Illustrative Image: Bank account (Photo: iStock) | Magnifying glass. (Image: Freepik) | Hands. (Image: iStock) | Torn paper. (Image: Freepik) | (By Daniella Lee Ming Yesca) Part 3 of a four-part Daily Maverick series.
Ask any South African who has lost money to digital bank fraud what they think happened, and a version of the same answer comes back with striking regularity: someone at the bank must have been involved.
Miranda Young, whose story we told in the second instalment of this series, wrote to Standard Bank that “whoever did this knew exactly what to do and how to do it”.
Similarly, we told of the Cape Town businesswoman whose millions vanished in two days, with payment limits lifted and beneficiaries loaded without her knowledge. Her friend Simon Mantell said this “points to internal system compromise or insider access”.
And Robert, whose bedridden wife’s dormant Absa account was drained over weeks via a debit order nobody had authorised, told Daily Maverick: “My opinion is that somebody at the bank saw an account with a substantial balance with no movement and decided to fraudulently produce a debit order.”
The banks are equally emphatic in the opposite direction.
Standard Bank said its investigations examine “every element of the incident, including how funds were moved, which systems or platforms were accessed, the credentials used, device activity, and any authentication or security events linked to the transaction”, adding that “no employee can unilaterally override security controls”.
Standard Bank further cited the South African Banking Risk Information Centre’s data: “100% of digital fraud cases analysed in 2024 resulted from customer credentials being compromised through phishing, vishing or social engineering, not unauthorised system access”.
/file/attachments/orphans/WFD_7143_247028.jpg "The Standard Bank headquarters in Simmonds Street in downtown Johannesburg. (Photo: Felix Dlangamandla)")
Absa told Daily Maverick that its “role-based access protocols and layered control frameworks prevent employees from committing fraud on customer profiles”, and that it was “the first bank in South Africa to have launched an Insider Threat Programme dedicated to monitoring for insider threats”.
Nedbank said employees “do not have unrestricted access to customer accounts” and that all access is “protected through controlled and monitored system access”. FNB said that “any unauthorised access to, or modification of, client information is strictly prohibited and constitutes serious misconduct”.
Both sides — the public conviction and the institutional denial — seem unlikely to be entirely accurate. So where does the reality lie?
The employees who did ‘the impossible’
Court records from the last few years offer at least a glimpse at a counterpoint towards the banks’ position.
In July 2025, Lusanda Gloria Qose, a former sales and service consultant at FNB's Pier 14 branch in Gqeberha, was sentenced to five years’ imprisonment for fraud, cyberfraud and the unlawful use of access credentials.
The case, according to the National Prosecuting Authority (NPA), involved a 68-year-old customer whose cellphone number Qose had changed on the bank’s system using her own employee credentials, diverting all OTP (one-time password) authorisations to herself. She then created a second bank card linked to his accounts and used it to conduct ATM withdrawals over three months, causing a total loss of R245,000. The bank ultimately refunded the customer.
Two months earlier, the Hawks had arrested 14 suspects in connection with an alleged R157-million fraud at Nedbank. The main suspect was Nicolette de Villiers, described by the NPA as a former forensic investigator in Nedbank's Group Crime, Forensic and Security division — the very unit tasked with investigating fraud.
She is alleged to have issued instructions for the unauthorised transfer of more than R157-million from Nedbank's suspense accounts, which are accounts used to hold funds already under investigation, into the accounts of alleged co-conspirators. Instead of returning blocked funds to their rightful owners, the NPA alleged, De Villiers directed them elsewhere.
/file/attachments/orphans/6I1A7167_822974.jpg "Nedbank on Rivonia Road in Sandton. (Photo: Felix Dlangamandla)")
In 2024, two former Absa employees, Florika Owusu and Abongile Tyusha, were sentenced in the Gqeberha Specialised Commercial Crime Court after using their access to the bank's electronic banking system to open accounts in the names of deceased individuals and foreign nationals, reactivate dormant accounts, and funnel more than R1-million in stolen funds.
A former Standard Bank administrator, Dorcus Nyambi, was jailed for eight years in May 2025 for reactivating a dormant account belonging to a deceased client and loading beneficiaries linked to it.
In January 2026, a former Standard Bank IT operator, Vivian Brink, appeared in the Johannesburg Magistrates’ Court, accused of improperly altering digital account settings over nearly four years to expand his overdraft facility, causing losses to the bank exceeding R1.9-million.
These are only some of the cases of bank fraud involving insiders that were detected, investigated and prosecuted in recent years. Key to their movement through the criminal justice system may be the fact that these cases involved unusually large amounts of money.
“When banking employees are involved, they usually sit in tech or on the banking side and skim cents off accounts; otherwise, it is fairly easy for the client to realise something is up and for the bank itself to investigate,” one forensic investigator, speaking on condition of anonymity, told Daily Maverick.
“Moving the money is also a problem: it leaves traces.”
North West University Business School forensic expert Albert van Zyl said that collusion between bank insiders and scammers outside is a definite issue.
