SA has emerged as the phishing capital of the cyber world, with this type of attack making up 52% of all cyber threats in the country – higher than the 31% in Africa and almost double the global average of 28%.
This is according to the latest bi-annual Threat Report from global cyber security provider ESET, based on data between December 2024 and May 2025.
“Phishing attacks in South Africa are not only frequent but accelerating well beyond regional and global trends,” says Tony Anscombe, chief security evangelist at ESET. “Cyber criminals are profiting from the easy gains of stealing credentials and sensitive data. As long as phishing continues to deliver quick, low-effort returns, it will remain a preferred tactic. The consistently high success rate makes it clear this threat isn’t going away anytime soon.”
According to ESET, this growing risk is already playing out in a new wave of phishing scams impersonating the South African Revenue Service (SARS), timed to coincide with the start of the 2025 tax season.
Fraudulent e-mails and SMS messages, crafted to closely mimic official SARS communications, are tricking taxpayers with threats of audits, legal action or promises of tax refunds – a tactic that hits close to home in a tough economy, where many South Africans are looking for any way to stretch their money further.
The surge in targeted breaches points to a deeper, systemic issue, warns Anscombe. “South Africa’s rapid digital growth is exposing long-standing security gaps that cyber criminals are quick to exploit.
“As more services move online and our digital dependence deepens, the attack surface expands. Phishing remains especially effective, exploiting human error and gaps in cyber security awareness through sophisticated social engineering. To counter this, we must prioritise education – giving both consumers and employees the tools to identify and respond to threats. A cyber-aware culture is our best defence.”
ClickFix threat
The ESET Threat Report also highlights the meteoric rise of ClickFix, a once-obscure technique that has quickly evolved into a major global cyber threat.
“Between late 2024 and early 2025, ClickFix detections surged by 517%, making it the second most prevalent attack vector after phishing. It now accounts for nearly 8% of all blocked attacks and is one of the fastest-growing threats we’ve ever seen,” says Anscombe.
ClickFix deceives users into executing malicious PowerShell commands – a legitimate tool used to manage and automate tasks on a computer through typed instructions. The scam presents fake error messages or CAPTCHA prompts on the victim’s device, urging them to ‘fix’ the issue by pasting a provided script into PowerShell or a terminal. Once activated, it unleashes a dangerous arsenal of threats, from infostealers and ransomware to remote access trojans.
While the threat is gaining ground globally, accounting for 7.7% of cyber attacks worldwide, its footprint in Africa remains smaller, with detections at 6.8% across the continent and just 3% in SA.
However, the research also shows that confidential data was exposed in 53% of attacks and business was disrupted in 32% of attacks.
Still, SA’s relative insulation may be short-lived. As reliance on remote access and digital platforms continues to grow, the question is no longer if ClickFix will take hold, but when.
"Education is key – not just in recognising cyber threats, but in building the confidence to act before damage is done. Our goal is to foster awareness at every level, making vigilance second nature,” says Anscombe.
Dŭsan Lacika, senior detection engineer at ESET, is quoted in the research as saying: “ClickFix has quickly become one of the most prominent cyber criminal intrusion vectors. What makes this new social engineering technique effective is that it is simple enough for the victim to follow the instructions, believable enough to look like it fixes a made-up problem… It is also a good example of how threat actors quickly adopt new techniques once they prove to yield results.”
Share