
HR targeted as cyber attackers prey on employee instinct

By Christopher Tredger, Technology Portals editor, ITWeb
Johannesburg, 27 Oct 2025
Anna Collard, SVP content strategy and CISO advisor at KnowBe4 Africa.

The most successful phishing tactic of 2025 isn’t a sophisticated external threat; it’s a simple e-mail disguised as an internal message from HR or IT. This is according to KnowBe4's Q2 2025 Phishing Report, which claims 98.4% of the most clicked phishing simulations were disguised this way.

KnowBe4 says HR has emerged as the top lure in SA and globally; HR-themed topics such as performance reviews and updates accounted for 42.5% of all successful phishing clicks.

Another report by the company, KnowBe4’s Africa Human Management Report, found that while leaders rate awareness highly (typically 4/5), only 10% are fully confident their teams would actually report a suspicious e-mail.

This highlights a dangerous disconnect between perceived awareness and real-world readiness, according to KnowBe4.

Anna Collard, SVP content strategy and CISO advisor at KnowBe4, said: “Attackers understand that employees are conditioned to respond quickly to internal requests. The psychological sophistication behind these attacks demonstrates why human risk management must be central to cyber security strategy.”

According to Forrester, human risk management (HRM) adoption has shifted from "innovative organisations" and is now fast approaching the early majority. The trend indicates that while mass adoption has not yet been reached, the practice is gaining significant traction, with most organisations expected to adopt HRM platforms and methodologies by late 2026.

Collard added: “South Africa’s cyber industry is quite tight and well-connected, and when something makes sense then it spreads quickly. For that reason, I believe SA is catching up fast in HRM adoption, with growing recognition that these systems can strengthen culture and efficiency. The key is balancing innovation with compliance, ensuring POPIA readiness, seamless integration with legacy systems and a people-first approach so employees trust and embrace the change.”

Bigger security blind spots

KnowBe4’s 2025 Africa Human Risk Management Report reveals that as organisations scale, their human-centric security governance appears to weaken, creating significant business risk.

The company’s research shows leaders at large organisations (501+ employees) report lower confidence in their employees' ability to respond to incidents compared to smaller companies.

It also reveals that the share of incidents attributed to human error varies widely across Africa, from a median of 11%-25% in southern Africa to 51%-75% in West and Central Africa.

A one-size-fits-all approach to risk is failing, the company added.

According to KnowBe4, the top challenge for leaders is the difficulty in measuring if security training actually works. This problem intensifies at scale, leaving large enterprises investing in training without knowing if it's effective.

At a recent Cyber Security Summit hosted by SNG Grant Thornton, Kuda Charandura, head of cyber advisory at SNG Grant Thornton, emphasised the need for organisations to be fully aware of the state of their cyber security, particularly given the number of cyber security blind spots in traditional security approaches.

Charandura listed examples of these blind spots, including an over-reliance on technology, limited visibility and lack of proactive measures.

He added that security solutions tend to focus solely on technology and neglect human factors and processes, and traditional security systems often lack comprehensive visibility into all aspects of the IT infrastructure and user behaviour.
