Internet Fraud

“Internet fraud” is a broad term used to cover common forms of cybercrime. The Australian Bureau of Statistics has reported that nearly four million Australians aged 15 years and over encountered or experienced internet fraud in 2020-21. The ACCC’s Scamwatch estimates that Australians lose more than a combined $100 million per year to various forms of internet fraud.

What is internet fraud?

Internet fraud refers to any type of fraud scheme that uses email, websites, chat rooms or message boards to present fraudulent invitations, offers or requests to potential victims, to conduct fraudulent transactions, or to transmit the proceeds of fraud to themselves or to others connected with the scheme.

Common methods of internet fraud

The most common examples of internet fraud are:

Email fraud – email is a common medium used to commit internet fraud. Individuals may be sent emails attempting to persuade them to buy a product or service, or to visit a fraudulent website to make a purchase. Some emails will tell individuals that they have won the lottery or have been gifted money. These scams will inform recipients that they can only claim their prize after they have paid a small fee.
Phishing – the individual is tricked into providing their personal information through scam emails in which the cybercriminal pretends to be a reputable company such as a bank and asks for credit card details.
Hacking – the criminal gains access to the individual’s information (which may include a government or business account) by exploiting security weaknesses on their computer, mobile device or network.
Remote access scams – the individual is tricked into giving access to their computer and paying for a service they don’t need. The criminal may impersonate a reputable IT company and state that the individual has a virus in their system.
Malware & ransomware – malware is a virus software that tricks the user into installing software that allows cybercriminals to access the user’s files and track what they are doing, while ransomware is a virus software that demands payment to “unlock” the user’s computer or files.
Fake online profiles – the cybercriminal sets up a fake profile on a social media platform such as Facebook or a dating site and attempts to gain the trust of someone and then exploit them for financial gain.
Data breaches – the criminal obtains the individual’s data through accidental data breaches of business or government accounts. The person may not even be aware that some of their information has been obtained by scammers.

Commonwealth internet fraud laws and penalties

The Criminal Code Act 1995 (Cth) has various offences that criminalise internet fraud in Australia:

Section	Offence	Maximum penalty
478.1 Unauthorised access to, or modification of, restricted data	(1) A person commits an offence if: (a) the person causes any unauthorised access to, or modification of, restricted data; and (b) the person intends to cause the access or modification; and (c) the person knows that the access or modification is unauthorised. (3) In this section: *restricted data* means data: (a) held in a computer; and (b) to which access is restricted by an access control system associated with a function of the computer.	2 years’ imprisonment
477.3 Unauthorised impairment of electronic communication	(1) A person commits an offence if: (a) the person causes any unauthorised impairment of electronic communication to or from a computer; and (b) the person knows that the impairment is unauthorised. (3) A conviction for an offence against this section is an alternative verdict to a charge for an offence against section 477.2 (unauthorised modification of data to cause impairment).	10 years’ imprisonment
474.17 Using a carriage service to menace, harass or cause offence	(1) A person commits an offence if: (a) the person uses a carriage service; and (b) the person does so in a way (whether by the method of use or the content of a communication, or both) that reasonable persons would regard as being, in all the circumstances, menacing, harassing or offensive. (2) Without limiting subsection (1), that subsection applies to menacing, harassing or causing offence to: (a) an employee of an NRS provider; or (b) an emergency call person; or (c) an employee of an emergency service organisation; or (d) an APS employee in the Department administered by the AFP Minister acting as a National Security Hotline call taker.	5 years’ imprisonment
480.4 Dishonestly obtaining or dealing in personal financial information	A person commits an offence if the person: (a) dishonestly obtains, or deals in, personal financial information; and (b) obtains, or deals in, that information without the consent of the person to whom the information relates.	5 years’ imprisonment
480.5 Possession or control of thing with intent to dishonestly obtain or deal in personal financial information	(1) A person commits an offence if: (a) the person has possession or control of any thing; and (b) the person has that possession or control with the intention that the thing be used: (i) by the person; or (ii) by another person; to commit an offence against section 480.4 (dishonestly obtaining or dealing in personal financial information) or to facilitate the commission of that offence. (2) A person may be found guilty of an offence against subsection (1) even if committing the offence against section 480.4 (dishonestly obtaining or dealing in personal financial information) is impossible. (3) It is not an offence to attempt to commit an offence against subsection (1).	3 years’ imprisonment

NSW internet fraud laws and penalties

The Crimes Act 1900 (NSW) criminalises internet fraud through various offences:

