The email that cost 15 million FCFA
Fatou, an accountant at a Dakar-based SME, receives an email from her bank informing her that her business account has been temporarily suspended. The message is urgent, the logo is perfect, the link looks legitimate. She clicks, enters her credentials, and within 48 hours, 15 million FCFA vanishes from the company account.
This scenario plays out hundreds of times a week across Africa. And it doesn't only target large corporations — SMEs are the preferred victims.
Phishing by the numbers
The #1 threat to businesses
- 73% of companies hit by a cyberattack were compromised via phishing
- 62% of African business professionals consider cyberattacks the #1 risk for companies on the continent
- 1,800 cyberattacks per week in Africa, the majority of which begin with a phishing email
- Phishing has increased by 150% over 3 years across the continent
The cost to SMEs
Across Africa, losses linked to cybercrime exceed $10 billion per year. For an SME, a single successful phishing incident can mean:
- Direct financial loss (fraudulent wire transfer)
- Theft of customer data
- Business downtime lasting several days
- Loss of trust from customers and partners
The 7 types of phishing targeting African SMEs
1. Classic email phishing
An email impersonating your bank, Orange Money, Wave, or a well-known service. It asks you to "verify your account," "update your information," or "confirm a transaction." The link leads to a fake site that captures your credentials.
2. Spear phishing (targeted phishing)
Unlike mass phishing, spear phishing targets a specific individual. The attacker has done their research: they know your name, your role, and your company name. The email appears to come from your manager, a colleague, or a known partner.
3. Smishing (SMS phishing)
A text message claiming to come from Wave, Orange Money, or a delivery service: "Your package is on hold, click here to confirm." The link leads to a malicious site or installs spyware on your phone.
4. Vishing (voice phishing)
A phone call from a "technician" at your bank or mobile operator asking for your access codes to "resolve an urgent technical issue." With voice deepfakes, these calls are becoming increasingly convincing.
5. WhatsApp phishing
Messages from "suppliers" with invoices attached, "order confirmation" links, or invitations to join compromised professional groups. Since WhatsApp is the primary communication tool for many African SMEs, it has become a prime attack vector.
6. Social media phishing
Fake LinkedIn profiles of "recruiters" or "potential partners" sending malicious links. Fake Facebook pages of well-known companies offering "promotions" or "partnerships."
7. BEC (Business Email Compromise)
The attacker hacks or spoofs the email of an executive or supplier to send wire transfer instructions. This is the most costly form of phishing, with average losses of several million FCFA per incident.
How to spot a phishing email
Visual warning signs
- The sender's email address — check the domain after the @. "support@0range-money.com" is not "support@orange.com"
- Spelling mistakes — legitimate emails from major companies are rarely riddled with errors
- Suspicious links — hover over the link WITHOUT clicking to see the actual URL. If it doesn't match the official site, it's suspicious
- Unexpected attachments — especially .exe, .zip, .scr files or PDFs containing macros
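The two checks above (domain after the @, displayed link versus real link) can be automated. The following Python example is added here and is not part of the original article or any RoxShield product; the trusted-domain list, the sample email and the domain phish.example are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed list: the brands this company really receives mail from.
TRUSTED_DOMAINS = {"orange.com", "wave.com"}
# Digits attackers swap in for letters, as in "0range-money.com" versus "orange".
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

def looks_like_trusted(domain):
    """Return the trusted domain that `domain` imitates, or None if it is trusted or unrelated."""
    if domain in TRUSTED_DOMAINS or any(domain.endswith("." + t) for t in TRUSTED_DOMAINS):
        return None  # the real domain or one of its own subdomains
    normalized = domain.translate(HOMOGLYPHS)
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]  # "orange" from "orange.com"
        if brand in normalized:
            return trusted
    return None

def analyze(raw_email):
    """Return warnings for a look-alike sender domain and for every link whose visible URL
    differs from the host it really points to (what 'hovering over the link' reveals)."""
    msg = message_from_string(raw_email)
    warnings = []
    sender_domain = parseaddr(msg["From"])[1].rsplit("@", 1)[-1].lower()
    imitated = looks_like_trusted(sender_domain)
    if imitated:
        warnings.append(f"sender domain {sender_domain} imitates {imitated}")
    # A regex is enough for the constructed sample; a real mail filter would use an HTML parser.
    for href, text in re.findall(r'<a[^>]*href="([^"]*)"[^>]*>(.*?)</a>', msg.get_payload(), re.S):
        text = text.strip()
        if not re.fullmatch(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", text, re.I):
            continue  # the link text is a phrase, not a URL, so there is nothing to compare
        shown = urlparse(text if "://" in text else "http://" + text).hostname
        target = urlparse(href).hostname or "(no host)"
        if shown != target:
            warnings.append(f"link shows {shown} but goes to {target}")
    return warnings

# Constructed sample modelled on the Fatou scenario; phish.example is a placeholder domain.
SAMPLE_EMAIL = """\
From: Orange Money <support@0range-money.com>
Subject: Votre compte a ete suspendu
Content-Type: text/html

<a href="http://secure-login.phish.example/verify">https://www.orange.com/verify</a>
"""
```

Running `analyze(SAMPLE_EMAIL)` flags both the digit-for-letter sender domain and the link whose visible text is orange.com while its destination is somewhere else.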
Behavioral warning signs
- Urgency — "Your account will be closed within 24 hours," "Immediate action required"
- Fear — "Suspicious activity detected," "Your account has been compromised"
- Bait — "You've won," "Refund pending," "Exclusive offer"
- Hierarchical pressure — "The CEO needs this done immediately"
The common sense test
Ask yourself these questions:
- Was I expecting this email?
- Is this request normal?
- Can I verify this through another channel?
If the answer to any of these questions is "no," don't click — and verify first.
Training your team: a 4-step plan
Step 1: The awareness session (1 hour)
Bring your team together and walk them through:
- Real examples of phishing (screenshots)
- How to check a suspicious email (hover over links, verify the sender)
- The procedure when in doubt (don't click, report to the designated contact)
Step 2: Phishing simulations
Regularly send fake phishing emails to your employees to test their reflexes. This isn't about trapping or punishing anyone — it's about training. Employees who click receive immediate micro-training on the spot.
This is exactly what RoxShield, our human cybersecurity platform, delivers — with scenarios tailored to the African context (fake Wave, fake Orange Money, fake local suppliers).
Step 3: The reporting reflex
Build a blame-free reporting culture. An employee who flags a suspicious email — even if it turns out to be a false positive — should be thanked, not criticized. Ten false alarms are far better than one successful attack that goes unreported.
Set up a simple channel: a dedicated email address (securite@votreentreprise.com) or a "Security Alerts" WhatsApp group.
Step 4: Regular reminders
Awareness is not a one-time event. Send a monthly 2-minute reminder: a tip, a recent example, a striking statistic. Repetition builds instinct.
Free tools to test and train your team
- Google Phishing Quiz — an interactive quiz to learn how to spot phishing (free)
- GCA Cybersecurity Toolkit — a comprehensive toolkit available in French (gcatoolkit.org)
- KnowBe4 Free Tools — basic free simulation tests
- Have I Been Pwned — check whether your team's email addresses have leaked in stolen databases (haveibeenpwned.com)
Technical best practices
Alongside human training, implement these technical measures:
- Spam filter — enable advanced filters through your email provider
- DMARC/SPF/DKIM — configure these protocols on your domain to prevent spoofing of your email address
- Mandatory MFA — even if a password is stolen, the account stays protected
- Password policy — minimum length, mandatory use of a password manager
- Safe browsing — enable Google Safe Browsing and block known malicious sites
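To make the DMARC/SPF/DKIM item concrete, here is an added Python example (not from the original article) that audits a domain's published TXT records and shows a weak configuration next to a hardened one. The records, the domain votreentreprise.example and the DKIM selector are constructed; the function only inspects records it is handed and performs no DNS lookups.

```python
# Constructed TXT records as a small company might publish them (no live DNS queries).
WEAK_ZONE = {
    "votreentreprise.example": ["v=spf1 include:_spf.mailhost.example ?all"],  # ?all = neutral: spoofers pass
    "_dmarc.votreentreprise.example": ["v=DMARC1; p=none"],  # monitor only, no reports, nothing blocked
}
HARDENED_ZONE = {
    "votreentreprise.example": ["v=spf1 include:_spf.mailhost.example -all"],  # -all = reject other senders
    "selector1._domainkey.votreentreprise.example": ["v=DKIM1; k=rsa; p=PLACEHOLDER_PUBLIC_KEY"],
    "_dmarc.votreentreprise.example": [
        "v=DMARC1; p=reject; rua=mailto:dmarc@votreentreprise.example; adkim=s; aspf=s"
    ],
}

def audit(domain, zone, dkim_selector="selector1"):
    """Return findings explaining why mail claiming to come from `domain` can still be spoofed."""
    findings = []
    spf = next((r for r in zone.get(domain, []) if r.startswith("v=spf1")), None)
    if spf is None:
        findings.append("no SPF record: any server may send as this domain")
    else:
        qualifier = spf.split()[-1]  # the 'all' mechanism decides what happens to everyone else
        if qualifier != "-all":
            findings.append(f"SPF ends with {qualifier!r}: only '-all' tells receivers to reject unlisted senders")
    dkim_name = f"{dkim_selector}._domainkey.{domain}"
    if not any(r.startswith("v=DKIM1") for r in zone.get(dkim_name, [])):
        findings.append(f"no DKIM key at {dkim_name}: outgoing mail is not signed")
    dmarc = next((r for r in zone.get(f"_dmarc.{domain}", []) if r.startswith("v=DMARC1")), None)
    if dmarc is None:
        findings.append("no DMARC record: receivers have no policy to apply to failures")
    else:
        tags = dict(t.strip().split("=", 1) for t in dmarc.split(";") if "=" in t)
        policy = tags.get("p")
        if policy not in ("quarantine", "reject"):
            findings.append(f"DMARC p={policy}: mail failing SPF/DKIM is still delivered")
        if "rua" not in tags:
            findings.append("DMARC has no rua= address: you will never see who is spoofing you")
    return findings
```

`audit("votreentreprise.example", WEAK_ZONE)` returns four findings, while the hardened zone returns none.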
Conclusion: your team, your best antivirus
No software will ever replace human vigilance. A trained employee who recognizes a phishing email is more effective than the best antivirus in the world.
Investing one hour per quarter in team training is the highest-return investment in cybersecurity. It costs nothing, it's simple, and it blocks 80% of attacks.
Ready to turn your team into an anti-phishing shield? Discover RoxShield and our cybersecurity training programs tailored to the African context. Contact us.
Sources: Agence Ecofin 2026 — Cyber Risks in Africa, Orange Cyberdefense — Cybersecurity for SMEs in Africa, Kaspersky Africa Report 2025, CCarrée — SME Cybersecurity Sénégal 2026.