Cybercrime is no longer a niche beat. It is one of the largest reported crime categories in Victoria, and the financial losses now sit on the same scale as a small state budget line item. Our newsroom has spent the first quarter of 2026 tracking what changed, what stayed the same, and what victims are running into when they try to get help.
The headline number from the National Anti-Scam Centre’s most recent annual report is that Australians lost $2.18 billion to scams in 2025, a rise of around 7.8 per cent on the previous year, even as overall report volumes stabilised. Victoria’s share of those losses has historically tracked the state’s share of national population, which puts Victorian losses comfortably above $500 million for the year.
What Australians are losing money to in 2026
The composition of scam losses tells you where the criminal economy is concentrating effort. According to the National Anti-Scam Centre, the top categories by dollar value in 2025 were:
- Investment scams — around $837 million in reported losses
- Payment redirection scams — around $166 million
- Romance scams — around $140 million
- Phishing scams — around $97 million
- Remote access scams — around $70 million
Investment scams alone are now larger than every other category combined. Mei Calloway has been talking to Victorian victims for the better part of two years and the pattern is consistent. The bait is no longer a cold call from someone with an obvious accent and a bad script. It is a polished website, a fake celebrity endorsement on a social platform, a deepfake video, and a chat thread that runs for weeks before any money moves.
Where the data actually comes from
One of the things that has improved through 2025 and into 2026 is the consolidation of reporting. The National Anti-Scam Centre, sitting inside the Australian Competition and Consumer Commission, now ingests reports from Scamwatch, ReportCyber (run by the Australian Cyber Security Centre), the Australian Financial Crimes Exchange, IDCARE and the Australian Securities and Investments Commission. The 2025 totals draw on roughly 481,000 reports across those channels, of which about 274,000 involved a financial loss.
For Victorians the practical takeaway is that reporting in one place — Scamwatch or ReportCyber — now gets the data into the same system that informs takedowns and bank-side disruption. That is a meaningful change from three years ago, when reports often sat in silos.
Ransomware against Victorian organisations
The Australian Cyber Security Centre’s most recent threat assessments continue to flag ransomware as the highest-impact category for Australian organisations. We are not seeing many ransomware events publicly attributed to Victorian targets in early 2026 — and that silence is partly by design, because mandatory reporting under the Cyber Security Act 2024 (Cth) routes incidents to the Department of Home Affairs and the ASD’s ACSC rather than to the press.
What we do see in our reporting is the indirect signal. Local councils, regional health services, mid-sized law firms and education providers in Victoria have all spent the last twelve months investing in incident response retainers, multi-factor authentication uplift and offline backups. That is not happening because nothing is going on. It is happening because boards are reading the threat reports.
Identity theft is now the slow-burn problem
Where investment fraud is the headline, identity-related compromise is the long tail. IDCARE, the national identity and cyber support service, continues to handle six-figure case volumes annually, with a meaningful share of clients reporting that the original breach traces back to one of the large-scale data exposures from 2022 to 2024. Health, telecommunications, superannuation and recruitment data have all turned up in criminal marketplaces during that window.
The lived experience for a Victorian whose driver licence, Medicare number and tax file number have been compromised is not a single dramatic event. It is a multi-year sequence of fraudulent credit applications, mobile number ports, mis-directed mail and persistent phishing that draws on real personal details. Cleaning that up is slow and tedious, and the support contacts at the end of this article matter more than the headlines.
What changed in policy and policing through 2025–26
Three changes are worth flagging for Victorian readers:
- Scams Prevention Framework. Federal legislation passed in early 2025 imposes obligations on banks, telecommunications carriers and digital platforms to detect, disrupt and report scams. The framework is being phased in across 2025 and 2026, with the first formal codes covering banking and telco already in force. Victorian banks operating under those codes are now under a positive duty to act on red-flag indicators rather than waiting for a customer to ring up panicked.
- Confirmation of Payee. The Australian Banking Association’s name-checking service for account-to-account transfers continues to roll out across the major banks through 2026. Once a customer is enrolled, a transfer to a name that does not match the BSB-and-account combination triggers a warning before the money moves. Early indications from the banks involved are that this single intervention has reduced payment redirection losses materially.
- Victoria Police Cybercrime Squad. The squad continues to focus on serious and organised cyber-enabled offending, often working alongside Australian Federal Police-led joint operations and the ASD’s offensive cyber work. For everyday scam victims, the front door remains ReportCyber and Scamwatch — Victoria Police directs victims to those services for a reason.
The hardest call: getting your money back
Our newsroom is regularly asked the same question. If a Victorian transfers money to a scammer, what is the realistic chance of recovery? The honest answer in 2026 is “it depends on the speed of the report and the cooperation of the receiving institution”. Reports made within hours, where the receiving bank can freeze the destination account before funds move on through layered shell accounts or convert to crypto, have a meaningfully better recovery profile than reports made days later. Once funds leave the Australian banking system — which can happen in minutes through some pathways — recovery becomes very difficult.
The Australian Financial Complaints Authority remains the right escalation point if a bank has failed to meet its obligations, including under the new Scams Prevention Framework codes.
Where Victorians should report
If you have lost money or had your identity compromised, the four contacts that matter are Scamwatch (scamwatch.gov.au), ReportCyber (cyber.gov.au/report), IDCARE (1800 595 160) and your bank’s fraud line. Reporting to one does not replace reporting to the others. Victoria Police will take a report at a station for matters where a local crime has occurred, but for most cyber-enabled scam matters, the Commonwealth pathways are where the disruption happens.
If a scam is causing immediate distress, Lifeline (13 11 14) and Beyond Blue (1300 22 4636) are open around the clock. For older Victorians being targeted by repeat scam contacts, Seniors Rights Victoria (1300 368 821) can help. If you are in immediate danger, ring triple zero.
