Illustrative image | Matrix wall. (Photo: Unsplash) | Computer hacker. (Photo: Unsplash) | A South African flag. (Photo: Nic Bothma / EPA) 
In recent weeks, several members of Daily Maverick’s newsroom received WhatsApp messages from someone claiming to be a senior company figure. The name and profile picture matched perfectly. The message received by this journalist read as follows:
“I’m currently in a very critical meeting and I can’t take calls at the moment. I need you to run a very quick urgent task for me… I need you to initiate a transfer to a prospect of mine. You will be reimbursed…”
Journalists are by nature sceptics, and we quickly confirmed the sender was an impersonator, so the scam failed.
Not everyone is so lucky. Impersonation can happen via WhatsApp, email, SMS (“relative in trouble” scams), or even through intercepted invoices, where only the banking details are changed, diverting payment to a fraudster.
If you’ve fallen for one of these schemes, you’re not alone, and you’re not necessarily careless. The scale of the problem is far bigger than most of us realise.
Fraud economies of scale
The South African Fraud Prevention Service (SAFPS), a non-profit organisation that tracks scams and offers services like protective registration, has recorded a staggering rise in impersonation fraud.
Its 2024 annual report shows a 26% year-on-year increase in overall cases, but one extraordinary number leapt off the pages: between 2023 and 2024, impersonation fraud reports spiked by 356%.
As SAFPS CEO Manie van Schalkwyk put it in his introduction to the report, “Fraud has evolved and is becoming more sophisticated, more targeted and more personal. None of us can escape it.”
Not even large businesses are escaping the fraudsters. According to Mimecast’s 2023 State of Email Security report, 84% of South African organisations surveyed were targeted by phishing or impersonation attacks, placing us consistently in the top countries targeted and successfully exploited by cyberfraud and impersonation.
Read More: Cybercrime’s double target — seniors and Gen Z in the firing line
The fuel feeding this machine and fire is leaked personal data. Here, too, South Africa ranks among Africa’s top countries for data breaches. This means scammers have names, ID numbers, addresses and contact details — making their impersonations far more believable and widening the target pool.
A recent Cyberint report makes it clear that as credentials are leaked, they can circulate indefinitely on dark web markets, fuelling multiple waves of fraud long after the initial breach.
While the Information Regulator — the public body responsible for the protection and enforcement of much of our information protection regulation — is aware that such leaks are a rampant risk, it does not track the exact numbers of all specific methods of scams, and much of the time, it requires the victim of a scam to report the issue directly.
“The Information Regulator monitors and enforces compliance with the Protection of Personal Information Act, including the obligation on responsible parties to notify the Regulator and affected data subjects of any security compromise,” said Mukelani Dimba, the head of education and communication at the Information Regulator, in a written response to Daily Maverick questions.
Bigger fish
It’s not just nuisance-level fraud. The Passenger Rail Agency of South Africa (Prasa) lost R30-million to phishing and impersonation attacks, according to the Auditor-General’s 2023 report.
This is not a novel phenomenon, nor one limited to South Africa, as the chief cybersecurity expert at ESET, Tony Anscombe, said to Daily Maverick, the degree of vulnerability, even in such large institutions as Prasa, means that “if you don’t fix the infrastructure that allows the scam to happen in the first place, you’re just playing Whac-A-Mole with the criminals. They’ll keep finding new ways to exploit the same weaknesses.”
One of the most damaging methods is business email compromise (BEC), in which criminals pose as trusted insiders to request payments or sensitive information. BEC is also relatively underreported, as many victims keep quiet because they are embarrassed, while companies often prefer to avoid reputational damage.
Despite this, BEC accounts for a large percentage of reported cybercrime incidents in South Africa, according to Interpol’s Africa Cyberthreat Assessment 2023 report.
High walls, but a gate wide open
South Africa’s laws and regulatory frameworks are, on paper, strong, and should theoretically prevent the deluge of fraudulent calls causing your phone to vibrate daily.
Core legislation and enforcement bodies
- Popia (Protection of Personal Information Act): Sets data security obligations, mandates breach notifications, and restricts direct marketing.
- Icasa (Independent Communications Authority of South Africa): Oversees subscriber protection, complaint handling and number/command line interface (CLI) presentation rules.
