AI vendor fraud forces South Africa to reinvent verification: SOTRU is born in Cape Town

🕒 Published on Zendoric: July 15, 2026 · 08:41
A Cape Town startup launches SOTRU to close the gap between verifying a vendor once and trusting them forever: cryptographic credentials that persist within the email, WhatsApp and calls where AI fraud slips in today.
By TechFinancials · July 15, 2026.
SOTRU Identity and Communications, the South African platform formerly known as VERA, has officially exited beta with more than 40 active users and inbound interest from seven countries. Its premise is simple and, at the same time, uncomfortable for the compliance sector: traditional KYC and KYB verify a supplier only once, at onboarding, but fraud happens afterward—in email, on WhatsApp or on a video call—when someone impersonates that same supplier to redirect a payment. SOTRU issues cryptographically signed, reusable digital credentials validated against identity, corporate and banking sources, so that verified identity does not evaporate the moment the real commercial conversation begins. The company, founded by Max Coleman, Jack Scott-King and James Clark, is already deploying in document-heavy, high-volume sectors such as property conveyancing, construction logistics, corporate procurement and legal services, and has just won the Irish Tech Challenge South Africa 2025.
The figures that frame the launch are the ones that truly matter. Business email compromise (BEC) affected 63% of organizations worldwide in 2024, according to figures cited in the article, and the FBI's Internet Crime Complaint Center recorded $2.77 billion in losses through this channel. In South Africa, the Standard Bank data breach in April 2026 and the repeated ransomware incidents at the NHLS have shown how that stolen data ends up feeding targeted phishing, impersonation and payment-redirection scams. SABRIC, as noted in the source, places digital banking fraud as the country's dominant criminal channel, with tactics increasingly assisted by AI: automatically generated phishing, WhatsApp manipulation and deepfake-cloned voices to hijack existing commercial relationships. These figures should be read for what they are—third-party data (FBI, SABRIC) compiled by the company itself to justify its product—not as an independent audit of the problem.
SOTRU's roadmap is revealing of where fraud is moving and, therefore, where defense has to move. The company is announcing real-time identity verification during voice and video calls to neutralize cloned-voice impersonation, active credential monitoring that alerts when a counterparty's banking details or authorized representatives change, and a risk-scoring and regulatory-compliance (FICA) layer planned for the third quarter of 2026. It is, in essence, an attempt to turn verification into a continuous process rather than a stamp applied once and forgotten.
Our reading is that this launch, modest in scale—a startup in beta, a few dozen clients, no funding figures disclosed—is a useful symptom of a much broader dynamic we have already been flagging: generative AI has industrialized identity fraud (voice, video, text) faster than organizations have adapted their verification processes, which remain anchored to a single moment at onboarding. The result is an arms race in which the same capability that generates a convincing voice deepfake is now what's needed to detect it in real time within a call. It is no coincidence that SOTRU's own roadmap devotes its first priority to voice and video calls: that is exactly where fraud is shifting, as both the company itself and the industry statistics it cites acknowledge.
This fits with what we have long maintained about AI risk in the short term: the immediate danger is not a distant superintelligence, but the cheap automation of everyday deception—a forged invoice, a call with a cloned voice, a WhatsApp message that looks like it's from the usual supplier—and that risk demands practical governance now, not a decade from now. Companies like SOTRU, and the continuous-verification ecosystem they represent (identity as infrastructure, not as paperwork), are part of the honest answer to that short-term problem: they don't eliminate fraud, but they make the attack more expensive and shorten the window in which fraud goes unnoticed. In the long run, the more mature and cheaper this continuous-trust layer becomes, the easier it will be for AI-assisted commerce—agents that negotiate, invoice and pay autonomously—to operate without identity impersonation being the bottleneck it is today. The underlying paradox does not go away: we will need more AI, not less, to defend ourselves against the AI already being used to deceive.
🔗 Related on Zendoric


