Tags: Legal Sector Security · Brazil · Fraud Prevention · LGPD · Identity Protection

The “False Lawyer” Scam Is Exploding Across Brazil. Here's What Law Firms Should Actually Be Doing About It.

Chris McDonald

CEO, Stealth Cyber · Advanced Red Team & AI Credentials · 23 April 2026

Over 2,600 cases by August 2025. A 408% increase in cybercrimes since 2018. Organised criminal groups running the operation across state lines.

The golpe do falso advogado (false lawyer scam) is no longer an emerging threat in Brazil. It's an epidemic. And while Congress scrambles to legislate and the OAB publishes awareness cartilhas, the real question remains unanswered: what are law firms doing to protect their own infrastructure from being weaponised against their clients?

Key figures: 2,600+ cases by August 2025; a 408% increase in cybercrimes since 2018; 4 to 8 years' imprisonment under Bill 4709/2025.

How the Scam Actually Works

The mechanics are straightforward and devastating.

Criminal groups scrape Brazil's public electronic court systems (PJe) to harvest real case data: client names, case numbers, claim values, and the names of representing lawyers. Armed with this information, they contact victims, usually via WhatsApp, posing as the victim's lawyer or a member of their legal team.

The impersonation is convincing. Scammers use real profile photos pulled from OAB registrations and social media. They reference accurate case details. They send forged documents complete with Republic crests, court letterheads, and fabricated judicial orders. Some operations have been found using AI-generated audio and deepfake video to mimic lawyers' voices and appearances.

The hook is always the same: “Your case has been decided in your favour. Funds are ready for release. You just need to pay a fee to unlock them.”

The fee is requested via PIX, Brazil's instant payment system. The transfer is irreversible. The money is immediately scattered across mule accounts and disappears.

Victims are disproportionately elderly and vulnerable. But the scam doesn't only harm them. It directly damages the credibility and reputation of the lawyers and firms being impersonated.

The Legislative Response

In March 2026, Brazil's Câmara dos Deputados approved Bill 4709/2025, which makes the false lawyer scam a standalone criminal offence under the Penal Code. The bill, developed with technical input from the OAB, introduces three new criminal provisions:

Fraudulent electronic impersonation of a legal professional carries 4 to 8 years' imprisonment plus fines, with aggravating factors for interstate operations or multiple victims.

Illegal practice of law with fraudulent intent adds a separate offence for those impersonating lawyers without OAB registration.

Unauthorised use of court system credentials criminalises the misuse of electronic access to judicial systems.

The bill also mandates measures to restrict mass scraping of court data and establishes fast-track procedures for blocking PIX transfers when a scam is identified. A National Registry of Electronic Fraud Convictions is also part of the package.

The bill still requires Senate approval. But the direction is clear: compliance expectations for firms handling judicial data are about to increase significantly.

Why This Is a Cybersecurity Problem, Not Just a Fraud Problem

The conversation around the golpe do falso advogado has focused almost entirely on consumer awareness: “Don't trust unexpected WhatsApp messages. Call your lawyer directly. Never pay via PIX without verification.”

That advice is correct. It's also insufficient.

The root of this scam is a data security problem. Criminals are accessing, aggregating, and weaponising information that originates from or passes through law firm systems. Public court records provide the initial data, but the level of sophistication in many operations — including the use of accurate internal case details, forged documents matching real firm letterheads, and cloned communication styles — suggests that data leakage from firm systems may be contributing to the problem.

Law firms in Brazil, particularly in Brasília where government relations and regulatory work generates highly sensitive client data, face a compound risk:

Client data exposure. If a firm's email, case management system, or document storage is compromised, criminals gain access to far more detailed information than public court records alone provide. The more accurate the scam, the higher the conversion rate.

Credential theft. Infostealer malware (RedLine, Meta Stealer, Lumma) is rampant in Brazil. Stolen session tokens and credentials can give attackers direct access to court filing systems (PJe) using legitimate lawyer credentials — a vector that Bill 4709/2025 now specifically criminalises.

Domain and identity spoofing. Without proper email authentication (DMARC, DKIM, SPF), criminals can send emails that appear to originate from the firm's domain. WhatsApp impersonation is harder to prevent technically, but firms can establish verified communication channels and educate clients proactively.

Reputational cascading. When a client is scammed using a firm's name and case data, the firm's reputation suffers regardless of whether the firm was technically breached. The perception of negligence is enough to erode trust.

Compound Risk Factors for Law Firms

Risk factor and its consequence:

Public court data scraped from PJe: provides the initial attack intelligence.
No DMARC/DKIM/SPF enforcement: enables domain spoofing.
Infostealer malware on endpoints: harvests PJe credentials and session tokens.
Unmonitored case management systems: leak internal case details.
No client communication protocol: victims cannot verify legitimacy.

What Law Firms Should Actually Implement

Consumer-facing advice tells victims to verify. Firm-facing security tells lawyers to prevent. Here's what that looks like in practice:

Endpoint detection and response. Every device that accesses court systems or client data needs monitored endpoint protection. Not just antivirus. Managed detection and response that catches credential theft, lateral movement, and data exfiltration before it results in downstream fraud.

Email authentication and impersonation protection. DMARC enforcement at p=reject, SPF, and DKIM properly configured across all firm domains. This doesn't stop WhatsApp impersonation, but it closes the email vector entirely and protects the firm's domain reputation.
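The DMARC and SPF records a firm publishes in DNS are what an attacker's spoofed email is tested against, so "properly configured" is worth checking mechanically. The script below is an added example written for this article, not Stealth Cyber's tooling: it parses DMARC and SPF TXT records and flags the settings that leave a domain open (p=none or p=quarantine, pct below 100, a weaker subdomain policy, no aggregate-report address, a soft-fail or missing "all" mechanism, too many DNS lookups). The records are constructed sample values with placeholder domains (firm.example, _spf.example-mailhost.invalid); in practice they would come from the _dmarc.<domain> and <domain> TXT lookups. DKIM is deliberately left out, since a DKIM signature can only be verified against a signed message, not from the DNS record alone.

```python
"""Evaluate the enforcement strength of a domain's DMARC and SPF records.

Added example for this article, not part of the original page or of any
vendor tool. Sample records below are constructed; real ones would be fetched
from DNS (TXT at _dmarc.<domain> for DMARC, TXT at <domain> for SPF).
"""
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Finding:
    severity: str  # "high", "medium" or "low"
    message: str


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split a DMARC record ("v=DMARC1; p=reject; rua=...") into a tag dict."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str) -> List[Finding]:
    """Flag DMARC settings under which spoofed mail is not rejected."""
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return [Finding("high", "no valid DMARC record (v=DMARC1 missing)")]
    findings: List[Finding] = []
    policy = tags.get("p", "").lower()
    if policy != "reject":
        findings.append(Finding("high", f"policy is p={policy or 'missing'}; spoofed mail is not rejected"))
    # pct defaults to 100; anything lower lets a share of failing mail through.
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(Finding("medium", f"pct={pct}: policy applied to only {pct}% of failing mail"))
    # Subdomain policy defaults to p; an explicit weaker sp= re-opens subdomains.
    sp = tags.get("sp", policy).lower()
    if sp != "reject":
        findings.append(Finding("medium", f"subdomain policy sp={sp}; subdomains can still be spoofed"))
    if "rua" not in tags:
        findings.append(Finding("low", "no rua= address: aggregate reports on who sends as you are not collected"))
    return findings


def assess_spf(record: str) -> List[Finding]:
    """Flag SPF records that do not fail unknown senders or that exceed the lookup limit."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return [Finding("high", "no valid SPF record (v=spf1 missing)")]
    findings: List[Finding] = []
    all_terms = [t for t in terms[1:] if re.fullmatch(r"[+\-~?]?all", t.lower())]
    if not all_terms:
        findings.append(Finding("high", "no 'all' mechanism; unknown senders are implicitly neutral"))
    else:
        last = all_terms[-1]
        qualifier = last[0] if last[0] in "+-~?" else "+"
        if qualifier == "+":
            findings.append(Finding("high", "+all: any host may send as this domain"))
        elif qualifier in "~?":
            findings.append(Finding("medium", f"{last}: soft fail/neutral; rejection relies on DMARC"))
    # RFC 7208 allows at most 10 DNS-lookup mechanisms/modifiers per evaluation.
    lookup_re = r"[+\-~?]?(include:|a\b|a:|mx\b|mx:|ptr|exists:|redirect=)"
    lookups = sum(1 for t in terms[1:] if re.match(lookup_re, t.lower()))
    if lookups > 10:
        findings.append(Finding("high", f"{lookups} DNS-lookup terms exceed the limit of 10; SPF yields permerror"))
    return findings


# Constructed sample records: a weak configuration beside the hardened one.
WEAK_DMARC = "v=DMARC1; p=none; pct=50"
WEAK_SPF = "v=spf1 include:_spf.example-mailhost.invalid ~all"
HARDENED_DMARC = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc-reports@firm.example; adkim=s; aspf=s"
HARDENED_SPF = "v=spf1 include:_spf.example-mailhost.invalid -all"


def enforcement_summary(dmarc: str, spf: str) -> str:
    """Return "enforced" when no high-severity finding remains, otherwise "open"."""
    findings = assess_dmarc(dmarc) + assess_spf(spf)
    return "open" if any(f.severity == "high" for f in findings) else "enforced"


if __name__ == "__main__":
    for label, dm, sp in (("weak", WEAK_DMARC, WEAK_SPF), ("hardened", HARDENED_DMARC, HARDENED_SPF)):
        print(f"[{label}] {enforcement_summary(dm, sp)}")
        for f in assess_dmarc(dm) + assess_spf(sp):
            print(f"  {f.severity:6} {f.message}")
```

Run against the two sample pairs, the weak configuration is reported as "open" (p=none is the high-severity finding, with pct, subdomain policy and missing rua as lesser ones) and the hardened pair as "enforced". The same checks can be pointed at a firm's real records once fetched from DNS, and re-run after every domain or mail-provider change.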

Security awareness training. Staff need to recognise phishing, social engineering, and credential harvesting attempts. Partners and associates with PJe credentials are high-value targets. Training should be continuous, not annual.

Multi-factor authentication on everything. Court system access, email, case management, document storage, and financial systems. Hardware tokens or authenticator apps, not SMS. Session token theft is a known vector in Brazilian credential-stealing campaigns.

Dark web and credential monitoring. Proactive monitoring for firm email addresses, lawyer credentials, and OAB registration numbers appearing in leaked databases and dark web marketplaces.

Client communication protocols. Establish and publicise verified communication channels. Tell clients explicitly: “We will never request payment via WhatsApp or PIX. If you receive such a request, contact us at [verified number].” Put it on your website, in your engagement letters, and in your email signatures.

Incident response planning. When (not if) your firm's identity is used in a scam, you need a documented process: client notification, OAB reporting, law enforcement engagement, and evidence preservation. Having this plan ready is the difference between a controlled response and a reputational crisis.

The LGPD Dimension

Brazil's General Data Protection Law (LGPD) adds a regulatory overlay to this entire problem. The ANPD was elevated to full regulatory agency status in 2025, and its enforcement posture has shifted from advisory to punitive. Firms that fail to implement adequate technical and administrative measures to protect personal data face fines of up to 2% of revenue (capped at R$50 million per violation), public disclosure of infractions, and potential suspension of data processing activities.

A law firm that is found to have inadequate security controls, resulting in client data being used in fraud operations, faces both LGPD exposure and civil liability under Brazil's consumer protection framework.

The forthcoming Cybersecurity Legal Framework (Bill 4752/2025) will add further obligations, including mandatory cybersecurity compliance for entities participating in public procurement — a space where Brasília law firms are deeply embedded.

Key figures: maximum LGPD fine of 2% of revenue; cap of R$50M per violation; ANPD elevated to full agency status in 2025.

The Uncomfortable Reality

Most mid-market law firms in Brazil do not have a dedicated cybersecurity function. Many rely on general IT support providers who manage infrastructure but do not actively monitor for threats, conduct security assessments, or maintain incident response capabilities.

The golpe do falso advogado is a symptom. The underlying condition is that law firms hold some of the most sensitive data in any professional services sector, and the security posture of most firms does not reflect that responsibility.

The firms that address this now — before a breach or a regulatory enforcement action forces their hand — will be the ones that maintain client trust and competitive advantage as Brazil's regulatory environment continues to tighten.

Protect Your Firm Before You're the Next Target

Stealth Cyber works with law firms and professional services organisations to implement the security controls that actually prevent credential theft, data leakage, and identity impersonation. From endpoint detection to LGPD compliance — we build security postures that hold up under scrutiny.