AFP Operation Firestorm Scam Alert a perfect showcase of fraudster ingenuity

Relevant impacts:  Human Impact, Government Outcomes Impact, Reputational Impact, Security Impact

An Australian Federal Police (AFP) Scam Alert has shown the ingenuity of dedicated fraudsters in finding ways to exploit government mechanisms for keeping Australians safe from scams. Released on 4 February 2026, the AFP has warned Australians that fraudsters have begun impersonating law enforcement officials to access Australian assets.

As outlined in the AFP press release, the scam uses simple personal information, such as names and email addresses, to submit a false ReportCyber report. It then uses the automated response to pretend the victim was involved in a data breach. By then impersonating AFP officers that are part of Operation Firestorm – a legitimate AFP operation targeting international scam and cybercrime syndicates – they attempt to deceive the victim into transferring money, often cryptocurrency, to offshore financial accounts.

This is a textbook case of motivated scammers and fraudsters exploiting the legitimacy of Australian law enforcement to establish and betray the trust of Australian citizens. This exploitation of publicly available data and criminal reporting mechanisms also demonstrates how fraudsters may try and creatively target, subvert and exploit fraud controls for their own gain, often by targeting vulnerable people who are seeking to report or correct wrongdoing.

Government agencies should always keep these pitfalls in mind when designing reporting mechanisms or fraud controls.

In their alert, the AFP has advised members of the public to immediately report any contact with these scammers to ReportCyber. ReportCyber has implemented a one-time password function to stop scammers lodging and validating a false report with another person's email.