Interactive training essential to fight ‘scam fatigue,’ report says
BDO has urged firms to combat “scam fatigue” by making cyber security training more interactive as scam risks continue to climb.
“Scam fatigue” can make employees more susceptible to cyber risks even when they’ve received scam training, BDO’s forensic services team warned in its March 2025 Australian Scam Culture Report.
“Employees, bombarded with constant scam alerts, may become desensitised to warnings. As a result, even after multiple cautions, many still fall victim to sophisticated phishing schemes,” the report read.
“In this climate, businesses must find innovative ways to maintain vigilance and keep employees engaged with scam prevention messaging.”
Australians lost $92.5 million to scams in the March 2025 quarter, the report revealed. Of this, $11 million was related to “buying or selling” scams, including false billing.
As new technologies boost the efficiency and sophistication of cyber criminals, BDO’s report urged firms to find innovative ways to get employees locked in with scam prevention strategies.
Interactive training, including simulated scams, could be key to assessing scam readiness and equipping employees to deal with real cyber threats.
Sending out fake phishing emails to staff and tracking their responses could help businesses identify training gaps without the risk of actual compromise, the report said.
BDO added that mindset was key when it came to scam prevention.
“Instead of framing it as an occasional task to check off the list, businesses should work to create a cyber vigilant culture where security is ingrained in everyday operations,” the report said.
It encouraged firms to engage in frequent discussions on cyber security, foster a sense of shared responsibility and consistently reinforce the importance of scam prevention.
Niek Dekker, VP of marketing at payment fraud prevention firm Eftsure, said businesses often underestimated the total costs associated with fraud.
“[When] money goes to the wrong supplier or vendor or bank account,” Dekker said, “you still have to pay [the original] supplier for goods or services delivered.”
Additional costs are imposed on businesses, including legal fees, operational costs as payments are paused, and costs associated with investigating breaches and communicating with vendors.
“All these costs and totals are estimated to be five times the value of the money that is lost [in the initial scam].”
To better engage employees in scam prevention training, BDO suggested businesses send out personalised alerts to each team or function, tailored to their specific risks. Individualised messaging was typically more effective than generic company-wide security alerts, the report noted.
“Senior executives may face different types of scams, such as CEO fraud, to client-facing staff,” the report said.
“By tailoring security messages to reflect these risks, businesses can make their communication more relevant and impactful.”
Business email compromise (BEC), a common scam faced by accounts payable teams, occurs when cyber criminals either gain unauthorised access to an email account to impersonate a user, or use a copycat email address to trick their target.
In the context of accounts payable teams, the scammer could ask the recipient to make a wire transfer, divert payroll or change banking details for future payments.
Australian businesses lost almost $84 million in 2023–24 to BEC scams, the Australian Signals Directorate’s Annual Cyber Threat Report found. The ACCC found $91.6 million was lost to payment redirection scams in 2024.
To mitigate the risk of BEC scams, BDO urged businesses to have robust procedures in place when client or vendor financial details change, to verify financial-related requests, and to ensure staff were aware of cyber risks and their costs.
“By investing in dynamic and interactive training tools, businesses can ensure that their workforce remains vigilant and prepared, regardless of how many phishing emails land in their inbox.”