Skip to content

What to do if you've been scammed

Stop all contact with the scammer, call your bank if any money or card details were involved, then secure the accounts that were touched. Acting in the right order matters more than acting instantly — and most of the damage scams do can be limited if you start now.

Answer the questions below and you'll get the exact checklist for your situation — who to call first and what to say. Everything is Australian: the phone numbers, the reporting channels, and the protections you have.

What happened?

The five moves that always apply

Whatever kind of scam it was, this is the underlying sequence the wizard tailors. If you do nothing else, do these in order:

  1. Stop all contact and payments. Don't reply, don't send more, and don't act on follow-up calls — pressure to keep going is part of the scam.
  2. Call your bank if any money or card details were involved. Use the number on your card or in your banking app. Fast reports are what make recalls and disputes possible.
  3. Secure the accounts that were touched. Change exposed passwords from a device you trust — email first — and turn on two-factor authentication.
  4. Get identity help if documents or details leaked. IDCARE (1800 595 160) is free and will build you a response plan. IDCARE — free identity support
  5. Report it. Scamwatch flags the campaign for everyone; ReportCyber creates the police record. Report to Scamwatch

A tap alone almost never causes harm — what matters is what happened on the page. Not sure the link was even a scam? Paste the message in to check it. For the full background, see the guide to what to do if you clicked a scam link.

Good news: on an up-to-date phone, opening a page almost never causes harm by itself. A few minutes of tidy-up is all this needs.

  1. Don't go back to the page. Close the tab and don't tap any follow-up buttons or “your device is infected” pop-ups — those pop-ups are part of the scam.
  2. Screenshot the message, then report it. A screenshot preserves the evidence. Forward the SMS to 7226 so carriers can block the sender, and report it to Scamwatch. Report to Scamwatch
  3. Change the password if it looked like a real login page. If the page convincingly imitated a service you use, change that account's password as a precaution — from a device you trust.
  4. Check the message so you know for sure. Paste the text into the free checker and get a verdict with the red flags spelled out. Check the message

Something downloaded or installed

The file or app is the risk, not the page. Remove it before it gets permissions, then secure the accounts that matter.

  1. Delete the download or app now. Don't open it, and never grant a new app accessibility or admin permissions on its own prompting — that's how malicious apps take control.
  2. Update your phone or computer. Install the latest OS update; security patches close the holes these pages try to exploit.
  3. Scan or clean the device. On Windows run Microsoft Defender; on a phone, remove unknown apps and restart. Factory reset is a last resort, not a first step.
  4. Change key passwords — from a different device. If anything installed, assume the device was watched: change email and banking passwords from a device you trust, not the affected one.
  5. Report it. If money or data was taken it's cybercrime — report it to ReportCyber so police have the record. Report to ReportCyber

If you sent money or entered card details

How you paid decides the playbook — banks can sometimes recall transfers and reverse card fraud, while crypto and gift cards need different (and faster) calls.

You sent a bank transfer or PayID payment

Bank transfers move fast, so you should too — your bank has the best chance of stopping or recalling a payment reported quickly.

  1. Call your bank immediately. Use the number on the back of your card or in your banking app — never one from the message. Say the words “I've been scammed” and ask them to attempt recall of the payment and watch the account.
  2. Expect the fake “bank fraud team” follow-up call. Scammers often call back posing as your bank and ask you to move money to a “safe account” or read out a code. That is always a scam — hang up and call the bank yourself.
  3. Dispute anything you didn't authorise. Under the ePayments Code you're generally protected from unauthorised transactions you report promptly. Keep notes of every call.
  4. Report it to both channels. Scamwatch flags the campaign; ReportCyber creates the police record your bank may ask about. Report to ReportCyber
  5. Watch your statements for weeks. Fraudsters trial small “test” transactions before a big one, and a responsive victim gets retargeted.

You paid by card or entered card details

Card payments have real protections — blocking the card and disputing promptly is what activates them.

  1. Call your bank and block the card. Use the number on the back of the card. Report it as compromised, ask for a replacement, and ask them to watch for fraud.
  2. Dispute the payment. Card payments can be disputed (charged back) — acting quickly and reporting promptly is what preserves your ePayments Code protections.
  3. Watch for small test transactions. Tiny unfamiliar charges are how fraudsters test a live card before a big spend — report any you see.
  4. Report it. Report the scam to Scamwatch, and to ReportCyber if money actually left the account. Report to Scamwatch

You sent cryptocurrency

Crypto moves in minutes and rarely comes back, so the first call is the exchange — and the second is the police.

  1. Contact the exchange you sent from. Report the receiving address as a scam. If the funds haven't moved on, some exchanges can freeze them — minutes matter more here than anywhere.
  2. Report it to ReportCyber. Crypto tracing runs through police channels, and the report is what makes any later action possible. Report to ReportCyber
  3. Be honest with yourself about recovery — and beware “recovery agents”. Recovering sent crypto is genuinely rare. Anyone who contacts you promising to get it back for a fee is running the follow-up scam — victims' details get sold to “recovery” scammers.
  4. Keep every record. Wallet addresses, transaction IDs, chat logs and screenshots — police and the exchange will ask for them. Then report to Scamwatch too. Report to Scamwatch

Gift-card scams rely on the balance being spent fast — if you move quickly the issuer can sometimes freeze what's left.

