Illustrative image: Contract. (Photo: Freepik) | Magnifying glass. (Image: Freepik) | Hands. (Image: Freepik) | Torn paper. (Image: Freepik) | (By Daniella Lee Ming Yesca) Part 2 of a four-part Daily Maverick series.
So 2024 saw the highest volume of digital banking fraud recorded by the South African Banking Risk Information Centre (Sabric): 97,975 reported incidents across South African banks, amounting to gross losses of close to R1.9-billion.
Sabric’s crime statistics report is the only real window we have into the scale of this problem. As our first article in this series reported, the official police figures on commercial crime offer almost no insights.
None of the major banks would provide figures to Daily Maverick on how many fraud incidents they experience annually, or the attendant financial losses.
Investec’s response was typical in this regard: “We recognise the importance of reporting that raises awareness about an important subject within the financial services industry. However, the information requested is proprietary and, in some instances, could create security risks if disclosed. For these reasons, we are unable to share specific details.”
What Sabric’s figures show is that the majority of this fraud involves banking apps, the fraudulent activity on which nearly doubled in 2024 – from about 32,000 incidents in 2023 to around 64,000 in 2024.
Sabric, which it is important to note is the banking industry’s own crime information body, attributes every single one of these cases to social engineering: criminals manipulating customers into surrendering their credentials, rather than any technical breach of banking systems.
Each major bank repeated a version of this position to Daily Maverick.
Standard Bank confirmed Sabric’s finding that “100% of digital fraud cases analysed in 2024 resulted from customer credentials being compromised through phishing, vishing [scamming over some form of call] or social engineering, not unauthorised system access.”
Daily Maverick asked readers to send us their experiences of being victims of bank fraud. After careful analysis of scores of accounts, it appeared that in the vast majority of cases, the victims had indeed unintentionally “given away the keys to the castle”, which is a phrase fraud experts use a lot.
We filtered down to a number of cases, however, where the question of customer liability seemed far more murky – but what was less ambiguous was that their attempts at fighting back seemed to be met with institutional stonewalling.
Being entirely offline couldn’t save her
One perception we were left with after this investigation was that digital banking can very rarely be entirely risk-free.
One banking veteran speaking to Daily Maverick on condition of anonymity said that industry insiders often have two phones – “and leave the one with the banking app on it at home in a drawer”.
But what if you have never conducted any digital banking at all?
In 2023, Robert’s wife was in frail care. The husband and wife duo were old-school: they still received bank statements through the post, and when they needed to do some banking, they entered a physical branch – until Robert’s wife fell ill.
/file/attachments/orphans/WFD_7119_698624.jpg "Absa Towers West rises above the Johannesburg CBD. (Photo: Felix Dlangamandla)")
She did no internet banking, had no access to a smartphone and no ability to monitor her own Absa account, which held about R250,000 – money set aside in case further emergency funds were needed for her care. The account had been essentially dormant since she became housebound in April 2021.
The money started disappearing in early 2023, in R3,000 weekly increments via a debit order that nobody had authorised. Robert only noticed three weeks later, when a paper bank statement arrived by post. By then, R9,000 was gone. The reference on each debit read “Yenza Kwen” followed by a nine-digit number, processed through a company called Netcash.
The runaround that followed, in Robert’s telling, took weeks.
Absa’s fraud helpline directed him to a branch. The branch told him that because the fraud involved a debit order, only his wife could cancel it – and she would have to come in person to do so.
This was impossible: his wife would have required an ambulance to travel. When Robert produced an affidavit confirming his power of attorney, he was told it needed to be on his lawyer’s letterhead. When he returned with the correct version, he was told the bank also needed a doctor’s letter confirming his wife was bedridden. When he returned again with that, the customer services manager was unavailable. By the time any action was taken, another R9,000 had disappeared.
It took a public complaint on HelloPeter, a South African consumer review platform, to break the deadlock.
A bank representative contacted him the next day, and a branch visit finally produced results. The payments were reversed as far back as possible. But R24,000 – eight weeks of deductions – could not be recovered.
Robert’s own theory about what happened is unambiguous.
“My opinion is that somebody at the bank saw an account with a substantial balance with no movement and someone was advised to fraudulently produce a debit order,” he wrote to Daily Maverick. “The bank denied this.”
The assumption that certain forms of bank fraud could not take place without some degree of involvement from bank staff is one that Daily Maverick was to hear repeatedly from the public throughout this investigation, and will be returned to in the third instalment of this series.
Absa declined to comment on the specifics of the case. In its broader response to Daily Maverick’s questions, the bank noted that “creating a debit order does not require access to a customer’s online banking or their physical presence at a bank”.
