How to Spot a South African Cyber-Scam Before You Click “Pay”

The South African digital economy is no longer a luxury—it is our primary marketplace. E-commerce transaction values surged by a staggering 37% last year, mirrored by the rapid adoption of the PayShap ecosystem, which has already processed over R403 billion across 461 million transactions. But as access scales, so does the sophistication of the “digital heist.” Whether you are investing in a new app, buying from a social media ad, or subscribing to a streaming service, the risk of fraud is the tax on your convenience. This guide provides a professional-grade checklist to ensure your trust scales as fast as your spending.

Verify the Paperwork: Licensing and Legal Registration

In a faceless transaction, paperwork is your first line of defense. A legitimate operation must leave a paper trail with national regulators. If they aren’t on these databases, they don’t legally exist.

• CIPC “BizPortal” (bizportal.gov.za): Conduct an “Entity Search” using the company name or registration number.
  • The “Trading Name” Trap: Scammers often use a recognizable trading name that differs from their official registered name. If a search yields no results, demand the official CIPC name.
  • Status Check: Only deal with companies listed as “Active.” A “Deregistered” status means the entity has lost its legal standing, often due to non-compliance.
• FSCA Verification (fsca.co.za): For any investment or financial platform, checking the FSP number is non-negotiable.
  • The “Category” Nuance: Don’t just check if they have a license; check the Category of Advice. Scammers often obtain a license for “low-risk” products (like basic insurance) while illegally selling “complex/risky” crypto or forex schemes.
  • Direct Verification: If in doubt, call the FSCA toll-free at 0800 110 443.
• The NCC e-Services Portal: As a pro-active consumer, create a profile on the National Consumer Commission’s portal at thencc.org.za. This is the official “command center” for lodging formal CPA complaints and tracking their resolution via a unique reference number.

“There are many fraudsters operating scams, and the number is growing. South Africans lose millions of rands every year to fraudsters.” — Financial Sector Conduct Authority (FSCA)

Technical Gatekeepers: Payment Security and Site Hygiene

Visual cues like the padlock icon and https:// are the bare minimum. A secure platform employs advanced behind-the-scenes protocols to shield your data.

• Advanced Security Protocols: Reputable sites use gateways (like Peach, Yoco, or PayPal) that implement Account Verification Services (AVS) and Multi-Factor Authentication (MFA). These ensure that your sensitive details never actually sit on the merchant’s server where they could be breached.
• The Chargeback Strategy: Always prefer a credit card. Under the Shop Code of Conduct, verified merchants must offer at least one payment method that allows a consumer to recover funds without merchant consent (a chargeback). This is your ultimate “undo” button for non-delivery.
• The OTP Golden Rule: Never share a One-Time Password (OTP) or PIN. Banks will never ask for these. If a “seller” asks for an OTP to “verify” a payment, they are actually using it to drain your account.

Red Flag: Be highly suspicious of sellers requesting EFT-only payments for first-time purchases. Without a gateway, you have zero dispute path.

Transparent Terms: Reading the Fine Print

The Consumer Protection Act (CPA) mandates a “Right to Disclosure” in plain and understandable language. If the legal pages look like a generic template or contain “lorem ipsum” placeholder text, the site is a shell.

• Anti-Bundling Protection: Under the CPA’s “Right to Choose,” suppliers cannot force you to enter into additional, unrelated contracts just to get a single service.
• Plain Language Receipts: Your invoice must include the supplier’s full contact info, physical address, and VAT registration number.

Special Focus: Gaming, Streaming, and Online Casinos

The digital entertainment sector — from streaming platforms to online gaming and casino sites — is a minefield of phishing and “bait-and-switch” tactics. As more South Africans explore licensed online casino platforms, knowing your rights and spotting red flags beforehand is just as important as finding the right odds.

For those starting out, bojoko.co.za aims to provide independent comparisons of licensed, vetted platforms — a practical first step before committing any funds.

• Direct Marketing Rights: If you were targeted via direct marketing (SMS/Email), you have a 5-business-day cooling-off period to cancel without penalty. Once cancelled, the supplier must return your payment within 15 business days.
• Digital Content Trap: Be aware that under the CPA, you generally lose your right of withdrawal once the performance or streaming of digital content has begun with your express consent.
• Giveaway Scams: Be wary of links promising free crypto, free spins, or luxury items. These are almost always phishing attempts designed to harvest data for identity theft.

Red Flag: In investment or gaming “marketplaces,” beware of any request to “pay more money to have your investment or winnings returned.” This is a hallmark of a classic scam.

“Marketplace has become so popular in South Africa… users feel more assured of safety and security on the site. Unfortunately, this is often a false sense of security.” — Carey van Vlaanderen, CEO ESET South Africa

Beyond the Testimonials: The Power of Independent Reviews

On-site testimonials are marketing; third-party reviews are evidence.

• The “Three-Star” Rule: Use Google Reviews to find the truth. A site with nothing but “five-star” ratings is a red flag for manipulation. A trustworthy business usually has a healthy mix of ratings; three- and four-star reviews often provide the most authentic insights into delivery times and service quality.
• The Safe.Shop Trustmark: Look for this digital seal. It isn’t just a badge; it’s a guarantee that lawyers have audited the business against the CPA, ECTA, and POPIA.
  • Skin in the Game: Legitimate Safe.Shop members pay an annual fee of R5,225, proving they are an established entity willing to invest in their own credibility.

Domain Intelligence: The Digital “Smell Test”

Scam sites are often “pop-up” shops. Use domain intelligence to see if the site’s history matches its claims.

• WHOIS Search: Perform a lookup to check the domain’s age. If a “long-standing” brand’s domain was registered two weeks ago, walk away.
  • Expert Insight: WHOIS data only exists for root domains (e.g., co.za), not subdomains (e.g., deals.brand.co.za). Be aware that Domain Privacy Protection is a common industry standard to prevent spam and is not, by itself, a sign of a scam.
• The Lead-Time Test: Send a specific pre-purchase question, such as: “What is the delivery lead time to [Your Suburb/City]?” A legitimate business will provide a clear, specific answer. Scammers rarely bother with custom replies.

“Trust is essential for ecommerce. At EFSA we offer e-merchants the opportunity to be verified by lawyers… the e-shop pays a fee (R5,225 a year) as a guarantee that it is a trustworthy online business.” — Alastair Tempest, CEO Ecommerce Forum Africa