Advanced Holiday Scams: How Technology is Shaping New Threats

With Black Friday sales kicking off the end-of-year shopping frenzy and Christmas sales now in full swing, Australians are facing an alarming surge in cyber scams designed to exploit this peak shopping season. The Australian Competition and Consumer Commission (ACCC) and the Australian Federal Police (AFP) have issued urgent warnings about the growing sophistication of these scams. Leveraging advanced technologies, scammers are preying on shoppers who are projected to spend nearly $70 billion, much of it online, during this period. The financial risks posed by these scams extend well beyond the festive season, emphasizing the need for heightened vigilance.

Scammers are increasingly deploying artificial intelligence (AI) to make their schemes more convincing. AI-generated phishing messages closely mimic legitimate communications, while deepfake technology is being used to create highly realistic video and audio impersonations of trusted individuals. Additionally, fake retail websites and QR code phishing tactics are being used to trick consumers into providing personal and financial information. 

According to the Australian Cyber Security Centre’s (ACSC) 2023–24 Cyber Threat Report, identity fraud, online shopping scams, and banking fraud collectively account for a significant portion of cybercrimes, with the average financial loss per incident now reaching $30,700. In response, Australian banks and government agencies, including the Commonwealth Bank’s anti-scam intelligence loop and the Australian Banking Association’s Scams Prevention Framework, are stepping up efforts to protect consumers. The AFP’s Operation Firestorm and its public call for caution underscore the importance of staying alert and informed during this high-risk shopping season.

Visa Mandates Shift from SMS OTPs to Combat AI-Driven Fraud

Visa has unveiled its Security Roadmap for Australia 2025-2028, requiring Australian financial institutions to transition away from SMS One-Time Passwords (OTPs) as the sole factor for payment authentication. This move addresses the rising threats posed by AI-driven fraud and sophisticated scams, with October 2026 set as the compliance deadline. The roadmap mandates advanced authentication measures like biometric verification, in-app authentication, app-to-app flows, and passkeys, leveraging multiple devices to fortify the payment ecosystem against evolving cyber risks.

Generative AI and machine learning technologies, coupled with the growing reliance on e-commerce, have created new vulnerabilities in payment systems, particularly exploiting human error. In 2023, Australians reported scam losses of AUD 2.7 billion across 601,000 cases, with scammers intensifying attacks during high-activity periods like the holiday shopping season. 

Visa’s Martyna Lazar warned of increasingly sophisticated tactics by cybercriminals, such as social engineering and phishing, to manipulate consumers into sharing OTPs. This exploitation enables fraudulent transactions, resulting in financial and emotional stress.

The Security Roadmap outlines six strategic pillars to reinforce Australia’s payment security, including preventing automation-based enumeration attacks, advancing fraud management technologies, adopting risk-based security frameworks, and securing digital payment systems with robust protocols. Lazar urged Australians to stay vigilant, particularly during peak holiday periods, advising against sharing sensitive information through SMS or responding to suspicious links.

Visa’s collaboration with financial institutions, merchants, and consumers aims to strengthen resilience and outpace the ever-evolving threat landscape.