Akhona Nkalitshane, Business Development Manager at Altron Arrow.
Identity fraud is no longer a marginal cyber risk in South Africa; it is a full-scale crisis. According to TransUnion, identity theft surged by an alarming 400% between April 2023 and April 2024, with nearly 43.47% of banking fraud cases now linked directly to identity-related crime.
Biometric abuse has also hit record levels worldwide, making up 16% of detected cases in a single quarter. Criminals don’t just target registration systems but rather authentication itself. Meanwhile, impersonation incidents jumped by 356% in South Africa between April 2022 and April 2023.
The message is clear: attackers are logging in as legitimate users and not just breaking into systems. This risk is amplified by work-from-anywhere models, where personal and professional device use often overlaps.
That overlap increases exposure to consumer-grade threats that can quickly extend into the enterprise. Personal devices and credentials frequently become unintended entry points and, in an era of deepfakes, identity online can’t be reliably verified by appearance, voice, or credentials alone. When these methods can be cloned, identity shifts from recognition to proof.
Instead, online identity must rely on auditable cryptographic, behavioural and contextual verification. It is built from layered signals rather than a single identifier.
Identity security is not only a technology problem just for IT departments; it’s a systemic financial risk because a single compromised credential can expose multiple services, payment networks and institutions simultaneously.
Identity can’t just rest on static attributes such as passwords, phone numbers, or how someone sounds on a call. Modern compliance requires verifiable, auditable identity supported by multi-factor authentication, biometrics, behavioural analytics and Zero Trust principles.
Organisations that cannot prove who accessed what, when and why face not just fraud losses but also regulatory penalties, reputational damage and eroded market confidence. With mandatory breach reporting frameworks in place under the Protection of Personal Information Act, there is no hiding.
It’s continuous verification that matters, not a one-time claim.
Legacy systems create security gaps
Many organisations are still in the process of moving beyond password-centred security models, as legacy systems and complex infrastructure make the transition to modern authentication approaches a gradual one. Legacy systems that were built decades ago weren’t designed for this threat landscape. Upgrading is costly and complex.
But the alternative – hoping you won’t be a victim of a cyber attack – is now statistically unlikely. When incident volume doubles in a single year, you’re not just making a probability bet, you’re managing inevitable risk.
SIM swap fraud has been significantly amplified by AI, enabling criminals to operate with greater scale, precision and sophistication. Attackers use AI-powered tools to automate data harvesting, analyse personal information, and craft highly-convincing social engineering scripts tailored to individual targets.
By the time criminals perform a SIM swap, they often already have illicitly gained the personal information they need for verification. With those details, it becomes much easier for them to pose as legitimate representatives and trick victims.
Although service providers are tightening their SIM swap processes and adding stricter checks, cyber criminals are constantly adapting, finding new ways to bypass safeguards, including harvesting the personal data used for authentication.
Multi-verification is the solution
SMS-based two-factor authentication was once considered adequate. It isn’t anymore. Traditional fraud controls – static rules, password enforcement and SMS verification – can’t scale to AI-enabled attacks that operate at machine speed.
Organisations need dynamic, AI-driven monitoring with behavioural analytics and real-time risk scoring.
But there’s a tension worth acknowledging. A “frictionless” digital experience means seamless, convenient access. Yet removing friction can also remove critical security checks. An example would be how single-sign-on makes logging in easier, but if an attacker compromises one account, they gain access to all connected services, turning convenience into a systemic risk.
The challenge is balancing convenience with security. True frictionless design doesn’t mean eliminating verification, it means embedding security intelligently. Risk-based and adaptive authentication, biometrics and continuous behavioural monitoring keep security transparent for legitimate users while detecting anomalies.
In an era where deepfakes, credential theft and large-scale fraud are eroding confidence, trust can’t be assumed; it must be proven and verifiable for audits and breach investigations. Companies that can clearly prove identity and intent will be trusted by default. Those that cannot will face regulatory friction, customer scepticism and operational risk.
Importantly, mature authentication tools are now accessible and proven, meaning organisations can uplift their security posture with achievable changes rather than aspirational goals.
In an era where trust itself is under attack, strong authentication is becoming the currency through which trust is verified, audited and demonstrated.
