Ruthless scammers posing as would-be saviours are tapping into brazen new techniques to drain the banking and cryptocurrency accounts of everyday Australians.
The Joint Policing Cybercrime Coordination Centre (JPC3), which draws on banking industry intelligence, is lifting the lid on the bold tactics used at every step of the scamming playbook.
These range from trying to replicate the hold music used by banks to audacious tag-team conversations that concurrently call banks and victims to bypass security checks.
In an extreme example, one victim lost $350,000 in cryptocurrency in 18 hours, equating to $324 every minute. This occurred after the scammer posed as a representative of a crypto ledger company and told the victim their ledger had been compromised.
And this technique of scammers posing as would-be saviours is increasingly being seen in the policing and banking sectors.
In 2025, Australians reportedly lost $97.6 million to phishing scams, which includes victims of bank impersonation scams. This was up from $84.5 million reportedly lost in 2024.*
Phishing occurs when scammers impersonate trusted people or organisations, such as banks, financial advisors, CEOs or law enforcement, and use phishing tactics to deceive victims into handing over personal information.
AFP Detective Superintendent Marie Andersson said scammers were extremely tech savvy, adaptable and ruthless, particularly when it came to presenting as helpful voices of authority.
"Scammers approach victims armed and ready using secure information such as their name, date of birth, account details, and bank balances, acquired through previous cyber-attacks or data breaches," Det-Supt Andersson said.
"This allows scammers to build trust and legitimacy with their victim and acquire additional information or access to complete their scam.
"We are also seeing scammers acquire this information in real-time by working in pairs. One scammer will contact a bank and pretend to be the victim, while concurrently, another scammer is calling the victim and pretending to be a representative of the banking provider.
"Using information they gain through both conversations, they can then bypass security checks and create 'proof' that seems credible.
"We want to encourage victims to report these scams - remember scams can affect anyone and you should not feel shame or embarrassment about reporting it."
Common narratives used in bank impersonation scams to get victims to act quickly include:
- Pending unauthorised payments which can only be reversed or cancelled once banking details or codes are shared;
- Locked bank accounts that can only be unlocked if you act now;
- New payees added to your bank account; and
- Compromised devices or accounts where money or cryptocurrency needs to be moved to a 'safe account' to be protected.
Once scammers have got your attention, they may:
- Send one-time passwords and ask you to verify the code;
- Request your banking passwords or personal details to verify your identity;
- Request remote access to your computer;
- Ask you to approve transactions in the bank's app;
- Ask you to withdraw cash from the bank and for a courier to collect for safekeeping;
- Ask you to open new accounts, move money to a "safe account" or another bank; and
- Ask you to make payments via a "bank-linked" or socially engineered platform.
Detective Superintendent Andersson said recognising the warning signs early and refusing to act under pressure was the best defence against bank impersonation scams.
"Cold contact from a banking provider via call, text or email, combined with an extreme pressure to act quickly and hand over personal information, should be treated as a potential scam," Det-Supt Andersson said.
"Pause and consider the veracity of the request. If in doubt, hang up and call the banking institution's official phone number, which can be found on their website, your banking card, or app.
"If you believe you have been targeted, contact your bank immediately so they can secure your accounts and change your online banking password.
"Never login via online banking links sent through email or text, or share your passcodes or passwords over email, text or phone.
"We understand that the threat of losing any money is scary, but what is scarier is actually losing money, sometimes even life savings, to a scammer."
Commonwealth Bank Executive General Manager of Group Fraud and Scams, James Roberts, said impersonation scams were becoming more advanced, with criminals using sophisticated techniques to appear legitimate.
"Scammers are getting better at sounding convincing, but there are a few simple things to remember that can help keep you safe," Mr Roberts said.
"Banks won't rush you - and we will never ask you to share passwords, PINs or one-time codes, or move money to a 'safe account'.
"If you bank with us and get a call you're unsure about, stop, hang up and contact your bank using the number on your card or message us securely in the app. Do not call back the number that contacted you or any number from a suspicious SMS or email."
To help Australians spot the warning signs and navigate online banking more safely, the JPC3 has launched 'ClickFit: Impersonation Scams' , a national cybercrime awareness campaign supported by law enforcement across the country.
ClickFit encourages Australians to build simple habits into their online routine to protect their personal information, bank accounts and money from cybercriminals.
Get ClickFit in six simple steps:
- Stop, think before you click
If you get a call, text or email purporting to be from your "bank", pause before you act. Real banks won't rush or pressure you.
- Check with official bank sources
Don't trust unexpected contact. Contact your bank using their official app, website or number on your card.
- Protect your codes and passwords
Your bank will never ask you to disclose an OTP, password, or PIN over the phone.
- Never move money
Banks will never ask you to move money to a "safe account". If asked - stop and contact your bank.
- Secure your accounts
Use strong passphrases and multi-factor authentication (MFA). Keep your devices updated.
- Report immediately to bank
If something feels off - act fast. Report it to your bank immediately. Have you lost money? Report it to police at cyber.gov.au/report.
Case study 1 - moving money to 'safe accounts'
- Victim received an automated call saying their debit card had been charged $3890 for train tickets.
- They had to press 1 to accept or 2 to reject the payment.
- They selected 2 and the line was redirected. The person who answered told the victim to ring the bank's fraud section, and provided a mobile number which the victim called.
- The person who answered said to prevent theft, they would set up special bank accounts to keep the money safe.
- The victim transferred $156,000 into bogus bank accounts.
- The victim also gave the scammer access to her computer after being told they wanted to check if it had a virus.
Case study 2 - fake hold music
- Victim was contacted by a scammer purporting to be from a bank's fraud team.
- Scammer said there was suspicious activity in a business bank account and asked the victim to verify personal and banking details (which they already had) and provide the pin.
- Scammer said the card would have to be cancelled and reissued and the customer registration number (CRN) would need to be changed. They also said that due to malware, the bank's app should be deleted and reinstalled, and that they would text a code to verify the new CRN.
- The victim was placed on hold several times to verify other transactions and became suspicious as the hold music was different to the usual tune they knew.
- The victim hung up and called the bank through their main number, however, by then, $197,000 had already been transferred out of the accounts.
- The victim attended a branch the following day to verify their identity and regain access to the accounts.
- The matter is being investigated by the bank but it's uncertain if the funds will be returned.
Case study 3 - crypto wallet
- Victim received an email saying their email address was exposed in a data breach.
- Later that day, they received two calls from an unknown Australian number from a person with a British accent purporting to be from the crypto company the victim's ledger was from.
Risk Warning: Cryptocurrency is a unregulated virtual notoriously volatile instrument with a high level of risk. Any news, opinions, research, data, or other information contained within this website is provided for news reporting purposes as general market commentary and does not constitute investment or trading advice.
