Elderly shoppers, distraction fraud, and the insurance blind spot retailers are ignoring

Thirteen victims. Five regions. Three weeks. One offender who was part of a still-active transnational syndicate.

When Vasile Bombonel was sentenced at Wollongong Local Court on 25 fraud charges — targeting shoppers aged 55 to 90 near supermarkets, ATM vestibules, and car parks across regional New South Wales — most of the coverage focused on the sentence and the offender. But ABC News reports that Bombonel's associates remain at large, with international arrest warrants still outstanding. The group is still operating. And the retailers where those 13 victims were approached have a question sitting in their risk registers that most have not answered yet.

The liability question nobody is asking out loud

Distraction fraud does not happen in a vacuum. It happens in specific physical spaces that retailers own, lease, or manage: ATM lobbies, car park exits, store entrances. When an organised fraud group selects those spaces repeatedly as operating ground, and when the pattern persists across multiple incidents before anyone formally connects it, the question of whether a retailer had adequate duty-of-care measures in place becomes a live one.

Australian tort law does not require retailers to prevent every crime that occurs on their premises. It does, however, require them to take reasonable steps to address foreseeable risks. When a fraud syndicate targets elderly shoppers at supermarket ATMs across five regions in three weeks, and when the behavioural pattern is consistent enough that a court later convicts on 25 charges, the foreseeability test gets a lot easier to meet retrospectively.

Most retailers are not aware their general liability or public liability policies may carry specific exclusions or reduced coverage for incidents that occur in unmonitored transitional zones. Car parks, ATM vestibules, and entry forecourts are common exclusion or sub-limit areas in commercial property policies. If an incident occurs in one of those zones and the retailer cannot demonstrate that reasonable precautionary measures were in place, they may find their insurer disputing the claim or apportioning liability differently than expected.

What "reasonable steps" actually looks like for this threat

The good news is that the bar for demonstrating reasonable precaution against distraction fraud is not high. It does not require dedicated security personnel in every transitional zone around the clock. What it does require is documented evidence that the risk was identified, assessed, and addressed through some combination of physical, procedural, and staff-level controls.

From an insurance and liability standpoint, documentation is as important as the measures themselves. A retailer that has a written policy noting that ATM vestibule and car park zones carry elevated fraud risk for older customers, and that frontline staff have been briefed on that risk, is in a materially different position than one that has no record of the risk being acknowledged at all. Courts and insurers both look at what a defendant knew, or should have known, and what they did about it.

Practical controls that satisfy both the duty-of-care standard and create an audit trail include: zone-specific risk notes in the site security plan, a record of staff briefings that reference distraction fraud as a named threat type, CCTV coverage that demonstrably includes transitional zones rather than just the trading floor, and a process for logging staff observations that fall short of a formal incident but indicate suspicious approach behaviour.

Why the syndicate model makes individual site liability worse

Bombonel's case is instructive specifically because he was not operating alone. Organised distraction fraud groups deliberately spread their activity across multiple sites and regions to stay below the threshold that triggers formal investigation at any single location. From a retailer's perspective, this means the number of incidents at any one store may be low — sometimes just one or two — while the aggregate pattern is much larger.

This creates a liability problem. A retailer who has experienced one incident may reasonably argue they could not have anticipated a pattern. A retailer who shares data with a retail crime network or police liaison program and discovers that the same suspect description has appeared at eight other sites in the past three weeks is in a different position. At that point, the foreseeable risk is documented and the question becomes what was done in response.

Retail peak bodies and state police in New South Wales both operate information-sharing channels specifically for this kind of cross-site pattern recognition. Participating in those channels, and recording that participation, is itself a reasonable precautionary step that strengthens an insurer's position on a claim.

XGuard helps retail operators maintain a documented record of observations, near-misses, and flagged behaviours that would otherwise go unlogged — creating the kind of audit trail that matters when insurers or courts ask what a site knew and when it knew it.

Pro tip: Pull your current public liability policy and check whether your ATM vestibule, car park, and store entry forecourt are explicitly covered or whether they fall under a sub-limit or exclusion. If the answer is unclear, ask your broker to confirm in writing before the next policy renewal.

The gap between incident response and risk documentation

Most retail sites respond to incidents. Far fewer document the near-misses, the suspicious approaches that didn't result in a completed fraud, or the informal staff observations that didn't rise to the level of a formal report. In a distraction fraud context, those undocumented observations are often where the pattern first becomes visible — and where the earliest evidence of a foreseeable risk sits.

Closing that documentation gap costs very little. The return, if a claim or a legal dispute ever arises, can be substantial. Bombonel's 13 victims were each targeted in a space a retailer was responsible for. The sentence is handed down. The liability question is still open.

Need protection where you are? XGuard connects you with licensed, vetted security operators in minutes — for events, residences, retail, executive protection, and fire watch. Available globally.

Source: au-abc-news — 2026-05-26