“What we have seen is that criminal syndicates target and deploy people to infiltrate banks. That is happening. They [banks] are supposed to do better employment screening.”
How a bank fraud investigation should be run
Understanding why the insider question is so difficult to resolve requires some grasp of how digital banking fraud actually works at a technical level.
Craig Pedersen, a forensic investigator with extensive experience in bank fraud cases, explained to Daily Maverick what a baseline investigation should examine.
“The first thing that the bank will be considering is the element of ‘how’,” he says.
“They’re going to need some time to review access logs and transactional history to see which medium was used to make the actual payment. That data is then interrogated to see whether it was a known and authenticated device that was used, how the beneficiary was loaded and ultimately how the payment happened.”
In cases where beneficiaries are added or payment limits lifted without the customer’s apparent authorisation — precisely the pattern seen in multiple cases across this series — Pedersen says the most common technical explanation involves an account takeover that occurred before the banking interaction itself.
“An attacker has typically taken control over the victim’s account by phishing or social engineering, and the beneficiary is added using a redirected OTP,” he says.
“Often, clients forget that while their cellular OTP is the first point of change, they have a fallback set to email. If a criminal has compromised their email accounts, it’s easy to authorise the new beneficiary from the email they’re in control of. The bank should be able to confirm this quite easily by checking which approval method was used for the beneficiary.”
The banks, too, all point to some version of this explanation.
FNB told Daily Maverick that “investigations frequently indicate that customer credentials were compromised through mechanisms such as social engineering, malware, SIM swap fraud, or unauthorised access to a customer’s device, rather than through internal system changes”.
/file/attachments/orphans/6I1A7213_470274.jpg "First National Bank ATM in Midrand. (Photo: Felix Dlangamandla)")
Every fraud expert Daily Maverick spoke to over the course of our investigation said that this explanation almost certainly accounts for the majority of cases.
If an employee had been responsible for some wrongdoing, Pedersen says, there would be a clear trace of this on the bank’s systems.
“There would 100% be a log entry,” he says.
Any change to OTP delivery details on a customer account, for example, “would be noted and the bank could audit that”.
In cases of genuine insider fraud, then, the evidence exists inside the bank’s own systems. The question is who gets to see it.
The audit logs that weren’t supposed to be viewed
In mid-October 2025, a South African professional — we will call her Mandisa* — discovered that more than R2-million had been transferred out of her Standard Bank business banking account across 13 transactions within a matter of hours: an experience strikingly similar to that of the Cape Town businesswoman whose story we told in the second part of this series.
Mandisa had received no OTPs for any of these transactions. She was, she stated in an affidavit seen by Daily Maverick, the sole person with authorised access to the account.
Standard Bank’s account of what happened, provided during the subsequent dispute process, was that “[Mandisa’s] online banking profile was accessed using [her] login credentials”, and that fraudsters had then used those credentials to migrate the profile to the bank’s Online Banking for Business platform: one that allowed them to manage user access, assign roles, and set payment limits. From there, payments were processed far beyond the account's previous limits.
The bank's conclusion: sophisticated external social engineering, no internal involvement.
Mandisa’s attorneys were not satisfied. They wanted to see the evidence.
In a letter to Standard Bank in December 2025, they wrote that “the bank persists in asserting ‘investigation outcomes’ while simultaneously refusing to provide the forensic investigation report it expressly undertook to furnish. In the absence of that report, assertions relating to phishing, compromised credentials or customer access are unsupported and incapable of independent evaluation”.
The bank's justification for withholding the technical records was that it was “unable to provide third parties with information that would disclose internal processes, as this could compromise the integrity of our systems”.
This is where the case takes an unexpected turn.
Standard Bank did not know that Mandisa had managed to obtain something most fraud victims never see: the account’s actual audit logs, procured through a private investigator who accessed them via separate channels.
Daily Maverick has not been able to view those logs. But we understand they may contradict the bank’s account of what happened, and that they are said to point strongly towards internal involvement rather than external social engineering.
Standard Bank declines to comment on specific cases.
The right to your own evidence
It is not just Standard Bank that refuses to supply clients with their investigative reports into fraud on clients’ own accounts, despite the fact that without access to these reports, the client has to effectively take the bank’s version of what happened on trust.
Sonia*, a chartered accountant who lost a significant sum in her personal account to bank fraud, submitted a formal Paia (Protection of Access to Information Act) application to Absa requesting the bank’s investigation report and technical logs.
Absa’s response was to inform her that forensic investigation reports are “internal confidential documents” and that she would need a Section 205 subpoena — a criminal procedure mechanism — before the bank would release anything.
When a South African Police Service (SAPS) investigating officer obtained the relevant subpoena from a judge and submitted it, the bank told the SAPS in correspondence seen by Daily Maverick that it would not supply any forensic or technical information even to the police because Sonia herself “was not under investigation”.
The Information Regulator (IR), approached by Daily Maverick for clarification, set out the legal position in terms that make the banks’ conduct in this regard appear difficult to sustain.
