Where to Report a Scam in Australia (2026 Guide)

The short answer

Australia's official reporting routes in 2026 are: Scamwatch (ACCC) at scamwatch.gov.au for intelligence and stats; ReportCyber (ACSC) at cyber.gov.au/report-and-recover/report for the police-referred channel when you have lost money or data; IDCARE on 1800 595 160 for identity and account-compromise support; ASIC for investment fraud; AFCA at afca.org.au for bank dispute escalation; and 000 for immediate danger or 131 444 for non-emergency police. The most-misunderstood detail: Scamwatch is NOT a police report — it is the awareness and intelligence channel. ReportCyber is the police route. File both. The Scams Prevention Framework Act 2025 puts new obligations on banks, telcos, and digital platforms, but does not impose automatic mandatory reimbursement the way the UK PSR rule does.

"The Scams Prevention Framework is a world-first reform that sets mandatory and enforceable obligations on the industries scammers most exploit — banks, telcos and digital platforms — to prevent, detect, report, disrupt and respond to scams targeting their customers."
— ACCC / National Anti-Scam Centre, welcoming the passage of the Scams Prevention Framework Bill 2025 through both Houses of Parliament on 13 February 2025. Banks must comply with the core obligations by 30 June 2026.

If you have been scammed in Australia, two things sit underneath the entire 2026 reporting picture, and most online guides explain neither correctly. The first is that Australia has separate reporting paths for "tell the government what happened" and "open a criminal-investigation file" — and the difference matters. The second is that since February 2025, Australia has a world-first scams-specific law that changes what your bank, your telco, and your social-media platform owe you when something goes wrong. Here is the actual current map.

If you are reading this with a recent transaction you regret, skip to If money has already moved. The first hour is the only window where bank-side reversals reliably work.

Scamwatch vs ReportCyber — the distinction nobody explains

This single point causes more useless reports than anything else in the Australian system, so it is worth being precise.

—Scamwatch (scamwatch.gov.au). Run by the ACCC's National Anti-Scam Centre. A Scamwatch report is an intelligence and awareness submission — it feeds the national fraud picture, the quarterly NASC updates, and the annual Targeting Scams report. It is NOT a police report. The ACCC does not investigate individual cases and Scamwatch does not, by itself, open a criminal file. Use it when you want the system to know a scam happened — including for attempted scams where you lost nothing.

—ReportCyber (cyber.gov.au/report-and-recover/report). Run by the Australian Cyber Security Centre, within the Australian Signals Directorate. A ReportCyber submission IS the official police-routed channel. Reports are forwarded to your state or territory police, who decide whether to investigate. Use this when you have lost money or had data compromised.

—The right answer is almost always both. If you have lost money or data, file with ReportCyber and Scamwatch. The ReportCyber report gives you a police-referred case file (or at least the attempt at one); the Scamwatch report contributes to the national intelligence picture and policy work. If you only saw an attempted scam, Scamwatch alone is fine.

What changed in February 2025: the Scams Prevention Framework

On 13 February 2025 both Houses of the Australian Parliament passed the Scams Prevention Framework Bill 2025. It is the first specific anti-scam legislation passed by any government and the ACCC has described it as a "world-first reform." The framework matters even if you have never heard of it, because it is the lever your bank, your telco, and the big digital platforms will increasingly be measured against when something goes wrong.

—Who it applies to. Initially: banks, telecommunications providers, and large digital platforms (social media, online marketplaces). The list of 'designated sectors' is expandable.

—The four core obligations. Prevent, Detect, Disrupt, and Respond to scams. Each is now a regulated obligation with measurable expectations, not a marketing commitment.

—The difference vs the UK approach. The UK PSR rule imposes mandatory reimbursement on banks (up to £85,000 per APP claim, within 5 business days). The Australian framework does not. Reimbursement instead depends on whether the bank can demonstrate it took 'reasonable steps' under the framework — issued the right warnings, monitored transactions to the expected standard, responded to actionable intelligence.

—The deadlines that matter. Banks must comply with the core obligations by 30 June 2026. All banks must be members of AFCA for scam disputes by 1 September 2026. AFCA begins hearing Scams Prevention Framework-aligned complaints from 1 January 2027.