- Rica (Regulation of Interception of Communications and Provision of Communication-related Information Act): Requires SIM registration and supports lawful interception — but can be bypassed via caller line spoofing.
- Cybercrimes Act: Criminalises cyber fraud, impersonation, and unlawful data access.
The Information Regulator, empowered under Popia, enforces data protection rules, investigates breaches and can fine or refer matters for prosecution.
In its written response to Daily Maverick, the regulator confirmed that it “receives notifications of security compromises from responsible parties as required by section 22 of POPIA” and noted that “public awareness of these rights and obligations remains low, which hampers timely reporting by affected data subjects”.
Yet enforcement gaps remain. Icasa has no active caller line identification authentication mandate — a system that would verify the number shown on your phone matches the real origin before the call is connected, blocking most spoofed calls at the source, which is how many a cellphone scam is able to be achieved.
Icasa did not respond to queries for comment.
Investigations are mostly complaint-driven, not proactive, and there’s no systemic, real-time check on whether a displayed number is genuine.
The Financial Sector Conduct Authority (FSCA) issues public alerts about impersonation scams and coordinates with the SA Police Service (SAPS) and banks in financial fraud cases. The SAPS, the Hawks and the Financial Intelligence Centre lead criminal probes, collect evidence and attempt to freeze stolen funds.
Given the institutional challenges and wave of other criminal matters that these organisations have to investigate, it’s easier for smaller incidences of such crimes to fly under the radar.
By the time cases are opened, funds could already be laundered, SIMs discarded, and evidence scattered across borders.
The phone tech that bypasses Rica
In a legitimate call, the CLI data in the signalling tells the receiving network the true originating number — the success of Rica depends on this for traceability, which is difficult to enforce.
Scammers often break the chain using:
- VoIP header manipulation — essentially manipulating the data sent along a network accompanying a call to show any number.
- Third-party spoofing services — sold as “privacy tools” but used for fraud.
South Africa has no universal CLI authentication standard, which some countries do and which allows for stronger and easier verification of cell numbers.
Cross-border calls spoofing local numbers are almost impossible to verify on a technical level, and networks generally trust received CLI data without real-time checks.
This makes Rica’s SIM registration moot. Spoofing lets criminals display your number without ever using your SIM.
This is in addition to the fact that it is not difficult to find a pre-RICAed SIM card at almost any non-branded cellphone store for as little as R10.
The future: AI scam supercharge
If things were challenging before, the commercialisation of artificial intelligence now amplifies scams at scale. The FSCA warned in 2023 about AI-generated videos and voice clones imitating public figures and executives.
It noted in July: “We’re seeing a concerning rise in deepfakes — fake AI-generated videos and audio that seem so real, they could fool anyone.”
And indeed they are.
Common attacks include but aren’t limited to:
- Voice-cloned CEO requesting urgent payments via a spoofed call.
- Deepfake video drop-ins on live Zoom/Teams calls to approve transactions, which, with current, open-source technology that Daily Maverick has tested, can be done in real-time.
- AI-written phishing emails tailored to a company’s tone and vulnerabilities.
In this environment, voice-only and video-only verification might be obsolete. Organisations need multifactor checks, callbacks to known numbers, and visual or prearranged authentication codes.
Read More: AI scams surge — Nelson Mandela University experts warn people to adopt ‘zero trust mindset’
How do we stay protected?
Given the scale and sophistication of the ways in which scams can be conducted, as well as the accelerating role that technology plays, the reality is that there exists no single measure to stop all impersonation scams: layering defences is the strongest way forward.
- Verify all unusual requests for money, account access or data — even if from a trusted source.
- Call back on a known number saved in your contacts or published on the official site.
- Enable multifactor authentication for all of your accounts.
- Beware of urgency and secrecy — both are classic fraud markers. Take your time to verify.
- Report incidents to the relevant body — be it your employer, banking institution, etc. Chances are, you are not the only person being targeted.
Most importantly, talk about it. Many scams rely on the sense of shame or failure should one fall victim to them, but the reality is that the sheer scale of the problem can be likened to a shotgun blast, and there will always be those who get hurt.
Sharing your experience could stop the next person from falling into the same trap. DM