IR spokesperson Nomzamo Zondi told Daily Maverick that under Section 50(1) of Paia, a requester must be granted access to a record if the record is needed for the exercise or protection of any rights, the procedural requirements have been met, and the record does not fall within the specific grounds for refusal laid out elsewhere in the Act.
In a bank’s case, these grounds for refusal might include other customers’ details, employee identities, or information related to criminal syndicates.
Critically, however, Zondi said that even where a ground for refusal does apply, Section 59 of Paia requires the bank to sever or redact the protected portions and release the rest.
Zondi also cited Section 70 of Paia — the public interest override — which requires records to be released even where grounds for refusal apply, if their disclosure “would reveal evidence of a substantial contravention of the law or failure to comply with the law” and “the public interest in the disclosure of the record clearly outweighs the harm contemplated”.
In cases where fraud victims suspect insider involvement, the IR’s analysis suggests that this threshold deserves serious consideration.
The Protection of Personal Information Act (Popia), Zondi added, is “in perfect alignment with Paia” on this point: a bank can only deny a person access to their own personal information on the same Chapter 4 grounds available under Paia.
In practice, in other words, banks appear to be routinely refusing access to fraud investigation records in ways that the Information Regulator's own legal analysis suggests may not be compliant with the law.
The silence that settlements buy
Standard Bank maintained to Mandisa that it had no liability for her fraud losses, but in late November 2025, it offered to reimburse her for the amount stolen from her account — as long as she agreed not to tell anybody.
In the settlement offer letter, the bank wrote: “The terms of this offer and its acceptance are to be kept strictly confidential. [Mandisa and her employees] shall not disclose the existence or contents of this letter to any person, except its professional advisors or as required by law or court order, without the bank’s consent. Any breach of this confidentiality undertaking will entitle the bank to claim damages, without prejudice to its other rights in law.”
Mandisa’s daughter described the offer to Daily Maverick succinctly: “It’s shut-up money.”
The family rejected the settlement.
“We want to know what happened,” Mandisa’s daughter said. “Then we can discuss the money.”
The confidentiality clause has become a standard fixture of bank fraud settlements, and its effect on the public record is quietly corrosive.
Many fraud victims do accept those terms, understandably, just relieved to have their money back. But the practical consequence is that the details of what happened — and critically, how it happened — vanish from the public record entirely, their only trace contained in the Financial Intelligence Centre’s annual reports on the numbers of STRs: Suspicious Transaction Reports.
The gagging of reimbursed fraud victims in this manner also prevents the media from being able to accurately trace or report on the scale of the problem.
The National Financial Ombud (NFO) records the settlements that are offered after clients begin the NFO process as “goodwill payments”.
/file/attachments/orphans/Graph3New_472758.jpg)
None of the major banks would tell Daily Maverick precisely what criteria determine whether a fraud victim receives a goodwill payment, or how large it will be.
FNB said that goodwill payments “are discretionary, do not constitute an admission of liability, and are considered on a case-by-case basis”. Nedbank said factors include “the vulnerability and tenure of the client, as well as the conduct of accounts held with us”. Absa declined to answer questions on the subject at all, beyond the statement that “each fraud case is reviewed on its own merits”.
The NFO confirmed to Daily Maverick that it does not direct or determine goodwill payments: these remain entirely within the bank’s discretion.
NFO spokesperson Priya Rajah noted that “each bank applies its own internal policies to guide when a gesture of goodwill may be offered. These policies vary across institutions and are discretionary in nature”.
The question that nobody has to answer
Daily Maverick asked the NFO whether banks are required to disclose when staff members were disciplined or dismissed as a result of a case under investigation. The answer was no.
“Matters relating to internal disciplinary action are between the bank and its employees and fall outside the scope of our mandate,” said Rajah.
Asked whether it was possible that banks could be uncovering evidence of criminal wrongdoing by employees without sharing that with the NFO, she replied somewhat mysteriously: “It may be possible; however, in our experience, this has not occurred.”
The NFO also confirmed it keeps no formal statistics on the percentage of cases where complainants allege employee involvement — though Rajah noted that “this concern is often raised”.
The NPA, meanwhile, told Daily Maverick it did not have any easily accessible records on the number of bank employees prosecuted for insider fraud.
Rendani Singo, managing director of MK Fraud Insights, frames the difficulty candidly.
“There are cases across the industry where patterns strongly suggest some level of insider facilitation, even if this is difficult to prove conclusively,” he says.
But, Singo also cautions, “In many investigations, what initially appears to be insider involvement can later be explained by the sophistication of external actors who have developed a deep understanding of systems, processes, and even staff behaviours”.
Ultimately, the public’s instinct that insider involvement is more common than banks acknowledge may or may not be statistically accurate.
What is unarguable is that the system as currently structured makes it close to impossible to find the truth. DM
*Name changed to protect identity.
Next: What would meaningful reform actually look like? The gaps, the fixes, and the one South African bank that has never had a single fraud case.