Business Maverick

RINGING OFF THE HOOK

SA’s anti-cellphone-scam systems are solid, but regulatory gaps mean enforcement sadly isn’t

South Africans are caught in a dizzying loop of blame and bureaucracy when reporting cellphone scams, where even the most diligent victims find themselves spinning in circles between banks, police, and regulators — each pointing fingers while the scammers keep raking in the cash.
Illustrative image | Matrix wall. (Photo: Unsplash) | A young woman, anxious about online banking scams and errors. (Photo: iStock)

It seems that for many victims of cellphone scams, the system fails when they try to report the issue: your cell provider might point you to the bank, the bank points you to the police, and the regulator asks for information you simply don’t have.

The problem is widespread. Patricia (not her real name), one victim interviewed by Daily Maverick, summed it up: “I must have 10 to 15 scam calls a day.”

As almost everyone reading this is aware, she’s not alone, but even if all proper procedures are followed, there’s no guarantee of consequence.

The laws are strong on paper. The Protection of Personal Information Act (Popia) obliges institutions to inform you if your information is breached and allows the Information Regulator to enforce the law. The Independent Communications Authority of South Africa (Icasa) regulates numbering and caller ID under the Electronic Communications Act.

The Cybercrimes Act criminalises digital fraud. Rica (the Regulation of Interception of Communications and Provision of Communication-related Information Act) was meant to make phone-based crime traceable. If you own a phone or a bank account, you know that promise hasn’t translated into practice — and reporting often has no consequences.

‘I did everything right — and nothing happened’

This was the comment of another anonymous interviewee who fell victim to a highly targeted impersonation scam in which their CEO was impersonated and they were induced to pay a large sum of money to the scammer via vouchers.

As the Information Regulator told Daily Maverick, procedurally the matter is quite clear: “As with all security compromises, responsible parties are obliged to comply with the provisions of section 22 of the Protection of Personal Information Act. The rule of thumb is that this should be reported within 72 hours in order to place the data subjects in the best possible position to mitigate against the impact of the security compromise.”

The victim of the CEO scam interviewed by Daily Maverick did just that — and yet two years later she still has no resolution.

When she reported it to the South African Police Service (SAPS), the case died at the station door: “We don’t have computers… even if we did, we don’t have computer literacy skills,” she was told by the investigating officer, who did not follow up on the matter.

The SAPS didn’t respond to Daily Maverick’s questions on the matter.

The victim was unsuccessful in attempting to recover the money via her bank, as the transactions were technically legitimate. The vouchers she had purchased were managed by a multinational, and she had no success there either.

“It’s a well-known international scam… They target juniors and use urgency — ‘I need you to run an errand for me quickly’ — to stop you thinking,” she told Daily Maverick, with the benefit of hindsight.

The impersonator didn’t stop with just the CEO. The victim subsequently monitored the number constantly via WhatsApp, and the name and profile picture associated with the number regularly changed.

When she searched for those names online, as well as reverse-image searching the profile picture, she saw that the scammer was continuously pretending to be yet another person.

“Every day there was a new picture of a CEO on the profile pic… This man is still going,” said the victim.

Eventually, in frustration and anger at the lack of resolution from formal processes, she confronted the perpetrator, only to receive the emoji below, which not only indicates zero remorse but also illustrates the scammer’s lack of fear of any consequence:

(Source: Supplied. Note: Images have been redacted for privacy protection purposes)

Our interviewee’s case is in no way anomalous, as the National Consumer Commission (NCC), a regulatory body aimed at protecting consumers, confirmed to Daily Maverick.

“Since 2023, we have seen an increase in scammers impersonating legitimate entities to defraud members of the public. The scale has reached the point where well-known public figures are exploited in deepfake commercials,” said National Consumer Commission spokesperson Phetho Ntaba.

In theory, this shameless scammer should have been easily traceable and the law enforced, as their SIM card should have been linked to their ID or passport number under Rica — so why didn’t this happen?

Rica: a paper mâché fortress

Rica was sold on traceability: link a SIM to a person and thus deter abuse. The intention was sound, but, as Mohamed Hassim, cellular security expert at Securi-Tech, explained to Daily Maverick: “The regulation is sound. The implementation is flawed.”

The act primarily places the burden of the implementation of Rica on telecommunications companies, and since there is no uniformity in the manner in which this is done, Hassim explained: “…there’s no standard Rica system across the board… [with some providers] you can put your name as Mickey Mouse — it accepts it”.

Because of the lack of a centralised database or implementation across all telecommunications companies, it’s very difficult to both investigate and police fraud perpetrated via cellphones. Hassim recommended a collaborative approach from providers to have a more uniform system, as well as a method of interfacing and linking Rica’d numbers to the Home Affairs database, as many banks have done with identity verification.

“I remember when Rica was passed… It feels as though not only was it a failure, but it’s almost a broader hole than existed before,” said Hassim.

The Independent Communications Authority of South Africa did not respond to questions from Daily Maverick about their security practices and Rica enforcement measures, nor did MTN and Vodacom. Cell C acknowledged questions, but missed an extended deadline.