The practical implication: in 2026 your bank is in the run-up to mandatory compliance. If your bank denies a scam claim, the question to ask in escalation — and the question AFCA will increasingly ask from 2027 — is whether the bank actually met its Prevent/Detect/Disrupt/Respond obligations on your specific transaction. "We told you not to do it" is not a sufficient defence under the new framework if the warnings were generic and the transaction-monitoring missed obvious red flags.

The full Australian reporting directory, by scam type

Different scam types route to different agencies, and the timing of who you contact first can affect whether anyone acts. The most-effective order:

—Any scam where money has left your account. Your bank's fraud line FIRST (call the number on the back of your card), then ReportCyber at cyber.gov.au/report-and-recover/report, then Scamwatch at scamwatch.gov.au/report-a-scam. The bank call is where reversals happen; the others build the record.

—A scam attempt where nothing was lost. Scamwatch alone is fine. Also report any phishing emails or texts impersonating real Australian organisations to that organisation's fraud team (banks all have a phishing@... address).

—Identity theft or account compromise. IDCARE first on 1800 595 160 (free, government-backed, not-for-profit; idcare.org). Then ReportCyber. IDCARE walks you through credit-bureau locks, account lockdowns, and police liaison — it is the most valuable single phone call available.

—Investment fraud, fake brokers, crypto scams. ASIC at asic.gov.au plus ReportCyber. Check the ASIC Investor Alert List on Moneysmart before any investment. ASIC handles enforcement against unlicensed financial firms targeting Australian consumers.

—A bank or financial firm dispute you cannot resolve. AFCA (Australian Financial Complaints Authority) at afca.org.au or 1800 931 678. Free, independent, binding on the firm if they rule in your favour. From 2027, AFCA will hear Scams Prevention Framework complaints specifically.

—Telco-side scam (spoofed numbers, scam texts at volume). Report to your telco's spam-reporting channel — Telstra, Optus, TPG/Vodafone all have established routes. Major carriers together block billions of scam SMS per year using upstream filters. Reports help build the network-level block lists.

—Online marketplace or social-media scam. Report to the platform (Facebook Marketplace, Gumtree, eBay, Instagram), then to Scamwatch. Under the Scams Prevention Framework, digital platforms now have direct legal obligations to act.

—Tax-related scam (fake ATO calls, fake debt collection). Verify by calling the ATO directly on 1800 008 540 (scam reporting line). The ATO does not threaten arrest or demand payment in iTunes / gift cards — every version of that scam has been a fake for over a decade.

—Anything involving a child or minor. If a child is in danger or being exploited online, contact the Australian Centre to Counter Child Exploitation (accce.gov.au) and your state police. eSafety Commissioner (esafety.gov.au) handles online abuse, cyberbullying, and image-based abuse.

—Immediate danger or crime in progress. Call 000. For non-emergency police matters, call 131 444 (most states/territories use this number).

If money has already moved — the first 24 hours

Speed is the entire game. Bank-side reversals only work in the first hour or two. Australia's faster-payments network (NPP/PayID) is, by design, fast and final — much of the recovery battle is upstream of the network's settlement window.

1Call your bank's fraud line immediately on the number on the back of your card. Not general customer service. State: "I am the victim of fraud and want to dispute the transaction." If the bank's transaction monitoring or warnings failed to catch the scam, mention the Scams Prevention Framework explicitly — it elevates the case from routine customer service to a regulated dispute. Get a written reference number.

2File a ReportCyber report at cyber.gov.au/report-and-recover/report. This is the police-referred channel. You will get a reference number; keep it.

3File a Scamwatch report at scamwatch.gov.au/report-a-scam. This feeds national intelligence and is also where the ACCC tracks scam-trend data.

4Call IDCARE on 1800 595 160 if any personal information, ID documents, banking credentials, or device access was exposed. Free, government-backed, not-for-profit. They walk you through the practical lockdown steps your bank will not.

5Document everything in one place. Screenshot the conversation, the scammer's number or email, the URLs, transaction details (date, time, amount, BSB/account or PayID), and any names the scammer used. Save as one PDF.

6If your bank denies the dispute after their internal investigation, escalate to AFCA at afca.org.au or 1800 931 678. Free, independent, binding. Wait for the bank's final decision letter before filing.

