CANBERRA, ACT, March 31 -- Australian Federal Police issued the following media release:

This is a joint media release between the Australian Federal Police and Commonwealth Bank

Editor's note: Video grabs of Detective Superintendent Marie Andersson are available via Hightail.

Ruthless scammers posing as would-be saviours are tapping into brazen new techniques to drain the banking and cryptocurrency accounts of everyday Australians.

The Joint Policing Cybercrime Coordination Centre (JPC3), which draws on banking industry intelligence, is lifting the lid on the bold tactics used at every step of the scamming playbook.

These range from trying to replicate the hold music used by banks to audacious tag-team conversations that concurrently call banks and victims to bypass security checks.

In an extreme example, one victim lost $350,000 in cryptocurrency in 18 hours, equating to $324 every minute. This occurred after the scammer posed as a representative of a crypto ledger company and told the victim their ledger had been compromised.

And this technique of scammers posing as would-be saviours is increasingly being seen in the policing and banking sectors.

In 2025, Australians reportedly lost $97.6 million to phishing scams, which includes victims of bank impersonation scams. This was up from $84.5 million reportedly lost in 2024.*

Phishing occurs when scammers impersonate trusted people or organisations, such as banks, financial advisors, CEOs or law enforcement, and use phishing tactics to deceive victims into handing over personal information.

Another method is remote access scams where a scammer - under the guise of technical support or cyber security - will manipulate the victim to download software allowing them full control of their device.

AFP Detective Superintendent Marie Andersson said scammers were extremely tech savvy, adaptable and ruthless, particularly when it came to presenting as helpful voices of authority.

"Scammers approach victims armed and ready using secure information such as their name, date of birth, account details, and bank balances, acquired through previous cyber-attacks or data breaches," Det-Supt Andersson said.

"This allows scammers to build trust and legitimacy with their victim and acquire additional information or access to complete their scam.

"We are also seeing scammers acquire this information in real-time by working in pairs. One scammer will contact a bank and pretend to be the victim, while concurrently, another scammer is calling the victim and pretending to be a representative of the banking provider.

"Using information they gain through both conversations, they can then bypass security checks and create 'proof' that seems credible.

"We want to encourage victims to report these scams - remember scams can affect anyone and you should not feel shame or embarrassment about reporting it."

Common narratives used in bank impersonation scams to get victims to act quickly include:

* Pending unauthorised payments which can only be reversed or cancelled once banking details or codes are shared;* Locked bank accounts that can only be unlocked if you act now;* New payees added to your bank account; and* Compromised devices or accounts where money or cryptocurrency needs to be moved to a 'safe account' to be protected.

Once scammers have got your attention, they may:

* Send one-time passwords and ask you to verify the code;* Request your banking passwords or personal details to verify your identity;* Request remote access to your computer;* Ask you to approve transactions in the bank's app;* Ask you to withdraw cash from the bank and for a courier to collect for safekeeping;* Ask you to open new accounts, move money to a "safe account" or another bank; and* Ask you to make payments via a "bank-linked" or socially engineered platform.

Detective Superintendent Andersson said recognising the warning signs early and refusing to act under pressure was the best defence against bank impersonation scams.

"Cold contact from a banking provider via call, text or email, combined with an extreme pressure to act quickly and hand over personal information, should be treated as a potential scam," Det-Supt Andersson said.

"Pause and consider the veracity of the request. If in doubt, hang up and call the banking institution's official phone number, which can be found on their website, your banking card, or app.

"If you believe you have been targeted, contact your bank immediately so they can secure your accounts and change your online banking password.

"Never login via online banking links sent through email or text, or share your passcodes or passwords over email, text or phone.

"We understand that the threat of losing any money is scary, but what is scarier is actually losing money, sometimes even life savings, to a scammer."

Commonwealth Bank Executive General Manager of Group Fraud and Scams, James Roberts, said impersonation scams were becoming more advanced, with criminals using sophisticated techniques to appear legitimate.

