South Africa's retail sector under siege: How retailers can fight cybercrime and fraud



Webber Wentzel

9th October 2025


So far in 2025, South African retailers have faced an unprecedented wave of cybercrime and fraud, as businesses battle a sophisticated and ever-evolving threat landscape. From organised cyber-attacks and e-commerce vulnerabilities to internal fraud, retailers face significant pressure to bolster their defences, protect their bottom line, and maintain their customers' hard-earned trust.

The repercussions of cybercrime and fraud are significant. The average cost of a data breach for a South African company is a staggering ZAR 40-million. Beyond financial losses, the legal and reputational consequences are severe, with 79% of consumers regarding the protection of their personal data as very important when choosing with whom to transact. Furthermore, cyber, financial and data security failures can result in regulatory fines, litigation and criminal charges.

In a market driven by consumer confidence, the threat of lasting brand damage has never been more palpable. For retailers, data security is no longer optional; it is a competitive differentiator.

The retail battlefront: key fraud and cyber risks

For South African retailers, the battlefront against fraud is multi-faceted, spanning online platforms, physical stores, and internal operations, all facing increasingly sophisticated threats.

The continued growth of online shopping in South Africa has brought a surge in e-commerce fraud. Retailers face fake e-commerce sites mimicking their brands to steal payments, widespread payment fraud using stolen credit card details, and account takeovers that exploit customers' stored information.

While online channels are a key battleground, traditional in-store fraud remains a persistent problem for South African retailers. This includes card skimming at point-of-sale devices and return fraud. Employee fraud is also a sensitive but critical issue. Common schemes range from direct theft of cash and inventory to more complex activities such as generating fraudulent invoices or colluding with external parties to defraud the organisation.

The rise of artificial intelligence (AI) is further complicating the battlefront. AI-powered bots can be used to execute sophisticated credential stuffing and phishing attacks on a massive scale, tricking customers and employees alike into revealing sensitive information.

Rules of engagement: legal framework 

Over and above having to grapple with an evolving threat landscape, South African retailers must be acutely aware of and comply with several key pieces of legislation. These laws create a framework for data protection, electronic transactions, and the prosecution of cyber offences, imposing significant compliance burdens on businesses that handle customer information.

The Protection of Personal Information Act 4 of 2013 (POPIA) is the most significant piece of data protection legislation in South Africa and governs how retailers process personal information. In terms of POPIA, retailers are legally obligated to secure the integrity and confidentiality of personal information in their possession. This involves implementing "appropriate, reasonable technical and organisational measures" to prevent loss, damage, and unauthorised access.

The Cybercrimes Act 19 of 2020 consolidates South Africa's laws related to cyber offences. It creates a wide range of new crimes and imposes legal obligations on businesses to assist law enforcement officials in investigations. Since consumers and employees expect retailers to take proactive steps to protect them from falling victim to cybercrimes, retailers must be familiar with the activities the Act criminalises, such as hacking, digital misrepresentation with the intention to defraud, ransomware attacks, and cyber fraud.

The Electronic Communications and Transactions Act 25 of 2002 (ECTA) provides specific protections for online shoppers. Retailers must provide detailed information about their business, the goods or services being sold, payment terms, and return policies.

The Financial Intelligence Centre Act 38 of 2001 (FICA) is South Africa's primary anti-money laundering and counter-terrorist financing legislation. Its purpose is to help identify the proceeds of crime and combat illicit financial activities. While not every retailer must comply with FICA, it becomes a critical obligation for those dealing in certain high-value goods or offering specific financial services. FICA compliance forces retailers to be a frontline defence against financial fraud, requiring them to actively vet their customers and scrutinise transactions.

Non-compliance with the above statutory obligations can result in severe penalties, including fines, imprisonment, both fines and imprisonment, and transactions being voidable. Furthermore, the reputational damage and civil claims from affected customers can lead to significant financial losses.

