Qantas scam and more: The new social media and 'Quishing' cons coming for your wallet

A new wave of Qantas scams is currently hitting inboxes and phones across Australia, with the airline warning customers to be on high alert.

Fraudsters are using fake emails and texts to steal personal details and cash. The messages often reference Qantas’ 2025 data breach—where over 5 million customers’ personal details were leaked on the dark web—to trick you into clicking links that supposedly ‘secure’ your information. These messages use official logos and create a false sense of urgency, pressuring you to act fast to claim a refund or redeem points that are about to expire.

The good news is you can spot these early if you know what Qantas won’t do. The airline has confirmed they will never ask for your PIN, passwords, or one-time codes via text or email.

But it isn’t just Qantas customers in the firing line. In 2025, over 200,000 Australians reported scams, losing a staggering $334.8 million. Scammers are getting more sophisticated, but you can stay one step ahead by learning their latest tactics for 2026.

1. Superannuation and investment scams

Investment scams are Australia’s top cause of financial loss, with scammers using fake emails and websites to dupe Aussies into handing over their cash. 

Typically, scammers will pose as a financial advisor and will convince people to move their super into a fake Self Managed Super Fund (SMSF) or invest money in cryptocurrency, promising high returns. 

If you receive an offer like this that feels too good to be true, it likely is. Always speak to a trusted financial advisor before making any decisions about your super or investments. 

The red flags

• Offers to unlock super early: You need to meet strict conditions to access your super before you retire or meet preservation age (60 years old for anyone born after June 30, 1964), so unsolicited emails offering early access are most likely fake.  
• Ads featuring AI-deepfakes of trusted figures: Scammers use artificial intelligence (AI) to create deepfakes of celebrities and finance experts to promote fake investment opportunities. These videos are often shared on social media with fake accounts leaving comments and likes to make them look legitimate. 

How to avoid the scam

• Get a second opinion: Seek expert advice before transferring money from your super fund or making an investment. Make sure you show them the email or message you received. 
• Treat celebrity videos with caution: Watch the person’s mouth carefully while they’re speaking. Deepfake videos may have glitches where the movements of the person’s mouth and the audio don’t match up. 

2. Solar and green energy scams

With power bills rising, scammers are using government rebates as bait. They often knock on doors or cold-call, pushing low-quality systems or non-existent ‘free’ solar setups.

The red flags:

• Asking for large deposits: A reputable installer will rarely ask for more than a 10% deposit. Be wary if you’re being told to pay more than this.
• Cheap ‘premium’ products: Installers quoting premium brands (like Sungrow or Tesla) for prices significantly lower than the industry standard should raise alarm bells. Often this is a ploy to get you to pay a deposit quickly, then the scammer disappears. 
• Asking for bank details: Scammers claiming to be from the Department of Energy may call and claim you’re eligible for a solar refund. They will then ask for your bank details to process the refund. Remember, the Australian government will never ask you to provide your bank details over the phone. 

How to avoid the scam

• Check if the business is legitimate: Search the company’s ABN on the Australian Business Register or search for the business name on the Australian Securities and Investments Commission (ASIC) website.  

3. Bank impersonation

Bank impersonation scams are, unfortunately, common. They’re also more sophisticated than ever. Scammers can now copy your bank’s official phone number, making a fake text or call appear in the same thread as your real bank messages. They may claim your account has been compromised and ask you to move your money into a ‘safe’ account to protect your assets. You may also be asked to download malware disguised as protection software to keep your accounts safe.

The red flags:

• Asking for a one-time password (OTP) over the phone: Your bank will rarely ask you for your OTP over the phone. Never provide any login details, passcodes or authentication codes unless you’re certain you’re speaking to the real deal. 
• Sense of urgency: A simple way to tell if something is wrong with a message you’ve received is if there is pressure for you to act immediately. Stop, slow down, and think before making a decision. 
• Requests to download software: Your bank will never ask you to download software on your device. 

How to avoid the scam

• Treat unsolicited calls with suspicion: Financial institutions will typically contact you via email, text or in-app notifications. If you get a call from someone claiming to be from your bank, hang up and call back on the number listed on its website.  
• Say no to downloads: Scammers use software to view or take control of your device. This can give them access to your personal details and bank account logins. If a caller asks you to download something on your device, hang up. 

