Opinion

Customers targeted: how R202,000 was siphoned in a sophisticated bank scam

FRAUD

Deshnee Govender

BANK fraud in South Africa has evolved into a highly sophisticated and deeply concerning threat, driven by rapid digitalisation and increasingly advanced criminal tactics. While much of the public discourse focuses on prevention, real-life cases reveal a more complex reality, one that raises serious questions about institutional responsibility, consumer vulnerability, and the adequacy of current safeguards.

Drawing from a client experience, this column examines how a fraud unfolded, where responsibility lay, how accountability was ultimately determined, and what lessons other banking customers can take from it.

The client’s experience: a fraud that felt real

The incident began on June 30, 2025, when the client received a phone call that appeared to originate directly from their bank. The caller ID displayed the bank’s logo, immediately establishing credibility. The caller identified herself as a member of the bank’s fraud department and warned that suspicious transactions were taking place across multiple cities.

Initially cautious, the client questioned the legitimacy of the call. In response, the caller escalated the interaction, transferring the client to a “supervisor” while authentic-sounding hold music played in the background. This layered deception created a highly convincing scenario. The client was then instructed to scan a QR code, allegedly to initiate a 3D Secure verification process to stop the fraud.

To reinforce trust, the fraudster provided a phone number that, when dialled, appeared to connect to the bank’s official line. This step eliminated most reasonable doubt. Believing they were cooperating with legitimate fraud prevention measures, the client followed instructions, including being told not to log into their banking profile for the remainder of the day.

The consequences were severe

Approximately R202,000 was siphoned from the client’s accounts. This included:

- An unauthorised online loan of around R30,000 

- Full utilisation of credit facilities (credit card, revolving credit, debit account, and access bond)

- Consolidation of funds into a credit card account before being transferred out

Discovery and delayed realisation

Two days later, the client contacted their bank and learned that no such call had been made. The bank confirmed that this was a scam. Initially, there was a critical misstep: the bank’s fraud department indicated that the funds appeared to still be in the client’s account. This provided false reassurance. However, a later in-person review revealed that the money had already been transferred out. The matter was reported to the South African Police Service, but by then, recovery through traditional investigative means was unlikely.

A second fraud incident

Months later, on November 6, 2025, the client experienced a second breach. After contacting an airline, their phone began malfunctioning, and shortly thereafter, R3,000 was transferred out of their account. Although the bank acted quickly to freeze the account, the funds had already been spent. This second incident reinforced a critical reality: once access is compromised, criminals can act swiftly and repeatedly.

Was the bank responsible?

The central question in this case is whether the bank bore responsibility for the loss. At first glance, one might argue that the client voluntarily followed instructions and shared access through scanning a QR code. However, this case goes far beyond ordinary negligence.

Several factors point toward institutional responsibility:

1. Highly convincing impersonation: the fraudsters were able to:

- Spoof the bank’s caller ID

- Replicate internal processes (call transfers, hold music)

- Provide a number that appeared to connect to the bank

This level of impersonation would likely deceive even a cautious and informed customer.

2. Use of bank-like security tools: the use of a QR code framed as a legitimate security verification method is particularly significant. QR codes are commonly used by banks, and customers have no reliable way to distinguish between legitimate and malicious ones.

3. Failure to detect unusual transactions: large-scale financial movements, including a new loan, maxed-out facilities, and rapid fund transfers, occurred without effective intervention. This suggests potential weaknesses in fraud detection systems.

4. Miscommunication during investigation: the initial reassurance that funds were still safe, when they were not, delayed escalation and may have reduced the chances of recovery.

5. Duty of care: banks possess significantly more technological capability and expertise than consumers. As highlighted in the broader analysis, this creates a heightened duty of care to detect, prevent, and respond to fraud effectively.

The settlement: from partial offers to full reimbursement

Following the incident, the bank initially offered to reimburse 25% of the loss. The client rejected this. After escalation, including formal complaints to senior leadership and government structures, the offer was increased to 75%, which was again declined. Ultimately, after continued pressure and a second escalation in early 2026, the bank reimbursed 100% of the losses from both incidents.

Basis of the bank’s culpability

Although not formally adjudicated in court, the final settlement suggests that the bank implicitly acknowledged responsibility. The likely basis for this includes:

- Systemic vulnerability: failure to prevent or flag abnormal transactions.

- Inadequate fraud detection: delayed or ineffective response mechanisms.

- Consumer protection obligations: customers pay fees and reasonably expect protection against such risks.

- Foreseeability of harm: given the rise of phishing and vishing, such scams are no longer unforeseeable.

More broadly, the case reflects a systemic issue identified in the sector: banks often investigate themselves, creating potential conflicts of interest and inconsistencies in accountability.

Lessons for other banking clients

This case provides powerful, practical lessons for consumers:

1. Never trust caller ID alone: even if a call appears to come from your bank, it can be spoofed.

2. Do not scan QR codes sent by a caller: banks do not use unsolicited QR codes for urgent security actions.

3. Never follow instructions to avoid logging in: fraudsters often isolate victims to prevent detection.

4. Verify independently: end the call and contact your bank using official channels.

5. Act immediately: if anything feels suspicious, check your account instantly and report it.

6. Escalate when necessary: if a bank’s response is inadequate, escalate the matter internally and externally.

7. Be alert to device compromise: unusual phone behaviour (apps failing, access issues) can signal a breach.

A broader warning

This case is not an isolated incident. It reflects a growing pattern in South Africa’s fraud landscape. Criminals are combining social engineering, technology, and psychological manipulation to create near-perfect illusions of legitimacy.

The key takeaway is stark: even vigilant consumers can fall victim. This shifts the conversation from individual responsibility to systemic accountability. If financial institutions cannot prevent or rapidly intercept such fraud, the burden cannot rest solely on customers.

Conclusion

The client’s experience illustrates both the sophistication of modern bank fraud and the gaps that still exist in consumer protection. While the eventual full reimbursement represents a positive outcome, it came only after persistence, escalation, and significant personal distress. Ultimately, combating bank fraud in South Africa will require more than awareness. It demands stronger institutional accountability, improved fraud detection systems, and possibly independent oversight mechanisms. Until then, consumers must remain cautious, but banks must do far more to ensure that caution alone is enough.

Deshnee Govender, BAdmin (honours) MBA

Governance, Risk, and Compliance expert

** The views expressed do not necessarily reflect the views of IOL or Independent Media. 

THE POST