SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers
Mellissah Smith

The new face of cyber fraud: Why retailers must stop turning a blind eye

Sat, 22nd Nov 2025

Cyber fraud in Australia is evolving at a pace that should alarm every employer, parent and policymaker. What once required sophisticated breaches now relies on something far simpler: human vulnerability, LinkedIn visibility and retailers who fail to recognise obvious warning signs. The newest victims are not wealthy executives or large corporations. They are international students who come to Australia seeking education and safe employment, only to find themselves targeted by organised fraud rings operating with disturbing efficiency.

In recent months I have seen this pattern emerge repeatedly inside my own business. The attackers begin by trawling LinkedIn, searching for young graduates and students who proudly update their profiles with new roles, new companies and, in many cases, personal email addresses. This is not their mistake; it is what the platform encourages as part of professional identity-building. But cyber criminals now use this as a harvesting ground.

Once they identify a student who has recently started a job, they look up the CEO or senior leader of that employer. They then send an urgent email impersonating that person, often with a spoofed display name that looks legitimate at first glance. The message is always the same: a seemingly private request to purchase gift cards immediately, followed by instructions to send the numbers back urgently. The pressure is so intense that the victim crumbles, and the attackers have done this so many times before that they know exactly what to say to apply that pressure in an authoritative tone.

Within minutes of receiving the card details, the money is gone.

The victim, often wanting to impress their new employer and fearful of making mistakes, acts without questioning the request. The shame and distress that follow are profound. In two recent cases involving employees of mine, the losses were $800 and $1500 respectively. In both situations, these young workers believed they were helping their boss and, even though it was uncomfortable, fortunately had enough money in the bank to pay this amount. They were being exploited by criminals who understand exactly how to manipulate power dynamics between a new employee and a perceived authority figure.

But the failure does not end there. It extends directly to the retailers facilitating these transactions.

In both of the recent incidents affecting my staff, the gift cards were purchased at major retailers, Woolworths and Officeworks, without any intervention, hesitation or questioning from store staff. In the most recent case, the Officeworks manager even acknowledged that this kind of fraud had been happening frequently. According to the employee, the manager smirked and said, "this has happened many times in the past 2 weeks, but you are not the worst off, someone got done for $3000."

That comment alone reveals how commonplace this issue has become, and how little is being done at the point of sale to prevent it.

Let's be clear: when a young international student walks into a store asking to buy hundreds or even thousands of dollars in gift cards, the minimum standard of customer care should include a simple question.

"Are these for you?"

Or, "Have you received an SMS or email from anyone asking you to buy these?"

Or, "Have you checked the actual email address or phone number requesting this?"

No accusation. No interrogation. Just a basic safeguard.

This type of questioning has already been mainstreamed in the banking sector, telcos and government digital services. There is no reason retailers cannot do the same. Yet stores like Officeworks continue to process high-value gift card purchases without so much as a raised eyebrow.

After my employee was defrauded last week, I raised the issue on X (formerly Twitter). Officeworks publicly responded with the following:

"Hi Mellissah, sincerest apologies for the delay in getting back to you and thank you for bringing this to our attention. You're absolutely right, our team should have conducted a scam awareness check when a high-value gift card purchase was made.

We've escalated this feedback directly to the store for immediate training and process review, and have asked that they reach out to assist in rectifying this situation."

Shortly after, another message followed:

"Thank you for taking the time to reach out and share your concerns and your patience while we have looked into this. We're truly sorry to hear about what's happened and completely understand how upsetting this situation must be."

Finally, they added:

"We've reviewed this with the store, and can confirm that our team followed the correct process for online gift card orders. Unfortunately, once Apple Gift Card codes have been issued and the details provided to a third party, we're unable to cancel or refund them."

These replies expose a troubling contradiction. On one hand, they acknowledge the store should have conducted scam-awareness checks. On the other, they assert the process was followed. If a process allows a vulnerable young employee to unknowingly hand over hundreds of dollars to criminals, then it is not a process fit for purpose.

And if a retailer knows these scams are increasing, as the Officeworks manager claimed, yet fails to implement even minimal preventative questioning, that is not operational oversight. It is negligence disguised as policy compliance.

Retailers profit every time a gift card is sold. Every time a victim is coerced into purchasing one under false pretences, the retailer still wins financially while the victim bears the full weight of the loss. Entire fraud ecosystems exist today because gift cards provide an almost immediate, untraceable value transfer. If major retailers know this, and they do, they have a moral obligation to act.

The emotional toll on victims cannot be overstated. International students already face high living costs, cultural adjustment and employment insecurity. To lose a week or even a month of wages to a scam designed to exploit their trust is not an inconvenience; it is a crisis. Many feel too embarrassed to report it. Others fear repercussions at work. This is precisely why retailers must implement proactive screening, not retroactive sympathy.

Cyber attackers have evolved. They no longer need to penetrate corporate firewalls. They simply impersonate someone with authority, apply pressure and rely on retailers to complete the transaction without question. The weakest link is not the technology; it is the absence of human intervention.

If Australia wants to take cyber crime seriously, retailers must be part of the solution, not passive observers. A few basic questions at the counter could prevent thousands of dollars flowing into criminal networks every day. Our retail giants have the resources, the capability and the societal responsibility to introduce these checks immediately.

Until they do, the scams will continue. The victims will remain the same. And the retailers will keep profiting from the very transactions that enable these crimes.

It should not be this easy for thieves. And it should not be this hard for victims to be heard.
