2026 scam trends: what’s changed, what’s the same & how to stay safe
Published by Shameela Gonzalez, Financial Services Industry Lead, on 27 January 2026
Scams have become a reality we can’t ignore, with every Australian likely to receive one in some form. As cyber criminals grow more sophisticated, leveraging generative AI and cutting-edge tech, spotting scams has become trickier than ever.
In my role as the Financial Services Industry Lead at CyberCX, I see new scams emerging and gaining traction all the time. Here are the top threats to watch out for in 2026 and smart ways to protect yourself.
1. Fake online stores. Phony websites imitating well-known brands with too-good-to-be-true, ‘limited time only’ prices are targeting shoppers through social media ads. These sites steal payment details – or send goods that don’t resemble what you purchased.
How to stay safe:
- Avoid clicking on social media ads – find the legitimate website through a search engine.
- Verify the website – check for ‘https:’ at the beginning of the URL, check review sites and inspect the website’s creation time. You can find this by clicking the three dots next to the site’s Google Search result and going to ‘About the Source’.
- Check payment methods – be wary of websites that only accept one payment method. Use services such as PayPal, Amazon Pay or Apple Pay to help reduce the number of places your payment information is stored.
2. Phishing and deepfakes. AI is fuelling slicker, harder-to-spot phishing tactics, including convincing deepfake videos. Once deemed ‘sophisticated’, deepfake video clips are now easier and more efficient for threat actors to create, especially of high-profile individuals whose images and videos are readily available on the web to use and manipulate.
While deepfake scams are a growing threat to watch, classic email and SMS phishing scams containing malicious links aren’t going away anytime soon.
How to stay safe:
- Go direct to the source – type URLs manually into your browser or find them via a search engine. This also applies to people you think you’re communicating with – call the person directly before making a payment or disclosing sensitive information.
- Watch for red flags – when viewing videos or receiving calls, look for unnatural lip-syncing, delayed responses or odd eye movements.
- Beware of shortened URLs – phishing attacks often use URL shorteners to hide malicious links. While some legitimate businesses use them too, exercise caution and use a link expansion service.
3. ‘Tap to pay’ charity scams. Real-life scammers exploit your generosity at events or while doorknocking, stealing large sums of money through contactless ‘tap-to-pay’ methods that use Near Field Communication (NFC) technology.
Typically, a scammer pretends to be collecting small donations for a charity. However, when the victim taps their card or phone for payment, they are charged a much larger amount to a fraudulent business.
How to stay safe:
- Be vigilant – always check the merchant’s name and transaction amount before tapping.
- Don’t rush – be wary of any vendor who tries to rush you, hide the screen or cannot provide a receipt.
- Turn on alerts – enable transaction alerts with your bank or credit card for real-time updates.
4. Social media scams. Scamwatch has reported several scams associated with new Australian laws restricting certain social media platforms to users aged 16 years or over. Reported scams include fake age verification platforms, accounts, and threats from government and law enforcement impersonators.
How to stay safe:
- Pause before sharing – don’t rush into sharing age verification details or making payments. No legitimate platform will ask for payment associated with these laws.
- Check validity – make sure the organisation or person you’re dealing with is real. Visit the eSafety Commissioner’s ‘Social media “ban” or delay FAQ’ page for guidance.
5. “Hi Grandma” phone scams. Evolved from the better-known “Hi mum” scam, the “Hi Grandma” scam sees grandparents targeted with urgent calls that use AI to mimic a loved one’s voice, claiming to have been in an accident or arrested and to need emergency funds.
How to stay safe:
- Resist pressure – scammers often try to pressure victims into sending money via mobile payments or gift cards.
- Check to be sure – if in doubt, hang up and call your family member directly.
6. Parcel scams. Text messages or emails mimicking Australia Post or other delivery services lure people into clicking on links to resolve delivery issues or pay delivery fees. The links direct users to fake websites designed to steal their personal and financial information.
How to stay safe:
- Official apps – use the official AusPost app, or the official apps/websites of other postage services.
- Avoid clicking links – never click on a link from an unknown number or email claiming to be from Australia Post or other postage service.
- Delete, block and report suspicious emails and text messages.
If you’re caught out by a scam in the year ahead, follow these steps:
- Stop contact and transactions – cut off all communication with the scammer and do not send any more money or personal details.
- Contact your bank or financial institution – call your bank or credit card company right away to report the scam, freeze accounts and prevent any unauthorised transactions going through.
- Secure your information – change passwords (especially banking and email) and scan your devices for malware or unusual activity if you clicked on any links.
- Report – be sure to report the scam to relevant authorities including Scamwatch or the police.
Your organisation can also take steps to better protect customers and employees:
- Consider how customers’ identity can be better protected. Is multi-factor authentication (MFA) enabled for customers? Consider events where their credentials have already been compromised.
- Are processes in place to ensure each employee is ‘trusted’ in a digital sphere? If an employee was deepfaked on a video call, would your organisation be able to identify this malicious behaviour?
- Train employees – the more educated and aware employees are, the better they’ll be able to spot potential threats and report them.
Whether you’re an individual or a business, staying alert and adopting best practices online will help you detect and bypass the traps of evolving scams in 2026 – and beyond.

