A ‘new wave’ of bank scams is hitting SA, ombud warns – and sucks to be you if you get hit

Business Insider SA
A tan and white Chihuahua wearing a blue mask.
  • There is a "new wave" of banking scams targeted at consumers and small business, says SA's banking ombud.
  • But the methods are much the same, often relying on people to hand over OTPs or other credentials to make payments.
  • If you fall for such a scam and your bank wasn't negligent, that's your problem, says the ombud.
  • New research says technically-minded people may be even more susceptible to phising than people who aren't as tech savvy.
  • For more stories go to

South Africa is seeing a "new wave" of attacks on the bank accounts of consumers and small businesses, the Ombudsman for Banking Services said on Friday.

And those who fall for such scams may find they have to live with the losses, because it is not just up to banks to keep their money safe.

"All indicators are pointing towards the fact that there are new scams and an increasing number of the victims," said ombud Reana Steyn in a statement.

In 2021 the office recorded losses of R295 million, just in cases where account-holders complained about the conduct of the bank. The ombud investigated 2,880 individual "fraud related" cases, up 7.5% from the previous year.

Steyn highlighted an example that started with an email claiming payment was due to release a package at the Post Office. The recipient made the small payment requested – R42.50 – and then hit "approve" again when another payment authorisation request was sent to his cellphone immediately after. He noticed a reference to "Singapore" as he did so, and got in touch with his bank, but it was already too late, and he was out of pocket just over R16,000.

The victim turned to Steyn for help when the bank refused to accept liability, but found little sympathy.

"The responsibility is on customers to always remain vigilant and suspicious, especially when requested to provide their confidential banking details that they know can be used to access the funds in their accounts," said the ombud's office.

"The only time the bank will be held liable by the [ombud] is when the losses suffered by the customer were because of the bank’s negligence or wrongdoing."

That is rarely the case. In many current scams, fraudsters convince account-holders to hand over one-time passwords (OTPs) over the phone, or via online forms, despite increasingly lurid warnings from banks, and an increasing number of "are you sure" checkboxes required to authorise payments.

New research suggests a lack of technical knowledge is not the problem. Security company F-Secure this week released the results of an exercise that saw it target more than 80,000 people across four organisations with "commonly used phishing tactics". It found that people in the IT and DevOps departments – which help guard against attacks and who are familiar with the risk of phising – clicked on suspicious links as often, or even more so, than everyone else.

IT employees were also terrible at reporting phising attempts, ranking far below other departments in how suspicious they were.

(Compiled by Phillip de Wet)

Get the best of our site emailed to you every weekday.

Go to the Business Insider front page for more stories.