4. Sales and shopping scams

Online shopping scams are common and fake online stores spike during popular sales like Black Friday or Boxing Day, using social media ads to sell products that never arrive. You should also beware of dodgy sellers listing fake items on websites like Facebook Marketplace and eBay, who take your money but never deliver the product. ‘Quishing’ scams are also on the rise. This scam uses fake QR codes placed in public areas (like parking meters) that lead to fraudulent payment sites.

The red flags:

• No ABN, privacy policy or terms and conditions: If the business you’re buying from doesn’t list these on its website, think twice before buying. Genuine, registered businesses will always display these clearly on their website. 
• Strange payment types: Requests to pay via gift card, pre-loaded card, money order or using several PayID accounts are likely a scam.
• PayID upgrade: If you are selling an item and a buyer claims they can’t pay until you upgrade your PayID account to a business account, do not pay the fee. PayID does not require you to have a business account to receive payments.

How to avoid the scam:

• Go direct to the source: If you see a ‘fire sale’ or a deep discount on social media, don’t click the ad. Instead, open your browser and search for the name of the retailer to see if they are legitimate, and if there are any user reviews mentioning fake sales or scams.

5. Fake event and ticketing listings

Fake ticket listings for major concerts, sports events and festivals are profitable for scammers, who exploit the hype around these events to lure buyers away from official sites. They may use stolen or edited images as ‘proof’ to trick you into paying for a ticket that doesn’t exist.

The red flags:

• Pressure for non-secure payments: Be extremely wary if a seller pushes you to pay via cryptocurrency, gift cards, or a direct bank transfer. These methods are like handing over cash; once the money is sent, it is nearly impossible to recover.
• The hacked friend ruse: Scammers often hack legitimate social media accounts to post ticket offers to that person’s friends. 
• No physical address or council approval: If you are shopping for tickets to a local event found through social media, make sure there is a physical address listed and council approval. Vendors cannot sell tickets to an event if there is no approval. 

How to avoid the scam

• Stick to the pros: Only buy through official sellers like Ticketek or Ticketmaster, or authorised fan-to-fan marketplaces like Tixel.
• The two-step check: If a friend is selling tickets on social media, contact them by some other means to confirm it’s really them. Accounts are easily hacked to target people who trust them.
• Demand digital proof: Don’t settle for a screenshot. Ask for a screen recording of the ticket in the official ticketing app to ensure it’s real.
• Choose safe payments: Use credit cards, PayPal, Apple Pay, or Google Pay for better protection. Never pay via cryptocurrency or direct bank transfer, as this money is almost impossible to recover.

6. The tech support ruse

It’s an old trick, but it’s still one of the most effective: the tech support ruse. Scammers will call and pretend to be from trusted brands–often telcos or banks. They claim your account is hacked and insist you download software to fix the issue. Of course, this software gives the scammer remote access to your device. It’s essentially like handing over your house keys; they can watch you log into bank accounts or steal your details directly.

The red flags:

• Unsolicited calls: if your account has really been hacked, you’ll likely receive an email from your provider before you get a call. Treat calls from people claiming your account has been hacked as suspicious until you can confirm it’s real.  
• Asking to download software: We’ve said it once and we’ll say it agian–if you’re asked to download software, don’t. Never give remote access to your phone, tablet or computer. 
• Asking for login details: Be wary if you are asked to provide login details or authentication codes. It’s unlikely a legitimate business would call you to ask for these details. 

How to avoid the scam

• Say no to remote control: Legitimate companies will never ask for remote access to your device. If someone calls and asks for this, hang up immediately and contact the provider using an official number from its website.

How can I protect myself?

The idea of hackers and scammers is scary, but there are effective ways to protect yourself and your assets. 

• Stop, check, protect: If you receive a message that feels panicked or urgent, take the time to check the sender details to make sure it’s real. Search the number of the business on official listings and call directly rather than using the links or phone numbers sent to you. 
• Never give personal information: If you receive a call from a telco, bank, or other service provider asking for personal details or login information, don’t hand it over. 
• The call back rule: Never use the number provided in a text. Call the official number that is listed on the official website.
• Screen calls and emails for scams: Most smartphones can screen calls or emails and identify if it is likely a scam. These can be set up through your device’s settings. 
• Verify the URL: Check shopping URLs via the ICANN Lookup tool. If the website claims to be an established brand but was only registered a month ago, it’s possibly a scam.
• Reporting: If you’ve lost money, contact your bank’s fraud department as soon as possible. Afterwards, report the scam to Scamwatch.