Bank scams

You’ve been scammed: how to deal with your bank 

A staggering 83% of formal complaints were resolved in favour of the banks last year. But there are laws that can and should be used to push your case if you’ve been scammed.
July 15, 2026
5 mins read

Somehow, fraudsters have drained your bank account. What to do now? You’ve notified your bank with all the details you have. The formal response arrives within a week or two. It has a measured tone, constructed around a small number of facts: the transaction was authenticated, a known device was used, the electronic access profile limit was not breached. It concludes that there is unfortunately no bank liability in this matter; it may even include a link to a fraud-awareness page.

What is missing in the bank’s response: what the bank’s fraud-monitoring systems saw, which alerts were triggered, which interventions were attempted, what was not acted on, and why a high-risk transaction was allowed to continue. That information exists, but inside the bank’s systems. The bank controls it. The customer receives only the conclusion.

Which is small consolation given the R1.88bn South Africans lost to digital banking fraud in 2024.

Banking complaints rose 31% in 2025, and a staggering 83% of formal banking complaints were resolved in favour of the bank. Only one formal ruling was issued against a bank across that entire year. The statistics are clearly not in favour of the customer.

Red flags

The Financial Sector Conduct Authority (FSCA) Conduct Standard for Banks (No. 3 of 2020) requires them to maintain adequate systems and controls and to treat customers fairly. The Code of Banking Practice, revised July 2025, reinforces both obligations.

What do those requirements mean in operational terms?

A declined transaction immediately followed by a lower-value attempt at the same terminal within 60 seconds is a recognised indicator: a fraudster who has identified the card limit and immediately retried to stay below it. That pattern should generate a specific alert. It is a computationally simple check. Every major bank’s fraud system is capable of running it.

When a new beneficiary is added to an account and immediately paid in the same session that also included a transaction limit increase, a defensible system should apply step-up controls: a cooling-off delay, an out-of-band notification, or a verification challenge sent to a pre-registered trusted channel. These are standard practice in jurisdictions that treat authorised push payment fraud as a system design problem rather than a customer behaviour problem.

When the bank’s own fraud alert goes unanswered and a follow-up manual call is missed, the risk has not been resolved. It has escalated. If high-risk activity continues after two failed contact attempts, a reasonable system escalates to a decisive protective measure: a temporary payment hold, an external transfer block, a mandatory cooling-off period. Sending alerts and then processing the remaining transactions is just a notification followed by inaction, not an intervention.

The aggregate session activity matters as much as any individual transaction. A session involving new-beneficiary creation, limit increases, large EFT payments, rewards redemptions, cross-account staging and card-not-present authorisations across multiple channels over several hours should trigger session-level intervention on its combined pattern, regardless of whether any single transaction crosses a threshold. Instead, banks assess each transaction in isolation and each of them tells a different story from the session read as a whole.

Know your rights

That is precisely what the bank’s formal response typically avoids addressing.

Every South African bank holds records that go materially beyond the account statement. Most fraud victims never request them, and the banks certainly do not volunteer them. But they are accessible, and two pieces of legislation establish that right.

The primary instrument is the Promotion of Access to Information Act 2 of 2000 – Paia. Section 50 establishes that any person may request access to records held by a private body where those records are required to exercise or protect a right. A fraud victim disputing a repudiation decision has the right to fair treatment, to adequate complaint resolution, and to the information necessary to challenge the bank’s conclusion. That is the situation Paia was designed to address.

The mechanics are specific, too. Every bank must designate an information officer and publish a Paia manual specifying its record categories and request process. Requests are made on Form C, prescribed under the act, addressed to the information officer, and specifying the records sought and the right being exercised. The bank has 30 days to respond, which may be extended by a further 30 days on reasonable grounds. Refusal must be reasoned and can be escalated to the Information Regulator or the high court.

The other piece of legislation of relevance, section 23 of the Protection of Personal Information Act (Popia), operates alongside Paia. It entitles you to access personal information a responsible party holds about you: session data, device records, authentication logs, transaction metadata.

