This week, I became the victim of a fraudulent SIM swap. For a period, I lost control of a mobile number I have used for more than 20 years. The perpetrators took over my WhatsApp account and attempted to solicit money from some of my contacts. Fortunately, many recognised immediately that the messages were entirely out of character and ignored them. While the personal inconvenience has now been resolved, the experience exposed a much larger public policy question. When I engaged with the relevant institutions, it became clear that they acknowledge SIM swap fraud has become widespread and increasingly sophisticated. Yet there remains a gap between the evolving nature of cybercrime and the institutional mandates, regulatory frameworks and operational capabilities available to respond to it. This is not simply a telecommunications issue. It is a state capability issue. We often define institutions as “the rules of the game”. But institutions must also evolve as the game changes. Where regulations implementation and enforcement lag behind rapidly changing technology and organised crime, citizens are left exposed. In the attached article, I reflect on this experience as a case study in institutional adaptation, regulatory capability and the broader challenge of rebuilding state capacity in the digital age. I hope it contributes to a wider discussion about how South Africa can strengthen institutional resilience against emerging forms of cybercrime.
For many years, I have argued that South Africa’s principal challenge is not simply one of policy design but of institutional capability. We often define institutions as “the rules of the game” — the formal and informal rules that structure behaviour, allocate responsibility and reduce uncertainty. But institutions are more than statutes and regulations. They are the state’s practical capacity to anticipate risks, adapt to changing realities, and protect citizens.
My recent experience as the victim of a fraudulent SIM swap brought this lesson into sharp focus.
I received a warning SMS from my mobile network informing me that a SIM swap had been requested on my number. The message advised me to contact the network within two hours if I had not initiated the request. I had not. Yet, despite the warning, the SIM swap was completed and I lost control of a mobile number I had used for more than twenty years. For a period, I also lost access to my WhatsApp account, which was then used by criminals to solicit money from my contacts.
As I sought assistance, a more profound institutional problem became apparent.
When I reported the matter to the Independent Communications Authority of South Africa (ICASA), the Authority acknowledged that fraudulent SIM swaps have become a significant and growing problem. Indeed, ICASA explained that it is proposing amendments to the Numbering Plan Regulations that would introduce mandatory biometric verification against the Department of Home Affairs database for SIM activations, reactivations and SIM swaps. The objective is to combat fraud, identity theft and cybercrime.
Yet, in the same correspondence, ICASA advised that it presently has no jurisdiction over individual fraudulent SIM swap complaints and that such matters should instead be reported to the South African Police Service because they constitute criminal conduct.
There is an irony here that deserves careful reflection.
The regulator responsible for the numbering system acknowledges that the existing regulatory framework is inadequate, recognises the scale of the problem, proposes reforms to address it, but is unable to intervene in the meantime when citizens become victims of precisely the problem those reforms seek to solve.
This is not a criticism of individual officials. They are operating within the limits of the current legal framework. Rather, it illustrates a broader challenge facing the South African state: our institutions are frequently organised around yesterday’s risks while today’s threats evolve far more rapidly.
Cybercrime, digital identity theft and SIM swap fraud have become integral features of modern organised crime. A mobile phone number is no longer merely a telecommunications service. It has become a digital identity credential that provides access to banking, email, social media, business systems and government services.
Losing control of a mobile number can expose an individual to extensive financial and reputational harm.
This changes the policy question.SIM swap fraud should not be viewed merely as a dispute between a customer and a telecommunications provider. It is a matter of national digital security, consumer protection and public confidence in the communications system.
South Africa therefore requires a more integrated institutional response.
The police investigate crime. Telecommunications licensees secure their networks and subscriber authentication processes. The Information Regulator protects personal information. Consumer authorities address unfair business practices. ICASA regulates the communications sector.
These responsibilities should not operate in isolation. Modern cybercrime cuts across institutional boundaries. Effective governance therefore requires coordinated oversight, information sharing and regulatory agility.
This is precisely what we mean when we speak about rebuilding state capability.
Institutional reform is not simply about creating new laws. It is about ensuring that institutions evolve at the same pace as the risks confronting society.
ICASA’s proposed amendments are a welcome acknowledgement that stronger subscriber verification is required. Mandatory biometric verification linked to the Department of Home Affairs has the potential to reduce fraudulent SIM swaps significantly. However, regulatory reform should not stop there. Consideration should also be given to:
• mandatory multi-factor verification for high-risk account changes;
• real-time customer confirmation before SIM swaps are finalised;
• compulsory fraud reporting by licensees;
• minimum security standards across all mobile operators;
• coordinated protocols between telecommunications providers, banks and law enforcement agencies; and• clear regulatory accountability where systemic weaknesses expose consumers to foreseeable harm.
The public interest lies not only in prosecuting fraudsters after the fact. It also lies in preventing the fraud from occurring in the first place.
This episode reinforces a lesson that extends well beyond telecommunications.
Across many sectors, South Africa’s institutions increasingly recognise emerging risks but lack either the legal mandate or the operational capability to respond effectively in real time.
The challenge of institutional renewal is therefore not simply one of efficiency. It is one of democratic governance. Citizens expect the state not only to regulate markets but also to anticipate evolving threats and adapt its institutions accordingly.
The rules of the game must evolve with the game itself. When they do not, organised crime exploits the gap.
That gap is where institutional renewal must begin.