Margaret Botha (not her real name), ran a school for 31 years. She was 67, recently retired, making dinner on a Wednesday evening, when her phone rang with her bank’s number. She knew that number; she had called it herself.
What she could not have known was that her profile name, ID number, bank, account balance range and recent transaction history had been assembled by a crime syndicate. South African fraud syndicates acquire customer records through multiple channels: purchased lists from data brokers, prior phishing campaigns, and collusion with bank employees who sell customer information.
The target profile for this kind of operation is specific: older clients approaching or recently entering retirement, accounts with meaningful balances. People who have spent their lives trusting institutions. Someone like Margaret.
The number that appeared on her screen looked like the bank’s. But caller ID spoofing is cheap, widely available, and entirely unregulated. The number used was chosen to be visually similar to a legitimate bank fraud line, different by a single digit, designed to survive a quick glance.
In the 60 days around the time of her call, that number alone made nearly 5,000 outbound calls and had accumulated dozens of public reports on Truecaller, identifying it as a bank impersonation scam. The syndicate kept using it anyway.
How the scam works
The voice on the other end was calm. There had been suspicious activity on her account. Someone had tried to make a payment from a device in Durban. Had she authorised it? She had not. Good. They caught it in time. But now two more are queued. They need to act now.
The script is not improvised. It is a product, refined across thousands of prior calls, tested for the responses that close fastest and the objections that arise most often. The caller knows which words produce compliance and which produce hesitation. The opening – a transaction in progress – activates the stress response before the analytical one.
What followed was not, in any meaningful sense, a choice. The caller knew her account details, her last transaction, and the balance range across her accounts. When Margaret suggested calling the bank to verify, the caller told her not to. The fraud might be internal, he said; don’t give them warning. This is where the entire operation pivots: the one action that would end the call, made to feel like the one action that would make things worse.
She was frightened, so she did what frightened people do when they believe they are speaking to someone with authority over their crisis. She followed instructions.
Over 41 minutes, Margaret transferred R340,000 in three payments – what she experienced as a rescue operation: “Move your funds to safety, we’ll investigate, you’ll have it back by morning.”
The moment each transfer cleared, the funds moved. Not to a single account. Through a chain of mule accounts – ordinary bank accounts held by recruited intermediaries, sometimes knowing participants, sometimes people who had themselves been deceived into receiving and forwarding funds – all to fragment the trail and exhaust the reversal window. By the time Margaret understood what had happened, her money had been spread across multiple accounts, some already emptied. The trail was cold within hours.
Meanwhile, the bank’s systems had recorded three valid transactions: authenticated login on the customer’s device; the customer’s credentials; and customer-approved transfers. The record was clean. What it did not contain – and what no bank system currently captures – is any record of the 41-minute conversation that produced those approvals. The fear. The manufactured authority. The deliberate dismantling of every instinct that would otherwise have protected her.
The bank’s own fraud detection had, in fact, been prompted. An automated SMS alert was sent, and a manual call was attempted. Both went unacknowledged because Margaret was already on the other line, psychologically captured, operating inside a reality that the syndicate had built around her. When the bank called, she did not answer.
Customer carries the cost
In 2024, Sabric confirmed that every single analysed digital banking fraud case in South Africa originated from social engineering. Not a technical breach, nor a stolen password – just a conversation.
Authorised push payment (APP) fraud – where the victim is manipulated into making the transfer themselves – is specifically regulated in the UK. Since October 2024, under the Payment Systems Regulator’s mandatory reimbursement regime, a UK bank would have been required to return Margaret’s money within five business days, and her bank would have to share the costs with any receiving bank. The legal presumption is that the system failed, not the client. Only gross negligence provides an exception.
In South Africa, the framework runs in the opposite direction. The Code of Banking Practice, issued by the Banking Association of South Africa, is voluntary. The National Financial Ombud found in favour of the consumer in just one in five banking complaints in its first year. Margaret’s three transfers are on record as authorised transactions because, in a narrow technical sense, they were. The 41 minutes that preceded them are not on record anywhere.
The UK’s approach of mandatory reimbursement followed years of documented evidence that consumer awareness does not neutralise professional scripts designed to defeat it. South Africa has the same documented evidence but has not yet followed the UK practice.
Margaret filed a complaint. She was at her branch the next morning with her daughter; she reported to the police. She did everything correctly but, in a system designed to process complaints rather than reverse outcomes, she has not recovered any of her money.
The syndicate’s number, flagged on Truecaller, continued operating for months afterwards. The mule accounts were opened, used and abandoned. The same script will have been used again, but against someone else’s profile, assembled from the same sourced data, delivered by the same calm voice. Somewhere in South Africa, that call is happening right now.
Given how the fraud was assembled, prepared and already running before Margaret’s phone rang, ask yourself who, in this operation, is best placed to implement preventative measures – and to bear the cost if they are not.
Dirk de Vos is the CEO of Venture Labs and director of QED Solutions. Patrick le Roux is the founder of Venture Labs and CEO of OSINT SA. Venture Labs develops infrastructure to turn digital events into cryptographically provable, replayable truth.
ALSO READ:
- South Africa’s next big scam: APP fraud
- How AI is reshaping financial crime in South Africa
- Travel scams take off as Africa heads for the skies
Top image: Rawpixel/Currency collage.
Sign up to Currency’s weekly newsletters to receive your own bulletin of weekday news and weekend treats. Register here.