In short, Paia compels access to records needed to protect a right. Popia compels access to personal information held about you. Use them both.

A matter of record

The specific records to request are important. Authentication and session logs establish the device ID, IP address, geolocation, session token and OTP delivery records for the disputed session. Request them. A response stating “a known device was used” cites a conclusion from a record it has declined to produce. Request the record, not the conclusion.

Fraud-monitoring rule triggers used by banks record which automated rules fired, which transactions generated alerts, and what action was or was not taken. If the bank’s position is that its systems operated correctly, these records would confirm or contradict it.

New-beneficiary audit logs record when beneficiaries were created, what authentication was required, whether a cooling-off period applied, and what notification was generated. If the fraudsters created and paid beneficiaries in a single session, this record shows whether the bank’s controls were active.

Fraud intervention records document the timing and content of fraud alert SMSes, outbound calls and failed contact attempts – and what the bank did when those interventions produced no response. A bank that sent two unanswered alerts and then processed the remaining transactions has a second disclosure obligation, not merely the first.

Internal investigation case notes show what the fraud team actually reviewed before concluding there was no liability. A response repudiating a claim that cites general category policy such as: “Our position on contact crime-related fraud cases,” or “transactions made via a known device” without reference to the specific session pattern raises a legitimate question about whether an individual assessment was conducted.

As for “mule” accounts (an account used by fraudsters to transfer funds), details like the name, account number, bank and branch of the accounts your funds were transferred into are essential for co-operation with the police and the interbank freeze process. Banks routinely withhold these, but Paia compels their production where recovery is the right being protected.

It means that a bank that declines to produce the factual basis of its own repudiation decision is not in a position to claim it has treated you fairly.

Steps to take

In all of this, there is an escalation sequence. The first step is to report a banking fraud incident to the police immediately and obtain a case number. You need it for every subsequent process. Then, demand an interbank freeze on the day you discover the fraud. Call your bank, insist it contacts the receiving institution, record the name and time, and get written confirmation. The gap between your notification and the bank’s freeze request is evidence of post-notification conduct. Get a single point of contact in writing and keep a contemporaneous log of every call, name and non-response.

Submit your Paia and Popia requests simultaneously with your formal complaint and not just after the response repudiating your claim arrives. The 30-day clock runs from receipt of the request.

Once the internal processes are exhausted or six weeks have passed, lodge a complaint to the banking and credit division of the National Financial Ombud Scheme South Africa. At the same time, lodge with the FSCA under section 57 of the Financial Sector Regulation Act if the complaint raises conduct questions such as inadequate systems, non-disclosure or unfair complaint handling. The two processes address different aspects of the same institutional failure.

The banks are in the best position to tackle rampant online fraud. This is recognised in a growing number of jurisdictions around the world. In the UK, the Payment Systems Regulator’s mandatory reimbursement regime, operative since October 2024, proceeds from the premise that when an intervention fails and a customer loses their money, the institution that designed and operated that intervention has something to explain.

South Africa is not there yet. The response letter from the bank still arrives; it still cites the authentication log, and concludes no liability. That doesn’t have to be the end of the story.

ALSO READ:

Top image collage: Rawpixel; Currency.

Sign up to Currency’s weekly newsletters to receive your own bulletin of weekday news and weekend treats. Register here

Leave a Reply

Your email address will not be published.

Dirk de Vos

Dirk de Vos has a background in corporate finance and is an expert in regulatory systems. Dirk is the CEO of Venture Labs.

Patrick Le Roux

Patrick Le Roux is a fraud investigations specialist focused on complex financial and digital crime. At Venture Labs, Patrick designs advanced counter-fraud architectures that prevent, detect, and prove fraud at execution time.

Latest from Analysis

Mine and factory

Beneficiation is not a spell

There’s something to be said for moving from quarry to machine shop. But industrial value chains are built on competitive inputs, not slogans…
Subscribed to Currency

Don't Miss