Skip to main content

Action on scams, spam and telemarketing: April to June 2023

 

Our key actions

Penalties icon Commonwealth Bank Australia paid a $3.55 million dollar penalty and mycar Tyre & Auto paid a $1 million penalty for non-compliance with spam rules.
Compliance alerts We directed telcos Sinch Australia and Infobip Information Technology to comply after we found their breaches were used by scammers to send SMS scams.
Scams Telcos blocked over 256 million scam calls and over 85 million scam SMS in the quarter, bringing the totals to over 1.4 billion scam calls and 257 million scam SMS blocked.
""
We announced that our compliance priorities in 2023–24 will include enforcing e-marketing unsubscribe rules and combating SMS scams.
""
We stepped up the fight against scammers by partnering with international regulators from Canada, the Netherlands, New Zealand, Korea and the United Kingdom.

Our 2022–23 priorities

Combating SMS and identity theft phone scams, and enforcing unsubscribe rules were our unsolicited communications compliance priorities for the 2022–23 financial year. Some of our key outcomes and enforcement activities included:

Combating SMS and identity theft phone scams

  • We contacted approximately 600 telcos to remind them of their obligations and directed them to information on the ACMA’s website about how to comply.
  • We audited 42 telcos that send bulk text messages, revealing that in some cases, scammers used vulnerabilities created by non-compliance to send high-profile SMS scams to Australians.
  • We have seen a dramatic reduction in porting and SIM swap fraud as reported by telcos, major banks and other intelligence sources.

Enforcing SMS and email unsubscribe rules

  • We finalised 9 investigations (with another 5 underway) into SMS and email unsubscribe rules.
  • We gave more than $8 million in infringement notices and accepted court-enforceable undertakings, including from large, established organisations, for not providing unsubscribe facilities that complied with spam laws.
  • We gave compliance alerts and tailored information to around 2,000 businesses identified as potentially breaching the unsubscribe rules, reminding them of their obligations and the penalties for non-compliance.

Read more about our 2022–23 compliance priority activities.

New compliance priorities for 2023–24

We will continue to focus on scams and non-compliance with unsubscribe rules in 2023–24:

Combating SMS scams 

  • We will keep working to prevent these scams reaching Australians by enforcing existing rules, collaborating with Australian and global partners, and exploring new ways to stop scam messages that impersonate legitimate brands or organisations.
  • We have already started working with the telco industry to implement a sender ID registry in Australia to help protect well-known brands and government agencies’ SMS message headers from being used in impersonation scams.

Enforcing SMS and email unsubscribe rules 

  • We will focus on businesses that don’t provide or action opt-out requests, especially those marketing products that cause significant harm, like direct marketing of gambling, alcohol and ‘buy now, pay later’ products and services.

Read more about our 2023–24 compliance priorities.

Combating phone scams

We continue to take the fight to scammers to disrupt their activities and protect Australians. 

Following the ACMA’s registration and enforcement of rules to identify and block scam calls in December 2020, and scam text messages in July 2022, telcos have reported over 1.4 billion scam calls and over 257 million scam messages have been blocked to the end of the quarter.

 

2022–23 scam call and SMS blocking figures by quarter

""

 

 

 

 

 

 

 

In addition to our work preventing phone scams, we also took action against Sinch Australia Pty Ltd (Sinch) and Infobip Information Technology Pty Ltd (Infobip) after their compliance failures allowed SMS to be sent using text-based sender IDs without sufficient checks to ensure they were being used legitimately.

The ACMA found Infobip allowed its customers to send 103,146 SMS scams, including scams impersonating well-known Australian road toll companies. Sinch allowed its customers to send 14,291 SMS scams, including Medicare and Australia Post impersonation scams.

We also issued consumer alerts about government agency impersonation and remote access scams and worked behind the scenes with telcos, government agencies and well-known brands to disrupt phone scams.

Key compliance issues

Failure to unsubscribe consumers 

For the quarter, our outcomes on unsubscribe rules include:

  • CBA paid a $3.55 million infringement notice after the ACMA found it breached the Spam Act 2003 by requiring consumers to login to an account to unsubscribe and failing to provide unsubscribe functions in commercial messages. The ACMA has also accepted a 3‑year court-enforceable undertaking that commits CBA to review its systems, practices and processes, and make improvements to ensure compliance with the spam rules.
  • mycar Tyre & Auto paid a $1,047,000 infringement notice after the ACMA found it breached the Spam Act by sending commercial texts and emails without a functioning unsubscribe facility. The ACMA also accepted a 3-year court-enforceable undertaking.
  • 478 compliance warnings with targeted fact sheets were given to businesses identified from complaints to the ACMA that indicated potential issues with unsubscribe requirements.

The ACMA has seen a positive response from industry to our compliance warnings and targeted fact sheets. Specifically, 80% of businesses that received a compliance alert were not the subject of further complaints to the ACMA during 2022–23.

