Australia’s Scam Prevention Framework: A $50M Fine Won’t Stop Cybercriminals

Written by Thomas Jreige | Apr 28, 2025 1:10:28 AM

There’s nothing quite like a good old-fashioned government crackdown — the kind where politicians promise to end scams forever with big fines and strict rules. Enter Australia’s Scam Prevention Framework (SPF), a plan that slaps businesses with fines of up to $50 million if they don’t do enough to stop scams. You can find the framework on the Department of Treasury (treasury.gov.au) website, but don’t expect much from it: 12 pages of actual information and 5 pages of title page, contents, blank page and the usual “not so useful” content.

Sounds impressive, right? A bold move to stop cybercriminals in their tracks? Well… not quite.

The reality is this framework punishes businesses — not scammers. And in a world where cybercriminals operate across borders, hide behind anonymous accounts, and adapt faster than legislation can keep up, we have to ask: will this actually work? Or is this just another compliance-heavy distraction that makes businesses pay for the government’s inability to stop cybercrime at its source?

Let’s break it down.

The Glaring Holes in the Scam Prevention Framework

1. Fines, But No Real Accountability

$50 million fines sound scary, but who’s actually going to pay them?

  • Mid-sized businesses? Most don’t even make that much in revenue.
  • CEOs? They’ll resign before the fine lands.
  • Cyber insurance? Think again — no insurer is covering that level of liability “just like that”. Cyber insurance is not even mentioned in the framework as a risk mitigation measure.

The problem isn’t just that businesses might face massive fines. It’s that scammers face nothing. No penalties, no deterrents, no real fear of consequences. How does that solve anything?

2. This Framework Ignores How Scams Actually Work

Scams don’t succeed because of bad IT systems alone. In the majority of cases they succeed because criminals are master manipulators — they exploit human psychology, trust, and deception through tactics including, but not limited to, the following:

  • Fake invoices trick finance teams into wiring money to the wrong place.
  • Deepfake audio mimics executives giving fraudulent instructions.
  • Social engineering convinces employees to hand over credentials.

None of these require a “hacker” breaking into systems. They require good people falling for well-crafted lies. And yet, the SPF focuses on tech controls rather than the human element.

3. Businesses Are the Fall Guys — Not the Government

The SPF shifts all responsibility onto businesses while ignoring the fact that it is failures in law enforcement and international policy that allow scammers to operate freely.

  • Where are the cross-border crackdowns?
  • Where’s the intelligence-sharing between nations?
  • Where’s the effort to track and take down cybercriminals at scale?

Instead, we get more compliance checklists while scammers keep moving faster than regulation can keep up with them.

What Would Actually Work?

Rather than punishing victims, let’s actually go after the criminals. Here’s what the Scam Prevention Framework should include, because at the moment it only asks businesses to take “reasonable steps” (and what does that mean, anyway?):

Expand the Scope Beyond Banks and Telcos

  • Scams don’t just happen on banking platforms. Fintech companies, e-commerce marketplaces, crypto exchanges, and payment processors all play a role and should be included.

AI & Automation to Block Scams in Real Time

  • If businesses are expected to stop scams, they need AI-driven scam detection tools to identify fraudulent transactions before they happen.

Actual Law Enforcement Against Cybercriminals

  • Instead of just fining businesses, why aren’t we hunting the actual fraudsters?
  • Governments need better cooperation with global intelligence agencies to track and arrest international scam syndicates.

Real Cybersecurity Education, Not Just Compliance Training

  • The biggest security risk is people, not systems.
  • Companies should invest in real-world, scenario-based training to help employees recognise scams before they fall for them.

There are some good companies out there that are performing due diligence on bank accounts and verifying bank account details, but this is only one aspect. What happens when the attack does not involve bank accounts in the first instance, but is instead an attack on a human’s mind and psychology?

This Isn’t Fixing the Problem — It’s Just Making Business Harder

If this framework were really about stopping scams, it wouldn’t just be fining businesses into compliance while providing a vague framework that resolves nothing when so much is at stake. It would focus on proactively dismantling scam networks, improving intelligence sharing, and securing the human layer of cybersecurity.

Instead, what we have is another bureaucratic attempt at “doing something” that will ultimately:

  • Raise costs for businesses
  • Increase cyber insurance premiums
  • Give auditors another lucrative compliance scheme
  • Leave actual scammers untouched

At Shimazaki Sentinel, we believe in real solutions, not compliance theatre. We work with businesses to build proactive security strategies, implement threat intelligence-driven protection, and provide real-world cybersecurity education to stop scams affecting the organisation before they start.

Because fines don’t stop cybercrime — smart security does.

So, what do you think? Will this framework actually stop scammers, or is it just a big payday for auditors? Let’s talk.