Phishing is the number one cybercrime in South Africa. It's the digital equivalent of a con artist in a suit — they look legitimate, they sound legitimate, and they're after your money or your login credentials.
The bad news: phishing scams have become genuinely difficult to spot in 2026. The good news: there are still clear warning signs if you know what to look for. This guide will make you better at spotting them than the average South African.
What Is Phishing?
Phishing is when a criminal pretends to be a trusted entity — your bank, SARS, Takealot, MTN, a government department — and tricks you into handing over your personal information, passwords, or banking details.
The "phish" is the bait: a fake email, SMS, WhatsApp message, or phone call. If you bite — by clicking the link, downloading the attachment, or calling back — you've handed the attacker exactly what they need.
🔑 Key Takeaway
Phishing attacks don't hack your computer — they hack you. They rely on urgency, fear, greed, or trust to make you act before you think.
Real SA Phishing Examples (2026)
Here are actual phishing messages that have been reported by South Africans in 2026:
Fake FNB SMS
"FNB ALERT: Your account has been restricted due to suspicious activity. Verify your details immediately: fnb-verify.co.za"
Fake SARS Email
Subject: "Your SARS Tax Refund is Ready — Claim R4,127.00 Now". The link goes to sars-refunds.net (not sars.gov.za)
Fake Takealot Delivery SMS
"Takealot: Your parcel could not be delivered. Update your delivery address: takealot-delivery.co.za/track"
10 Red Flags to Spot Immediately
The URL doesn't match the real domain
FNB's real website is fnb.co.za. Not fnb-banking.co.za, fnb-secure.com, or fnb.co.za.verify.ru. Hover over any link before clicking and check the actual URL that appears.
Urgent language designed to panic you
"Your account will be suspended in 24 hours." "Immediate action required." "Final warning." Urgency is the scammer's most powerful weapon — it stops you from thinking clearly.
They're asking for your password or OTP
No legitimate South African bank, government department, or company will ever ask you for your password, PIN, or OTP. Not by email, SMS, WhatsApp, or phone call. Ever.
Generic greeting
"Dear Customer" or "Dear Account Holder" instead of your actual name is a major red flag. Your real bank knows your name.
Unexpected attachments
An "invoice", "statement" or "court notice" you weren't expecting. Especially Word documents, Excel files, or PDFs that ask you to "Enable Macros" or "Enable Content".
The sender's email doesn't match the company
A genuine FNB email comes from @fnb.co.za. Watch for variations like fnb@customer-support.co.za, fnb@banking-alerts.net, or misspellings like fnb@fnbb.co.za.
Too good to be true
You've won a competition you never entered. SARS owes you thousands. A "wealthy widow" needs your help. If it sounds unbelievably good — it isn't.
SMS from an unexpected number (not a shortcode)
Real SA banks use verified shortcodes (e.g. "FNB", "ABSA", "CAPITEC"). A banking SMS from a 10-digit number like 0614567890 is almost certainly a scam.
Website looks "almost right" but slightly off
Phishing sites copy the design of real websites but can't perfectly replicate them. Look for incorrect logos, mismatched fonts, poorly formatted text, or a slightly different colour scheme.
No padlock / HTTPS in the address bar
Legitimate sites use HTTPS (look for the padlock icon). However, be aware that many phishing sites now also use HTTPS — so a padlock doesn't guarantee safety. Check the full URL as well.
Spotting Email Phishing
Before you click any link in an email, ask yourself:
- Did I expect this email?
- Does the sender address exactly match the company's real domain?
- Does hovering over the link show the real company's domain?
- Is the email asking me to act urgently?
You can check any link safely by copying it (don't click) and pasting it into virustotal.com or urlscan.io before visiting.
Spotting SMS (Smishing) Scams
SMS phishing ("smishing") is especially dangerous because it often looks like it comes from a trusted shortcode. South African examples include:
- Fake SAPO (Post Office) delivery notifications
- Fake Edgars / Woolworths rewards SMSes
- Fake MTN / Vodacom data bundle alerts
- Fake SARS refund or penalty notices
Golden rule: If an SMS contains a link, go directly to the company's official app or website instead of clicking the link. Never trust a URL in an SMS.
Spotting WhatsApp Scams
WhatsApp scams have multiplied in SA because of how much we use the platform. Common types:
- Verification code theft: Someone in your contacts asks you to forward a 6-digit code (see WhatsApp hijacking)
- Fake job offers: Especially "data capturing" or "typing" jobs from unknown numbers
- Crypto investment groups: Fake testimonials, fake "profits," requests to deposit money
- Lottery/prize scams: "You've won R50,000 — just pay the processing fee"
🔑 Key Takeaway
Block and report any number that sends you unsolicited "opportunities" on WhatsApp. Long-press the message → Report → Block. This helps protect other South Africans too.
What to Do If You've Been Phished
Don't panic — act fast
Speed is everything. The sooner you act, the better your chances of limiting the damage.
Call your bank immediately
FNB: 087 575 9444 | Standard Bank: 0800 020 600 | Capitec: 0860 10 20 43 | Absa: 0860 557 557 | Nedbank: 0800 555 111. Ask them to freeze the account.
Change all your passwords immediately
Start with your email — because all other password resets go through email. Then change banking passwords, social media, and any other accounts.
Run a full antivirus scan
If you clicked a suspicious link or downloaded a file, run a full scan with reputable antivirus software immediately.
Report the scam
Report to SABRIC at 011 847 3000 and to SAPS. Report phishing emails to reportphishing@apwg.org. If it was a WhatsApp scam, report the number in-app.
Block Phishing Sites Automatically
NordVPN's Threat Protection feature automatically blocks known phishing domains — so even if you click, you're protected.
🔒 30-day money-back guarantee
Frequently Asked Questions
Possibly. Some sophisticated phishing sites can install malware just from a visit (a "drive-by download"), but this is less common and usually requires an outdated browser or operating system. Run a full antivirus scan to be safe. If you clicked on a mobile device, ensure your iOS or Android is fully updated.
Yes — this is called "vishing" (voice phishing). It's very common in SA. Attackers call pretending to be your bank's fraud department, often right after you've visited a phishing site. They use information you just entered to sound legitimate. Remember: hang up and call your bank's official number if you're unsure.
From data breaches (SA has had major ones at TransUnion, Dis-Chem, Liberty, and others), social media scraping, public records, bought lists on the dark web, or simply random dialling. Check haveibeenpwned.com to see if your email has been in any known breaches.
It depends. If you were a victim of SIM swap fraud (without any action on your part), banks are generally more likely to reimburse. But if you voluntarily entered your details on a fake site, most SA banks consider this "negligence" and may not refund you. Always report immediately and push for a review — outcomes vary case by case.
Yes, significantly. Modern antivirus suites like Norton 360 and Bitdefender include real-time phishing URL detection. When you try to visit a known phishing site, the software blocks it. This isn't perfect (new phishing sites launch daily), but it catches the majority. Combined with good habits, it's very effective.
