The AFP and Royal Thai Police have uncovered a script used by cybercriminals in a Cambodian scam compound to impersonate AFP officers and target unwitting Australian victims.
The script was unearthed when the Royal Thai Miliary discovered the compound in O’Smach, a small town in Cambodia, in January, 2026. They alerted Royal Thai Police, who then advised the AFP.
The raid also discovered AFP logos and signage allegedly used to make the site appear as a legitimate AFP facility during the scam via video calls.
The script, which precisely structures a conversational narrative, instructs scammers to call their victim, identify themselves as an AFP officer and inform them a bank account had been opened with their identity by a “suspect” linked to a money laundering investigation.
The scripted conversation then escalated to an encrypted video call that verified the victim’s identification, asked the victim to record a formal statement, and identify the fake suspect.
Victims were then required to enter a ‘confidentiality agreement’ via a social media application and provide detailed information about their bank accounts and financial position under the guise of helping the fake AFP investigation.
The script’s final step was to impose a ‘temporary surveillance protocol’, including check-ins every four hours, reporting of unknown contacts, and submission of signed or video-confirmed declarations.
The reason for this was to legitimise the efforts undertaken by the ‘AFP officer’ and to socially coerce the victim that this matter was time-sensitive and required their compliance.
The aim of this process was to obtain bank account information of the victims to then gain access to their accounts and withdraw funds.
The AFP identified personal details of about 300 potential Australian victims from this scam centre who were alerted via text message in February, 2026, by the National Anti-Scam Centre.
Investigations are ongoing by Thai Royal Police.
AFP Acting Superintendent Nuckhley Succar said scammers were highly organised and professional manipulators who only wanted one thing – money.
“This script was sophisticated, convincing, and was designed to target victims via social engineering to play on their trust,” Acting Superintendent Succar said.
“But while the scammers may have thought they were smart, the AFP and our law enforcement partners are smarter.”
The scam used a sophisticated social engineering process. Acting Superintendent Succar encouraged everyone to pause and think about how legitimate a call could be, even if it sounds convincing.
“Let me be clear about one thing – the AFP will never ask you to verify your bank details or ask for money over the phone or in a video call. If someone posing as an AFP member asks for those details, end the call immediately.
“Scams evolve quickly, and while it’s encouraging that people are reporting it, sadly some people have lost money to cybercriminals with ill intent.
“Offshore scam centres are hives of activity, often facilitated by serious organised criminal networks, and ones specifically targeting Australians are commonly found in Asian countries including Cambodia, Laos, Thailand, the Philippines, Vietnam, and Myanmar.”
Operation Firestorm, launched in August 2024, has provided law enforcement assistance to five offshore scam centre investigations, resulting in 560 arrests and the disruption of 15 scam centres in Thailand, the Philippines, Malaysia, and Cambodia targeting Australian victims.
The operation is supported by the AFP’s Global Operations posts in Southeast Asia, Europe, and the Middle East, which work with foreign law enforcement agencies to disrupt, dismantle and prosecute those involved in scam centres, and deliver technical support and training throughout the region.
To help Australians spot the warning signs and navigate cybercrime threats, the Joint Policing Cybercrime Coordination Centre (JPC3) launched ClickFit, a national cybercrime awareness campaign supported by law enforcement across the country.
Get ClickFit to protect yourself from police impersonation scams with six simple steps:
- Stop and think before you act: If you get a call, text or email purporting to be from the AFP, pause before you act.
- Protect your codes, passwords and details: The AFP will never ask you to disclose bank details such as account information, passwords or bank balances over the phone.
- Never join new phone or video calls: The AFP will never ask you to move to a different call for “protection” or “verification”.
- Secure your accounts: Use strong passphrases and multi-factor authentication (MFA).
- Do not transfer money on request: Police will not ask you to transfer or move money to a “safe account”.
- Report immediately to police: If you suspect you are a victim of a scam, report it to police via ReportCyber.
