
The industry speaks: Scams Awareness Week 2025

Scams cost Australians more than $2 billion last year – here’s some expert advice to make sure you and your business can stay safe this year and every year.


David Allott
Field CISO APJ, Veeam

Scams Awareness Week is a timely reminder that we all share the responsibility of protecting ourselves and organisations from scams and cyber threats. Encouragingly, the National Anti-Scam Centre reports that Australia has seen a 26 per cent drop in reported scam losses, reflecting the positive impact of collective efforts from individuals, businesses, and government.

Despite this progress, the challenge is far from over. The growing use of AI and large language models has given cyber criminals more sophisticated tools, enabling highly convincing phishing scams, deepfakes, and other deceptive tactics. Veeam’s Data Resilience Maturity Model research shows that 74 per cent of organisations still fall short of best practices, with many operating at the lowest maturity levels. Alarmingly, over 30 per cent of CIOs in the least resilient organisations overestimate their data resilience capabilities, leaving them more exposed to scams and cyber attacks.

 
 

To strengthen protection, organisations and individuals should maintain a zero-trust mindset, implement multifactor authentication, and actively watch for the warning signs of scams. Vigilance and preparation remain our best defences in an increasingly complex threat environment. This also means ensuring secure, reliable backups so data remains accessible and restorable in the event of an attack. Following the proven 3-2-1-1-0 backup rule can help organisations quickly resume operations and enable individuals to recover lost data with minimal disruption.


Professor Craig Costello
School of Computer Science at QUT

As tech continues to evolve, so do cyber criminal tactics. Scams are becoming increasingly sophisticated, exploiting computing and algorithmic advances to bypass traditional security measures, making them convincing and harder to detect. The Australian Institute of Criminology’s latest report highlights the scale of the problem, with nearly half of Australians experiencing some form of cyber victimisation in the past year.

Post-quantum cryptography offers a glimpse of the future in digital protection, supporting new ways to secure and protect our data and privacy. But tech solutions are not enough. In my role and more broadly across the university, too, we’re dedicated to training the next gen of cyber defenders to be better equipped in recognising, understanding, and proactively defending against the future of cyber crime.

Here are some top scam-busting tips for everyday Aussies:

Verify before you trust – if someone contacts you unexpectedly, don’t act on it right away. Call the company or check their official website to confirm, rather than relying on links or contact info in messages. Scammers thrive on urgency. If something feels rushed or too good to be true, it probably is.

Keep devices and accounts secure – regularly update your devices and apps, use strong passwords and don’t recycle them across accounts (a password manager can help with this!), and turn on two-factor authentication wherever possible.

Share and report suspicious activity – if you spot a scam email, text, or call, alert friends and family, and report it to authorities like Scamwatch. Awareness helps protect everyone.


Erich Kron
Security awareness advocate at KnowBe4

Can you differentiate what’s real and what’s a scam? With hundreds of messages flooding inboxes daily, differentiating legitimate ones from clever scams is getting increasingly difficult.

Threat actors are constantly stepping up their game. Today, they are leveraging our trusted contacts, familiar formats and even AI to make scams appear legitimate. Recent research focused on phishing simulation found that 98 per cent of phishing clicks came from internal emails or trusted senders, a stark reminder that even messages from sources you “know” can be faked.

Scam Awareness Week is the perfect time to pause and ask: are you and your team truly prepared to spot the red flags?

With scammers constantly sophisticating their tactics, the key to resilience lies in building a strong security culture. One that isn’t built once a year but evolves every day. Employees need to keep up to date with the latest techniques to know what they’re up against. Keeping employees informed about the latest tactics equips them to recognise and resist threats. By maintaining high awareness, organisations can empower their people to be their first and best line of defence.


Nigel Tan
APAC SE director at Delinea

Scammers succeed by exploiting gaps in responsibility and trust, and poor password hygiene shows just how easily attackers can take advantage. Whether it is an individual or a business, the issue is the same – clear ownership of systems and access is too often missing.

Almost one in two Australians experienced cyber crime, such as scams and identity theft, yet only a quarter regularly update their passwords, showing how poor identity practices open the door to criminals. In businesses, the same risk arises when no one takes accountability for who can access critical applications, leaving sensitive data exposed.

As we mark National Scam Awareness Week, it is a reminder that defending against scams starts with the basics of identity security: stronger passwords, regular updates, and knowing who is responsible for access to sensitive data. By getting these foundations right, we can shut scammers out before they get in.


