South Africa is the most targeted country in Africa for cyber attacks, and 2026 is the year the threat stopped looking foreign. The Interpol Africa Cyberthreat Assessment places SA at the top of the continent for incident volume, and IBM’s Cost of a Data Breach research now puts the average reported SA breach above R49 million. What has changed in the past eighteen months is not just the numbers; it is the texture of the attack. Phishing lures speak SARS and eFiling. Ransom notes name the target’s clients. Voice notes carry the unmistakable cadence of the managing director, because they were trained on his Daily Investor interview. Mid-market organisations that absorbed last year’s losses should not expect to absorb this year’s at the same rate.
What changed in 2024-26
Voice cloning at scale. Synthesised executive voices have moved from research demos into routine fraud. A ninety-second clip is enough for production-grade synthesis, and the harvest field is the public record: industry events on YouTube, podcast appearances on Daily Maverick and Business Day TV, conference keynotes, even the LinkedIn livestream. Every South African MD with a Spotify-hosted interview is, in effect, providing the training data for the impersonation that will target their finance team.
Localised phishing and BEC. The off-the-shelf phishing kits sold on criminal forums now generate SA-flavoured lures by default. SARS-themed deadline pressure timed to the provisional tax cycle. eFiling outage notices that mirror the genuine SARS service banner. Load-shedding-related “urgent payment due to alternative supplier” wires that arrive during a real stage-six bout. The English is grammatical and idiomatic — none of the broken-syntax tells that staff have been trained to spot.
AI-augmented ransomware operations. Initial access teams now use AI-assisted reconnaissance to map external attack surface in hours rather than days. Lateral movement and privilege escalation are scripted by agentic tooling. Ransom notes are tuned to organisation context: industry, client list, regulator exposure, and likely insurance carrier are surfaced from public sources and woven into the demand. The negotiation, when it begins, is conducted by an attacker who has read more about the target than most of the target’s own board.
A composite incident — the voicemail that wasn’t from the MD
The following is a composite drawn from multiple real engagements; details are anonymised.
A finance assistant at a mid-market manufacturing organisation in Midrand receives a WhatsApp voice note at 16:42 on a Thursday. The MD’s voice — unmistakable accent, the same slightly hurried delivery she has heard in every Monday standup — instructs her to push through an urgent EFT to a new supplier on the components order. A follow-up email arrives two minutes later, on the correct domain, confirming the banking details. She runs the payment. R6.2 million leaves the account before close of business.
The forensic engagement traces the voice synthesis back to a ninety-second clip from the MD’s interview on a Daily Investor podcast, six months earlier. The follow-up email was sent from a compromised mailbox in the organisation’s own finance team — credentials harvested through an earlier SARS-themed phishing wave the organisation had not connected to the incident.
Why traditional controls miss this
Three reasons, in order of how often they cost the organisation.
First, the tone-and-style heuristics that staff training relied on for a decade no longer detect synthesised text or voice. The lure reads exactly the way the MD actually writes. The voice note carries the MD’s actual cadence. The signals the human ear and eye were trained to catch have been engineered away.
Second, the out-of-band verification policies that exist in most organisations’ finance manuals are not enforced in practice. The procedure is written. The call-back number is documented. But the EFT moves anyway because the assistant has done a hundred of these without calling back and nobody has ever objected.
Third, the channels the attack arrives through have outpaced the controls. Most mid-market organisations still treat email-based wire-instruction signoff as the controlled path. WhatsApp-based authority claims — voice notes, message threads, screenshots of “approval” — are now common attack vectors and are routinely accepted without escalation.
The controls that actually work
- Out-of-band verification for any EFT over a defined threshold, mandatory and audited. A written policy is not the control. Quarterly evidence that every payment above the threshold was call-back-verified is the control.
- Dual authorisation in the finance function for any new beneficiary. Two people. Two devices. Two independent approvals before a beneficiary is added to the payment system, before the first cent moves.
- Vendor-onboarding hold periods before first payment to a new beneficiary. A 48-hour wait between adding a beneficiary and paying it. The hold breaks the urgency-loop the attacker depends on.
- Caller-verification protocols on inbound voice or voice-note instructions. Back-channel callback to a known number from the corporate directory, not the number the message came from and not the number embedded in the WhatsApp profile. Log who made the call, which number was dialled and when, so the verification can be audited alongside the payment.
- Quarterly tabletop exercises specifically for deepfake-enabled fraud scenarios. Generic ransomware tabletops do not rehearse the WhatsApp-voice-note path. Run the exact scenario your finance team is going to face.
- POPIA breach-readiness for the inevitable Information Regulator notification path. Where personal information is exposed in the incident, Section 22 notification to the Regulator and to data subjects is mandatory and time-bound. The eServices Portal route has been live since April 2025; the breach-response runbook should have it pre-mapped, not researched in the first hour of an incident.
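The finance controls above only matter if they can be evidenced after the fact. The following is an added example, not Rhentech’s tooling or any real ledger: a small audit that runs over a constructed payment ledger and reports, per payment, which of the threshold call-back, dual-authorisation, hold-period and directory-number controls it failed. The threshold (R250 000), the directory numbers, the record layouts and the sample payments are all assumptions; the first sample payment mirrors the composite incident, the second is compliant, and the third shows a call-back made to the number the message came from rather than the directory number.

```python
"""Audit a payment ledger against the finance controls in the list above.

Added example. The threshold, hold period, directory, record layouts and
every ledger entry below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

CALLBACK_THRESHOLD_ZAR = 250_000      # assumed policy threshold for call-back
HOLD_PERIOD = timedelta(hours=48)     # hold between beneficiary creation and payment

# Constructed corporate directory: the only numbers a call-back may be made to.
DIRECTORY = {"md": "+27115550100", "fd": "+27115550101"}


@dataclass
class Approval:
    approver: str
    device_id: str
    at: datetime


@dataclass
class Beneficiary:
    id: str
    created_at: datetime
    approvals: list          # list[Approval]


@dataclass
class Callback:
    instructed_by: str       # directory key of whoever the instruction claimed to be
    number_called: str       # number the finance assistant actually dialled
    verified_by: str
    at: datetime


@dataclass
class Payment:
    id: str
    beneficiary_id: str
    amount_zar: int
    released_at: datetime
    callback: Optional[Callback] = None


def audit_payment(p: Payment, b: Beneficiary) -> list:
    """Return the control failures for one payment; an empty list means clean."""
    failures = []

    # Control 1: out-of-band call-back above the threshold, completed before
    # release, to the directory number of the person who supposedly instructed it.
    if p.amount_zar >= CALLBACK_THRESHOLD_ZAR:
        cb = p.callback
        if cb is None:
            failures.append("callback_missing")
        else:
            if cb.at > p.released_at:
                failures.append("callback_after_release")
            if cb.number_called != DIRECTORY.get(cb.instructed_by):
                failures.append("callback_not_directory_number")

    # Control 2: dual authorisation of the beneficiary: two people, two devices.
    approvers = {a.approver for a in b.approvals}
    devices = {a.device_id for a in b.approvals}
    if len(approvers) < 2:
        failures.append("dual_auth_missing")
    elif len(devices) < 2:
        failures.append("dual_auth_same_device")

    # Control 3: no payment inside the hold period after the beneficiary was added.
    if p.released_at < b.created_at + HOLD_PERIOD:
        failures.append("hold_period_breached")

    return failures


def audit_ledger(payments, beneficiaries) -> dict:
    """Map each payment id to its list of control failures."""
    by_id = {b.id: b for b in beneficiaries}
    return {p.id: audit_payment(p, by_id[p.beneficiary_id]) for p in payments}


# Constructed ledger. T is the Thursday 16:42 at which the voice note arrived.
T = datetime(2026, 3, 12, 16, 42)
BENEFICIARIES = [
    Beneficiary("BEN-NEW", T + timedelta(minutes=5),
                [Approval("assistant", "laptop-07", T + timedelta(minutes=5))]),
    Beneficiary("BEN-OLD", T - timedelta(days=30),
                [Approval("assistant", "laptop-07", T - timedelta(days=30)),
                 Approval("controller", "phone-12", T - timedelta(days=30))]),
]
PAYMENTS = [
    # The composite incident: new beneficiary, one approver, no call-back, paid in minutes.
    Payment("PAY-1", "BEN-NEW", 6_200_000, T + timedelta(minutes=20)),
    # Compliant: established beneficiary, call-back to the MD's directory number before release.
    Payment("PAY-2", "BEN-OLD", 800_000, T + timedelta(days=1),
            Callback("md", DIRECTORY["md"], "controller", T + timedelta(hours=20))),
    # Call-back made to the number the WhatsApp message came from, not the directory.
    Payment("PAY-3", "BEN-OLD", 800_000, T + timedelta(days=1),
            Callback("md", "+27820000000", "controller", T + timedelta(hours=20))),
]

if __name__ == "__main__":
    for pid, fails in audit_ledger(PAYMENTS, BENEFICIARIES).items():
        print(pid, "OK" if not fails else ", ".join(fails))
```

Run quarterly over the real ledger, the output is the evidence the first bullet asks for: every payment above the threshold either has a clean row or a named failure. The check on `number_called` is deliberately strict; a call-back to any number that is not in the directory counts as no call-back at all, which is the failure mode the WhatsApp path exploits.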
The threat statistics worth knowing
South Africa is ranked the most targeted country in Africa by the Interpol Africa Cyberthreat Assessment and leads the continent in incident volume. IBM’s Cost of a Data Breach research places the average reported SA breach above R49 million. Year-on-year ransomware activity against SA targets is up sharply, and the breach-reporting volume the Information Regulator has logged since the mandatory eServices Portal launched in April 2025 (over 1,600 reported breaches between April and September 2025, a 60 percent year-on-year rise) provides the first reliable domestic series. These are the figures worth quoting in a board paper.
How Rhentech helps
Rhentech provides incident response retainers for the organisations that will face this scenario this year, and tabletop exercises and readiness assessments for the organisations that want to face it on a controlled rehearsal first. The AI-augmented threat dimension is now part of every cybersecurity audit we run — including specific testing of the out-of-band verification, dual-authorisation, and voice-channel controls described above.
If you would like to walk through what your current controls would and would not have caught in the composite scenario, book a free initial consultation. If you would like to discuss a retainer that puts a defined response SLA between your organisation and the next incident, speak to a consultant.