  1. Contact the card issuer straight away. Call the company whose cards you bought (Apple, Google, Coles etc.) with the card numbers and receipts — if the balance hasn't been drained they can sometimes freeze it.
  2. Keep the cards and receipts. They're your proof of purchase and the issuer and police will want the numbers.
  3. Report it. Report to Scamwatch — and remember for next time: no legitimate business or government agency ever asks to be paid in gift cards. Report to Scamwatch
  4. Watch for follow-up contact. Paying once marks you as responsive; expect further attempts and treat any “we can refund you” call as a scam.

If you gave personal details or codes

Details can be misused long after the scam, so these checklists are about making what leaked useless. If the message impersonated a specific organisation, the brand-by-brand guides show what that organisation's genuine contact channels are.

You entered a password or sign-in details

Assume those credentials are in someone else's hands and move in this order — it genuinely limits the damage.

  1. Change that password first, from a device you trust. Then change it everywhere you reused it — reuse is how one leak becomes many.
  2. Secure your email before anything else. If email credentials were exposed, they're the priority: whoever controls your email can reset every other account.
  3. Turn on two-factor authentication. An authenticator app or passkey beats SMS. Start with email and banking.
  4. Sign out other sessions and check recovery settings. Confirm the recovery phone and email on the account haven't been changed, and end any session you don't recognise.
  5. Report it, and get help if it spreads. Report the scam to Scamwatch. If you start seeing signs of identity misuse, IDCARE (1800 595 160) is a free, government-supported service that builds you a response plan. Report to Scamwatch

You gave ID documents — licence, passport or Medicare

Identity documents can be misused months later, so the goal now is to make them useless to the scammer.

  1. Call IDCARE on 1800 595 160. IDCARE is Australia's free identity support service. A case manager will tell you exactly which documents to replace and in what order — it's the single most useful call for this situation. IDCARE — free identity support
  2. Consider a credit ban. A ban stops anyone opening credit in your name while it's active. It's free, initially lasts 21 days and can be extended — you request it from each of the three credit bureaus (Equifax, Experian and illion); IDCARE can walk you through it.
  3. Watch your credit report and accounts. New accounts, loans or credit checks you didn't ask for are the warning sign that details are being used.
  4. Report it. Report to Scamwatch, and to ReportCyber if money was taken or accounts were accessed. Report to Scamwatch

myGov, Centrelink or ATO details were involved

Government identity has its own dedicated help channel — use it first, then lock the account down.

  1. Call the Scams and Identity Theft Helpdesk on 1800 941 126. Services Australia's helpdesk (Mon–Fri, 8am–5pm AEST) secures your myGov, Centrelink and Medicare records after a scam. Tell them exactly what you entered or shared. Services Australia — help after a scam
  2. Change your myGov password and check sign-in settings. Sign in directly at my.gov.au (never via a link), change the password, and check that linked services and contact details weren't changed.
  3. Bring in IDCARE if documents were involved. If the scam also captured licence, passport or Medicare details, IDCARE (1800 595 160) will plan the document replacements with you. IDCARE — free identity support
  4. Report it. Report the scam to Scamwatch so the campaign gets flagged. Report to Scamwatch

You shared security codes or phone/SIM details

Codes and SIM control are how scammers get past two-factor security, so the phone account itself is what to protect now.

  1. Call your telco and ask about port-out protection. Ask them to note the scam on your account and add extra identity checks so no one can move your number to a new SIM.
  2. Treat a sudden “no service” as an emergency. If your phone unexpectedly drops to no service, someone may have taken your number — contact your telco and bank immediately from another phone.
  3. Change the passwords behind those codes. A code is only useful with the matching password. Change the password on whichever account the code belonged to, and never read a code to anyone who calls you.
  4. Move two-factor to an authenticator app. App-based codes or passkeys can't be stolen through a SIM swap the way SMS codes can.
  5. Report it. Report to Scamwatch; if money moved, add a ReportCyber report for the police record. Report to Scamwatch

Frequently asked questions

Can I get my money back after a scam in Australia?

It depends on how you paid and how fast you act. Bank transfers can sometimes be recalled if you call your bank quickly, and card payments can be disputed — the ePayments Code generally protects you from unauthorised transactions you report promptly. Cryptocurrency and gift cards are much harder to recover, which is why anyone promising to get them back for a fee is running a follow-up scam.

Who should I call first?

If money or card details were involved, your bank — using the number on your card or in your banking app, never one from the message. If identity documents were taken, IDCARE on 1800 595 160. If myGov, Centrelink or ATO details were involved, Services Australia's Scams and Identity Theft Helpdesk on 1800 941 126.

Should I report a scam even if I didn't lose anything?

Yes. Reporting to Scamwatch helps get the campaign flagged and shut down for the next person, and forwarding scam texts to 7226 helps carriers block the sender. If money was taken or accounts were accessed, also report to ReportCyber so police have the record.

Is IDCARE actually free?

Yes. IDCARE is an independent not-for-profit identity support service — its case managers build you a personal response plan at no cost. Be wary of anyone charging money for 'identity recovery' services.

Will the scammers come back?

Often, yes. Responding once marks you as reachable, and victims' details get shared. Expect follow-up attempts — including calls posing as your bank's fraud team or as a company that can 'recover' your money. Both are scams: hang up and call the organisation on its official number.

Once the immediate steps are done, how to report a scam text walks through every Australian reporting channel in detail.

Last updated 2026-07-08. This page is general information for Australians, not legal or financial advice — if you've lost money, your bank and the official channels above are the priority.