A clear, step-by-step guide for adult children of older Australians who have just been scammed — what to do in the first hour, the first day, and the first week. And the mistakes to avoid that make recovery harder.
It's late, your phone has rung, and Mum is on the other end. She's been on the phone for two hours with someone she thought was from her bank. She's transferred money. Or she's read out a code. Or she gave them remote access to her computer. She isn't sure exactly what they got, and she's terrified.
If that's the call you've just had — or that you're worried you might one day get — this is for you. The next 24 hours will set the tone for everything that comes next: what you can recover financially, what you can secure against further damage, and just as importantly, whether your parent will trust you enough to let you help them.
This guide walks you through the practical steps in the order they actually matter. It also covers the things adult children get wrong — the ones that turn a recoverable situation into a much longer, more painful one.
The single most time-sensitive action is contacting the bank. Money that's still in transit can sometimes be stopped. Money that's landed in a scammer's account can sometimes be frozen if you move fast. Once it's been moved offshore — usually within hours — it's almost always gone for good.
1. Call your parent's bank's fraud line immediately, on any phone, even if it's 2am. All the major Australian banks operate 24/7 fraud lines, and Scamwatch's official guidance is to contact the bank "immediately to report the scam" and ask them to stop any transactions. The number is on the back of the bank card. Do not use any number the scammer gave your parent. Do not wait until morning.
2. While someone is on hold to the bank, write down what happened. Names the scammer used, numbers they called from, what your parent said or typed, what software (if any) they installed, what time it all happened. Memory fades fast under stress and the bank's fraud team will need details. A few dot points on the back of an envelope is fine.
3. If your parent gave anyone remote access to their computer — disconnect it. Pull the network cable, switch off the Wi-Fi, or shut the machine down. Remote-access scams (where the caller asks the victim to install AnyDesk, TeamViewer, or similar) give the scammer ongoing control until that connection is cut. The longer it stays up, the more damage they can do.
4. Change the passwords for online banking and email — from a different device. If your parent's computer was compromised, don't change the passwords from that computer; use your phone or your own laptop. Start with email (because email is how most password resets are confirmed), then online banking, then anything else that uses the same password as either.
5. If money has already left the account, contact the police and get an event number. The Australian Banking Association recommends reporting to police and obtaining an event number, which the bank's fraud team may ask for. You can do this online or by calling your state's non-emergency police line (131 444 in most states). 000 is for crimes in progress, not for reporting a completed scam.
That's the first hour. Everything else can wait until the morning.
Once the bank is on it and the immediate compromise is contained, the next priority is making sure the scammer can't use whatever they've already gathered to come back tomorrow under a different mask.
6. Call IDCARE on 1800 595 160. IDCARE is Australia's free, government-funded identity-and-cyber-support service. They build a personalised recovery plan for your parent's exact situation — what was exposed, what to lock down, what to monitor. The service is free, the case managers are experienced with elderly clients, and they explicitly say they listen without judgement. The line operates Monday to Friday 8am–5pm AEST, so if the scam happened on a weekend, this is a Monday-morning call.
7. Report the scam to Scamwatch. The ACCC's National Anti-Scam Centre uses these reports to identify emerging scam patterns and warn the rest of the country. Reporting takes about 15 minutes and can be done online. Even if your parent feels embarrassed and doesn't want to, encourage them — every report makes the next scam easier to spot for someone else's mum or dad.
8. If money or personal information was lost online, also lodge a report with ReportCyber. ReportCyber is run by the Australian Signals Directorate and feeds into police investigations. It's a separate report from Scamwatch and serves a different purpose: Scamwatch is for pattern detection, ReportCyber is for individual-case investigation.
9. If a Centrelink, Medicare, or myGov account was touched, call Services Australia. They have a dedicated Scams and Identity Theft Helpdesk — the number is on the Services Australia "help if a scam has affected you" page. They can lock down the account, reverse unauthorised changes, and reissue compromised credentials.
10. Change every password on every device. Not just the bank and the email — every account that mattered. Start with anything that had the same password as the compromised account (this is the single biggest follow-on risk). Use a password manager if your parent is willing — even a written list in a notebook kept at home is better than the same password reused everywhere.
The early panic ebbs, but the recovery isn't over.
Watch for follow-up scams. People who have been scammed once are explicitly re-targeted. Sometimes by the same group, sometimes by a different one who's bought the list of "known soft targets" on a criminal forum. The follow-up call often pretends to be from the police, the ACCC, or a "recovery service" promising to get the lost money back — for a fee. There is no legitimate Australian service that will recover scammed money for an upfront payment. If your parent gets one of these calls, treat it exactly like the original scam: hang up, call back on a verified number.
