The intersection of cybercrime and traditional crime is becoming increasingly perilous. Here’s how you can protect yourself.
It begins with a phone call from someone impersonating a bank representative. They know the victim’s name, bank, and even credit card number. The caller claims there has been “unusual activity” on the account and states that a one-time passcode has been sent to verify the victim’s identity. The victim, feeling reassured, reads out the code, only to discover moments later that their funds have vanished. The bank refuses to reimburse the loss, citing a breach of terms because the victim voluntarily shared their passcode. This scenario is not an isolated incident; it reflects a growing trend in Australia and beyond, where cyber criminals are blending digital and real-world tactics to create increasingly convincing and damaging scams.
These scams do not originate from phishing emails or fake applications. They start with stolen personal data, often acquired through numerous breaches, such as the recent Qantas incident that exposed the details of up to 5.7 million customers. In some cases, this data is sold through third-party brokers. Names, phone numbers, emails, and card details are frequently leaked and traded online. Once scammers obtain this information, they initiate contact, often using spoofed caller IDs to mimic legitimate bank interactions. Victims are pressured to “verify” their identity by reading out a one-time passcode, which unknowingly authorises a transaction using their own card details. This phenomenon is termed a “convergence scam,” where online data leaks, psychological manipulation, and weak enforcement converge, resulting in a sophisticated hybrid of digital theft and physical-world exploitation that is on the rise.
The impact of these scams is deeply personal and can lead to significant financial losses. What exacerbates the situation is the systemic failure surrounding these incidents. Many credit card fraud insurance policies contain clauses that exclude coverage when customers “voluntarily” provide account credentials, including one-time passcodes, even if they were coerced or deceived. One victim reported losing nearly A$6,000 after a scammer, posing as a bank representative, prompted them to read out a passcode over the phone. The bank later refused reimbursement, claiming the victim had breached the ePayments Code by voluntarily sharing the passcode, despite being manipulated into doing so. Consequently, the victim was held liable and ineligible for a chargeback.
Even when criminals leave a physical trail, law enforcement follow-up is rare. Reports of these scams are often acknowledged but not pursued. Officers do not explicitly state that the cases are too small or unworthy of investigation, but their inaction suggests a lack of resources or prioritisation. This lack of response leaves victims feeling abandoned and vulnerable, as they navigate the aftermath of these sophisticated scams. The combination of personal data theft, psychological manipulation, and inadequate support from financial institutions and law enforcement creates a troubling environment for consumers, making it increasingly difficult to combat these rising threats.