently — threats demanding fast crypto or transfer payments with attachments to 'view the claim' are scams.
Could there be a real copyright infringement behind the notice?
Genuine copyright infringement claims do occur and should be taken seriously. However, legitimate claimants typically provide specific detail about the infringing content, do not demand payment by cryptocurrency within 72 hours, and do not send executable attachments. Have your own legal advisor assess whether the claim has any merit.
What should we do if we opened the attachment?
Immediately disconnect the device from your network and contact your IT security team or a cybersecurity professional. Report the incident to your national cybercrime authority. Have the device scanned for malware before it is reconnected or used again.
Is the settlement amount legally binding if we don't pay?
A demand for settlement has no legal binding force on its own. A genuine legal claim requires a court to adjudicate it. You are not obligated to pay a settlement amount stated in an unsolicited notice, and not paying does not automatically result in legal action.
Can a genuine law firm's name be misused in a scam?
Yes. Scammers sometimes use the names of legitimate law firms in fraudulent correspondence to add credibility. If a notice claims to be from a real firm, contact that firm directly through their publicly listed phone number to confirm whether the notice was genuinely sent by them.
We received a notice by post. Is it more likely to be genuine?
Post-based notices are used by both genuine claimants and scammers. A physical letter does not confirm legitimacy. Apply the same verification steps: check the firm's regulatory registration and consult your own legal advisor before paying.