First 24 Hours After Being Scammed — Australia

Researched by , Head Researcher

Primary sources cited; not legal advice.

Last verified:

Source: ReportCyber (AFP + ACSC); Scamwatch (NASC, ACCC); ePayments Code (ASIC); AFCA Act 2018.

Sourced from Commonwealth Acts of Parliament, federal regulations, and official government guidance. State-level information reflects each state's own Acts and court decisions. Written in plain language for general understanding — this is educational content, not legal advice. Our editorial standards

Australian Federal Law

What is this right?

Three jobs in parallel. Call your bank's fraud line — under the ePayments Code, the bank must investigate unauthorised electronic transactions and reimburse where the customer did not contribute to the loss. Customer liability cap AUD 150 unless contributory negligence (sharing PIN, etc.). Report to ReportCyber at cyber.gov.au — single national channel. Add to Scamwatch at scamwatch.gov.au for ACCC scam intelligence. Preserve evidence.

Emergency: 000. IDCARE (free identity-theft support): 1800 595 160.

When does it apply?

  • Unauthorised debit / credit card or online-banking transaction on your Australian bank account.
  • You were tricked into authorising a transfer.
  • Online sale on Gumtree, Facebook Marketplace failed to deliver.
  • Investment / crypto scam.
  • SIM-swap fraud.
  • Sextortion or NCII — see Data Privacy & Digital Rights.

What to Do in the First Day After Being Scammed

  1. Call your bank's fraud line. Number from the card or in the official banking app.
  2. Report to ReportCyber at cyber.gov.au. Single national channel run by AFP + ACSC. Reports route to state / territory police for investigation where appropriate.
  3. Add to Scamwatch at scamwatch.gov.au. NASC scam intelligence; helps warn other consumers.
  4. For identity-theft support, call IDCARE 1800 595 160 (free).
  5. For SIM-swap or telecom scams, parallel a complaint to your telco and to ACMA.
  6. Preserve evidence. Cloud-save immediately.
  7. Change passwords; switch to authenticator-app 2FA.
  8. Write a one-page timeline. Bank reference, ReportCyber reference, Scamwatch reference. AFCA escalation will ask for them.

What should you NOT do?

  • Don't share OTP / PIN / banking credentials with anyone.
  • Don't pay 'recovery agents' upfront.
  • Don't delete evidence.
  • Don't miss the AFCA two-year clock from the bank's final IDR response.

About Scams, Fraud & Money Recovery in Australia

Australia's scam-recovery system runs across three institutions. ReportCyber at cyber.gov.au is the single national reporting channel run jointly by the Australian Federal Police (AFP) and the Australian Cyber Security Centre (ACSC). Scamwatch at scamwatch.gov.au, run by the National Anti-Scam Centre (NASC) at the ACCC, is the scam-intelligence and consumer-warning hub. For bank refunds, the ePayments Code — voluntary but adopted by all major Australian banks — sets unauthorised-transaction rules. If the bank refuses, the Australian Financial Complaints Authority (AFCA) resolves disputes for free; AFCA decisions up to AUD 1,236,000 (since 1 November 2024) are binding on the firm if you accept.

Emergency: 000.

Common Questions

What is ReportCyber?

ReportCyber is Australia's single national channel for cybercrime reporting, run jointly by the Australian Federal Police and the Australian Cyber Security Centre (ACSC) at cyber.gov.au. Reports are routed to the relevant state / territory police force for investigation. Reports also feed national intelligence and pattern analysis.

What's the difference between ReportCyber and Scamwatch?

ReportCyber is the criminal-investigation channel (AFP + ACSC + state police). Scamwatch is the scam-intelligence channel (NASC at ACCC) — it doesn't investigate individual cases but uses the data to warn consumers, work with platforms / telecoms, and inform policy. File both for fastest combined effect.

Is the ePayments Code legally binding?

The ePayments Code is voluntary, but all major Australian banks (the big four — CBA, Westpac, NAB, ANZ — plus others) have adopted it. Where a bank has adopted the Code, it is contractually binding on them. AFCA enforces the Code in disputes. The customer-liability cap of AUD 150 for unauthorised transactions (unless contributory negligence) is the key consumer protection.

What does IDCARE do?

IDCARE is Australia and New Zealand's free national identity-theft and cyber-support service. Their free helpline (1800 595 160) provides specialist case management for victims of identity theft. They can help with restoration steps, dealing with banks / credit bureaus / Centrelink / ATO.

What is the first 24 hours after being scammed right in Australia?

Three jobs in parallel. Call your bank's fraud line — under the ePayments Code, the bank must investigate unauthorised electronic transactions and reimburse where the customer did not contribute to the loss. Customer liability cap AUD 150 unless contributory negligence (sharing PIN, etc.). Report to ReportCyber at cyber.gov.au — single national channel. Add to Scamwatch at scamwatch.gov.au for ACCC scam intelligence. Preserve evidence.Emergency: 000. IDCARE (free identity-theft support): 1800 595 160.

When does first 24 hours after being scammed apply?

Unauthorised debit / credit card or online-banking transaction on your Australian bank account.You were tricked into authorising a transfer.Online sale on Gumtree, Facebook Marketplace failed to deliver.Investment / crypto scam.SIM-swap fraud.Sextortion or NCII — see Data Privacy & Digital Rights.

What should I do immediately after being scammed in Australia?

Call your bank's fraud line. Number from the card or in the official banking app.Report to ReportCyber at cyber.gov.au. Single national channel run by AFP + ACSC. Reports route to state / territory police for investigation where appropriate.Add to Scamwatch at scamwatch.gov.au. NASC scam intelligence; helps warn other consumers.For identity-theft support, call IDCARE 1800 595 160 (free).For SIM-swap or telecom scams, parallel a complaint to your telco and to ACMA.Preserve evidence. Cloud-save immediately.Change passwords; switch to authenticator-app 2FA.Write a one-page timeline. Bank referenc...

What mistakes should I avoid with first 24 hours after being scammed?

Don't share OTP / PIN / banking credentials with anyone.Don't pay 'recovery agents' upfront.Don't delete evidence.Don't miss the AFCA two-year clock from the bank's final IDR response.

More in Scams, Fraud & Money Recovery

Reporting Cybercrime via ReportCyber and ScamwatchAustralia uses a single national portal for cybercrime reporting: ReportCyber at cyber.gov.au, jointly operated by AFP a...Read more →Recovering Money from an Australian Bank via AFCAAustralia's money-recovery framework is two-step. Step 1: Internal Dispute Resolution (IDR). The bank must investigate a...Read more →
← Browse all Scams, Fraud & Money Recovery

Last verified:

You came here to know your rights — help someone else know theirs.

Support This Mission