- A consumer lost R120 000 after she installed a fake app that let criminals access her device and banking details.
- The bank is not liable, as the unauthorised transactions were conducted using biometric authentication on the consumer’s trusted device, making it appear that the consumer herself approved the payments.
- Experts urge caution with unfamiliar apps, recommend verifying promotions through official channels, and advise strong passwords and security practices.
A consumer responded to a social media ad promoting discounted airline tickets. She submitted her phone number and email via a link, hoping to receive the advertised promo codes.
Soon after, she was contacted via WhatsApp and told to download an app from the Google Play Store. What seemed like a legitimate app was actually malicious, containing malware that could control her device remotely.
Within minutes, her phone began overheating and behaving erratically. The camera's green light switched on unexpectedly, suggesting remote tampering. When she opened her banking app, she discovered two unauthorised transactions totaling R120 000. Despite reporting the fraud to her bank and the South African Police Service just 27 minutes after the payments, the money had already vanished.
The bank denied responsibility, noting that the payments were authorised via selfie-based biometric authentication on the consumer’s trusted device. When the case was escalated to the National Financial Ombud (NFO), the office found the fraud originated from the malicious app, not a flaw in the bank’s systems.
"The loss came from the consumer’s interaction with a harmful third-party app, not from any fault of the bank," the NFO said. There was no evidence of bank negligence or security failures.
Human impact and lessons for consumers
The consumer called the experience “devastating and shocking,” underscoring how quickly scammers can exploit everyday technology. Experts warn that malware can do more than steal passwords; it can hijack devices, impersonate users, and even bypass biometric security.
The NFO urged consumers to always verify promotions on official websites or verified social media accounts, never share personal details publicly, and only download apps from trusted developers. Strong, unique passwords, two-factor authentication, reliable antivirus software, and regular account monitoring are essential.
The NFO warned, “Even with quick reporting, losses can be permanent if malware has seized control of your device. Always pause, question, and verify before installing any app or sharing personal details.”