"Scammers are getting better at sounding convincing, but there are a few simple things to remember that can help keep you safe," Mr Roberts said.

"Banks won't rush you - and we will never ask you to share passwords, PINs or one-time codes, or move money to a 'safe account'.

"If you bank with us and get a call you're unsure about, stop, hang up and contact your bank using the number on your card or message us securely in the app. Do not call back the number that contacted you or any number from a suspicious SMS or email."

To help Australians spot the warning signs and navigate online banking more safely, the JPC3 has launched 'ClickFit: Impersonation Scams' , a national cybercrime awareness campaign supported by law enforcement across the country.

ClickFit encourages Australians to build simple habits into their online routine to protect their personal information, bank accounts and money from cybercriminals.

Get ClickFit in six simple steps

Stop, think before you click

If you get a call, text or email purporting to be from your "bank", pause before you act. Real banks won't rush or pressure you.

Check with official bank sources

Don't trust unexpected contact. Contact your bank using their official app, website or number on your card.

Protect your codes and passwords

Your bank will never ask you to disclose an OTP, password, or PIN over the phone.

Never move money

Banks will never ask you to move money to a "safe account". If asked - stop and contact your bank.

Secure your accounts

Use strong passphrases and multi-factor authentication (MFA). Keep your devices updated.

Report immediately to bank

If something feels off - act fast. Report it to your bank immediately. Have you lost money? Report it to police at cyber.gov.au/report.

Case study 1 - moving money to 'safe accounts'

* Victim received an automated call saying their debit card had been charged $3890 for train tickets.* They had to press 1 to accept or 2 to reject the payment.* They selected 2 and the line was redirected. The person who answered told the victim to ring the bank's fraud section, and provided a mobile number which the victim called.* The person who answered said to prevent theft, they would set up special bank accounts to keep the money safe.* The victim transferred $156,000 into bogus bank accounts.* The victim also gave the scammer access to her computer after being told they wanted to check if it had a virus.

Case study 2 - fake hold music

* Victim was contacted by a scammer purporting to be from a bank's fraud team.* Scammer said there was suspicious activity in a business bank account and asked the victim to verify personal and banking details (which they already had) and provide the pin.* Scammer said the card would have to be cancelled and reissued and the customer registration number (CRN) would need to be changed. They also said that due to malware, the bank's app should be deleted and reinstalled, and that they would text a code to verify the new CRN.* The victim was placed on hold several times to verify other transactions and became suspicious as the hold music was different to the usual tune they knew.* The victim hung up and called the bank through their main number, however, by then, $197,000 had already been transferred out of the accounts.* The victim attended a branch the following day to verify their identity and regain access to the accounts.* The matter is being investigated by the bank but it's uncertain if the funds will be returned.

Case study 3 - crypto wallet

* Victim received an email saying their email address was exposed in a data breach.* Later that day, they received two calls from an unknown Australian number from a person with a British accent purporting to be from the crypto company the victim's ledger was from.* The person had the victim's ledger receipt and did not require further details. They advised the wallet had been compromised and asked the victim to check on their computer, which connected wirelessly to the ledger without turning it on.* The victim was then told the ledger information had been leaked, and another third party had contacted them to get a new seed phrase. They asked the victim to change their seed phrase as soon as possible so this person could not access their crypto.* The victim put in their seed phrase and requested a new one. After the new seed phrase connected, the victim got suspicious and tried to reset it again and realised $350,000 had left their crypto wallet.* The money was traced offshore to the UK and Italy.

*National Anti-Scam Centre

About the JPC3

The JPC3 brings together Australian law enforcement and key industry and international partners, including the AFP, to fight cybercrime and prevent harm and financial loss to the Australian community.

We are committed to equipping all Australians with the knowledge and resources to protect themselves against cybercrime.

* Watch our cybercrime prevention videos and protect yourself from being a victim of cybercrime.* If there is an immediate threat to life or risk of harm, call 000.* If you are a victim of cybercrime, report it to police using Report Cyber.

Disclaimer: Curated by HT Syndication.