IronSights
All insights

threat intelligence

Online Fraud Is Rising in Australia. Almost Nobody Is Reporting It.

Online fraud and scam victimisation rose from 9.7 to 11.1 percent in 2025. Roughly 86 percent of victims didn't report. And identity crime isn't falling. It's just moving from banks to utilities, telcos, and government services.

By IronSights Editorial, Practitioner team12 July 20263 min read
ByIronSights Editorial12 July 20263 min read

Australia's fraud and scam rate got worse in 2025. The AIC's Cybercrime in Australia report puts online fraud and scam victimisation at 11.1 percent, up from 9.7 percent the year before. Consumer and seller scams were the most common type (buying or selling online and getting deceived), affecting 4.7 percent of respondents and accounting for nearly 38 percent of recent fraud incidents.

Online marketplaces are a natural target. Transactions are high volume, often low value, and the verification requirements are minimal compared to financial services. Anyone selling furniture on Facebook Marketplace is operating in a much lower-trust environment than any bank.

Identity crime is shifting

The overall identity crime figure dropped from 22.1 to 20.4 percent, which looks like progress. Financial account compromise fell from 17.7 to 15.8 percent. Banks have been tightening controls, and that seems to be working.

But other forms of identity compromise went up, from 4.8 to 5.7 percent. Attackers are moving to utilities, telcos, health portals, and government services. These accounts have weaker verification than banks and hold enough to build a usable identity profile for more complex fraud later. The criminals didn't stop; they moved.

The reporting gap

Across all cybercrime types, about one in ten victims reported to police or ReportCyber. Fraud and scams had the highest reporting rate of any crime category, at 13.7 percent, which means roughly 86 percent of fraud victims didn't report.

The reasons: many didn't think it was serious enough, some were embarrassed, and others didn't know ReportCyber was an option. That last one is notable. A government reporting portal has been running for years and a meaningful share of victims still don't know it exists.

Of those who did report, 45.3 percent did so to try to recover money. The recovery rate averaged about 30.7 percent of losses. Most victims who lost money ended up less than $1,000 out of pocket after recoveries. That said, 36 percent of fraud victims lost money at all.

Who gets hit

Victimisation rose most sharply among men and people aged 25 to 49. SME owners and managers were more likely to be targeted than other workers, and their median losses were higher: $209 versus $150 for other employed Australians.

The entry point is usually a marketplace transaction gone wrong. A seller doesn't deliver. A buyer disputes a legitimate sale. A platform impersonator redirects a payment. High volume, low friction, minimal verification. Easy to exploit at scale, and hard to investigate after the fact.

What this means for businesses

Rising fraud has a few knock-on effects. More customers will experience fraud this year, sometimes involving your brand or systems. More staff will encounter and . And more of your suppliers and customers will have had credentials compromised from non-financial accounts, which is the identity data that makes work.

BEC is worth naming directly. Attackers impersonate a supplier or executive, request a payment redirect, and collect the transfer before anyone notices. The identity data that makes this convincing often comes from utility, telco, and government account compromises, which is exactly what's growing in the AIC data.

For individuals: verify payment change requests through a separate channel before acting, treat unexpected messages from known contacts as suspicious until confirmed, and be sceptical of marketplace deals requiring unusual payment methods.

If something happens, report it, even if the amount is small. ReportCyber is at cyber.gov.au/report. Pattern data at the national level depends on it.

Keep reading

More from the IronSights team.