The March 2025 Targeting Scams report from the National Anti-Scam Centre brought to attention the havoc caused by impersonation scams (which encompass romance, payment redirection, remote access, and phishing scams). In 2024 alone, this form of fraud cost Australians and Australian businesses approximately $499.9 million.

 

The Mechanics of Impersonation Scams

Impersonation scams work by taking advantage of people by using social engineering – which Carnegie Mellon University defines as “the tactic of manipulation, influencing, or deceiving a victim in order to gain control over a computer system, or to steal personal or financial information. It uses psychological manipulation to trick users into making security mistakes or giving away sensitive information”.

 

The Stages of An Impersonation Scam

Scammers will often take victims on a 3-stage journey:

  1. Wanting to help
  2. Increasing urgency levels
  3. Threatening negative consequences

 

Pressure Tactics

The First Stage

On first engagement, an impersonator will claim in an SMS message or phone call to represent a known service – such as a bank, the police, or a telco, and seek to provide assistance or help in resolving a [fake] problem – such as fraudulent credit card transactions or updating software.

The Second Stage

In the second stage of the scam, they will attempt to apply scare tactics to increase the sense of urgency – seeking to take immediate action lest the problem worsen. They may request access to a bank account, recommend downloading software to fix a problem, or request the use of a different BSB for payments.

The Third Stage

In the third stage – which follows if there is hesitation or resistance from the target, the scammer will stress the negative consequences of failing to follow their instructions, and sometimes even issue threats.

 

Examples of Scam Requests

In a September 2024 article, the Australian Community and Media Authority provided information on the five most common types of impersonation scams in Australia.

  1. Government Impersonations: fake claims from agencies like Medicare or the ATO, demanding a refund or that a payment be made.
  2. Parcel Delivery Scam: SMS messages impersonating established delivery agencies will demand payments for the delivery of non-existent parcels.
  3. Toll Road Operator Impersonation: impersonators of companies like Linkt will demand payment to top up an account or pay for an overdue bill.
  4. Reward Point Scam: scammers will attempt to steal personal data by sending links to fake sites designed to collect customer information.
  5. Telecom Impersonation: messages or calls will warn users of expired reward points, prizes, or unresolved account issues.

 

How Businesses Can Protect Themselves

Impersonation scams don’t just affect individuals in Australia – they also impact the reputation and trustworthiness of businesses. For those companies that do find themselves being impersonated online, some actions they can take include:

  1. Utilising site monitoring and takedown services which regularly scan for and remove fraudulent/harmful sites.
  2. Identifying the hosts of fake websites via domain registry/hosting services and issuing formal complaints.
  3. Providing customers with easy ways to report fraudulent activity online.
  4. Issuing staff with materials and guidance to educate customers about fraudulent schemes and to raise awareness of the continued threat of scams.
  5. Reporting scam incidents to Scamwatch.

 

How To Protect Yourself: Distrust and Verify

Here are several tips worth remembering when dealing with a possible scammer:

  1. Government agencies, financial institutions, and most – if not all – organisations will never ask a customer for their personal information or seek to access their devices.
  2. Scammers can imitate anyone – including family and friends. If a message or call seems unusual, call the relation on a trusted number to confirm the veracity of the request.
  3. Upon receiving a scam call, ask who they claim to represent, hang up, and then call the business back using a publicly-listed number to confirm the veracity of the communication.
  4. Never open or click on links in SMS messages and emails that are from unfamiliar senders.
  5. Beware scammers whose telephone numbers or emails aren’t quite Scammers regularly use slightly modified email addresses and telephone numbers in the hopes that users will be inattentive and won’t notice.
  6. Only ever sign in to companies’ web portals via official, confirmed apps or their official websites. Never use unfamiliar, second-party software.

 

If You’ve Been Scammed

Several actions exist that can be taken immediately to mitigate any losses from a scam.

  1. Contact the scam department of the bank whose accounts were accessed to report the scam and freeze any transactions in progress.
  2. Change the passwords for critical websites and accounts – such as banking and email systems.
  3. Call IDCare to organise a plan to minimise the damage.
  4. Contact Scamwatch to report the incident and provide all relative information regarding the incident.
  5. Enrol in and take the eSafety scam courses offered by the Australian government.

 

Key Takeaways

Impersonation scams cost Australians nearly half a billion dollars in 2024, caused immeasurable grief, stress, and anxiety, and inflicted incalculable harm to businesses, individuals, and the economy. These losses and the damage they cause can be reduced – if not completely avoided – by understanding how impersonation scams work and knowing how to fight back.