Independent publication · Not affiliated with, endorsed by, or representing Victoria Police.

Cyber crime in Victoria: the scams costing Victorians the most

Scams are now the single largest category of crime by volume affecting Victorian households, and by some measures the largest by total financial loss. The traditional crime story — the burglary, the assault, the stolen car — is still with us, but the steady, grinding background noise of fraud and cyber-enabled offending has overtaken every other category for sheer reach. Most Victorians have either been targeted or know someone who has.

This is our plain-English guide to the scams costing Victorians the most, what the National Anti-Scam Centre data is showing, and what to do if you have already lost money.

The data we have, and what it does not capture

The headline source is the National Anti-Scam Centre (NASC), which sits inside the Australian Competition and Consumer Commission and publishes the Targeting Scams report each year, drawing on data submitted to Scamwatch, ReportCyber, IDCARE, the major banks and a growing list of digital platforms.

The 2024 Targeting Scams report recorded combined reported losses of around 2.74 billion dollars across Australia, down from 3.1 billion the previous year. That decline is the first in years, and the NASC attributes it to a combination of bank-level interventions, platform takedown work and public awareness. Victorian households accounted for a substantial share of those losses.

The figure is also a floor. Scamwatch reporting is voluntary, and the under-reporting in this category is enormous — embarrassment, the cost of going through a formal report process and the perception that nothing will be recovered all keep the recorded losses below the actual losses.

Investment scams

By dollar value, investment scams are consistently the largest single category in the NASC data. The pattern has been remarkably stable for several years. The victim sees an advertisement, often on social media, often using the face and voice of a recognisable Australian public figure who has nothing to do with the offer. They click through, fill in a form, and are contacted by a polished ‘account manager’ who walks them through opening an account on what appears to be a legitimate trading platform.

The platform is fake. The early returns shown on the dashboard are fake. The pressure to top up the investment is high. By the time the victim attempts to withdraw, the platform has stopped responding or is asking for ‘tax payments’ before withdrawal can be processed. The funds are typically gone within 24 hours of being deposited, moved through cryptocurrency exchanges offshore.

The Australian Securities and Investments Commission maintains a public list of unlicensed entities and known scam websites. If you are considering an investment offer that came to you unsolicited, our team’s standing advice is to assume it is a scam until you can verify the entity against ASIC’s register.

Romance scams

Romance scams are smaller in absolute number than investment scams but produce some of the most devastating individual losses, and the harm extends well beyond the financial. The offender builds a relationship over weeks or months, almost always entirely online, almost always involving someone who claims to be working overseas in a profession that explains why they cannot meet in person. Eventually a financial crisis is introduced — a medical emergency, a stuck container, a customs fee, a delayed inheritance — and the requests for money begin.

What makes romance scams particularly hard is that even after the victim recognises the pattern, the emotional attachment can persist. NASC data has consistently shown that older Australians, particularly those who are widowed or divorced, are over-represented in this category. The financial loss is often a second wound on top of the emotional one.

Remote-access scams

Remote-access scams are the modern descendant of the ‘Microsoft tech support’ calls of the early 2010s. The script has evolved, but the mechanism is the same. The victim is contacted — by phone, by pop-up, by email — and told there is a security problem with their computer or with their bank account. They are walked through installing remote-access software (AnyDesk, TeamViewer or similar). Once the offender has control of the device, they log into internet banking and move funds out, sometimes in front of the victim’s eyes.

No legitimate bank, no legitimate government department and no legitimate IT company will ever ask you to install remote-access software in response to an unsolicited contact. If you have ever installed such software at the request of someone who called you, treat your accounts as compromised and contact your bank’s fraud line immediately.

Business email compromise

Business email compromise (BEC) is the highest-loss category for Australian small and medium businesses, and Victoria’s exposure is significant because of the size of the state’s SME sector. The mechanism is simple. An offender obtains access to a business email account, usually through a phishing email earlier in the chain, and watches the inbox. When an invoice is about to be paid, they intercept it and substitute their own bank account details, sometimes by sending a forged ‘updated bank details’ email from the supplier’s real address.

The funds go out on the next pay run. The supplier follows up weeks later wondering where the payment is, and only then does the breach become apparent. Recovery rates on BEC funds are low because the money usually leaves the country within hours.

The defences are unglamorous: multifactor authentication on every business email account, a written policy that bank details are never updated by email alone, and a phone call to verify any change of payment details using a number you have on file from before the change request.

MyGov and government-impersonation phishing

MyGov phishing is one of the most prolific scam types Victorians see, partly because almost every working-age Victorian uses MyGov for tax, Medicare or Centrelink purposes. The text message or email tells the recipient that there is a new message in their MyGov inbox, that their tax return is on hold, or that they are owed a refund. The link goes to a near-perfect imitation of the MyGov login page. The credentials harvested there are then used to lodge fraudulent tax returns, redirect Centrelink payments or compromise linked banking.

The Australian Taxation Office and Services Australia both publish that they will never send a link in an SMS to log in. If you receive a message that includes a login link, treat it as suspicious. Open MyGov by typing my.gov.au into your browser yourself.

What to do if you have been scammed

If money has just left your account, the order of operations matters and the first hour is the most important.

  1. Call your bank’s fraud line immediately. Every major Australian bank now has a 24/7 fraud line. The faster you call, the higher the chance the bank can recall the transaction or freeze the destination account.
  2. Change your passwords on the affected accounts, starting with email, then internet banking, then anything reusing the same password.
  3. Report to Scamwatch at scamwatch.gov.au. The report feeds into the National Anti-Scam Centre and into the bank-led disruption work.
  4. Report to ReportCyber at cyber.gov.au if there has been a cyber-enabled element — account takeover, malware, ransomware. ReportCyber routes the report to the police agency with jurisdiction.
  5. Contact IDCARE on 1800 595 160 if any identity documents have been compromised. IDCARE is the national identity and cyber support service and is free for individuals.
  6. If you have lost a substantial sum and the offender appears to be in Australia, you can also report to Victoria Police via 131 444 or your local station for a state-level investigation.

The hardest single piece of advice we give in this space is the simplest: tell someone. Scams of every kind rely on the victim’s isolation and embarrassment. The faster the loss is shared with a bank, with a family member, with IDCARE or with Scamwatch, the more options remain.

To report a scam, visit scamwatch.gov.au. For identity recovery support, contact IDCARE on 1800 595 160. To report a cyber incident, visit cyber.gov.au. If a scam has caused significant emotional distress, Lifeline is available on 13 11 14 and Beyond Blue on 1300 22 4636. In an emergency call 000.

Mei Calloway

Mei Calloway writes our community safety, road safety and family violence coverage. She is a former social worker and brings a community-first lens to every story. Mei is particularly interested in prevention programs, harm reduction and the lived experience of victim-survivors.

Important notice. Victoria Crime News is an independent news and commentary publication. We are not Victoria Police, are not affiliated with Victoria Police, and do not represent the views of Victoria Police, the Victorian Government, or any law-enforcement agency. For official information, statements or operational matters please visit police.vic.gov.au. In an emergency call 000. To report a crime confidentially call Crime Stoppers on 1800 333 000.