Thabo Magubane (not his real name) had always been careful with money. The finance manager at a logistics company in Midrand, he was the kind of person who reads the fine print and calls the bank on the official number rather than the one in the email. He knew about phishing.
One morning in March, he received an SMS that appeared in the same thread as every legitimate message his bank had ever sent him. It carried the bank’s name. It sat between an OTP from six months ago and a balance notification from the previous week. It told him a new device had been linked to his account and if this wasn’t him, he should tap the link to secure it immediately. It certainly wasn’t him. He tapped the link.
What Thabo encountered was a smishing (SMS phishing) attack. The SMS arrived in the bank’s verified thread because the sender had spoofed the bank’s alphanumeric sender ID, a capability available to anyone willing to pay a modest monthly fee to a bulk SMS platform.
The thread consolidation isn’t a flaw in his phone. It’s a feature of SMS. It’s never been fixed, because fixing it would require mobile networks to authenticate sender IDs – something they’re not required to do.
The link went to a page that looked, in every visual detail, like his bank’s login portal. The URL was close enough that on a mobile screen, with the address bar compressed, the discrepancy was invisible. The landing page wasn’t built from scratch. It was purchased. Phishing kits – pre-built, functional replicas of major bank login pages, complete with OTP interception logic – are available on criminal marketplaces for less than R800.
Some include customer support; others offer subscription services for updates whenever the real bank redesigns its interface.
R187,000 gone
Thabo entered his username and password. The page returned an error. He tried again. Another error. He closed the browser, opened his bank’s app directly, and found nothing wrong. He assumed the warning had been a mistake and went back to work.
What had happened was a credential harvest. The page had been live for 11 hours before it was taken down. By that point, it had processed several hundred customer visits from the same bank, all of whom had received the same SMS via the same spoofed thread.
Three days later, at 2.14am, someone used Thabo’s credentials to log in from a device 40km away. Correct username, correct password, correct answers to security questions harvested from his LinkedIn profile. The bank’s systems registered a legitimate session. An OTP was sent to Thabo’s number.
But Thabo was asleep – and the criminals had accounted for that. SIM-swap fraud, in which a fraudster convinces or bribes a mobile network employee to port a victim’s number to a new SIM, was first documented in South Africa in 2007. In 2021, SIM swaps were present in 87% of mobile banking fraud incidents reported to Sabric. By 2023, that figure had fallen to 58% because syndicates had diversified – some to number porting, others to forwarding exploits that redirect OTPs without the victim ever losing service. Thabo still had a full signal when his OTP was intercepted.
By 3am, R187,000 had left his account in four transfers, each one below the threshold that triggers automatic review, each one to a different mule account opened weeks earlier using identity documents purchased from the same dark web markets that had supplied Thabo’s credentials. The mule accounts were emptied and abandoned before the fraud was even reported. Thabo discovered the loss at 6.47am.
The phishing supply chain
This is the supply chain behind a single phishing event, and it is worth understanding as a system. Someone, somewhere, assembled a database of bank customers and their contact details, sourced from a data breach, a prior phishing campaign or a purchased list. Someone built or bought the fake login page. Someone registered and hosted the spoofed domain. Someone operated the bulk SMS platform that sent thousands of messages to verified bank threads. Someone that morning harvested the credentials, sorted them by bank and account type, and passed the high-value targets to a team equipped to convert the credentials into cash.
The mule accounts were obtained separately, often through fake job advertisements offering legitimate-sounding payment-processing roles. Each node in the chain is a specialist. None needs to know what the others are doing.
Generative AI has now entered this supply chain at multiple points. The poor grammar and obvious errors that once allowed a trained eye to identify phishing messages are gone. For less than $200 a month, a subscription to any of several uncensored language models available on criminal forums produces culturally fluent, locally accented, grammatically perfect phishing copy in any language – including South African English, Afrikaans or isiZulu – at volumes no human copywriter could match.
The same tools personalise messages using data from the purchased lists: your name, your bank and the last four digits of your account number.
Known weaknesses
There is a specific discomfort for banks in this account, and it deserves to be acknowledged rather than avoided. The phishing page worked because it was indistinguishable from the real one. The SMS thread was convincing because sender ID spoofing remains possible. The OTP interception succeeded because the authentication system assumes the person holding the phone is the account holder.
Each of these weaknesses is known. Each has been known for years.
Technical mitigations exist for all of them: authenticated sender IDs, device-binding for OTPs and behavioural analytics that flag login sessions at 2am from unrecognised devices. Some have been partially implemented. None has been made mandatory.
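The behavioural-analytics idea above, and the four sub-threshold transfers described earlier, can be expressed as a small correlation rule. The following is an added illustration, not code from the bank, the authors or Venture Labs; the review threshold, the one-hour window, the device and payee names and the dates are all constructed for the example.

```python
from datetime import datetime, timedelta

# Hypothetical values: the article does not state the bank's real threshold or window.
REVIEW_THRESHOLD = 50_000.0   # rands; a single transfer at or above this gets automatic review
WINDOW = timedelta(hours=1)   # how close together transfers must be to count as one burst
OFF_HOURS = range(0, 5)       # 00:00-04:59 local time

def flag_session(session, known_devices, known_payees):
    """Return the independent risk signals raised by one authenticated login session."""
    reasons = []
    if session["device_id"] not in known_devices:
        reasons.append("unrecognised device")
    if session["login_at"].hour in OFF_HOURS:
        reasons.append("off-hours login")
    transfers = sorted(session["transfers"])          # (time, amount, payee), oldest first
    # Structuring: several transfers, each under the threshold, adding up to more than it,
    # all inside one short window. Each alone passes review; together they should not.
    if len(transfers) >= 3:
        span = transfers[-1][0] - transfers[0][0]
        amounts = [amt for _, amt, _ in transfers]
        if span <= WINDOW and max(amounts) < REVIEW_THRESHOLD and sum(amounts) >= REVIEW_THRESHOLD:
            reasons.append("structured transfers below review threshold")
    fresh = {payee for _, _, payee in transfers if payee not in known_payees}
    if len(fresh) >= 2:
        reasons.append(f"{len(fresh)} never-seen payees")
    return reasons

def decision(reasons):
    """A correct OTP is not the end of the story: hold when independent signals stack up."""
    return "hold for review" if len(reasons) >= 3 else "allow"

# Constructed sample modelled on the article's timeline (not real data): four transfers of
# R46,750 (R187,000 in total) from an unknown device at 02:14, versus an ordinary daytime session.
KNOWN_DEVICES = {"thabo-phone-2021"}
KNOWN_PAYEES = {"landlord", "school-fees"}
T0 = datetime(2024, 3, 14, 2, 14)
FRAUD_SESSION = {
    "login_at": T0, "device_id": "android-unknown-77",
    "transfers": [(T0 + timedelta(minutes=m), 46_750.0, p) for m, p in
                  [(12, "mule-a"), (20, "mule-b"), (31, "mule-c"), (44, "mule-d")]],
}
NORMAL_SESSION = {
    "login_at": datetime(2024, 3, 14, 10, 30), "device_id": "thabo-phone-2021",
    "transfers": [(datetime(2024, 3, 14, 10, 32), 1_200.0, "landlord")],
}

if __name__ == "__main__":
    for s in (FRAUD_SESSION, NORMAL_SESSION):
        r = flag_session(s, KNOWN_DEVICES, KNOWN_PAYEES)
        print(decision(r), r)
```

The point is the join, not any single rule: the device, the hour, the payee history and the transfer pattern each live in a different system, and the session is only suspicious once they are read together.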
When Thabo reported the fraud the next morning, the bank’s fraud team was sympathetic but could not reverse the transactions. The login had been authenticated.
The OTP had been correctly used. The session had appeared legitimate by every measure available to their systems. But their systems did not account for the 11-hour phishing page, the purchased credential list, the 2am session from an unfamiliar device, or the four transfers timed precisely to avoid automated review. That information existed. Parts of it were available, in real time, from others who had flagged the spoofed domain hours after it went live.
The system that authenticated Thabo’s session and the system that could have questioned it were not connected. They still aren’t.
Dirk de Vos is the CEO of Venture Labs and director of QED Solutions. Patrick le Roux is the founder of Venture Labs and CEO of OSINT SA. Venture Labs develops infrastructure to turn digital events into cryptographically provable, replayable truth.
