
As AI systems grow more capable, criminals are using them to deliver increasingly sophisticated scams. Yet even as attacks on systems grow in scope and frequency, the exploitation of human trust through social engineering remains the most common entry point to full system infiltration.
“The most common attacks we see are social engineering attempts leveraging AI to coerce users into approving legacy authentication,” said Janike Stiglingh, director of product marketing at Entersekt. An attacker might use a social engineering scam to harvest a user’s login credentials, exploit a known software misconfiguration in a secondary system and finally elevate their privileges.
Stiglingh cited an example in which an employee took a call from her frantic manager asking her to make a payment and read out the OTP while still on the line. The voice, cadence and intonation seemed authentic. They were later found to be an AI-generated deepfake. By then the money was gone.
That scenario is increasingly the shape of fraud in South Africa – though the headline numbers cut both ways. According to the South African Banking Risk Information Centre (Sabric), total financial crime losses fell from R3.3-billion to R2.7-billion in 2024, a drop of around 18% that the body attributed to stronger prevention and detection by the banks.
Digital banking fraud bucked that trend. Reported incidents jumped 86%, from 52 584 in 2023 to 97 975 in 2024, while associated losses rose 74% to R1.89-billion. Within that total, the banking app was the dominant channel, accounting for 65.3% of digital banking fraud incidents, up from 60% a year earlier. App-related cases nearly doubled to about 64 000, with losses exceeding R1.2-billion.
Social engineering
Crucially, Sabric found these were not movie-style hacks of banking platforms. They were the product of social engineering – criminals tricking people into surrendering Pins, passwords and approvals.
What AI has changed is not the nature of the crime but its scale and believability. Anna Collard, an executive at security-awareness firm KnowBe4, describes it as classic deception with a force multiplier. The technology keeps improving, but the target is unchanged: human psychology – trust, urgency, fear and emotion, she said.
“One of the biggest shifts with AI-generated scams is the scale and personalisation,” said Collard. Criminals can now produce convincing phishing e-mails, fake voices, deepfakes and scam content in minutes, often tailored to local languages, cultures and current events. “In the future, ‘seeing is believing’ no longer applies online.”
Volume and personalisation are supercharged when attack types are combined. Increasingly, criminals chain several small weaknesses together: a social-engineering scam to harvest credentials, a misconfigured secondary system, a quiet escalation of privileges.
That is what makes the new wave so hard to stop. Legacy security tools sit in silos, each watching one slice of the problem, Stiglingh said. If those tools do not talk to one another, the overall pattern never surfaces and each isolated event looks too minor to trigger a response.
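The gap between siloed and correlated detection described above can be shown in a short sketch. This is an added example, not code from Entersekt or any product named in the article; the event names, risk scores, thresholds and 30-minute window are all assumptions, and the log events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, source tool, user, action, risk score).
# Action names and scores are hypothetical, not taken from any real product.
EVENTS = [
    ("2024-05-02T09:01:00", "auth", "user_a", "legacy_auth_approved", 3),
    ("2024-05-02T09:07:00", "app",  "user_a", "misconfigured_system_access", 3),
    ("2024-05-02T09:12:00", "iam",  "user_a", "privilege_elevated", 4),
    ("2024-05-02T09:03:00", "auth", "user_b", "legacy_auth_approved", 3),
    ("2024-05-02T14:30:00", "iam",  "user_b", "privilege_elevated", 4),
]
SILO_THRESHOLD = 5               # assumed: score at which one tool alerts alone
CHAIN_THRESHOLD = 8              # assumed: combined score that triggers a response
MIN_SOURCES = 2                  # a chain must span at least two tools
WINDOW = timedelta(minutes=30)   # assumed correlation window

def siloed_alerts(events):
    """Each tool judges only its own events, one at a time."""
    return [e for e in events if e[4] >= SILO_THRESHOLD]

def correlated_alerts(events):
    """Merge all sources per user and score sequences inside a time window."""
    by_user = defaultdict(list)
    for ts, source, user, action, score in events:
        by_user[user].append((datetime.fromisoformat(ts), source, action, score))
    alerts = []
    for user, evs in by_user.items():
        evs.sort()  # chronological order
        for i, first in enumerate(evs):
            window = [e for e in evs[i:] if e[0] - first[0] <= WINDOW]
            sources = {e[1] for e in window}
            total = sum(e[3] for e in window)
            if len(sources) >= MIN_SOURCES and total >= CHAIN_THRESHOLD:
                alerts.append({"user": user, "score": total,
                               "chain": [e[2] for e in window]})
                break  # one alert per user is enough
    return alerts

if __name__ == "__main__":
    print("siloed:", siloed_alerts(EVENTS))
    print("correlated:", correlated_alerts(EVENTS))
```

In the constructed data no single event reaches the per-tool threshold, so the siloed view raises nothing, while the merged view flags user_a's three-step sequence and ignores user_b's two events hours apart.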
The same tools that scale attacks are also being used to scale defences. Collard argued that the sophistication of AI-driven attacks is making detection harder for humans and automated systems alike, producing an AI-versus-AI contest in which defenders deploy the same technology to keep pace.
Collard’s prescription is “digital mindfulness” – a habit of healthy scepticism in a world where audio and video can no longer be taken at face value. Stiglingh’s is architectural: assume the human will be fooled and build systems that catch what the human cannot. That means centralised visibility to correlate logs from across the digital ecosystem, she said, and context-aware analysis that can read behavioural intent and judge whether a sequence of actions adds up to something malicious. – © 2026 NewsCentral Media
