Health Data for Sale: Inside the GP Medicare Data Harvesting Surge

TL;DR

  • One in three scam sessions during this period were linked to Medicare or health data fraud.
  • 78% of PII requests related to health information, used to profile and resell victims.
  • Scammers posed as local GPs, often referencing partial Medicare details to gain trust.
  • The inferred goal was to harvest healthcare data and resell it to black-market data aggregators.

The Spike: When Scammers Went to Medical School

In September, Apate’s Bot Army detected a sharp escalation in scam traffic posing as local medical clinics.

Over 33% of Apate’s unique scam calls were diverted, each attempting to impersonate a general practitioner or clinic staff member.

In total, 33% of all scam sessions captured between 11 and 25 September involved a health or Medicare theme – a major deviation from the usual focus on investment or government agency scams.

For telcos and banks, this shift represents a new phase in scam operations. The primary objective of this campaign was data aggregation. Every captured call added another layer of verified data: names, Medicare numbers, and birth dates that could be resold or weaponised downstream.

The Script: How the Impersonation Works

Each captured interaction followed a rehearsed script – polite, familiar, and deliberately low risk.
The caller posed as a GP or clinic administrator, greeting the victim and referencing a fabricated issue with their Medicare file.

A typical exchange might sound like this:

“Hi, this is Dr Lewis from your local clinic. We’ve had a problem with your Medicare details.
The system’s showing the last four digits as 1234 – could I confirm that’s correct?”

The fake digits created a sense of legitimacy, prompting the victim to supply the real numbers – often adding a date of birth or address for verification.

Apate’s analysis shows a high degree of linguistic consistency across sessions.
The same phrases, pauses, and validation prompts appeared across thousands of calls – evidence of centralised script distribution rather than ad hoc scams.

The approach relied on authority and repetition rather than fear.
Unlike investment or tech-support scams, no money was requested, and no urgency was applied.
 

Each interaction exploited a blind spot between verification and detection. Fraud controls across both telco and banking environments are tuned to flag transactional anomalies – not conversational reconnaissance.

By imitating legitimate identity-verification flows, the campaign achieved persistence without exposure, operating beneath both network-level anomaly detection and bank anti-fraud analytics.
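
The two observations above (near-identical wording across sessions, and identifier requests with no payment ask) can be turned into a simple transcript check. The following is an added example, not Apate's method or code: the transcripts are constructed, and the regexes, the 4-word shingle size and the 0.6 threshold are assumptions chosen for illustration.

```python
import re
from itertools import combinations

# Constructed transcripts (not real call data); session ids are made up.
SESSIONS = {
    "s1": "Hi, this is Dr Lewis from your local clinic. We've had a problem with "
          "your Medicare details. The system's showing the last four digits as "
          "1234, could I confirm that's correct?",
    "s2": "Hello, this is Dr Patel from your local clinic. We've had a problem with "
          "your Medicare details. The system's showing the last four digits as "
          "5678, could I confirm that's correct? And your date of birth?",
    "s3": "Good morning, I'm calling about an investment opportunity with "
          "guaranteed returns, you need to transfer funds today.",
}

HEALTH_PII = re.compile(r"\b(medicare|date of birth|clinic|gp)\b", re.I)
# "Confirm these partial digits" bait: the caller offers digits to be corrected.
DIGIT_BAIT = re.compile(
    r"\b(last|first)\s+(four|4|three|3)\s+digits\b.*\bconfirm\b", re.I | re.S)
PAYMENT = re.compile(r"\b(transfer|payment|gift card|deposit|invest\w*)\b", re.I)

def shingles(text, k=4):
    # Mask digits and the name after "Dr" so per-call variables do not hide reuse.
    norm = re.sub(r"\d+", "<num>", text.lower())
    norm = re.sub(r"\bdr\s+\w+", "dr <name>", norm)
    words = re.findall(r"[a-z<>']+", norm)
    return {tuple(words[i:i + k]) for i in range(len(words) - k + 1)}

def jaccard(a, b):
    return len(a & b) / len(a | b) if a | b else 0.0

def shared_script_pairs(sessions, threshold=0.6):
    # Session pairs whose wording overlaps enough to suggest one distributed script.
    sh = {sid: shingles(text) for sid, text in sessions.items()}
    return [(a, b, round(jaccard(sh[a], sh[b]), 2))
            for a, b in combinations(sorted(sh), 2)
            if jaccard(sh[a], sh[b]) >= threshold]

def is_recon(text):
    # Health identifier request plus digit bait, with no payment ask: the
    # conversational pattern that transaction-tuned fraud controls do not see.
    return bool(HEALTH_PII.search(text) and DIGIT_BAIT.search(text)
                and not PAYMENT.search(text))
```
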

The Objective: Data as the New Scam Currency

The September campaign marked a shift from transactional fraud to data-asset engineering.

Analysis of PII requests diverted by the Bot Army shows that 78 percent sought health-related identifiers, principally Medicare numbers, dates of birth, and practice details. Each successful capture expanded a dataset used to score victim susceptibility and fuel future scam orchestration.

The GP scam surge is indicative of a broader trend in the scam economy to harvest information on prospective victims, with the intention to build ‘Scam Susceptibility Matrix Profiles’ and refine targeting strategies for further scam attempts.  

According to Apate’s intelligence, 78% of captured requests in these calls sought Medicare or health-related details. Every interaction aimed to extract data that could later be reused or sold.

Health identifiers such as Medicare numbers are increasingly treated as assets by criminal networks (Services Australia / University of Melbourne, 2017). They can be traded, combined with other leaked datasets, and exploited to enable future fraud.

These records provide fraud networks with more than static identity data – they reveal demographics, life-stage cues, and contact persistence.
That intelligence allows operators to:

  • Prioritise high-yield or high-trust victims.
  • Tailor scam narratives by age group or location.
  • Recycle validated profiles across multiple scam verticals – from banking impersonations to investment pitches.

Emerging evidence suggests stolen health identifiers often resurface in new scam contexts, powering follow-up calls, phishing, or investment fraud (AU Cloud, 2024).

Unlike banking credentials, health system identifiers attract fewer real-time alerts.
Bank account or card theft typically triggers rapid detection and replacement; a Medicare number can remain active and unmonitored for years (Privacy.org.au, 2022).


That longevity makes it a durable currency in the scam economy – one that can be cross-referenced and resold indefinitely.

This scam spike has all the hallmarks of a structured data-aggregation campaign – the groundwork for a second-stage fraud wave targeting the same victims through financial or service-related channels.

Mapping the Calls

The Apate Bot Army revealed a complex global footprint behind this GP impersonation campaign. The following visual illustrates global call activity linked to the campaign.

Figure: GP scam calls diverted to the Bot Network (11–25 Sept 2025). Source: Apate Bot Army Dataset.

During this 15-day window, most sessions presented as Australian numbers, but many were likely spoofed or relayed via offshore systems, consistent with known caller ID manipulation patterns in Australia and Europe.

Secondary clusters appeared in the United States, Russia, and the United Kingdom, indicating coordinated activity across jurisdictions. Regulators have moved to curb international calls that spoof domestic Call Line Identities (CLIs), underlining how common this tactic has become (Ofcom, 2024).

For telcos, this pattern shows why traffic lineage and behavioural metadata matter more than raw block counts. UK regulatory steps to block abroad-to-domestic spoofing are further evidence of the need for route-aware defences.

For banks, these routing anomalies are early signals of infrastructure being staged for downstream fraud. Interpol’s recent operations against voice phishing and cyber-enabled fraud illustrate the cross-border nature of these networks.

Together, the evidence points to a mature, distributed operating model – local in appearance, international in execution – and a growing need for shared intelligence between carriers, banks, and regulators.

Implications for Telcos

Telcos sit at the front line of the scam economy – yet most still measure success by the volume of traffic blocked, not by the insight captured.

Australia’s Scam Calls and SMS Industry Code (ACMA, 2023) mandates blocking and traceback, but the regulator implies that high block rates do not correlate with reduced consumer harm (ACMA, 2023).
Apate’s analysis confirms that many calls blocked by one carrier simply reappear through another network – often within minutes – illustrating how scammers re-route campaigns as easily as they rewrite scripts.

Traditional blocking tools stop traffic; they don’t expose the infrastructure or intent behind it.


By shifting from blocking to behavioural visibility, telcos can:

  • Detect emerging scam typologies earlier, before they reach consumers
  • Trace cross-border routing chains that exploit carrier interconnects
  • Provide downstream partners (banks, regulators, law enforcement) with early warning intelligence

Global regulators are reinforcing this direction. Ofcom’s 2024 guidance on scam call mitigation highlights the need for information sharing and intelligence collaboration across operators (Ofcom, Preventing and protecting consumers from scam calls and texts, 2024).

Telcos that invest in intelligence-led defences gain not only compliance cover but strategic insight into the scam economy running over their networks.

Implications for Banks

For banks, the September campaign shows that fraud rarely begins at the transaction – it begins at the conversation. Each diverted GP impersonation call was a pre-fraud event: a data-gathering exercise that built the foundations for later financial or identity scams.

Apate analysis shows a clear chain of escalation:

  1. Stage 1 – Data Capture: Health and identity information harvested under the guise of Medicare verification.
  2. Stage 2 – Data Exchange: Profiles refined and redistributed across connected fraud ecosystems.
  3. Stage 3 – Monetisation: Follow-on scams – bank impersonations, investment offers, or APP fraud – target the same verified individuals.

Repeat-victimisation research reinforces this pattern. A US Department of Justice study found that 62 percent of mail-fraud victims were targeted again (OJP, Using Scammers’ Data, 2020).
Australia’s Institute of Criminology similarly reported repeat online-fraud exposure among survey respondents, noting that a “large number of respondents could potentially be considered repeat victims of online fraud” (AIC, Online Fraud Victimisation in Australia, 2020).
This pattern of re-targeting helps explain the downstream exposure banks face once personal data has leaked upstream.

Health-themed scams heighten that risk by conditioning trust.
After “verifying” details with a fake GP, victims are conditioned to comply with authority and to share information quickly.


That makes them more responsive to later calls claiming to be from a bank’s fraud team or government department – a common precursor to authorised-push-payment (APP) fraud.
Both the UK Payment Systems Regulator and the ACCC have identified APP fraud as a rapidly growing threat (PSR UK, Fighting APP Fraud Strategy, 2024) (ACCC, Scamwatch Annual Report 2024, 2024).

Banks that integrate proactive scam threat intelligence gain the ability to:

  • Flag customer calls linked to known scam infrastructures before any loss occurs
  • Enrich risk models with behavioural metadata such as call origin and spoofing indicators
  • Collaborate with carriers and regulators on shared scam-infrastructure tracing

Cross-sector cooperation is already taking shape.

The National Anti-Scam Centre continues to emphasise the need for this telecom-to-bank visibility to prevent losses before they materialise (ACCC, 2024).

When banking and telecom data intersect, fraud detection becomes proactive rather than reactive – stopping scams before they reach the payment layer.

The Bigger Picture: From Blocking to Visibility

The September GP scam surge was more than a single campaign – it was proof of how far the scam economy has industrialised its data supply chain.
Where traditional fraud relied on deception and speed, today’s networks operate like information brokers, trading validated personal data to optimise future attacks.

The same dataset that once powered health impersonation scams now underpins banking, investment, and identity fraud across multiple channels.
In this model, data moves faster than money. The data harvested in September will likely underpin new waves of targeted phishing, voice impersonation, and synthetic identity fraud well into 2026.

Apate’s Bot Army provides a new form of visibility – capturing scam interactions in real time and decoding their intent.

Each diverted call reveals:

  • Scam syndicate scripts, tactics and techniques evolving in real time.
  • Routes shifting across carriers and jurisdictions.
  • Reused data points appearing across unrelated scam typologies.

This visibility exposes the scam economy’s logistics layer – the infrastructure that allows it to scale.
Each diverted call represents a traceable unit of intelligence: where it came from, what data it sought, and how it adapts to defences.

A Call to Action

Scammers are no longer improvising – they’re industrialising.
The GP impersonation surge shows how professionalised networks now treat personal data as capital and use telecom infrastructure as transport.
The industry’s defensive posture must evolve at the same pace.

Blocking is table stakes.
Intelligence is the differentiator.

Telcos and banks hold complementary pieces of the puzzle:

  • Telcos see how scams move through routing chains and device networks.
  • Banks see how those same patterns translate into monetary loss.

By combining these perspectives through shared intelligence, the industry can move from fragmented reaction to coordinated disruption.

Apate’s Bot Army transforms scam traffic into visibility – diverting live scam conversations to expose their origins, playbooks, and infrastructure.
Each captured session adds to a global dataset that makes scams harder to run, harder to scale, and harder to hide.

Resources:
  • Payment Systems Regulator (PSR) (2024). APP scams – our work to prevent Authorised Push Payment fraud. London: PSR (policy program on APP fraud, updated Dec 2023). Available at: https://www.psr.org.uk/our-work/app-scams/.