Common causes of unsubscribe non-compliance

In the course of the ACMA’s compliance and enforcement activity, several common themes emerged about the root causes of business non-compliance with unsubscribe requirements, as set out below.

Common cause Issue Key considerations/Actions
System issues A company has an automated system process where ‘unsubscribe’ requests are uploaded on a daily basis and synced with their marketing list. There is also a weekly reconciliation report that automatically flags any issues with the unsubscribe process. The company goes through a system upgrade, and while it appears the unsubscribe process is functioning, the marketing list in their system is no longer syncing correctly. The weekly reconciliation report also stops functioning, so the issue is not identified until multiple complaints are received from customers.
  • When implementing system upgrades or transitioning to new systems, all compliance processes and controls should be thoroughly tested before and after the transition to ensure they are effective.
  • Automated processes and controls should be monitored and tested on a periodic basis (regardless of whether any system changes have occurred) to ensure they continue to operate effectively.
  • Businesses should monitor data that might assist in identifying underlying system issues (e.g., a sudden drop in unsubscribe rates could indicate issues with unsubscribe functionality).
Third-party assurance A business relies on a third-party platform to manage marketing lists and the distribution of marketing messages, including managing their ‘unsubscribe’ function. A customer lodges a complaint to the business, advising they received marketing messages after unsubscribing. The business contacts the third-party provider, which assures them they have now removed the customer from the marketing list. The same customer continues to receive marketing messages from the business (via the third-party platform) and the third-party provider is unable to quickly identify and fix the issue.
  • Businesses are responsible for their compliance with the spam rules, even if third parties are engaged to send marketing messages or manage marketing lists on their behalf. Any business that sends a message or causes a message to be sent, has obligations under the Spam Act.
  • It is important to have QA processes in place to monitor the capabilities and compliance of third parties. If a third-party provider is unable to resolve potential compliance issues quickly, businesses should take action to ensure they remain compliant.
Manual processing errors A firm’s marketing contact lists are updated centrally, and individuals involved in sending commercial messages are supposed to check the centralised list before sending a commercial message. One individual forgets to check the centralised list before sending a commercial message and sends the message to an old list of customers, including some who recently unsubscribed.
  • Processes should be centralised and automated where possible to reduce the risk of manual errors.
  • Where processes cannot be automated, manual processes should be supported by robust controls (e.g., periodic reporting and reconciliation, appropriate level of oversight, sample QA reviews and feedback).

Automated gathering of addresses

Another emerging compliance issue that we are seeing through our complaints and investigations relates to potential breaches of consent obligations caused by use of the default settings of popular automated marketing software systems.

Common cause Issue Key considerations / actions
Default customer relationship manager system settings Automated marketing software can assist businesses with a number of functions, including the sending of marketing emails, generation of unsubscribe links and management of customer databases. The ACMA is seeing examples of these systems automatically adding the email address of any consumer who corresponds with the business to a marketing list. This blanket process is likely to lead to non-compliance with consent requirements under the Spam Act.
  • Businesses must ensure that their marketing systems are compliant with Spam Act requirements, including use of consent.
  • The mere act of a consumer corresponding with your business is not in itself sufficient to meet the definition of a business relationship to satisfy consent requirements.

Investigations and enforcement

We commenced 13 investigations and finalised 6 investigations in the quarter. We had 13 underway at the end of the quarter. 

Investigations took 2.7 months on average to complete.

We monitored compliance with 20 court-enforceable undertakings in force during the quarter; setting out actions businesses must take to improve their compliance with spam, scam and/or telemarketing laws.

View our enforcement actions for breaches of spam and telemarketing laws.

Enforcement actions for breaches of scam laws can be viewed here

 

Finalised investigations

""

 

 

 

 

 

 

Complaints

In 2022–23, the ACMA received almost 28,000 complaints from consumers about potential breaches of telemarketing and spam laws. These complaints helped us identify issues and trends and informed our regulatory and enforcement actions. A key trend observed in 2022–23 is a promising downward year-on-year number of complaints associated with the introduction of anti-scam call and SMS rules:

  • phone scam complaints have decreased by 72% since 2020–21 (with the blocking rules introduced in December of that period)
  • SMS scam complaints have decreased 86% since 2021–22 (with the blocking rules introduced at the beginning of the 2022–23 period).

 


Complaints received by financial year

""

 

 

 

 

 

 

Note: We also received 66 complaints about commercial instant messages in 202223.

 


Complaints received about scam calls and SMS

""

 

 

 

 

 

 

 

Compliance alerts

Where we receive enough information, we alert businesses about potential compliance issues raised in complaints – one alert can relate to several issues or complaints. 

 


Compliance alerts given to businesses

""

 

 

 

 

 

 

More information

Find out more about spam and telemarketing rules and what actions you can take, including making a complaint. 

Subscribe to our newsletters to get updates about our actions on telemarketing, spam and scams.

 

Access the data

Download the data for the charts in this report.

Back to top
ONLINE ENQUIRY