Top Scams of 2025 Australians Are Still Falling For – Full Guide & Prevention Tips


Introduction — Why the con is still working
Australia is in a strange moment: public awareness of scams has never been higher, yet criminals keep finding ways to squeeze more out of fewer attempts. The headlines this year tell a mixed story. Reported losses fell sharply in 2024 after the National Anti-Scam Centre (NASC) ramped up coordination — but early 2025 data shows scammers extracting more per successful hit, even as total reports decline. National Anti-Scam Centre, Scamwatch, and Australian Broker News
And the playbook is evolving. Fraudsters now lean on AI to imitate voices, generate convincing emails, and run sophisticated “customer service” funnels that look like real companies. On the policy side, Australia passed a Scams Prevention Framework (SPF) in February 2025, imposing enforceable obligations on banks, telcos, and platforms to detect, disrupt, and report scams — a structural shift designed to push responsibility onto the services scammers abuse. Gilbert + Tobin, Australian Parliament House
This report cuts through the noise. We map the 10 scam categories still catching Australians in 2025, show how each con works, what’s changed, real-world patterns authorities are seeing, and practical steps you (and your family or business) can take today.
Australia’s 2025 snapshot — the numbers that matter
Losses fell in 2024: Combined data across Scamwatch, ReportCyber, the Australian Financial Crimes Exchange, IDCARE and ASIC shows reported losses dropped ~25.9% to about $2.0–2.03 billion and total reports fell 17.8% to ~494,732. That’s a big win for public-private disruption efforts. National Anti-Scam Centre, Scamwatch, and Accounting Times
But early 2025 is worrying: From January–April 2025, Australians lost nearly $119 million while reports fell ~24%, implying higher dollars per successful scam. Phishing losses are up sharply year-on-year. Australian Broker News, GadgetGuy, and Starts at 60
Demographic shifts: Older Australians still account for large losses; some communities (including First Nations) have seen rising harm, underlining the need for tailored education and controls. (See NASC’s Targeting Scams 2024 report for breakdowns.) National Anti-Scam Centre
What this means for you: Scam tactics are fewer but smarter. Expect more impersonation, better scripts, and slicker payment flows. The best defence is layered: technical hygiene + friction (MFA, allow-listing), verification habits, and a slow-down mindset.
1) Investment & “wealth” scams — still the biggest dollar losses
How the con plays out in 2025
Investment fraud continues to dominate total losses. The 2025 flavour combines glossy websites, “portfolio dashboards” that fake growth, and high-status imposters (bankers, fund managers, “ASIC-licensed” brokers) on WhatsApp/Telegram. Crypto and “green energy” pitches are persistent; so are “bond” and “term deposit” offers using cloned bank pages.
What’s new this year
Deep impersonation: SEO-poisoned ads that look like big-name banks; cloned landing pages; staff IDs; and even AI voice calls to “welcome” you after you register interest.
Phased deposits: small wins first (“withdrawals” paid from new deposits) to prime a larger transfer.
Regulatory camouflage: fake ASIC licences and sham AFSL numbers.
Red flags
Guaranteed returns; pressure to move funds quickly; requests to install remote-control software “for onboarding”; being moved off email to encrypted chat.
How to protect
Verify licences via ASIC Connect; cross-check bank offers on the official domain you type yourself.
Treat any “exclusive” offer as a red flag. If it’s real, it won’t vanish in an hour.
Keep large investments in accounts with out-of-band authorisation and a mandatory callback step to an independently sourced number.
2) Romance & “pig-butchering” hybrids — emotions + crypto funnels
The 2025 pattern
The relationship is the hook; the “investment opportunity” is the endgame. In February, the AFP publicised real romance-scam scripts on Valentine’s Day and highlighted a cross-border crackdown with Philippine authorities after syndicates targeted thousands of Australians — a reminder these aren’t lone wolves but industrial-scale operations. Australian Federal Police, AP News
Tactics to watch
AI-assisted profiles, “live video” that feels real, and convincingly routine schedules (“I’m on shift”, “bad Wi-Fi”).
Gradual money asks around an emergency, then a transition to “investment coaching” with a fake trading app.
Self-protection
Reverse-image search profile photos; insist on a real-time video call with specific gestures; never send money or crypto to someone you haven’t met.
If you’re being coached on a trading app, assume it’s a scam until your bank independently verifies the platform.
3) Phishing 2.0 — AI-written, QR-laced, and brand-perfect
What’s changed
The old giveaways (typos, clunky grammar) are disappearing. AI now creates on-brand, context-aware messages that mention your bank’s latest feature or a recent tax deadline. We’re seeing QR codes inside emails to dodge link filters; the QR takes you to a credential-harvesting page.
Common 2025 lures
“ATO refund / urgent tax notice”
“Australia Post — redelivery fee”
“Medicare card update”
“Account security — confirm device”
Minimise risk
Never scan a QR from an unexpected email or letter.
Type the service’s name yourself into the browser; use password managers (they won’t auto-fill on fake domains); enable MFA on everything.
4) Delivery & parcel scams — smaller fees, bigger payoffs
Why they persist
A $3.95 “redelivery” looks harmless. But the page collects card details and identity info; some campaigns then use that data to open accounts or pivot to “account compromised” calls.
2025 twist
Robocalls pretending to be couriers prompt you to “press 1” to schedule delivery — handing you to a live operator who harvests personal and payment data.
Play defence
Track parcels via the courier’s official site/app only.
Don’t pay fees from links; if a courier does charge, you’ll see it in your official account.
5) Job & recruitment scams — the remote-work mirage
The setup
You’re offered easy remote work, often “rate and review” tasks or “payment processing”, with upfront fees for “training” or “equipment”. The more polished version uses a real company’s name with a fake recruiter domain.
Guardrails
No legitimate employer asks for upfront money for training or software.
Verify job emails and domains; search “[Company] scam”, and phone the company’s switchboard.
6) Government & law-enforcement impersonation — now with cloned voices
The pressure cooker
ATO or AFP “officers” claim you owe money or your identity is linked to crime. AI voice cloning makes these calls sound terrifyingly real; the goal is to force instant payment or get remote access to your phone.
Break the script
Hang up. Call the agency using a number you look up yourself.
Government will not ask for crypto, gift cards, or remote-access installs.
7) Tech-support shakedowns — remote access and “refund” traps
The flow
A pop-up or phone call claims your device is infected; you’re guided to install remote-access software. Sometimes they “accidentally” send an over-refund and demand you return the difference.
Countermeasures
Close the browser; do not call pop-up numbers.
If you installed remote access, disconnect from the internet, uninstall the tool, change passwords on a clean device, and run a trusted AV scan.
8) Marketplace fraud — the buy/sell minefield
2025 patterns
Seller scams: deposits to “secure” an item; fake courier pickups; disappearing profiles.
Buyer scams: doctored payment confirmations; chargebacks after pickup; “overpayment” ploys.
Rental & ticket fraud: listings with stolen photos and impossible prices.
Safer trading
Meet in public safe-trade zones; use escrow/marketplace payments with buyer protection; never ship before money clears in your account (don’t trust screenshots).
9) Crypto wallet drainers — one click, zero balance
How it bites
Airdrops, “support” chats, or fake DeFi dashboards push you to connect your wallet. Malicious approvals silently grant unlimited spend permissions.
Reduce blast radius
Use a hardware wallet for meaningful funds; check and revoke token approvals periodically; bookmark official URLs; don’t paste seed phrases anywhere.
10) Business Email Compromise (BEC) — fewer hits, larger losses
The anatomy
Attackers lurk in mailboxes, study vendor cycles, then send “updated bank details” or rush a finance team with a wire request “from the CEO”.
Controls that work
MFA on email; payment change approvals with a phone verification to a known contact; DKIM/DMARC properly configured; least-privilege inbox rules.
What changed in law — the Scams Prevention Framework (SPF)
In February 2025, Parliament passed the Scams Prevention Framework. It’s a big shift: rather than leaving consumers to fend for themselves, the SPF places enforceable duties on the sectors scammers exploit most — banks, telcos, and digital platforms (including social and search). The framework enables designated codes, data-sharing and disruption requirements, with a two-tier civil penalty model for non-compliance. Analysts describe it as Australia’s first comprehensive, sector-wide anti-scam regime. Gilbert + Tobin, AustLII
Some media coverage highlighted potential fines up to $50 million for serious breaches and stronger checks like advertiser verification and payee identification. Industry groups broadly welcomed the move while acknowledging compliance lift. News.com.au, The Australian
What it means for you
Banks should roll out stronger payee confirmation and outbound alerts.
Telcos and platforms must step up scam ad detection, takedowns, and advertiser verification.
Expect more “friction by design” (e.g., warnings on first-time payees, delayed high-risk transfers).
Case focus — the romance-scam crackdown
On Valentine’s Day 2025, the AFP publicised real “rom-con” scripts used to target Australians and highlighted arrests tied to a Philippines-based syndicate that had targeted around 5,000 Australians, with losses reported in the tens of millions. The joint messaging aimed to break the scammers’ narrative and arm would-be victims with the exact lines they would hear next. Australian Federal Police, AP News
Lesson: These are industrial operations with call-centre-style scripts, quotas, and training. Treat any online relationship that pivots to money or investing as a high-risk scenario.
The 2025 playbook scammers are using (and how to beat it)
1) Speed & pressure
They push you to act before you can verify.
Your move: Build a personal rule: no decisions under pressure. If a deadline appears “tonight only”, it’s a red flag.
2) Authority & imitation
They impersonate brands, agencies, or executives; spoof caller IDs; replicate logos and email footers.
Your move: Verification via an independent channel (numbers you look up). Never return calls to numbers in messages.
3) Segmentation & scripts
Syndicates train staff to handle “senior”, “small business”, or “crypto-curious” personas with tailored lines.
Your move: Pre-commit to non-negotiables (e.g., never sending funds to a “new payee” without a callback).
4) Payment laundering
Money flows through mules, crypto ramps, and offshore accounts to frustrate recovery.
Your move: Prefer slower rails for large transfers (escrow, bank checks) and require second-person sign-off for business payments.
5) Infrastructure switching
Once you engage, they move you to encrypted chat (WhatsApp/Telegram) and remote-access tools.
Your move: Keep comms on official channels; never install remote access unless you initiated support with a known provider.
Practical protections — your personal checklist
For everyone
MFA on everything (banking, email, cloud storage).
Password manager + unique passwords; never reuse banking/email logins.
Device hygiene: auto-updates on; app stores only; no sideloading.
Browser hygiene: bookmark banks, ATO, courier portals; don’t search for login pages.
Payment hygiene: treat first-time payees and urgent transfers like hazardous operations — verify out-of-band.
For families
Shared safety plan: agree how you’ll verify emergencies (e.g., a family code word).
Elder support: set SMS spam filters; use call-screening; pre-install password managers; consider bank alerts to a trusted relative.
Teens: reinforce “no screenshots of IDs” and “no crypto coaching” from online friends.
For small businesses
Email hardening: MFA, conditional access, and alerting on inbox rule changes.
AP & vendor controls: a two-to-three-step payment change process and a “no exceptions” policy.
Separation of duties: the requester of a transfer cannot be the approver.
Bank tooling: ask your bank for payee-confirmation and high-risk transfer holds.
If you’re caught mid-scam — the 60-minute response plan
Kill the session: disconnect the device from the internet; if you installed remote access, uninstall it and shut down.
Call your bank immediately: ask for a freeze and fraud escalation; provide transaction IDs and the scam context.
Report:
Scamwatch (NASC/ACCC) — helps disruption and intelligence.
ReportCyber (AFP/ACSC) — for cybercrime aspects.
Secure accounts: from a clean device, change critical passwords (email first), then banking, social, cloud.
Collect evidence: screenshots, numbers, emails, wallet addresses.
Recovery: discuss chargebacks/recalls with your bank; consider IDCARE if identity information was exposed.
Category deep-dives — 2025 realities & fix-it steps
Investment scams: from high-yield bonds to “green tech”
Reality: Fake “term deposits” and “sovereign green bonds” are hot. Cloned bank pages solicit deposits to mule accounts.
Fix-it: Independently call the bank’s advertised number; don’t rely on links in ads. Keep large transfers in accounts with interlocks (dual approval, delay holds).
Romance + “coaching” hybrids
Reality: Long-game grooming leads to “mentorship” on a fake platform that shows rising balances.
Fix-it: If someone you met online introduces an investment, stop. Call your bank’s fraud team before any transfer.
Phishing
Reality: Brand-perfect emails and texts; QR codes in letters.
Fix-it: Use official apps (myGov, bank apps). Password managers block most fake domains because they won’t auto-fill.
Delivery/parcel
Reality: Fee pages that harvest card + identity; robocalls that transfer you to agents.
Fix-it: Track parcels in official apps; never pay fees from a link.
Jobs/recruitment
Reality: “Remote evaluator” roles; upfront equipment costs; fake recruiter domains.
Fix-it: Look up the recruiter on LinkedIn and the company switchboard; refuse any role requiring upfront payments.
Government/AFP imposters
Reality: AI voices; case numbers; threats of arrest or account freeze.
Fix-it: Hang up. Call the agency’s main number listed on .gov.au.
Tech-support
Reality: Pop-ups that lock the screen; “over-refund” scams.
Fix-it: Force-quit the browser; call your device maker via the number on their official site.
Marketplace
Reality: Deposits to “hold” items; fake courier pages; doctored bank confirmations.
Fix-it: No deposits; cash or protected methods in person; verify funds cleared in your account.
Crypto drainers
Reality: Malicious approvals buried in airdrop sites.
Fix-it: Hardware wallet; use revoke tools; treat every “connect wallet” like a financial contract (because it is).
BEC
Reality: Quiet mailbox rules; vendor bank detail swaps just before invoice due.
Fix-it: Payment-change call-backs and allow-list known beneficiaries; DMARC enforcement.
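The BEC controls above ask for DMARC to be "properly configured" and enforced; a record that exists but says p=none only monitors spoofed mail and blocks nothing. The following Python check is an added example, not part of the original report. The domains and records in it are constructed samples; in practice the record is the TXT value published at _dmarc.<your domain>.

```python
# Added example: checks whether a DMARC TXT record actually enforces a policy.
# The domains and records below are constructed samples, not real data.
ENFORCING = ("quarantine", "reject")

SAMPLES = {
    "monitor-only.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor-only.example",
    "partial.example": "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@partial.example",
    "weak-subdomains.example": "v=DMARC1; p=reject; sp=none; rua=mailto:dmarc@weak-subdomains.example",
    "enforced.example": "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc@enforced.example",
    "spf-only.example": "v=spf1 include:_spf.example.net -all",  # not DMARC at all
}


def parse_dmarc(txt):
    """Split a DMARC TXT value into a {tag: value} dict; ValueError if it is not DMARC."""
    parts = [p.strip() for p in txt.strip().strip('"').split(";") if p.strip()]
    # The version tag must come first and must be exactly DMARC1.
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        raise ValueError("not a DMARC record (v=DMARC1 must be the first tag)")
    tags = {}
    for part in parts:
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess(txt):
    """Return a list of weaknesses; an empty list means the policy is enforcing."""
    try:
        tags = parse_dmarc(txt)
    except ValueError as err:
        return [str(err)]
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ENFORCING:
        findings.append(f"p={policy or 'missing'}: spoofed mail is reported, not blocked")
    sp = tags.get("sp")  # subdomain policy; inherits p when absent
    if sp is not None and sp.lower() not in ENFORCING:
        findings.append(f"sp={sp}: subdomains can still be spoofed")
    pct = tags.get("pct", "100")  # share of failing mail the policy applies to
    if not pct.isdigit() or int(pct) < 100:
        findings.append(f"pct={pct}: policy applies to only part of failing mail")
    if "rua" not in tags:
        findings.append("no rua: nobody receives aggregate reports")
    return findings


if __name__ == "__main__":
    for domain, record in SAMPLES.items():
        findings = assess(record)
        print(domain, "->", "enforcing" if not findings else "; ".join(findings))
```

An enforcing DMARC policy protects only mail that spoofs your exact domain, so the payment-change call-back is still needed for look-alike domains and compromised vendor mailboxes.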
What the 2025 data tells us (and how to use it)
Fewer reports, higher dollars per hit: Early 2025 data (Jan–Apr) shows nearly $119 million lost with 24% fewer reports, so campaigns are more targeted and persuasive. Expect more impersonation and scripted phone funnels. Australian Broker News, GadgetGuy
2024’s drop is real but fragile: The NASC’s 2024 report credits coordinated disruption and data-sharing for a ~26% fall in reported losses and ~18% fewer reports. Keep the pressure up — report every attempt. National Anti-Scam Centre, Accounting Times
Law is shifting incentives: The SPF adds penalties and duties for banks, telcos, and platforms. Consumers should see more pre-transaction warnings, stronger advertiser verification, and scam-ad takedowns. Gilbert + Tobin, News.com.au
Romance syndicates are industrial: AFP’s Valentine’s Day push showed large-scale scripts and cross-border arrests; awareness + verification are still the best shield. Australian Federal Police, AP News
Quick tools & habits that neutralise most scams
Bank features: enable payee confirmation, high-risk transfer warnings, and SMS/email alerts for new payees.
Email security: turn on advanced phishing protection; watch for new inbox rules; enable MFA.
Password manager + MFA: this combo blocks the majority of credential-theft cascades.
“Out-of-band” verification: for any payment, change request, or “urgent” notice, verify via a second channel you look up yourself.
Family code word: decide a phrase known only to your household for emergencies.
Report, even if you didn’t lose money: your report helps NASC/ACCC disrupt active campaigns. National Anti-Scam Centre
Frequently asked “is this legit?” scenarios (2025 edition)
“ATO text about a refund with a link.”
Ignore the link. Log in to myGov by typing the URL or using the app. If there’s a refund, it’ll be there.
“Courier fee to reschedule delivery.”
Go to the courier’s official site/app. If the parcel exists, you’ll see it without using a link in a text.
“Bank called me about suspicious activity and wants me to move funds to a safe account.”
Hang up and call the bank via the number on the back of your card. Banks do not ask you to move money to “safe accounts.”
“A recruiter asked me to pay for onboarding.”
Legitimate employers don’t charge applicants. Decline and report.
“A new supplier sent updated bank details.”
Call the contact you already know using a number from your vendor file, not the email signature.
Where to report and get help (Australia)
Scamwatch / NASC — central reporting and education hub. National Anti-Scam Centre
ReportCyber (AFP/ACSC) — report cybercrime incidents.
Your bank — fraud/dispute team for card and bank transfers.
IDCARE — support for identity compromise.
State/Territory Police — for immediate threats or if you’ve transferred funds.
Conclusion — staying ahead in 2025
You don’t need to outsmart every scammer; you just need to add enough friction that the con collapses. The combination of MFA + password manager + call-back verification stops most high-impact attacks cold. Layer on slow-down habits (“sleep on large transfers”), keep software up to date, and report every attempt to help the ecosystem block repeat offenders.
Australia’s Scams Prevention Framework is pushing the burden toward the services scammers exploit. That’s progress. But your habits are still the first and last line of defence. Treat urgency as a red flag, verify claims via a channel you control, and never feel pressured into a payment you didn’t plan to make.
Stay sceptical. Stay kind to yourself if you get spooked. And remember: real opportunities survive verification; scams don’t.
Notes on sources used in this report
NASC / ACCC “Targeting Scams 2024” report (March 2025) — core statistics and trends for 2024, including the ~26% drop in reported losses and ~18% drop in reports. Scamwatch, National Anti-Scam Centre, Accounting Times
Early-2025 loss data (~$119 m Jan–Apr, reports down ~24%) — multiple outlets summarising NASC/Scamwatch updates. Australian Broker News, GadgetGuy, Starts at 60
Scams Prevention Framework (SPF) — bill passage and implications. Gilbert + Tobin, Australian Parliament House, AustLII
AFP Valentine’s Day campaign / romance-scam syndicate — media release and coverage. Australian Federal Police, AP News
“CyberShield Academy © 2025. All rights reserved.”