Speed is the Priority, Not Structure: The Next Phase of Australia’s Anti-Scam Response

By Brad Joffe, CCO
Executive Summary
Australia has built one of the world’s most coordinated responses to scams, anchored by the ACCC’s National Anti-Scam Centre (NASC) and the Targeting Scams reporting program. This national model is working, as shown by the continuing coordination between banks, telecommunication providers and government agencies. However, the real challenge in this program is the speed of intelligence delivery, which is the common constraint for most programs targeting the evolving scam economy.
In the world of scam and fraud, every minute counts. In many cases, by the time intelligence is surfaced and complaints are filed, the money has already moved, and scammers have moved on to a new campaign. They’ve likely rotated their domains, phone numbers and bank accounts, and have started targeting their next victim (whilst intelligence teams are often still focusing on the initial scam).
That's the gap we're focused on closing.
Intelligence gathered during live scam activity lets organisations identify networks while they're still running, and enables them to drain scammers’ time and resources that would otherwise be converting victims into losses.
In practice, our approach surfaces new and novel ways in which we turn true real-time intelligence into action every single day.
In two recent anonymised case examples, our system surfaced 10 linked Australian mule accounts within four days and expanded a small set of phishing reports into 174 connected domains. This cluster-level disruption narrows the timing gap between detection and defence, and even allows organisations to get ahead of scammers by predicting their activity and behaviours.
Key insights:
- National coordination is working, but the bottleneck is time to action.
- Live intelligence lets organisations predict scammer behaviour, and act before infrastructure rotates.
Australia’s anti-scam response already has strong coordination. The next phase is not necessarily any structural reform to the Scams Prevention Framework, but reducing the time between signal and coordinated action.
The Bottleneck: Speed, Not Structure
Australia’s anti-scam ecosystem is already well-structured. NASC, banks, telcos, digital platforms and government agencies coordinate in response to emerging threats.
But scammers move fast, and I dare say much faster than the response cycle. The architecture of what we have built as a nation is strong. But most of the strongest inputs are downstream, i.e. responding to attacks, not predicting them.
This creates a timing gap between detection and disruption. Complaints and loss reports are essential but are mainly used as damage control. By the time intelligence arrives, scammers have rotated their infrastructure and the window for intervention has narrowed or closed.
Domains are replaced, phone numbers are discarded and mule accounts are sourced and swapped. For scammers, their campaigns continue as BAU.
The next phase of Australia’s anti-scam response is therefore about reducing the time between signal and action: getting upstream intelligence to the right organisations before scammer infrastructure rotates.
The Prediction Layer: What Live Intelligence Captures
Intelligence gathered during active scam attempts captures actionable artefacts before victims are reached, and costs scammers time and resources they'd otherwise spend on real targets.
Most scam reporting is naturally retrospective, capturing information after victims have been contacted, after they have lost money, or after suspicious activity has already occurred.
This reporting is still essential. It helps identify trends, measure harm and coordinate responses across sectors. But earlier signals create more opportunities to disrupt scams before losses occur.
Live engagement surfaces:
- Payment artefacts: beneficiary bank accounts and payment instructions used for monetisation.
- Infrastructure indicators: domains, URLs, redirect chains, and hosting patterns.
- Communication identifiers: phone numbers, sender IDs, and channel migration steps.
- Operational context: scripts, impersonated entities, and behavioural handoffs.
The critical variable is timing.
What determines impact is when the artefact is captured, not simply what is captured.
Intelligence gathered live gives organisations the window to act and disrupt before infrastructure rotates.

Scams move in minutes & hours. Reports only arrive days later.
Case Study Integration: Early Visibility into Mule Networks
Over a four-day anonymised engagement, 10 Australian bank accounts were surfaced in one conversation and linked to a single scam network. As the engagement continued, the scammer sourced and rotated mule accounts on demand.
This revealed two things: the existence of a broader mule broker ecosystem, and a clear window for intervention before any victim funds moved.
The value wasn't the information alone. It was having it while the operation was still live, giving our partnering financial institutions the time to act.
The purpose of highlighting this particular engagement is to showcase the effect that one conversation can have on actively disrupting a scam network. It’s worth noting that our system is handling tens of thousands of these conversations per day, which when distilled, surface an incredible volume of high-confidence, real-time intelligence (after all, our system is extracting intelligence directly from the mouths and keystrokes of the scammers themselves).
The "One Domain" Myth: Why Cluster-Level Disruption Works
Scam campaigns are not isolated incidents; they are coordinated systems built on reusable infrastructure that is tried and tested by scammers as service-based cybercrime models.
Created from the same toolkit, website domains and phone numbers are provisioned in batches, are only temporarily active, and are replaced when blocked. This is why simply removing one domain or blocking one number at a time barely slows the operation.
Individual indicators are regenerated faster than they can be removed. Effective disruption means targeting the broader campaign infrastructure, not the individual components.
Case Study Integration: Phishing and Investment Scam Clusters
As our agents pick up more and more artefacts, we can use that intelligence to pivot and expand the intelligence surface area. An anonymised phishing investigation autonomously conducted by our system expanded from a small number of initial reports to 174 connected domains, all linked to the same phishing operation and hosting infrastructure. This cluster-level visibility enabled investigators to move beyond isolated takedowns and instead target the entire campaign.
Analysis of a suspicious investment website revealed a 124-domain cluster. One registrant controlled 66 of those domains - a clear signal of industrialised, templated deployment.
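The pivot described in these two case studies can be sketched as a graph problem: domains that share a registrant or a hosting IP, directly or through a chain of such links, belong to one cluster. The following is an added illustration, not the vendor's system; the record fields, the choice of pivot attributes and all sample values are constructed assumptions.

```python
from collections import Counter, defaultdict

# Constructed sample records (not real indicators): domain, registrant handle, hosting IP.
RECORDS = [
    ("login-secure.example", "reg-A", "192.0.2.10"),
    ("verify-account.example", "reg-A", "192.0.2.11"),
    ("parcel-redeliver.example", "reg-B", "192.0.2.11"),
    ("toll-unpaid.example", "reg-B", "192.0.2.12"),
    ("bank-alert.example", "reg-B", "192.0.2.12"),
    ("invest-returns.example", "reg-C", "198.51.100.5"),
    ("unrelated-shop.example", "reg-D", "203.0.113.9"),
]

def find(parent, x):
    while parent[x] != x:
        parent[x] = parent[parent[x]]  # path halving keeps lookups shallow
        x = parent[x]
    return x

def cluster_domains(records):
    """Group domains that share a registrant or hosting IP, directly or transitively."""
    parent = {domain: domain for domain, _, _ in records}
    first_seen = {}  # ("reg", value) or ("ip", value) -> first domain carrying it
    for domain, registrant, ip in records:
        for key in (("reg", registrant), ("ip", ip)):
            if key in first_seen:
                parent[find(parent, domain)] = find(parent, first_seen[key])
            else:
                first_seen[key] = domain
    clusters = defaultdict(set)
    for domain in parent:
        clusters[find(parent, domain)].add(domain)
    return list(clusters.values())

def expand(seeds, records):
    """Return every domain in a cluster that contains at least one reported seed."""
    seeds, hit = set(seeds), set()
    for cluster in cluster_domains(records):
        if cluster & seeds:
            hit |= cluster
    return hit

def top_registrant(domains, records):
    """Registrant controlling the most domains in the given set, with its count."""
    counts = Counter(reg for d, reg, _ in records if d in domains)
    return counts.most_common(1)[0]
```

A single reported seed expands to the whole linked cluster, and `top_registrant` gives the kind of concentration signal noted above, where one registrant controls a large share of the domains.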

The Mule Opportunity: Why Bank Accounts Are the Weakest Link
Scam scripts, phone numbers and domains change rapidly. Bank accounts are harder to replace.
Mule accounts require recruitment, onboarding and coordination. That makes them one of the more durable components of a scam operation, and that friction creates leverage in the fight against fraud and scams.
If beneficiary accounts can be identified while a campaign is still active, regulators and financial institutions have a clear point of intervention before funds rotate.
Case Study Integration: On-Demand Mule Provisioning
In a separate anonymised engagement, multiple mule accounts across numerous institutions were observed being sourced within 20 to 30 minutes of a payment request. This behaviour indicates an organised mule supply network operating as external providers to scam operators.
The operational significance is not only the speed at which upstream intelligence allows organisations to engage with scammers live, but the visibility into scammer tactics it provides.
The key insight is that mule infrastructure changes more slowly than narrative and communication layers, making it a durable lever for coordinated disruption.
Effective Coordination Depends on Artefact Quality and Timing
Fusion Cells are one of the strongest components of Australia’s anti-scam architecture. The coordination model works.
The question is not whether coordination exists. It’s whether coordination is fed with intelligence early enough to change outcomes.
At a high level, Fusion performance is shaped by two variables: the structure of the artefact and the timing of its delivery.
When intelligence arrives late, coordination becomes reactive. When artefacts are structured, attributed and shared during an active campaign window, coordination becomes precise.
To keep this practical, the most useful artefacts tend to include:
- Campaign-linked domains and URLs
- Phone numbers and channel migration indicators
- Beneficiary bank accounts and payment instructions
- Timestamps, infrastructure relationships and linkage context
- Confidence scoring and provenance metadata
This is less about volume and more about improving the effectiveness of coordinated action.
The earlier these artefacts enter a Fusion workflow, the higher the probability of campaign-level disruption rather than isolated removal.
That shift moves disruption forward in time. It reduces regeneration cycles. And it strengthens cross-sector trust in the intelligence being shared.
In practical terms, speed determines whether coordination changes the outcome or simply records it.
What This Means in Practice
For government and regulatory stakeholders shaping national disruption programs, integrating upstream intelligence has measurable operational implications.
- Treat Speed as a Core Performance Metric
Measure time to artefact, time to share, and time to coordinated intervention. Reducing this interval directly increases the probability of disrupting campaigns before infrastructure rotates.
- Prioritise Cluster-Level Disruption
Shift focus from isolated indicators to interconnected clues on scammer infrastructure. Coordinated action against clusters sustains impact and reduces regeneration cycles.
- Embed Governance Within Intelligence
Standardised handling protocols, provenance metadata, and confidence scoring enable lawful, rapid cross-sector sharing without delay or reinterpretation.
- Focus on Operational Choke Points
Prioritise monetisation layers, particularly mule accounts and payment instructions, where intervention produces low impact relative to effort.
These shifts do not require structural reform. They require performance optimisation within the existing national framework.
Strengthening Australia’s World-Leading Model
Australia’s anti-scam ecosystem is already a global benchmark for coordinated disruption.
The integration of upstream, real-time intelligence is a practical enhancement, not structural reform. The goal is to improve visibility earlier in the campaign lifecycle, so that organisations can respond before scammers move on.
Combining NASC’s coordination architecture with a complementary live intervention increases the system’s ability to intervene while campaigns remain active.
Earlier signals mean faster coordination, which leads to greater disruption before harm occurs.
Operational Engagement
Australia has built a world-leading coordination model. The architecture is strong. Fusion Cells, cross-sector collaboration and structured reporting have materially lifted national response capability.
The next gains will come from improving the speed and structure of what feeds that system.
Reducing the time between live scam activity and coordinated intervention changes outcomes. It increases the probability of campaign-level disruption, reduces regeneration cycles and strengthens trust in shared intelligence.
This is not about expanding the framework. It is about sharpening it.
We are actively contributing to that effort and welcome engagement with those responsible for shaping Australia’s national disruption capability.
