by the8472
1978 days ago
In my experience people don't outright lie about these things, they sell a piggy bank as Fort Knox. E.g. someone running an automated vulnerability scanner that may not even be entirely appropriate for the application being scanned could be considered a pen test or perhaps OWASP mitigation. TOTP software authenticator on the same machine as the password safe? Totally 2FA. Security training for employees? Some mind-numbing videos of a consultant reading the OWASP list from 2011 over some PowerPoint slides and mentioning some buzzwords, employees self-certify having watched these videos.