Who comes to mind when someone says "scam victim"?

There's a fair chance you pictured someone older. Someone less familiar with the internet. Someone who’d click on a dodgy link or be enticed by a too-good-to-be-true offer. Someone who, in absolutely no way, is anyone like you. 

That assumption is doing a lot of work. And it's working against us.

The fastest-growing group of scam victims in Australia right now is actually people aged 18-34 - the largest group reading this newsletter right now - not older Australians. The thing making them most vulnerable isn't ignorance, but it’s actually the confidence that comes from growing up online.

Before we dive in, just a quick note from me: Commonwealth Bank is the sponsor of today’s newsletter, but haven’t had any editorial input on what I’ve written here.

According to BDO's Australian Scam Culture Report, Australians aged 18–34 recorded the fastest growth in reported scams of any age group in the 12 months up to July 2025. Young adults are exposed to scams at more than twice the rate of those over 65. And yet this same cohort remains the least worried about being targeted.

That gap between how many scams we see and how concerned we are is exactly what scammers go looking for.

According to the Australian Institute of Criminology, one in four Australians aged 18-34 fell victim to a malware scam in 2024 - not almost, not nearly, but actually fell victim. 

And here's the number that makes the other numbers feel bigger: only an estimated 10% of scams are ever reported. Stigma, embarrassment, and the particular shame of thinking I should have known better kept the other 90% silent. When you apply that to the one-in-four stat I just highlighted, it’s conceivable that the real number there is much higher.

At school, uni, and my first few workplaces, there were mini-courses designed to help me spot a scam. We were told to look for dodgy spelling, generic greetings, manipulated logos, or any DIY effort. 

Unfortunately, in the age of AI, these deficits are much less common as technology fills the gap. 

Impersonation scams (where a criminal poses as your bank, the ATO, a delivery company, or even someone you know) are now powered by tools that can clone a voice from a 30-second audio clip, replicate someone's writing style from a handful of social media posts, and personalise it all at an industrial scale. 

In fact, every employee who announces on LinkedIn that they’ve joined TDA now gets a number of emails, DMs and sometimes even texts from ‘Sam Koslowski’ encouraging them to go buy gift cards from the supermarket as their first official task at work. 

My nickname of ‘Scam Koslowski’ is well-deserved. 

So why are young Australians, who have grown up on digital platforms, getting caught out? 

Experts think it’s actually because we’re so online. 

Young Australians live on the channels scammers exploit most. There are more scams. Putting those two facts together, it makes sense that the more time you spend on a platform, the higher volume of scams you’d be exposed to, which means a well-crafted impersonation can blend right into the daily scroll.

But the deepest vulnerability is psychological. Researchers call it the "overconfidence effect", which is the gap between how capable we think we are and how capable we actually are under pressure. Growing up online leads many young Australians to believe, reasonably but incorrectly, that they'd clock a scam the moment it arrived. That confidence reduces vigilance at the exact moment vigilance matters most.

According to a recent study by Commonwealth Bank, 95% of people under 35 were at least slightly confident they could recognise a deepfake scam, but when tested, they were only 46% accurate at detecting real vs AI-generated images.

There's also an economic layer to call out. Cost-of-living pressures and casualised work mean many young Australians are more likely to act quickly on something that appears to be a financial opportunity, or a quick win. Scammers know this, too. 

So that’s sufficiently humbling (and potentially scary). The old advice (check the spelling, make sure the email address sending the note is legit) still holds, but it’s no longer enough. 

Watch for artificial urgency. Banks, government departments, and delivery companies almost never need you to act within the next few minutes. That kind of pressure is built into scams, not into how real institutions communicate.

Be suspicious if you're being asked to move outside normal channels. If "your bank" wants you to call a different number, download a new app, or continue the conversation on WhatsApp, that's worth pausing on.

Notice what they're asking back from you. A real bank confirming your identity might ask for your name and postcode. A scam will ask for your full card details "to confirm the account."

Watch out for bank impersonation scams. A genuine bank staff member will never ask you to tell them your password or other security codes.

And anything that asks you to keep it quiet ("don't mention this to anyone while we investigate") is not language a legitimate organisation uses, ever.

The trickiest one is the scam that almost feels right. AI-generated impersonations are designed to pass casual inspection. If you get a spidey-sense that something is off, that gut instinct is information. The best thing you can do is verify through a channel you've found yourself, not one provided in the message.

TDA’s reporting draws on a range of sources, with CommBank Newsroom providing additional research and data insights, including work conducted by CommBank’s Behavioural Science Centre of Excellence in September 2025. CommBank Newsroom had no editorial input on what TDA has written.

CommBank has been exploring how AI-powered impersonation scams are evolving, including the impact on young Australians. Its research is part of a broader effort to better understand who is most at risk, and why scams can still work even when something feels wrong.

For the latest scam research and intelligence, visit CommBank Newsroom.