For Australia’s banking and financial services sector, scams are no longer just a customer-service issue or a fraud-team problem. They are now a governance, compliance and reputational issue that boards and senior executives need to treat as a core business priority. The reason is simple: scams have become more sophisticated, more industrialised and more costly, while regulators are making it clear that prevention can no longer rely on voluntary action alone.
That shift is playing out against a sobering backdrop. According to reporting on the National Anti-Scam Centre’s latest figures, Australians lost $2.18 billion to scams in 2025, while Scamwatch and ReportCyber data showed 60,657 scam reports and $248.3 million in reported losses in the first quarter of 2026 alone. Email remains the most commonly reported contact method, underscoring how frequently scams still begin through everyday digital interactions that customers may perceive as legitimate.
At the same time, the regulatory environment is changing fast. The Scams Prevention Framework Act passed Parliament in February 2025 and, in late May this year, Treasury released draft rules and sector codes that show how the new regime is expected to work in practice for banks, telcos and digital platforms. For banking leaders, this is the clearest signal yet that scam prevention is moving from a “best endeavours” posture to a more prescriptive operating model with accountability attached.
The proposed framework goes well beyond broad principles. Draft requirements point to stronger governance arrangements, clearer customer warnings, transaction and account monitoring, payee confirmation, scam detection processes, payment recall steps and more coordinated disruption activity. Regulators are also pushing for more consistent intelligence-sharing and complaint handling, with AFCA confirmed as the external dispute resolution body for scam-related disputes under the framework. In other words, the question for banks is no longer whether scam controls matter; it is whether existing controls are visible, joined-up and customer-centric enough to meet the next phase of scrutiny.

This matters because scams increasingly target the customer, not just the institution. Financial institutions have invested heavily in securing internal systems, but cybercriminals have become adept at exploiting the end user through impersonation, phishing, social engineering and AI-assisted deception. ASIC’s latest push to publish verified website addresses for AFS licensees is a timely example of this new reality: criminals are copying the names, licence numbers and websites of legitimate providers to create fake sites and investment scam ads, making trust itself a contested space.
That is why board-level scam strategy now has to extend beyond reimbursement, dispute resolution and internal fraud controls. It also has to address how institutions help customers recognise threats before harm occurs. In practice, that means looking at scam prevention as part of the customer experience, not just as a back-office function. Education still matters, but it is no longer enough on its own when scams are timed, personalised and often delivered in channels customers already use every day.

This is where a more embedded model of protection becomes relevant. Rather than expecting customers to find, download and manage separate cyber tools, banks have an opportunity to integrate scam and identity safeguards more directly into their own digital ecosystems. Norton Embedded Solutions offers a suite of embeddable scam and identity protection services that partners can integrate into mobile and desktop experiences, with configurable dashboards, alerts and support built into the customer journey.
The value of that approach is not simply product expansion; it is customer protection delivered at the point of need. Norton’s embedded capabilities described in partner materials include AI-powered scam detection, proactive email scanning, dark web monitoring and identity protection services designed to alert consumers to suspicious activity or compromised information. For a bank, that can support a more B2B2C model: helping the institution strengthen trust and differentiation by helping customers stay safer in their everyday financial lives.
There are already relevant Australian proof points. Some credit bureaus have partnered with Norton in Australia to integrate identity monitoring into their consumer offerings, with the proposition centred on helping Australians detect exposed personal information and reduce the risk of identity theft and downstream fraud. That kind of partnership illustrates a broader market direction: protection is becoming more valuable when it is embedded into an existing trusted relationship, not offered as an afterthought.

For boards and risk leaders, the strategic implication is clear. Scam prevention is now part regulatory readiness, part operational resilience and part customer-value proposition. The institutions that respond best will likely be those that treat anti-scam capability not only as a compliance obligation, but also as a way to better protect customers in a threat environment that is changing faster than most consumers can keep up with.