Navigating the maze: A smarter approach to retail risk

For South African retailers, navigating the intricate demands of legislation while defending against an ever-evolving array of sophisticated fraud schemes is a monumental task. No business can build an impenetrable fortress; a determined adversary with enough resources is likely to find a crack in the digital armour. Rather than striving for perfect security, shifting focus to building resilience and adopting smart, targeted risk mitigation strategies is likely to be much more effective.

Empowering the front line: Middle management as a human firewall

The lynchpin of an effective risk strategy isn't found in a server room, but on the shop floor and in the regional offices. One of the most strategic investments a retailer can make is in empowering its middle management, the individuals who oversee daily operations and lead the frontline teams. These managers are perfectly positioned to act as a human firewall, capable of spotting anomalies and responding with an agility that centralised security teams cannot match. By equipping them with the right tools and authority, a retailer transforms a potential point of weakness into its most dynamic line of defence.

This front line should comprise four main columns:

Surveying the battlefield - Treating cybersecurity not as a burdensome cost centre, but as a crucial competitive advantage. This begins with a proactive and honest risk assessment, involving a thorough analysis of vulnerabilities from the point-of-sale systems on the shop floor to the third-party logistics partners in the supply chain. This internal analysis must then be benchmarked against industry norms and practices.

Vigilance - Managers must be equipped with practical skills to spot threats on the ground. Fostering a security-conscious culture starts with regular cybersecurity awareness sessions and simulations tailored to the specific risks of a retail environment. Managers must also understand their compliance obligations and the penalties for failing to comply so that compliance becomes a critical part of their operational decision-making. Employees should feel empowered to question unusual requests and report potential threats on an ongoing basis. The effectiveness of these measures should be validated through regular audits and penetration tests, which provide invaluable feedback to refine training and keep defences sharp against emerging threats.

Fit-for-purpose arsenal - Empowering middle managers to act decisively transforms them from passive observers into a rapid response force. This empowerment is not about encouraging reckless action but about providing a clear framework for immediate and effective intervention. A manager who spots a potential breach must be guided by a well-documented incident response plan that defines response procedures, outlines exact roles and responsibilities during a crisis, and provides robust stakeholder communication protocols. This plan cannot be a static document; it must be reviewed quarterly, tested annually, and updated after every major security event. By ensuring managers know precisely what to do, what they are authorised to decide, and who to call, retailers can contain threats with urgency, significantly reducing their potential impact.

Battle playbook - Achieving compliance with South Africa's intricate legal framework can feel daunting, but a structured and proactive approach can make it a manageable and sustainable business function. Practical strategies retailers can implement include:

  • Conducting a comprehensive compliance gap analysis to map processes involving personal or financial information and compare them against legislative and regulatory requirements. This reveals non-compliance areas and provides a clear, prioritised roadmap for remediation.
  • Engaging with legal and cybersecurity professionals who specialise in the retail sector to assist with building and maintaining a practical Compliance Toolkit.
  • Moving beyond generic annual training and developing role-specific modules. For example, cashiers may need to understand POPIA rules for handling customer contact details when processing returns, whereas luxury goods sales staff must be well-versed in FICA procedures.

In the high-stakes theatre of South African retail, the dual threats of sophisticated cybercrime and a complex legal framework demand a new script. Static, technology-centric defences are no longer sufficient to protect the bottom line or maintain customer trust. The path to resilience lies in a strategic pivot towards human capital, where middle management becomes the first line of defence. This involves a continuous cycle of assessing unique risks, embedding security awareness through practical training, and equipping leaders with clear, actionable response plans. Ultimately, this strategy transforms cybersecurity from a reactive cost into a proactive investment in the interest of fostering consumer trust.

For forward-thinking retailers, robust security is no longer a defence; it is the ultimate competitive advantage.

Written by Chandni Gopal, Partner, Aaqilah Nagdee, Senior Associate & Precious Maphupha, Candidate Attorney at Webber Wentzel

 