Lisanne Pienaar-De Gouveia, head of risk at Netcash, the debit order processor through which the debit order was processed, told Daily Maverick that a “valid debit order mandate from each customer whose bank account is debited” must be produced to Netcash.
This would include “a signed debit order mandate” from the customer as well as “confirmation of the payer’s identity and bank account details as reflected on the mandate”.
Pienaar-De Gouveia said that where fraud or misuse was identified, “the merchant is ultimately responsible for unauthorised collections” and Netcash will “immediately investigate, suspend or terminate the merchant.”
She said confirmed fraud resulting in unrecovered consumer losses represented “a very small proportion of overall transaction volumes” – but declined to provide specific figures.
Robert’s wife’s case illustrates a broader vulnerability in the debit order system.
According to a 2019 joint probe by the SA Revenue Service, the Hawks and the SAPS, fraudulent debit orders were totalling at least R1.6-billion a year at that point. The Payment Association of South Africa estimated at that stage that of the 1.5-million debit orders disputed monthly, roughly 10% were genuinely unauthorised.
Since then, the introduction of measures like DebiCheck, an authenticated debit order system endorsed by South African banks, seems to have improved the situation, but gaps remain.
The system is, by design, highly automated – and banks are not always well-placed to determine in advance whether a mandate is legitimate.
A big part of the wider problem, says forensic expert Albert van Zyl, is the trade-off between safety and convenience.
“As a consumer, I want to have my transactions processed as quickly as possible, and there are very, very high volumes of transactions that banks need to monitor.”
When millions disappear overnight
The majority of the banking fraud cases investigated by Daily Maverick involved losses of less than R200,000.
In some instances, however, consumers report upwards of R2-million transferred out of accounts without their knowledge or consent.
/file/attachments/orphans/WFD_7143_247028.jpg "The Standard Bank headquarters in Simmonds Street, Johannesburg. (Photo: Felix Dlangamandla)")
This was the situation experienced by a friend of Cape Town businessman Simon Mantell, who told Daily Maverick of his frustration in attempting to advocate for his friend to the management of Standard Bank.
In an open letter to the bank, Mantell laid out the situation, involving a female business owner who had banked with Standard Bank for 37 years.
In mid-October 2025, R2.3-million disappeared from her business banking profile in two days, paid out to five unknown beneficiaries she had not loaded, with account payment limits lifted without her authorisation. She was the only person authorised to access the account.
After she reported her losses, writes Mantell, “No effort was ever made by the fraud department of Standard Bank to check the client’s electronic devices for the purposes of ascertaining whether the fraud was due to any negligence on the part of the client.”
He adds that some nine days after reporting the incident to the bank, the five fraudulent beneficiaries mysteriously disappeared from the client’s online banking profile, again without her knowledge or approval.
“By Friday, 7 November 2025, the client had received little to no feedback from the bank’s senior management in Cape Town and was having sleepless nights as she navigated what can best be described as cruel ‘bank officialdom’,” Mantell wrote.
“On Tuesday, 11 November 2025, the client had reached breaking point from 25 cumulative days of worry and fainted and fell at home,” – in so doing, fracturing her wrist.
It appears that Mantell’s indefatigable lobbying of Standard Bank management and ultimately even bank board members may have eventually forced movement, with the matter eventually being concluded around a month after being reported on confidential terms.
Standard Bank would not comment to Daily Maverick on the specifics of the case.
Spokesperson Ross Linstrom said, however, that its investigations examine “every element of the incident, including how funds were moved, which systems or platforms were accessed, the credentials used, device activity, and any authentication or security events”.
Yet according to Mantell, no effort was made to inspect the business owner’s electronic devices at any point during the investigation.
The bank that changed its story
Miranda Young’s problems began in June 2024, when she fell victim to a phone scam and lost all her savings after scammers transferred all her Standard Bank savings account money into her credit card account and stole the lot.
“It was my fault,” Young admits freely now.
The scam was a common one: the fraudster told her he was calling from Standard Bank’s fraud department and needed various details to reverse a fraudulent transaction.
“I gave out OTP numbers and other details which I shouldn’t have,” Young says.
Because her account details had been compromised, Young closed her Standard Bank cheque and savings account – but she couldn’t close her credit card account because she still owed the bank money.
Fast forward to September 2025: Young discovered that daily ATM withdrawals totalling R33,790 had been made over the previous three months from her Standard Bank credit card account – with interest and card fees ultimately pushing this amount to R58,105.16.
The credit card in question had never left Young’s possession. Given the details Young had given to scammers two years previously, it was still possible that they could have used these to create a cloned card – except that Young’s old compromised credit card had been cancelled, and there was no indication how the scammers could have obtained the information related to the new card.
