Phishing remains the highest risk category for users and organisations in South Africa, accounting for 45.7% of detected threats.
According to ESET Research’s latest Threat Report, this compares with a significantly lower 32.5% in Africa. The report summarises the threat landscape trends observed in ESET telemetry and analysed by ESET threat detection and research experts in the second half of 2025.
“Phishing remains the leading initial access vector affecting South African companies,” says Tony Anscombe, chief security evangelist at ESET. “The higher proportion of phishing detections reflects both attacker focus and the continued effectiveness of social engineering. Attackers are prioritising threats that allow them a greater opportunity for monetisation.”
While phishing dominates the South African market, there has been an accelerated evolution in scam activity globally. According to the report, detections of HTML-based scam campaigns such as the Nomani investment scam, have grown by 62% over the past year. In ESET telemetry, detections of Nomani scams grew 62% year-over-year, with the trend slowing slightly in H2 2025. Nomani scams have recently been expanding from Meta to other platforms, including YouTube. These threats have come with improved techniques that include higher resolution deep fake videos, AI-generated phishing websites and short-lived advertising campaigns which are increasingly difficult to detect.
AI remains a pervasive threat, both locally and abroad. In the second half of 2025, ESET discovered PromptLock, the first known AI-driven ransomware capable of generating malicious scripts on-demand at speed. While AI is primarily used for crafting convincing phishing and scam content, PromptLock is an example of a growing body of AI-driven, intelligent threats signalling a new era in cybercrime.
NFC threats are also gaining momentum, growing in both scale and sophistication, with an 87% increase in ESET telemetry and with notable upgrades and campaigns observed in the second half of 2025. Anscombe notes that South Africa’s widespread reliance on card-based payment systems makes this class of attack more relevant than in regions where mobile money platforms dominate. These attacks rely on social engineering to persuade victims to install malicious Android applications that relay card data and PINs in real time.
Ransomware has continued its global momentum with ESET Research projecting a 40% year-on-year increase in publicly reported ransomware victims compared with 2024. While South Africa isn’t one of the most affected countries globally – the largest number of analysed ransomware attacks were aimed at companies in the United States, followed by Spain, France, Italy and Canada – Anscombe points out that South African organisations have experienced a number of ransomware incidents during the reporting period.
Two of the ransomware-as-a-service solutions dominating the market at present are Akira and Qilin, with a newcomer, Warlock, introducing innovative evasion techniques. EDR killers are proliferating as well, underscoring the relevance of endpoint detection and response tools in mitigating the threat.
South Africa is also actively participating in efforts to counter cybercrime. The country took part in Operation Sentinel, a joint law enforcement initiative coordinated by Interpol and Afripol, which resulted in 574 arrests and the recovery of approximately $3-million linked to cyber-enabled crimes.
- For more information, see the ESET Threat Report H2 2025 on WeLiveSecurity.com.