Published: 5 May 2026 | By AOLC
Of all the cyber threats facing South African businesses today, phishing is by far the most common — and the most successful. It does not require sophisticated malware or a zero-day exploit. All it takes is one convincing email landing in the right inbox at the wrong moment, and an attacker has everything they need: login credentials, financial access, or a foothold inside your network.
South Africa consistently ranks among the top ten most-targeted countries globally for phishing attacks. With growing digital adoption, a surge in business email use post-pandemic, and millions of employees now accustomed to receiving urgent emails about payments, deliveries, and compliance notices, the conditions are ideal for attackers. And with POPIA now in full effect, the cost of a data breach has never been higher.
The good news is that phishing is one of the most preventable cyber threats — provided your team knows what to look for and your IT environment is correctly configured. This guide covers both.
95% of successful cyber attacks on organisations begin with a phishing email. Your people are both your biggest vulnerability and your strongest defence.
What Is a Phishing Attack?
Phishing is a form of social engineering where an attacker impersonates a trusted source — a bank, a supplier, a government body, or even a colleague — to trick a recipient into revealing sensitive information, transferring money, or downloading malware.
The name comes from the idea of "fishing" for victims: send enough convincing lures, and eventually someone bites. Modern phishing has evolved well beyond poorly written emails full of spelling errors. Attackers now use:
- Spear phishing — Targeted attacks using the recipient's name, role, or real business context to make the message more believable. A CFO might receive an invoice from a known supplier with slightly altered bank details.
- Whaling — Spear phishing aimed specifically at executives. The goal is often a large fraudulent payment or access to sensitive systems.
- Smishing — Phishing via SMS, increasingly common in South Africa with messages impersonating courier companies, banks, or SARS (the South African Revenue Service).
- Vishing — Voice phishing, where attackers call employees posing as IT support or bank fraud departments to extract credentials over the phone.
R2.7B+
Estimated annual cybercrime losses for South African businesses, with phishing and Business Email Compromise accounting for the largest share, according to industry estimates.
How to Spot a Phishing Email
Even with advanced email filtering in place, some phishing emails will make it through. Knowing the warning signs is your team's last line of defence. Train your staff to pause and check for these red flags before clicking anything:
- Sender address mismatch — The display name says "FNB Security Team" but the actual email address is something like security@fnb-alerts.co. Always check the full address, not just the display name.
- Urgency or threats — "Your account will be closed in 24 hours." "Payment overdue — legal action pending." Attackers create panic to stop you thinking clearly. Legitimate businesses rarely demand immediate action without prior communication.
- Suspicious links — Hover over any link before clicking. If the URL does not match the company's real domain — or uses a lookalike such as standard-bank-secure.com instead of standardbank.co.za — do not click.
- Unexpected attachments — An invoice you did not request, a delivery notification with a .zip attachment, or a "document" that requires you to enable macros. These are common delivery mechanisms for malware.
- Requests for credentials or payment changes — Your bank, SARS, and legitimate suppliers will never ask you to confirm your password by email. Any email requesting credentials, or asking you to change payment details, should be verified by phone before acting.
- Grammatical perfection is no longer a safety signal — AI-generated phishing emails are now indistinguishable from legitimate correspondence in tone and grammar. Do not rely on poor writing as your only filter.
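The first and third red flags above (display-name mismatch and lookalike link domains) can be checked mechanically. The following is an added example, not code from AOLC: it assumes a small, constructed table of brands and the domains they really send from, and uses the page's own FNB and Standard Bank examples as test input.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed table of the brands a business deals with and the domains each
# really sends from (assumption: replace with your own banks and suppliers).
TRUSTED_DOMAINS = {
    "fnb": {"fnb.co.za"},
    "standardbank": {"standardbank.co.za"},
    "sars": {"sars.gov.za"},
}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def registered_domain(host):
    """Reduce a hostname to its registrable part, e.g. www.fnb.co.za -> fnb.co.za."""
    parts = host.lower().rstrip(".").split(".")
    # Two-level public suffixes common in South Africa (co.za, gov.za, org.za, ac.za).
    if len(parts) >= 3 and parts[-2] in ("co", "gov", "org", "ac") and len(parts[-1]) == 2:
        return ".".join(parts[-3:])
    return ".".join(parts[-2:])


def brand_tokens(text):
    """Brands whose name appears in text once spaces, dots and hyphens are stripped."""
    flat = re.sub(r"[^a-z0-9]", "", text.lower())
    return {brand for brand in TRUSTED_DOMAINS if brand in flat}


def check_message(from_header, body):
    """Return the red flags found in one message; an empty list means none."""
    flags = []
    display_name, address = parseaddr(from_header)
    sender_domain = registered_domain(address.split("@")[-1]) if "@" in address else ""
    # Display name claims a brand, but the real address is not one of that brand's domains.
    for brand in brand_tokens(display_name):
        if sender_domain not in TRUSTED_DOMAINS[brand]:
            flags.append(f"display name '{display_name}' but sender domain is {sender_domain}")
    # A link domain that merely contains a brand name is a lookalike, not the real site.
    for url in URL_RE.findall(body):
        link_domain = registered_domain(urlparse(url).hostname or "")
        for brand in brand_tokens(link_domain):
            if link_domain not in TRUSTED_DOMAINS[brand]:
                flags.append(f"lookalike link domain {link_domain} imitates {brand}")
    return flags
```

The suffix handling is deliberately simple; a production filter would use a full public-suffix list.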
Tip
Hover over any hyperlink before clicking. On mobile, press and hold to preview the full URL. If the domain does not exactly match the sender's real website, treat it as malicious.
Phishing Tactics Targeting South African Businesses
South African businesses face several phishing campaigns that are specifically tailored to local context. Understanding what attackers commonly impersonate helps your team recognise the lure:
- SARS impersonation — Tax season triggers a wave of fake SARS notices claiming you owe a penalty, are owed a refund, or must complete a compliance form urgently. The links redirect to credential-harvesting pages designed to look like the eFiling portal.
- Bank fraud alerts — Emails mimicking major South African banks, warning of suspicious transactions or blocked accounts. The goal is to get you to log in through a fake portal and capture your internet banking credentials.
- Business Email Compromise (BEC) — An attacker compromises or spoofs the email account of a supplier, director, or colleague and requests an urgent EFT payment to a different account. South African companies lose hundreds of millions of rand to BEC each year. Always verify payment instruction changes by phone — never by replying to the same email thread.
- Load shedding and UPS scams — A uniquely South African angle: fake offers for backup power equipment, generator services, or solar deals delivered via phishing links. The urgency of load shedding makes recipients less cautious than they would otherwise be.
- POPIA compliance notices — Fake emails claiming to be from the Information Regulator, threatening fines for non-compliance and directing you to a fraudulent portal. The real Information Regulator communicates through official registered mail.
- Microsoft 365 credential theft — A fake SharePoint notification or Teams message alert redirects to a spoofed Microsoft login page. Once attackers have your M365 credentials, they have access to your email, files, and any integrated business systems.
3 min
The average time between a phishing email being opened and credentials being entered on a fake site. Attackers count on your team moving fast and not verifying.
What to Do If Your Team Gets Phished
Acting fast when a phishing attack succeeds can dramatically limit the damage. If someone on your team clicks a link, enters credentials, or opens a malicious attachment, follow these steps immediately:
- Isolate the affected device — Disconnect it from the network (unplug the cable, turn off Wi-Fi) to prevent any malware from spreading to other systems.
- Reset the compromised credentials immediately — Change passwords for any accounts the user accessed from that device or disclosed in the phishing form. Start with email, then Microsoft 365, then any financial or business systems.
- Check for mail forwarding rules — Attackers who access an email account often set up a silent forwarding rule to copy all incoming mail to an external address. Log into the account's settings and verify that no forwarding rules have been created.
- Check for unfamiliar sent items or transactions — Review the account's sent folder for emails sent on the user's behalf. Check financial systems and your bank for any unauthorised transactions initiated around the time of the incident.
- Notify your IT provider immediately — Your managed security team can review logs, assess the scope, and contain the threat. Time matters — the longer an attacker has undetected access, the more damage they can do.
- Assess POPIA obligations — If personal data of employees, customers, or third parties was potentially accessed, you may have a duty to report the breach to the Information Regulator within 72 hours and notify affected parties. Document everything.
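The forwarding-rule check in the steps above can be scripted over an export of a mailbox's inbox rules. This is an added example, not AOLC's code: it assumes the JSON shape that Microsoft Graph returns for a mailbox's messageRules (field names are an assumption), an organisation domain of example.co.za, and a rule set constructed for the demonstration.

```python
ORG_DOMAIN = "example.co.za"  # assumption: your tenant's own primary mail domain

# Constructed sample in the shape Microsoft Graph returns for a mailbox's
# messageRules (assumption about field names; adjust to match your export).
SAMPLE_RULES = [
    {"displayName": "Newsletters", "isEnabled": True,
     "actions": {"moveToFolder": "FOLDER-ID-PLACEHOLDER", "markAsRead": True}},
    {"displayName": ".", "isEnabled": True,
     "conditions": {"bodyContains": ["invoice", "payment"]},
     "actions": {"forwardTo": [{"emailAddress": {"address": "drop@external-mailbox.example"}}],
                 "delete": True}},
    {"displayName": "To assistant", "isEnabled": True,
     "actions": {"redirectTo": [{"emailAddress": {"address": "pa@example.co.za"}}]}},
]

FORWARD_ACTIONS = ("forwardTo", "forwardAsAttachmentTo", "redirectTo")


def external_targets(rule):
    """Addresses outside ORG_DOMAIN that this rule forwards or redirects mail to."""
    targets = []
    for action in FORWARD_ACTIONS:
        for recipient in rule.get("actions", {}).get(action, []):
            address = recipient.get("emailAddress", {}).get("address", "").lower()
            if address and not address.endswith("@" + ORG_DOMAIN):
                targets.append(address)
    return targets


def suspicious_rules(rules):
    """Return (rule name, reasons) for every enabled rule that needs a human look."""
    findings = []
    for rule in rules:
        if not rule.get("isEnabled", True):
            continue
        reasons = []
        targets = external_targets(rule)
        actions = rule.get("actions", {})
        if targets:
            reasons.append("forwards to external " + ", ".join(targets))
        # Forward-and-delete (or forward-and-file) keeps the mailbox owner from noticing.
        if targets and (actions.get("delete") or actions.get("moveToFolder")):
            reasons.append("hides the forwarded mail from the mailbox owner")
        # A blank or punctuation-only name is a sign the user did not create the rule.
        if not rule.get("displayName", "").strip(" ."):
            reasons.append("blank or punctuation-only rule name")
        if reasons:
            findings.append((rule.get("displayName", ""), reasons))
    return findings
```

Run the same triage against every mailbox in the tenant, not only the one that was phished; internal redirects (like the assistant rule) are left alone so the output stays short enough to act on.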
Under POPIA, a data breach that compromises personal information must be reported to the Information Regulator within 72 hours of becoming aware of it. Failure to notify can result in fines of up to R10 million.
How to Build a Phishing-Resistant Team
Prevention is far cheaper than recovery. A business that invests in the right combination of people, process, and technology significantly reduces its risk of a successful phishing attack. Here is what a complete anti-phishing posture looks like:
- Security awareness training — Regular, engaging training that teaches employees to recognise phishing lures. The best programmes include simulated phishing exercises where employees receive realistic fake phishing emails and get immediate, constructive feedback if they click. AOLC's Cyber Awareness Training programme is designed for South African workplaces and covers the local tactics described above.
- Multi-factor authentication (MFA) on every account — Even if an attacker steals a password, MFA prevents them from using it without the second factor. Enable MFA on Microsoft 365, banking portals, VPNs, and every business system that supports it. This is the single highest-impact control you can implement.
- Email filtering and anti-phishing technology — Advanced email security tools (such as Microsoft Defender for Office 365 or Mimecast) scan incoming messages for spoofed sender addresses, malicious links, and suspicious attachments before they reach the inbox. AOLC's Cloud & Security service includes email security configuration and ongoing management.
- DMARC, SPF, and DKIM for your own domain — These email authentication protocols prevent attackers from spoofing your company's domain to send phishing emails to your customers or partners. Without these records configured correctly, anyone can send an email that appears to come from your domain.
- Clear payment verification procedures — Establish a policy that any change to banking details — from a supplier, a customer, or even a colleague — must be verified by a phone call to a number you already have on file. Not via the same email thread. This single procedural control stops most BEC attacks.
- Incident reporting culture — Make it easy and safe for employees to report suspicious emails. Many successful attacks persist because employees are too embarrassed to admit they clicked something. A blame-free reporting process means attacks get caught faster.
- Managed security monitoring — AOLC's Managed Security service provides ongoing monitoring that can detect unusual login patterns, unexpected email forwarding rules, and anomalous access — catching the signs of a successful phishing attack before it becomes a full breach.
Tip
Run a simulated phishing test before your first training session to get a baseline click rate. Most businesses are surprised — and motivated to improve. Post-training, repeat tests typically show a 60–80% reduction in click rates within three months.
What to Do Next
Phishing is not a problem you solve once. It requires ongoing vigilance — regular training, up-to-date technical controls, and clear procedures your whole team follows. The businesses that suffer the least from phishing are the ones that treat it as a people problem as much as a technology problem.
If you are not sure where your business stands, AOLC can assess your current email security configuration, identify gaps in your defences, and build a training programme tailored to your team and industry. A security assessment is the fastest way to move from uncertainty to a clear action plan.
You can also read our Cybersecurity Checklist for South African SMEs for a broader overview of the controls every business should have in place.
Book a Security Assessment
Find out exactly where your business is exposed — before an attacker does. AOLC will assess your email security, identify phishing risks, and give you a clear remediation plan.