On 7 October 2025, Young received an email from Standard Bank giving the outcome of its investigation: as Young’s own credit card and PIN had been used for the ATM withdrawals, the bank accepted no liability.
The bank would subsequently offer a “goodwill gesture” payment of around R14,000, on condition that this concluded the matter.
Young refused the offer. She persisted in sending emails to individuals in the bank’s fraud unit demanding a fuller investigation.
She was worried that the fact that she had previously been a victim of scammers might be counting against her.
“My concern was that the initial investigation had not been done properly and they had just taken the easy way out and blamed me,” she told Daily Maverick.
Young would subsequently get an email from the manager of the bank’s complaint resolution centre giving her information which significantly changed matters.
“I confirm that the disputed transactions were processed using your [old] debit card and associated PIN. This card was linked to your credit card account,” read the email, seen by Daily Maverick.
Young had assumed that her old debit card had been unlinked from her credit card account when she closed her cheque and savings accounts two years previously. Now it appeared this had not happened as it should – potentially giving the old scammers continued access to her credit card account.
In three different letters seen by Daily Maverick, sent by Standard Bank to Young between 29 October 2025 and 18 November 2025, Standard Bank claimed that a different card had been responsible for the ATM withdrawals in each: initially Young’s credit card, then Young’s old debit card, then a further card whose numbers Young didn’t recognise at all.
But when the matter went before the National Financial Ombud in January 2026, Standard Bank was sticking to its story: the card used to make the ATM withdrawals, the bank told the Ombud in its official report, had been Young’s credit card.
There was no attempt at an explanation of how or why Young had been informed twice, once via email and once over the phone, that in fact her debit card can be used. The Ombud has yet to rule.
“Losing this money has created enormous financial pressure,” Young told Daily Maverick.
“I only teach Pilates part-time now as I have had four back fusions and a hip replacement. I live on my late son’s property and I rent out my house to get an income, which I supplement with my teaching. Emotionally, this has affected me badly. The stress is awful. The length of time this has all taken – six months now. The hours and hours I have spent on the phone and sending emails, fighting with the bank to get it properly investigated.”
The last resort that rarely works
In cases where fraud victims feel they have been wronged by the banks, the National Financial Ombud is often their last resort.
The Ombud’s latest annual report, however, makes it clear how rarely its findings are in support of bank clients as opposed to the banks: 79% of cases were found in favour of the banks, with just 21% in favour of the customers.
/file/attachments/orphans/Untitled1_917164.jpg)
/file/attachments/orphans/Graph2New_162940.jpg)
/file/attachments/orphans/Graph7NewAPostrophe_618375.jpg)
There is one avenue of complaint that has worked, at least for smaller losses.
Dr Koos Marais, a retired Pretoria dentist, told Daily Maverick of his experience losing R23,000 to Absa in 2018 from three simultaneous ATM withdrawals from different parts of the country.
When Absa refused to refund him, he used the Small Claims Court. The process required a written deposition hand-delivered to the branch manager, a 14-day waiting period, and then a summons.
Absa paid the full R23,000 before the matter came to court — above the court’s R15,000 limit.
“The Small Claims Court is a commendable institution because it protects the little guy from the big corporations. Their services are 100% free,” Marais says.
Marais now advocates for raising the Small Claims Court limit to between R50,000 and R100,000. Its R15,000 threshold covers a diminishing fraction of what fraud victims actually lose.
“I think Absa knew that I would run to social media with the story if they had been forced by the Small Claims Court to pay me,” Marais says. “I would have.”
The anonymous banking industry veteran who spoke to Daily Maverick on condition of confidentiality acknowledged this reality.
“Making a stink on social media really does work with banks, as it does for all brands,” she said.
That Robert recovered some of his money via HelloPeter, while weeks of formal engagement with the bank produced only obstruction, says something uncomfortable about where the real leverage in these disputes actually lies.
Miranda Young has not recovered her money. The Standard Bank business owner’s case ultimately reached a confidential conclusion – but only after a month of mounting stress, a hospitalisation, a fractured wrist, a meeting invitation that excluded anyone who might support her, and an open letter to the board that was apparently never forwarded to its intended recipients.
For both women, the experience of trying to obtain answers from the institution that held all the evidence was, in itself, a second ordeal.
The system, as it stands, requires fraud victims to trust institutions that will not disclose their processes, accept findings from investigations they cannot scrutinise, and navigate formal complaints channels that rule against them four times out of five. The question of why it works this way, and who is actually responsible for the losses at its centre, is where this series turns next. DM
Next: Who should ultimately take responsibility for fraud? The question at the heart of the issue.