Section	Offence	Maximum penalty
192E Fraud	(1) A person who, by any deception, dishonestly— (a) obtains property belonging to another, or (b) obtains any financial advantage or causes any financial disadvantage, is guilty of the offence of fraud. (2) A person’s obtaining of property belonging to another may be dishonest even if the person is willing to pay for the property. (3) A person may be convicted of the offence of fraud involving all or any part of a general deficiency in money or other property even though the deficiency is made up of any number of particular sums of money or items of other property that were obtained over a period of time. (4) A conviction for the offence of fraud is an alternative verdict to a charge for the offence of larceny, or any offence that includes larceny, and a conviction for the offence of larceny, or any offence that includes larceny, is an alternative verdict to a charge for the offence of fraud.	10 years’ imprisonment
192G Intention to defraud by false or misleading statement	A person who dishonestly makes or publishes, or concurs in making or publishing, any statement (whether or not in writing) that is false or misleading in a material particular with the intention of— (a) obtaining property belonging to another, or (b) obtaining a financial advantage or causing a financial disadvantage, is guilty of an offence.	5 years’ imprisonment
308C Unauthorised access, modification or impairment with intent to commit serious indictable offence	(1) A person who causes any unauthorised computer function— (a) knowing it is unauthorised, and (b) with the intention of committing a serious indictable offence, or facilitating the commission of a serious indictable offence (whether by the person or by another person), is guilty of an offence.	The maximum penalty applicable if the person had committed, or facilitated the commission of, the serious indictable offence in this jurisdiction.
308F Possession of data with intent to commit serious computer offence	(1) A person who is in possession or control of data— (a) with the intention of committing a serious computer offence, or (b) with the intention of facilitating the commission of a serious computer offence (whether by the person or by another person), is guilty of an offence.	3 years’ imprisonment
308G Producing, supplying or obtaining data with intent to commit serious computer offence	(1) A person who produces, supplies or obtains data— (a) with the intention of committing a serious computer offence, or (b) with the intention of facilitating the commission of a serious computer offence (whether by the person or by another person), is guilty of an offence.	3 years’ imprisonment
308H Unauthorised access to or modification of restricted data held in computer (summary offence)	(1) A person— (a) who causes any unauthorised access to or modification of restricted data held in a computer, and (b) who knows that the access or modification is unauthorised, and (c) who intends to cause that access or modification, is guilty of an offence.	2 years’ imprisonment
308I Unauthorised impairment of data held in computer disk, credit card or other device (summary offence)	(1) A person— (a) who causes any unauthorised impairment of the reliability, security or operation of any data held on a computer disk, credit card or other device used to store data by electronic means, and (b) who knows that the impairment is unauthorised, and (c) who intends to cause that impairment, is guilty of an offence.	2 years’ imprisonment

Offences under sections 308C, 308F and 308G criminalise using a victim’s stolen data to commit a serious offence such as theft, fraud or extortion. For example, if a cybercriminal logs into a victim’s bank account using the victim’s information obtained by a scam and steals money from the account, the cybercriminal will be in breach of section 308F as they possessed unauthorised data for the purpose of committing theft.

It is not an offence to attempt to commit offences under sections 308C, 308F and 308G.

What the prosecution must prove

For offences under both Commonwealth and NSW laws, the prosecution must generally prove beyond a reasonable doubt that the accused did any of the following, in relation to the commission of an indictable offence:

Intended to access or impair communications or data,
Intended to gain a financial advantage for themselves or cause a financial loss to the victim, or
Intended for unauthorised data to be used for committing or facilitating the offence.

Possible defences

Possible defences include:

Did not access or impair data or electronic communication.
In the instance the accused did access this data, they had authorisation or a legitimate reason to access it.
Did not have intention to commit or facilitate the offence.

For offences involving a carriage service, a potential defence is establishing that the accused did not use or obtain information through a carriage service (such as a phone, mobile device or computer).

How to report internet fraud in Australia

If you are a victim of internet fraud, you should immediately contact the police on 131 444 for advice and assistance. You should also contact your financial institution/s and any relevant websites that you use such as social media accounts.

After you report the incident to the police, ask for a police report or reference number so you have evidence that you reported the issue.

Report scams to the ACCC using this form.

How to prevent internet fraud

You can take several steps to ensure you are protected from internet fraud. Some steps include:

Use public computers and internet services with caution. Cybercriminals may set up fake free WiFi spots to hack into your phone or laptop.
Use strong and unique passwords for your accounts. Write these passwords down instead of saving them on your device. Frequently change the passwords.
Carefully read emails before you click on any links. Check for typos, spelling errors, and review the sender’s email address, as scam emails may come from uncommon email addresses.
Frequently review your bank statements and credit card statements to check for any suspicious withdrawals.
Review credit reports annually to check for any suspicious loans or financial activity under your name.
Install antivirus software.
Do not give out personal or sensitive information in response to unprompted telephone calls or emails. Banks and other financial institutions will never call or email you to ask for these details.
Do not add people you do not know on social media. Block and report them if they ask for suspicious information.
Be wary of posting personal information on social media.

Internet fraud case examples

The NSW Police have charged two men for being involved in a criminal syndicate which used phishing to steal banking and identification details of thousands of Australians in a bid to access their bank accounts. The arrests by NSW Police are a part of an operation which began in September 2021 to identify the criminals responsible for sending hundreds of thousands of automated text messages that contained links to fraudulently replicated Australian banking and telecommunications company websites. The SMS phishing scam is alleged to have started in 2018 to target customers of the Commonwealth Bank of Australia, National Australia Bank and Telstra, among others. The men have been charged with several offences under the Criminal Code Act 1995 and are currently awaiting trial as of September 2022.
In 2019, a Brisbane man used two aliases to arrange an elaborate online job scam through various companies to steal the identities of 52 taxpayers. He lodged 62 fraudulent income tax returns and attempted to obtain over $565,000 in refunds. After conducting fake interviews over the phone, the fraudster would email applicants to confirm they had been successful in their application for the job. He would also request a scanned copy of their driver’s license, bank account details, tax file number and shirt size. He used this information to fraudulently create myGov accounts. If they already had an account, he used the information to take over their account and change the details as required. He would then link the myGov accounts to the ATO’s online services where he would lodge false income tax returns in the victims’ names. The man was charged with 106 offences and was sentenced to five years in prison.

How can we help?

Nyman Gibson Miralis provides expert advice and representation in internet fraud investigations.