Get a credit report and consider a credit ban. Australia has three credit reporting bodies (Equifax, Experian, Illion). Each is required to provide one free report per year. If identity information was exposed, you can also ask each of them to place a temporary ban on the credit file — during the ban, no new credit applications can be made in your parent's name. IDCARE can walk you through which agency to start with based on what was exposed.
Consider a Commonwealth Victims' Certificate. If identity information was used (or attempted to be used) to commit a Commonwealth offence — falsely claiming a Centrelink payment, redirecting Medicare rebates, opening accounts in your parent's name — you can apply for a Commonwealth Victims' Certificate through the Attorney-General's Department. The certificate is issued by a state or territory magistrate and helps your parent re-establish their credentials with banks, government agencies, and credit bodies. It's not automatic and there's paperwork, but for serious identity-theft cases it makes the recovery much smoother.
If the bank's response wasn't good enough, escalate to AFCA. Australian Financial Complaints Authority is the free, independent ombudsman for disputes with Australian banks. If the bank refuses to investigate, refuses to refund where you think they should, or just stops responding, AFCA is the next step. Filing is free and Australian banks are required to participate.
This is the part nobody puts in the official guidance. Government pages tell you the steps; they don't tell you how to behave so your parent will actually let you help. After watching dozens of families go through this — and after my own family being on the receiving end — these are the patterns I see most:
1. Don't lead with "Why didn't you call me first?" It is, in the moment, the most natural question in the world. It is also the one that guarantees your parent will hide the next scam from you. Shame is what kept them on the call with the scammer for two hours in the first place — adding more shame, even by accident, makes the next scam more dangerous, not less. The first words out of your mouth should be "I'm so glad you rang me. We'll work it out together."
2. Don't take over their accounts. Your instinct will be to change their bank password to something only you know, hold their card, manage their email for them. Resist it. Stripping their independence is exactly the outcome they feared when they didn't tell you about the close call last time. Help them secure things; don't take their things off them.
3. Don't tell the wider family without asking. This is your parent's story. They get to decide who hears it. If they ask you not to tell their brother, their friend at bowls, or their other kids — respect that, even if you think it's the wrong call. Trust is more valuable right now than openness.
4. Don't try to "find" the scammer or get the money back yourself. Calling the number back, signing up to message boards, hiring a "fund recovery" service, posting on the scammer's social media — none of it works, all of it puts more of your information into criminal databases, and most of it is itself a follow-up scam waiting to happen. Let the bank, IDCARE, and the police do their jobs.
5. Don't let it be a one-conversation event. Most adult children have the panicked conversation, then never raise it again because nobody wants to relive it. The result is the parent processes it alone, in silence, often blaming themselves. Check in a week later. A month later. Three months later. Not to police them — to remind them they aren't alone in it.
Being scammed is more than financial. Research on elder fraud in Australia and overseas has consistently found that the lasting damage isn't usually the money — it's confidence loss. Older Australians who've been scammed often stop answering the phone entirely, stop using internet banking, stop trusting their own judgement on much smaller decisions. That confidence loss is itself a driver of cognitive decline.
The most protective thing you can do for your parent isn't security software or a stricter screening rule — it's making sure they don't carry this alone, and don't redefine themselves as "the kind of person who falls for things." They aren't. They're the kind of person who answered the phone, like every adult does, and met someone who'd practised this script on a thousand other people before them.
FamilySentry exists for the conversation that happens before the scam, not just after it. Every unknown call to your parent's phone is screened in real time by AI configured to recognise the scam scripts running in Australia right now — the bank fraud-team script, the ATO arrest script, the Centrelink overpayment script. If the caller starts walking through one of them, you get an SMS or push alert while the call is still happening, with a summary of what's being said.
Known contacts — the GP, the bank's real fraud team, family, friends — ring through normally. Your parent doesn't have to learn anything, change anything, or admit anything. The technology is invisible to them; the visibility is yours.
If you'd like to be among the first families using it when we launch publicly, you can join the founding-member waitlist — the first 100 families get three months free at launch, plus 20% off the subscription forever.
Found this useful? Share it.
Remote-access scams targeting older Australians now cost an average of $17,943 per victim. Here's how the scam actually works, the five scripts that lead to the software being installed, and the single rule that prevents every version of it.
Australian carriers block billions of scam calls before they reach customers — and the system still leaves elderly parents exposed to the calls that matter most. Here's why network-level blocking can't see the calls that get through, and what fills the gap.
The five scam patterns Scamwatch is reporting most heavily in early 2026, what each one sounds like on the phone, and the simple questions that trip every one of them up.