2025 International Phishing Benchmarks
Africa
By Anna Collard
African governments are increasingly recognizing cybersecurity as a critical issue, with more national cyber strategies and legislative frameworks being implemented. According to the Africa Center for Strategic Studies, the number of national Computer Emergency Response Teams (CERTs) grew to 37 in 2024, reflecting increased prioritization of cyber resilience and coordination across the continent. Africa’s influence in global cybersecurity policy is also expanding, with greater participation in international cybersecurity norms.
Despite this progress, limited funding, lack of government prioritization, fragmented capacity-building efforts and growing AI-empowered threats continue to weaken Africa’s cybersecurity posture. Multiple reports highlight how cybercriminals increasingly exploit human vulnerabilities across the continent, emphasizing the urgency of improving cybersecurity awareness, coordination and resilience.
This year’s KnowBe4 Phishing by Industry Benchmarking Report reveals notable trends in phishing susceptibility across organizations, showing both progress and ongoing challenges.
The initial Phish-prone Percentage (PPP) across all African organizations is 34.9%, meaning one in three employees is vulnerable to phishing before training. However, best-practice training significantly reduces risk: within 90 days, PPP drops to 21.1%, and after a year of ongoing training, it declines to 5.3%.
These results emphasize the importance of sustained security awareness training in reducing cyber risk.
The Driving Factors Behind Africa's Social Engineering Risks
Africa’s digital economy is the world’s fastest growing — driven by mobile adoption, cloud technology and increased connectivity. Initiatives like the African Union's Digital Transformation Strategy for Africa (2020-2030) aim to boost economic growth through digital innovation. With 70% of sub-Saharan Africa’s population under 30, young people are another key driver of this transformation.
International investments are accelerating this shift: projects like the World Bank's Digital Economy for Africa (DE4A) Initiative and its US$2.48 billion Inclusive Digitalization in Eastern and Southern Africa (IDEA) aim to expand internet access and digital services for 180 million people. Other international investments are strengthening digital infrastructure and supporting tech-driven businesses.
Africa’s digital expansion is transforming daily life, with a surge in mobile payments and increased online engagement, particularly on social media. Widespread mobile phone adoption — used by the majority of Africans as their primary gateway to the internet — is driving greater connectivity and access across the continent. For example, 86.2% of Nigeria’s web traffic is generated via smartphones. Africa’s internet user base is set to grow by 337.3 million (51.79%) between 2024 and 2029, reaching 1.1 billion users by 2029 and marking 15 consecutive years of expansion.
However, while this rapid digitization brings many opportunities, it also increases Africa’s cyberattack surface. Many organizations, especially small and midsize enterprises, lack cybersecurity budgets and struggle with basic cyber hygiene. Poor digital literacy and weak preparedness further expose organizations and individuals to threats.
Rising Phishing and Social Engineering Attacks
Social engineering remains a primary entry point for cybercrime, with criminals expanding their tactics with AI tools and reaching across different channels, such as chat apps and instant messaging platforms.
Interpol’s African Cyberthreat Assessment 2024 highlights a surge in business email compromise (BEC), ransomware attacks and online scams exploiting social engineering and human vulnerabilities. The South African Banking Risk Information Centre’s annual crime statistics report growing use of:
- Email phishing and vishing (voice phishing)
- AI-generated impersonation attacks
- Social media scams and extortion
Low Cyber Awareness and Skills Gaps
Our KnowBe4 2025 Africa Cybersecurity Awareness survey showed that while 58% of African respondents are now “very concerned” about cybercrime (up from 29% in 2023), many still lack cybersecurity awareness:
- 53% do not know what ransomware is
- 37% have fallen for fake news or disinformation
- 35% have lost money due to scams
This highlights a dangerous gap between confidence and knowledge — with many people believing they can recognize threats but remaining highly vulnerable. The Dunning-Kruger effect, which is a cognitive bias where people overestimate their ability, is alive and well in cybersecurity on the continent.
AI-Driven Phishing and Disinformation
Cybercriminals are increasingly using AI to automate phishing, craft personalized scams and bypass security filters. In our 2025 Africa Cybersecurity Awareness survey, 37% of respondents said they have fallen for fake news or a disinformation campaign.
“Many organizations remain unprepared for AI-powered scams and disinformation campaigns, making them top cybersecurity priorities.”
Disinformation campaigns have surged nearly fourfold in Africa since 2022, particularly in the context of political and social manipulation. Coordinated disinformation campaigns, often exploiting social media to spread false narratives, mislead the public and influence elections. These campaigns further erode digital trust and complicate cybersecurity efforts by confusing end users.
As AI-driven scams and disinformation campaigns become more advanced, organizations must adapt training programs to address these emerging threats.
Public Sector Vulnerabilities and Large-Scale Attacks
Governments across Africa are prime cybercrime targets. Some of the newsworthy incidents in 2024 include South Africa’s Companies and Intellectual Property Commission (CIPC) hack, the data breach at the Government Pensions Administration Agency (GPAA), the ransomware attack against the Malawi Immigration Department in February and the attack against the African Union’s systems in March 2024.
Many public institutions run outdated systems, lack cybersecurity budgets and provide insufficient training, making them high-risk targets for future attacks.
Key Takeaways
- Cybersecurity training works — but must be sustained. Africa’s average phishing risk dropped from 34.9% to 5.3% after one year of training, proving the effectiveness of awareness programs.
- Mid-sized businesses require more focus. While small and large businesses showed strong improvements, mid-sized organizations (250-999 employees) still had a 9.2% phishing risk after one year.
- AI-driven social engineering and disinformation require urgent attention. Many organizations remain unprepared for AI-powered scams and disinformation campaigns, making them top priorities for 2025 cybersecurity strategies.