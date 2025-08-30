Nedbank has warned that fraudsters are spoofing caller ID and registering numbers with names like “Nedbank Investigations” on services like Truecaller.

It has joined Standard Bank in warning that impersonation scams are rife in South Africa, where scammers pretend to be officials from trusted sources to acquire personal information.

These social engineering attacks are perpetrated using emails, SMS, WhatsApp messages, and phone calls. Criminals use these channels to manipulate bank customers to share their personal information.

Spoofing, where attackers falsify email addresses or caller ID, is one more element fraudsters use to make themselves more convincing when impersonating trusted entities.

Nedbank highlighted the crisis in a message to clients, noting that fraudsters are posing as its fraud department.

In such attacks, the fraudsters usually begin by claiming that a suspicious debit order or large fraudulent transaction had gone off on the customer’s account.

They then try to convince the customer to do something to compromise their account under the guise of reversing the fraudulent transactions.

In Nedbank’s case, it said fraudsters ask customers to change their Nedbank ID username and password to the one the attackers provide.

Alternatively, they ask customers to provide their credentials to reverse the transaction. They may also ask customers to accept an Approve-it message or share an OTP with them.

Standard Bank has published a similar warning, saying that fraudsters were using AI-generated voices and emails to impersonate bank officials.

The bank said that the caller mimics the tone of a genuine bank interaction, often including standard security questions and disclaimers.

Scammers often reference personal details such as birth dates, addresses, or account types. Although the information might seem harmless, it is used to create credibility.

The attacker will then often claim to be calling about a service offering or to validate detected suspicious activity on the customer’s banking profile, such as unauthorised changes to contact details.

When victims panic, criminals offer fake solutions such as asking customers to transfer funds to a “safe” account, scan a QR code, click a link, or share sensitive information like OTPs or instant money voucher codes.

To avoid falling prey to such attacks, the banks warned customers to never share their online banking credentials with anyone, as bank staff would never ask for them.

They would also not offer to change them to deal with fraud, or ask customers to change them to a specific username or password.

Customers should also carefully read banking app transaction approval messages before accepting them and never share OTPs.

If the bank calls about a transaction, a customer should simply say ‘Yes. It’s mine,’ or ‘No. It’s not mine.’ They should never share any secret information.

Truecaller crackdown on AI-generated voices

Photographer: Sharaf Maksumov / Shutterstock.com

Earlier this year, Truecaller announced that it was deploying technology to counter the growing number of criminals using artificial intelligence-generated voice cloning to defraud phone users.

Truecaller CEO Rishit Jhunjhunwala said that he had seen a fake version of a CEO’s voice being used to call their firm’s finance chief to request a large transfer.

Readily accessible generative AI tools have made it easy for criminals to convincingly imitate voices, putting more people at risk of falling for fraud.

Truecaller said it built technology that scans callers’ voices to detect when they’re computer-generated.

Key to the fight against voice cloning is CallHero, an Israeli company specialising in cloud telephony that Truecaller bought in 2022. Jhunjhunwala said they would continue to explore more AI acquisitions.

Truecaller is grappling with evolving data protection laws, including in South Africa, where it is under investigation by the Information Regulator.

The company said it voluntarily implemented data protection practices worldwide that align with strict European Union rules, saying it was the “right thing to do.”