7If it was an investment scam, also report to ASIC at asic.gov.au and check the Moneysmart Investor Alert List. Australian investment-fraud losses are the single largest category — $837.7 million in 2025 — and ASIC actively investigates unlicensed-firm cases.

8Block, do not engage, and ignore any 'recovery' offers. Once you are visibly a recent victim, recovery scammers will find you within days. Real Australian recovery channels — your bank, ReportCyber, IDCARE, ASIC, AFCA — are all free.

Within days of any public report or social-media post about your loss, "recovery scammers" will find you. They will know details of your scam — because your data was sold. Real Australian recovery channels never charge an upfront fee. The ACCC's own warning is explicit: anyone contacting you offering to recover lost funds for a payment is running the second scam. See the recovery-scams piece for the full pattern and the honest recovery odds by payment method for what actually works.

The Australian numbers, in context

The National Anti-Scam Centre's annual Targeting Scams report aggregates losses across Scamwatch, ReportCyber, the Australian Financial Crimes Exchange (AFCX), IDCARE, and ASIC. The 2025 update (released March 2026) is the most recent complete year and shows the pattern clearly:

—Total reported losses 2025: $2.18 billion. Up 7.8% from 2024 ($2.03 billion). The 2024 figure was itself down 25.9% from 2023's $2.74 billion — so 2025 is the first uptick after a multi-year decline. Both years remain well below the 2022 peak of $3.1 billion.

—Investment scams: $837.7 million in 2025. Largest single category, including pig-butchering / romance-baiting hybrids and fake brokerage platforms. See our investment guide for the mechanics.

—Payment redirection scams: $166.8 million. Often business-email-compromise variants where invoices are intercepted and bank details swapped. See the business-fraud guide.

—Romance scams: $139.9 million. Increasingly merged with investment scams (the pig-butchering pattern). Covered in detail in the AI romance scams piece.

—Phishing scams: $97.6 million. Email, SMS, and impersonation of major Australian institutions — banks, ATO, Australia Post, MyGov. The 2026 advice is unchanged: do not click; go directly to the institution's app or website.

—Remote access scams: $69.9 million. Caller asks you to install AnyDesk, TeamViewer, or similar 'support' software, then walks you through transferring money. No real institution ever needs remote access to your device.

The Top 5 scam categories accounted for 60% of total 2025 losses. The remaining 40% is spread across attempted classifications including hi-mum/family imposter, gift card scams, shopping scams (Facebook Marketplace, Gumtree), tax/government imposter, and emerging AI-powered variants.

From the field. The single most common Australian case we see in 2026 is a PayID transfer made after a phone call from someone claiming to be from the victim's bank's "scam protection team." The caller knows enough about the victim — name, recent transactions, sometimes the actual bank branch — that the call feels real. The script then walks the victim through transferring money to a "secure holding account" the caller has set up. Every word is a lie, the recipient PayID is the scammer's. The defence is unchanged from a decade ago: real banks never call you and ask you to move money to protect it. Hang up. Call the number on the back of your card. Twenty seconds of friction defeats the entire script. The Scams Prevention Framework now also obliges your bank to have transaction-monitoring that should catch the suspicious outbound transfer in real time — which is changing how often the scam succeeds.

The habits that keep you out of the reporting machinery entirely

Reporting is downstream. Three small habits stop most Australian scams cold:

—Never authorize a PayID, OSKO, or bank transfer based on a phone call you did not initiate. Real banks, the ATO, Centrelink, Australia Post, and MyGov do not call demanding immediate transfers. Hang up and call back on the number on the back of your card or from the institution's official app.

—Use PayID name confirmation every time. When you set up a payment to a PayID, you see the registered name on that PayID before you confirm. If the name does not match what you expect, do not proceed. Scammers register PayIDs in their own names; the discrepancy is your stop signal.

—Treat any messaging-app financial conversation as hostile until verified. Hi-Mum scams, romance baiting, recruiter scams, investment scams in Australia overwhelmingly run on WhatsApp, Telegram, Instagram DMs, and Facebook Messenger. The pivot off a verifiable platform onto a messaging app is the single most reliable scam signal.

If you are not sure whether something is a scam, the fastest second opinion is the Scam Checker on this site, or our free case review. Both are read by a human and respond within 24 hours.

One rule, end to end

If you take one habit from this piece, take this: any unsolicited phone call, text, or message asking you to move money is a scam until you have verified it by calling the institution back on a number you already trust. Everything else is detail.

