
Phishing: Why trusting your gut matters

Phishing remains the most prevalent cyber threat targeting businesses. Trusting your instincts and staying vigilant are key defenses. Education can help prevent falling victim to these scams, as we discuss in this blog.


You might think cyber security is a sophisticated cat and mouse game between criminals and IT professionals.

Hackers sit hunched in dark rooms, staring at screens of green text and trying to penetrate the latest defences.

But that’s no longer true for the vast majority of cybercrime. At an epidemic level, criminals are targeting people.

That means you, your colleagues, your family, and your friends.

95% of all successful cyberattacks have a human element involved.

What can be done? Put simply, you need to trust your gut so that, when phishing is attempted, you know instinctively something isn’t right.

Getting to that point involves understanding the threat, and how to respond. That’s what this article is about.


Explore Sage trust and security

Trust is the foundation of good security and our customer relations.

Learn how we safeguard your security, value your privacy, and uphold the highest standards of data ethics.

Learn more

Businesses are ripe for phishing

Businesses are an increasingly popular target for phishing.

According to the SABRIC Annual Crime Statistics 2024, digital banking fraud remains the dominant form of cyber‑enabled crime in South Africa, accounting for 65.3% of all reported incidents.

Cases surged from 31,612 in 2023 to 64,000 in 2024, while associated losses rose from R1 billion to over R1.4 billion.

The South African Banking Risk Information Centre (SABRIC) highlights that these attacks are primarily driven by social engineering techniques, including phishing emails, WhatsApp scams, impersonation fraud, and increasingly, AI‑generated content designed to deceive victims.

The report warns that criminals are now using advanced tools — such as voice‑cloned deepfakes and error‑free phishing messages — to target both individuals and organisations across the country.

Phishing remains one of the most common attack methods, affecting a large proportion of victims each year.

What is phishing?

Phishing is best understood as social engineering: criminals manipulate you into doing something you wouldn’t choose to do otherwise.

This might be clicking a link, opening an attachment, sharing a password, providing a one-time authentication code, or moving money out of your account and into that of the scammer. Often it’s all of these!

Phishing attempts can arrive by text, social media messaging, emails, or even actual physical letters that arrive at your address.

You might think you would never fall for anything like this. After all, you’re nobody’s fool, right?

Phishing relies on your belief that the message comes from someone you trust. That familiar branding is weaponised to lower your guard:

  • A friend texting you having lost their mobile.
  • Your boss messaging you on WhatsApp, having set up a new account.
  • Your bank calling you out of the blue to say your account has been hacked.
  • Microsoft emailing to say your computer needs a vital security update.

In other words, phishing is fundamentally an exercise in extremely effective deception, rather than code-breaking.

Therefore, the most effective defences are human ones:

  • Slowing down.
  • Noticing inconsistencies.
  • Listening to that “this feels off” sensation.

Why phishing is so effective

Phishing isn’t new. It’s been around since the mid-1990s, when scams like AOHell targeted AOL users by impersonating staff.

That’s when it got its name – it took the ph- prefix from an earlier form of cybercrime known as phreaking, where hackers targeted the telephone infrastructure to get free calls.

The goal back in the mid-1990s was to harvest login passwords.

What’s changed since isn’t the psychology, but the scale and polish: spoofed websites involving flawless copycat branding, urgent pretexts, and – increasingly nowadays – AI-generated voice, text, images, or even video (including live video calls).

These are known as deepfakes, and scammers are always quick to exploit the very latest technologies.

The site they send you to will look exactly like your bank.

The voicemail message you get will sound exactly like your colleague, family member or friend.

The text message will seem to authentically have come from your bank, with the correct spoofed name or number.

Sometimes the scammers won’t request money directly but will ask you to buy online gift cards and share the codes with them.

But the core pitch is the same, and has been since those AOL days: “Act now before something bad happens.” Recognising that pattern is half the battle.


What a phishing scam looks like

Here’s a real-world, worked-through example of what a phishing attempt on a business looks like.

1. The phishing hook

You get a text claiming to be from your business banking: “We’ve detected a suspicious payment. To secure your account, confirm here.”

There’s a link that looks right at a glance (e.g. santander-secure-bank.net).

Moments later, your phone rings. Caller ID displays your bank’s name.

The caller calmly references the text and quotes a “case ID.” They may even tell you some personal details like your address or date of birth – all harvested from vast hacker databases that are easily accessible.

2. Applying the pressure

The caller says funds are moving right now, and they need to “secure” your account.

They may steer you to a very professional login page that’s a perfect clone of the bank.

Once you log in, your phone pings – even though you’re still on the phone to the “bank” – and you find a one-time passcode has arrived.

You’re asked to read it out to them, “to verify security”.

Alternatively, you might be asked simply to log in to your banking using your usual link or app, and transfer money to a special “holding account” where it’ll be “secure” until the bank can fix the issue.

3. The compromise

If you enter credentials on the fake site, they’re captured instantly.

If you read out a passcode (or approve a push notification) the scammers use it in real time.

And just like that, they have control of your bank account. It’s that easy.

If you transfer money yourself from your bank account to the scammer’s account, that’s authorised push payment (APP) fraud.

This is where victims are manipulated into sending funds and it’s easily one of the most prevalent types of fraud.

4. The exit

The caller “ends the case” and thanks you for your vigilance.

You hang up and wipe a little sweat from your brow. Wow, that was close. Glad it’s sorted, though.

Minutes or hours later you see unauthorised transactions, or find that the “safe” account was the criminal’s.

Needless to say, if this happens in real life then you should call your bank immediately. Keep reading to find out how to do so.

What you could’ve done

The right move at the first sign of doubt – that feeling in your gut that something isn’t quite right – is to disconnect and call your bank.

Ideally, dial it from a separate phone from the one you were called on. Scammers can keep the line open on landlines, for example, making you think you’ve hung up when you haven’t.

They even play fake dial tones to make you think the line is free.

Report phishing emails to your bank’s official fraud reporting address or to the South African Police Service Cybercrime Unit.

Although this won’t provide instant feedback, it can help authorities close down the scammer accounts.

Advice for avoiding phishing scams for business

Here are some tips for keeping yourself and your business safe from phishing:

  1. Pause for thought: Urgency is a red flag. If it’s really your bank, it’ll still be true after a five-minute pause while you verify through your app or by calling your bank.
  2. Channel switch to verify: Don’t reply. Don’t click their link. To investigate, use a trusted route you ordinarily use, such as your banking app, your usual online banking bookmark, or the bank’s official phone number (e.g. the one on the back of debit and credit cards – but definitely not the one in the email you might’ve received!).
  3. Never, ever share a one-time passcode: One-time passcodes you receive through text messages or retrieve from an authenticator app should never, ever be shared – or even spoken aloud! It’s a prime way scammers authorise their frauds. If someone’s asking for one, stop. Nobody legitimate would ever do so. Similarly, if you get an authentication request out of the blue then don’t approve it.

Ensure you and your colleagues stay informed by using the South African government’s cybersecurity guidance for small and medium‑sized organisations, available through the South African Cyber Security Hub.

It’s a reliable and accessible resource for building your cyber‑safety awareness.

But above all, never forget: We are all equipped with gut feelings, and when we listen they are a powerful defence mechanism.

Final thoughts

The online world is an amazing place, but increasingly, it’s a wild-west frontier where scammers exploit victims on a minute-by-minute basis.

Staying vigilant is key and, while this shouldn’t get in the way of your online activities, it should always be present.