Andrew Black
Managing director at ConnectID

Scammers thrive on individuals oversharing sensitive information, so minimising the amount of data circulating online can be one of the best tools to help keep us safe. Scams Awareness Week is the perfect time to stop and think about how we’re sharing and requesting information, and whether we can reduce our digital footprint.

Every day, people in Australia are targeted by scammers trying to trick us into handing over money or personal details. The Cybercrime in Australia: 2024 Report found identity crime and misuse affected 21.9 per cent of Australians last year, more than one in five people.

A significant amount of our data is already stored across different platforms and services. Whenever we create a new account or check into a hotel, we’re handing over our information freely. With all that data floating around, we’re making it significantly easier for scammers to appear legitimate, especially now with the adoption of AI. They can copy official communications, create false identities, and carry out scams that are far more sophisticated than ever before.

When scammers get hold of a driver’s licence, passport, or bank statement, the damage can be even greater. They can impersonate individuals, open accounts or apply for credit on their behalf, and often the victim doesn’t even realise until it’s too late.

So, what can we do? While we can’t reclaim the data that’s already out there, we can reduce the risk of future identity-related scams by sharing less personal information going forward. This is where data minimisation comes in, a principle that asks how we can share only what’s necessary, instead of oversharing.

For businesses, that means rethinking outdated processes. If all that’s required is proof someone is over 18, there’s no need to store their entire licence or even date of birth. Technology now exists to verify a single fact, for example, that someone is over 18, from reliable sources, without collecting every other piece of information.

Tackling identity crime means cutting off the information that fuels it. The less personal data collected, the less there is for criminals to exploit.


Adhil Badat
Managing director APJ at Rackspace Technology

Artificial intelligence is now a core part of cloud strategies, with 84 per cent of organisations already incorporating it. The opportunities are clear with faster decision making, greater agility and the ability to scale innovation. But Scam Awareness Week is a reminder that the same technologies enabling progress are also being used by scammers in new ways.

The concern is not only the technology but how it is deployed. In many organisations, staff are experimenting with AI tools without formal guidance while leadership is still shaping governance. This lack of structure creates openings for fraud. AI can generate phishing emails, fake voices or entire conversations that appear authentic, making scams harder to detect.

Scam Awareness Week highlights why awareness and governance matter. Building clear policies and educating teams are essential steps to reduce exposure as AI and cloud adoption continue to grow.


Anthony Daniel
Managing director ANZ at WatchGuard

As we approach Scam Awareness Week, it’s a timely reminder that real-world threats require real-world security. Fraudsters use tactics like phishing emails, impersonation, and social engineering to exploit human behaviour, making awareness just as vital as technical protections.

In Australia, scams are responsible for hundreds of millions of dollars in losses each year, with many incidents causing serious disruption to operations and reputations. WatchGuard’s Q1 2025 Internet Security Report reported a staggering 71 per cent of malware arrives via encrypted connections, and almost three-quarters of that malware bypasses signature-based protections as zero-day threats. The report also reveals a 171 per cent surge in network malware, signalling that attackers are increasingly sophisticated, often AI-assisted, and hitting harder than ever.

Preventing scams requires a combination of clear processes, staff training, and verification steps to ensure requests and communications are legitimate. While secure email gateways and multifactor authentication are essential, they’re not foolproof.

For businesses, it’s not just about compliance – it’s about protecting reputation and trust. Leaders must regularly ask: Are our people prepared to spot a scam? Are our processes strong enough to stop one?


Shannon Davis
Principal AI security researcher, SURGe/Foundation AI, at Splunk

Scams today move faster, are more targeted, and harder to catch. For organisations, disrupting scammers requires an understanding of current tactics being utilised, along with data being organised. Ultimately, security is a data problem. The quicker we can break down silos and connect the dots, the quicker we can respond.

The reality is [that] no amount of data sharing will stop every scam. The most powerful defence is to educate the people being targeted and [give] Australians the tools to recognise, question, and avoid the scams before they cause harm. Public awareness, paired with faster disruption efforts, gives us the best chance of staying ahead of increasingly agile criminal operations.

Technology and partnerships play a role, but empowering people to spot the signs and protect themselves remains the frontline defence.


Reuben Koh
Security Technology and Strategy Director of Asia-Pacific and Japan at Akamai Technologies

Artificial Intelligence (AI) is increasingly exploited by scammers to target victims. Automating scams enables bad actors to generate more sophisticated attacks more quickly and effectively, resulting in far-reaching effects. Cybercriminals are using AI in various ways:

Offering scams “as-a-service”: Sophisticated cybercriminals develop complete AI-powered phishing kits which are sold to less experienced scammers, lowering the barrier to entry for would-be cybercriminals while exponentially increasing the number of scams.