However, even if Rica were perfectly implemented, there remain other gaps that can be exploited.

Hold the line, scammers aren’t always on time

Caller ID — or as it’s formally known, Caller Line Identification (CLI) — is a fairly common system to safely verify cell numbers; essentially, a surety that the cell number you see dialling you is correct. If your phone then has that number as a contact, then that’s what appears on your phone.

However, there is no mandatory regulation that requires this to be encrypted in any manner. Basically, networks trust the number supplied with an incoming call without further verification, which means that scammers with some technical know-how can still spoof a cell number, even if Rica were properly enforced.

Some publicly available Voice over IP (VoIP) calling software, similar to Skype, allows a scammer to set their own number. South African networks are not mandated to verify it, which bypasses Rica entirely and means that a scammer can set their number to anything, including your bank’s.

Fraud: Bank on it

(Source: Supplied. Note: Images have been redacted for privacy protection purposes)

The South African banking sector has in recent years implemented much stricter controls to combat scams and fraud, with two-factor verification, app authentication for online payments and, since bank databases were linked with Home Affairs, even facial verification when required.

This places a large part of the burden of verification on consumers themselves: you’ve got to prove you’re not acting untoward, rather than the bank doing so themselves, in contrast with other markets, as Gerhard Oosthuizen, chief technology officer at Entersekt, explained to Daily Maverick.

Oosthuizen says US banks lean on back-end risk routing instead, stating “...they have really stretched more in terms of their signalling and everything goes through a risk engine, but they’re really weak on their challenge mechanisms”.

By contrast, South Africa placed much of the verification burden on the consumer. 

Oosthuizen stressed it’s the fraudsters exploiting channel gaps: “The fraudsters are not working in silos like the banks are … I’ll call the call centre, I’ll try to log in here, I’ll change that there, and then I’ll come and get the OTP.”

And so we circle back to the issue of Caller ID spoofing, where your payment confirmation request call or message may not in fact be from your bank at all. 

As Oosthuizen made clear, a unified approach needs to be enacted across the telecommunications and banking sector: “There’s no one silver bullet — you need to look at a holistic approach.”

Patricia, the victim of attempted banking fraud, said she received messages that requested an OTP that would have approved a major financial transaction. Having fallen victim to other scams before, she recognised the messages as suspicious and called her bank and successfully identified the process as fraudulent. The messages “looked like the bank”, she said, but “I was quicker than the crook”.

Unfortunately, not everyone is as lucky, or as suspicious, as Patricia.

Daily Maverick contacted all major banks to understand their protocols and security measures, as well as efforts to enforce them. Only Absa acknowledged our queries, but it did not revert with an answer.

The National Consumer Commission’s Ntaba outlined the process for dealing with such scams reported to them: “After conducting investigations and developing a reasonable suspicion of an offence… we send the matter to law enforcement and the court for further action. The commission registers a case with the SAPS against the lawbreakers and assists law enforcement throughout the investigation.”

However, given the sheer number of such scams being perpetrated, it’s somewhat unlikely that the rate of successful prosecutions would be noteworthy — the consequences certainly aren’t currently stemming the tide.

So what’s to be done?

The current fixes required are less about drafting new legislation and more about implementing what exists functionally, though slight changes to current legislation could maximise impact.

Should Icasa require South African networks to authenticate Caller ID and attach consequences if operators fail to do so, that would potentially pull the rug out from anyone spoofing cellphone numbers and remove a major tool in their arsenal.

Centralising both Rica verification and Rica scam reports would also be a massive improvement. A single reporting point that channelled each report to the correct institutions (the network, bank and SAPS all together) could allow for the freezing and tracing of numbers with speed and, potentially, consequence, should the SAPS have the will and capacity to enforce it.

Lastly, should networks follow the path of banks and link SIM registrations to Home Affairs in some manner, with alerts whenever a new SIM is registered in your name or ID, potential victims might be able to take action before money starts moving.

Until those guardrails are in place, the phone will keep ringing off the hook. DM

This article has been updated to clarify technical phrasing from an interview with Entersekt’s CTO. No changes have been made to the article’s findings.

Comments (3)

Michael Forsyth Aug 25, 2025, 03:55 PM

I have also noticed that some SPAM emails that I receive have no traceable email address to be able to block it. How the heck is this a thing?

gfogell Aug 26, 2025, 09:19 AM

This is just another example of SA's ability to put legislation in place then fail to enforce it. I have been involved in the food labelling regulatory arena for years and this is yet another area where enforcement is virtually zero, putting consumers at risk. And don't get me started on drivers holding cellphones while driving! Strongly enforced in the UK, including by AI-assisted cameras.

Arnold Shapiro Aug 26, 2025, 10:29 AM

There is one regulatory change that could change the landscape: Any fraudster needs a bank account in order to receive money and there are thousands of "mule" accounts which are administrated by the banks despite onerous FICA regulations which are obviously not applied properly by the banks. If a commercial bank were to be made legally liable for a fraudulent account being opened then the frauds would come to a grinding halt.