Editor's Note
Last month, a story emerged from the South African government that deserves more attention than it received. The Compensation Fund - the entity responsible for paying workers injured on the job - was found to have lost R71 million in two financial years to fraud. Not through an elaborate cyberattack. Not through malware or ransomware.

Someone changed a bank account number.

What happened to the Compensation Fund is happening to South African businesses right now. And most of them have none of the controls in place to catch it.

SOMEONE CHANGED A BANK ACCOUNT NUMBER. R71 MILLION LATER.

What Happened at the Compensation Fund

The Compensation Fund lost R71 million over two financial years, largely linked to fraudulent changes to banking details and intercepted payments that exploited control weaknesses in legacy systems. Auditors found the system was unencrypted, without proper controls, and that payments amounting to R279 million were made to medical service providers without supporting documents. The Auditor-General has issued a disclaimer audit opinion on the fund for almost 15 years - flagging persistent financial mismanagement, weak controls, and mounting fraud risks each time.

The mechanism of the fraud was not sophisticated. A banking detail was changed in a system without adequate access controls or audit logging. Payments went to the wrong account. By the time it was detected, the money was gone.

The fund implemented biometric identity management controls in October 2025. Since then, it has reported zero incidents of fraudulent banking detail changes, and fraud losses dropped 92% - from R41 million to R3 million - in a single financial year.

The fix was not complicated. The vulnerability was the absence of it.

This Is Not a Government Problem

Business Email Compromise accounts for approximately 40% of reported cyber incidents in South Africa and is one of the most financially damaging online crimes facing local businesses. The mechanism is identical to what happened at the Compensation Fund, scaled down to the size of your business.

Here is how it typically unfolds. A criminal gains access to a supplier's email account - or creates a convincing imitation of it. They monitor communications, identifying an upcoming payment. At the right moment, they send an email to your finance team requesting that future payments go to a new banking account. The email looks legitimate. The urgency feels real. The payment is made. By the time the fraud is detected, the money is often already dispersed, and many of these scams are linked to organised cybercrime syndicates.

South African courts have been clear on where liability sits. In PSG Wealth Management, the court found that PSG had a contractual obligation to employ resources, procedures and technological systems that could reasonably be expected to eliminate the risk of financial loss through fraud - and that by ignoring its own security safeguards around banking verification, it had failed in that obligation. Negligence in your payment process is not a defence. It is a liability.

The Three Controls That Stop This

The Compensation Fund's 92% reduction in fraud losses did not come from expensive technology. It came from three changes that any business can implement.

The first is mandatory verbal verification for any banking detail change. This begins with one rule: never change supplier banking details based on an email alone. A bank detail update must be confirmed by phone using a number already stored in your records - not the number provided in the email, not a contact on a letterhead, and not treated as valid because it arrived with urgency. Urgency in a payment request is a red flag, not a reason to act quickly.

The second is dual authorisation on payments. A stronger payment process requires two levels of approval for any banking detail change or first-time payment, and a clear record of who created the supplier and who approved the change. If one person can both update a banking detail and authorise the payment, the control does not exist.

The third is audit logging. The Compensation Fund's fraud was enabled partly by the absence of proper audit trails - nobody could easily see who changed what, when, and from which account. BEC risk is measured by who can approve payments, who can change vendor banking details, and whether finance teams can verify requests outside the attacker-controlled channel. If your system does not log every change to supplier records, including who made the change and when, you cannot detect fraud that has already happened - let alone prevent it.

What to Check in Your Own Business

Run through these questions with your finance and operations teams:

Is there a written policy requiring verbal confirmation before any banking detail change is made? Does it specify which number to call, and that the number must come from your existing records, not the email?

Can a single person both update a supplier's banking details and authorise payment to that supplier? If yes, that is a gap.

Does your accounting system log changes to supplier records? Can you pull a report showing who changed a banking detail and when?

When did your finance team last receive training on how to identify a fraudulent payment instruction?

If any of those questions do not have a clear answer, the exposure is real. BEC attacks are not random. They are targeted, researched, and often executed over weeks or months - with criminals monitoring email accounts silently until a high-value payment opportunity appears. The controls that stop them are process controls, not technology controls. They cost nothing to implement and require only the discipline to enforce them consistently.

The Bottom Line

The Compensation Fund lost R71 million because a banking detail was changed in a system with no controls and no audit trail. It recovered - partially - after implementing verification and accountability measures that should have been in place from the start. Fraud losses dropped 92% once those controls were in place. The same outcome is available to every South African business that takes these three steps seriously. The question is whether you implement them before or after something goes wrong.

Aigeus Cyber Briefing

Keep Reading