ESET Expert

Online Banking Scams To Look Out For

Online banking has revolutionised the way we transact, making it easier and more accessible than ever. Banks are continuously working to keep online banking safe and secure, employing a variety of security measures, including notifications of your account activity, one-time PINs (OTPs), biometrics, and two-factor authentication, to name a few.

Of course, with every innovation in banking comes the renewed tenacity of fraudsters and cyber criminals to relieve people of their finances. Fortunately, it’s relatively easy to protect your money from online scammers if you know what to look out for. So, here we have outlined the most popular online banking scams in South Africa and how to avoid falling victim to them. The first step in arming yourself against online banking scams is knowing what you’re dealing with.


MFA fatigue

Multifactor Authentication (MFA) is a safety measure that banks use to make extra sure it’s you trying to log in on your online banking application. It usually involves an OTP that is sent to you via SMS or an email, where you need to approve whatever action you’re trying to take. MFA fatigue is a method that scammers use whereby they flood you with MFA notifications, hoping you’ll approve one and give them access to your finances. 

To avoid falling victim to this online banking scam, never share an OTP with anyone (not even bank employees), and always ensure you only authenticate notifications you’re sure about. A popular scam doing the rounds involves fraudsters phoning people and posing as customer service for your bank. They’ll tell you they’re trying to block a fraudulent transaction and attempt to get you to install software that allows them to remotely control your computer and log in to your online banking profile.

Remember that banks will never ask you to download any software or enter or share your banking details.


Phishing

Phishing is a method used by fraudsters to ‘fish’ for important information like your personal or banking details. They contact you via email, posing as representatives of reputable companies like a bank or insurer. They often offer some kind of reward like a discount in exchange for your information.

You can identify phishing attempts by scanning for spelling errors in the body of the email, and double checking the email address it was sent from. If the email comes from any address other than an official company email address which usually ends with, then it could potentially be scammers. It’s important to be scrupulous when checking the email address as some scammers will have an email address with a domain incredibly similar to the legitimate company with a slight variation like a hyphen or a different letter hidden within it.

When in doubt, call the company to check if the communications you’ve received are genuine.


Qishing

Qishing is a form of phishing that uses QR codes. When you scan the QR code, it takes you to a scam website that either prompts you to input your details or gives the scammers access to your phone and data. To avoid being a qishing victim, always double-check the website that the QR code will take you to. When you hold your phone up to a QR code, the website URL hovers on your screen. At this point, if you click on the URL shown, your phone will open an internet page that takes you to that website.

When the URL is hovering on your screen, before you click on it, check that it looks legitimate (without random letters or strange punctuation in the URL). If the URL looks like it has nothing to do with the reason you scanned the QR code in the first place, rather don’t click on it.


Smishing

Smishing is a tactic used by cyber criminals to gain access to your important information by getting you to click on a link in an SMS. The link usually takes you to a fake website that will encourage you to input your information or give them access to your phone and data.

Smishing fraudsters can also present themselves as an official company. A popular smishing scam in South Africa poses as a courier service provider and claims that you need to click on the link in the SMS to track a parcel you haven’t ordered, or it threatens that you will lose the parcel if you don’t click on the link. Smishing scams could also pose as a competition and ask you to click on the link to claim your prize. To identify smishing, look for spelling errors and consider the link itself. If the website isn’t an official company website like or then it could be smishing.

Take note if you’ve entered any competitions or lucky draws, or if you are expecting any deliveries any time soon.
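
The sender-address and link checks described above for phishing, qishing and smishing can be partly automated. The following is an added example, not part of the original article: it compares an email sender or a link against a list of official domains and flags near-misses such as an added hyphen or a swapped letter. The `example...` domains are constructed placeholders, not real company domains.

```python
from urllib.parse import urlsplit

# Assumption: constructed placeholder domains standing in for the official
# domains of the companies you actually deal with.
OFFICIAL_DOMAINS = ("examplebank.co.za", "examplecourier.co.za")


def edit_distance(a, b):
    """Levenshtein distance (single-character insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def extract_host(value):
    """Host part of an email address or URL, lower-cased."""
    value = value.strip()
    if "://" not in value and "@" in value:
        return value.rsplit("@", 1)[1].lower().rstrip(".")
    if "://" not in value:
        value = "//" + value  # bare "host/path", as often seen in an SMS
    return (urlsplit(value).hostname or "").lower().rstrip(".")


def classify(value):
    """Return 'official', 'lookalike' or 'unknown' for a sender or link."""
    host = extract_host(value)
    for official in OFFICIAL_DOMAINS:
        if host == official or host.endswith("." + official):
            return "official"
    for official in OFFICIAL_DOMAINS:
        labels = official.count(".") + 1
        tail = ".".join(host.split(".")[-labels:])  # same depth as official
        if (official in host  # official name buried inside another domain
                or tail.replace("-", "") == official.replace("-", "")  # hyphen
                or edit_distance(tail, official) <= 2):  # swapped/extra letter
            return "lookalike"
    return "unknown"
```

A result of `unknown` does not mean safe: it only means the domain is neither on the official list nor a close imitation of it, which matches the article's advice not to click a link unrelated to what you expected.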

The take home from all these scams is to never share your details with anyone – not via an SMS link, email, QR code, or over the phone. Banks will never ask for your banking information or an OTP, and they will never ask you to download software. Be wary when you receive communications talking about deliveries or competitions you know nothing about and always double-check the legitimacy of a link before you click on it. If you keep this in mind, you’ll have a greater chance of protecting your finances from tricksters.