Based in Australia and not sure where to start? Let's look at it together.

Describe the message, the call, the transaction. A real expert reviews every case and replies within 24 hours. Free, confidential, no pressure.

Submit a free case review →Full international reporting directory

Common questions about reporting an Australian scam

What is the difference between Scamwatch and ReportCyber?

Scamwatch is operated by the ACCC's National Anti-Scam Centre and is a reporting service for intelligence, awareness, and policy — NOT a police report. A Scamwatch report alone does not trigger a criminal investigation. ReportCyber is operated by the Australian Cyber Security Centre (within the Australian Signals Directorate) and IS the official channel for cybercrime reports that get routed to your state or territory police. If you have lost money or your data has been compromised, file with ReportCyber (often in addition to Scamwatch). If you just want to warn others about an attempted scam where nothing was lost, Scamwatch alone is fine.

What is the Scams Prevention Framework, and does it mean banks have to refund me?

The Scams Prevention Framework Act passed Australian Parliament on 13 February 2025 — the world's first anti-scam-specific legislation. It applies to banks, telcos, and digital platforms, requiring them to 'Prevent, Detect, Disrupt and Respond' to scams. Unlike the UK's PSR rule, the Australian framework does not impose automatic mandatory reimbursement. Instead, it guarantees access to internal and external dispute resolution (via AFCA, the Australian Financial Complaints Authority), and a bank's liability for reimbursement depends on whether it can demonstrate it took 'reasonable steps' under the framework. Banks must comply with the core obligations by 30 June 2026, must be AFCA members for scam disputes by 1 September 2026, and AFCA begins hearing SPF-aligned complaints from 1 January 2027.

What number do I forward suspicious text messages to in Australia?

Report suspicious texts directly to your mobile carrier — Telstra, Optus, TPG/Vodafone all have spam-reporting routes — and submit a report to Scamwatch at scamwatch.gov.au with the message details. There is no single national '7726' equivalent in Australia (unlike the UK). For phishing emails impersonating real Australian organisations, also report to that organisation's fraud team directly (banks all run phishing@... addresses), and to ReportCyber if you clicked anything or lost anything. Major mobile carriers in Australia together block billions of scam texts per year using upstream filtering, but reports help build the network-level block lists.

Who is IDCARE and when should I contact them?

IDCARE is Australia and New Zealand's national identity and cyber support service — a not-for-profit jointly funded by government and the financial sector. They are the right call for identity theft, online account compromise, data-breach impact, and the practical steps to lock down your accounts and credit file. Call them on 1800 595 160 or use idcare.org. Their case managers work with you free of charge, and they coordinate with banks, credit bureaus, government, and police where needed. If your problem includes ID-document misuse, account takeover, or anything where someone else now has your personal details, IDCARE is the most valuable single phone call you can make.

I lost money to an Australian scam. Will my bank refund me?

Probably only if your case clearly falls into a narrow category — unauthorised transfer (your account was hacked, you did not press send), or a clear failure by the bank to meet its Scams Prevention Framework obligations. For 'authorised' transfers (you initiated the payment yourself under deception), Australia does not yet have automatic mandatory reimbursement equivalent to the UK's PSR rule. Your path is: bank internal dispute resolution first, then escalate to AFCA (afca.org.au or 1800 931 678) if the bank denies. AFCA's existing scam jurisdiction has produced occasional wins for victims where the bank failed to honour its own warnings, transaction-monitoring obligations, or Confirmation of Payee equivalent.

Are 'Hi Mum' scams still a problem in Australia?

Yes. The 'Hi Mum' family-impersonation scam, where the scammer texts pretending to be a child with a 'new number' and an urgent money problem, was first widely documented in Australia in 2022 and the ACCC logged more than 11,000 reports that year. The scam has evolved: AI voice cloning now makes the phone-call variant more convincing, the new-number opening still works, and Australia's high WhatsApp adoption keeps the channel productive for scammers. The defence is unchanged — never send money to a new number until you have verified by calling the real person back on the number you already have. See our family-impersonation-scams piece for the full pattern.

Sources & further reading

Every figure in this piece is drawn from these authorities. Click any of them to verify.

Where to report a scam in Australia — and what changed when the Scams Prevention Framework became law.