Cyber crime and real-world crime are converging in a dangerous new way – here’s how to stay safe

It starts with a call from someone claiming to be your bank. They know your name. They know your bank. They even know your credit card number. There’s been “unusual activity” on your account, they say – and they just sent you a one-time passcode to verify your identity so they can assist.

You read out the code and feel reassured. Moments later, your funds are gone and the bank refuses reimbursement, citing a breach of terms because you voluntarily shared your passcode.

This is not a niche or isolated scam. It’s part of a growing pattern we’re seeing across Australia and beyond: cyber criminals are merging digital and real-world tactics in ways that make these frauds more convincing, harder to stop, and far more damaging.

It starts with stolen data

These scams don’t begin with a phishing email or fake app. They begin with data – your data – stolen in one of countless breaches, such as the latest Qantas incident that exposed the details of up to 5.7 million customers.

Sometimes the personal data has been sold through third-party data brokers. Names, phone numbers, emails, even card details are routinely leaked and traded online.

Once they have this information, scammers get to work. The phone call mimics a real interaction with a bank, perhaps with a spoofed caller ID. Victims are pressured in urgent language to “verify” their identity, often by reading out a one-time passcode that, unbeknownst to them, is authorising a transaction using their own card details.

We refer to this as a “convergence scam” – where online data leaks, psychological manipulation and weak enforcement come together. It’s a sophisticated hybrid of digital theft and physical-world exploitation, and it’s on the rise.

Devastating and personal

These scams are deeply personal and can be financially devastating. But what makes them even more alarming is the system-wide failure surrounding them.

For starters, many credit card fraud insurance policies contain clauses that exclude coverage when the customer “voluntarily” provides account credentials – including one-time passcodes – even if they did so under duress or deception.

One victim we spoke to lost nearly A$6,000 after a scammer posing as their bank prompted them to read out a passcode over the phone. The transaction was verified using that code, and the bank later refused to reimburse the loss.

In a formal response, the bank stated that by voluntarily sharing the one-time passcode, the customer had breached the epayments code, even though they were manipulated into doing so. As a result, the customer was held liable and ineligible for a chargeback.

Law enforcement may not help

Even when the criminals leave a physical trail, follow-up is rare. Law enforcement rarely investigates. In the cases we’ve seen, reports are acknowledged but not pursued. Officers don’t explicitly say the case is too small or not worth the effort, but their inaction suggests it, especially given how resource-intensive most cyber-crime investigations tend to be.

In many instances, particularly when the total loss isn’t deemed significant, victims are simply told to follow up with their bank, based on the assumption they’ll be reimbursed.

In one case we reviewed, stolen card details were used in-store at major Australian retailers such as Woolworths and Coles – indicating that a cloned card had been physically used. These purchases could, in theory, be tracked back to in-store CCTV footage. But no investigation was launched.

This reluctance to act, even when the evidence is tangible, sends a dangerous message: that scammers can operate with near-impunity.

Meanwhile, banks and regulators are slow to update verification systems. One-time passcodes are still widely used, even though scammers now exploit them routinely. There’s little recourse for victims, and minimal accountability for data brokers whose records fuel these scams.

What can we do to protect ourselves?

For individuals, the first line of defence is simple but vital:

• never share a one-time passcode or security code over the phone, even if the caller seems legitimate
• if in doubt, hang up and call the bank directly using the number on your card
• be cautious about where and how you share your personal information, especially online through websites or social media. Only disclose what personally identifiable information you have to.

The true answer is systemic change

Banks and other institutions need to put into place stronger identity verification systems that don’t rely solely on SMS codes. We need greater transparency and regulation of data brokers.

Read more: 70% of Australians don’t feel in control of their data as companies hide behind meaningless privacy terms

Crucially, we also need active enforcement of cyber-enabled fraud, especially when there’s physical evidence, such as in-store purchases and CCTV footage.

Banks should also reassess their policies and procedures on how they communicate with customers. If scam calls closely mimic real ones, it’s time to change the script. More proactive education, clearer warnings, and redesigned verification processes can all help prevent harm.

The real danger of these convergence scams isn’t just financial loss. It’s the erosion of trust: in our banks, in our security systems, and in the institutions meant to protect us.

Once that trust is gone, it’s not easily recovered.