Personalised attacks: Scammers use AI to research and gather information from social media and the internet to build rich and detailed profiles of targets quickly.

Generating convincing content: Cybercriminals use AI to develop realistic phishing emails, deepfake audio and malicious QR codes to target victims.

Scaling of operations: Small scam rings can now reach a wider number of victims by automating multiple social engineering campaigns.

Ashley Diffey
Vice President Australia and New Zealand at Ping Identity

As artificial intelligence rapidly evolves, so too does the threat landscape. Deepfakes and AI-generated impersonations have become mainstream for bad actors, making us question everything we see, hear or interact with online. This Scam Awareness Week, when trust can only come from what can be verified, businesses that infuse verification into every step of the identity journey, from onboarding, to access permissions, and even liveness detection, will be the ones that earn customer trust long term.

Les Williamson
Regional Director Australia and New Zealand at Check Point Software Technologies

Deepfakes have surged into commercial and consumer consciousness alike owing to their growing sophistication. The ability to mimic a human at a higher quality is now much more possible than ever before. That’s because access to the AI tools used to create deepfakes is better and this - along with low cost barriers to entry - means that convincing fakes can be deployed at scale. The significant business impacts associated with malicious deployment of deepfakes have people and businesses asking what they can do to protect themselves and their operations. How can they work out whether the person on the other end of a videoconference is real and not an AI creation?

In order to avoid scams in the workplace, enterprises need people to be vigilant and to perform some common-sense checks. In all situations people tend to weigh up what they’re seeing and make certain risk assessments and judgements. In the same way people currently check the veracity of an email or its contents - cross-checking the sender ID, hovering over a url or attached file, examining the style and grammar - they can benefit from applying the same type of approach to videoconferencing engagements today. This triangulation of clues and risk factors is a kind of 'multi-factor authentication' that we now need to perform more consciously in workplace settings.

Employees should continue to be cautious and stay current with the evolution of AI technology, to deal with the threat of encountering a deepfake. Their efforts can be ably supported by organisations implementing cyber security solutions, including robust email protections, that can detect and prevent many malicious meeting invitations from being delivered to inboxes in the first place. Given the potential cost of the threat, it’s important to have well-rounded protections in place.

Adrian Covich
Vice President, Systems Engineering, APJ, at Proofpoint

As we mark Scams Awareness Week in a rapidly advancing AI-driven landscape, it's essential to recognise and address the emerging risks posed by new technologies. Today’s scams are more targeted, more convincing, increasingly powered by artificial intelligence and exploiting human behaviour at scale.

At Proofpoint, we see firsthand that the vast majority of successful cyberattacks rely on human interaction. Our recent Human Factor report found that malicious URLs are now used four times more often than attachments in email threats, reinforcing that attackers are targeting people, not just systems, across email, SMS, and collaboration platforms.

Scams aren’t just a technical problem; they’re a people problem. Proofpoint advocates for a human-centric approach to online safety. By combining user education with behaviour-driven controls and threat intelligence, organisations can significantly reduce their risk of falling victim to scams.


Alan Win
Founder and CEO, Middlebank Consulting Group

Scams targeting supply chains are becoming more sophisticated, from fake suppliers and falsified compliance data to hidden ownership links designed to evade detection. Traditional due diligence methods are no longer sufficient. Artificial Intelligence (AI) can now surface red flags that manual checks often miss, including anomalies, inconsistencies, and subtle risk signals buried in fragmented data. But AI is only part of the solution. Organisations must embed ethical oversight, real-time monitoring, and proactive intelligence into their procurement and supplier management practices. Without this shift, they risk exposing critical operations to fraud, reputational damage, and serious disruption.


Manju Naglapur
SVP and GM, Cloud, Applications & Infrastructure Solutions at Unisys

When it comes to how sophisticated cyber-criminals and their attacks have become, a breach isn’t a matter of if but when. For organisations, prevention is no longer enough; robust strategies to limit the impact of a cyber attack and the ability to recover from a breach are critical.

Our research shows that over three-quarters (78 per cent) of organisations believe a breach is likely to occur in their organisation. However, alarmingly, we also see the majority (90 per cent) of Australian and New Zealand businesses admit their cyber security approach is reactive. The same research shows that when an attack does occur, leading to unplanned downtime, up to $500,000 per hour is what is at stake. Data, trust and the bottom-line are at risk, costly implications to any business.

The most security-conscious organisations know that cyber resilience is a company-wide practice. Having the right technology in place is crucial, but the ability to prevent and the capability to recover from scams and attacks start when everyone, including the C-Suite, understands and implements secure online practices.

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.
