Quick Read:
- ESET Research has released its H2 2025 Threat Report with statistics covering the period from June through November 2025.
- Phishing accounted for 45.7% of all detected cyber threats in South Africa during the reporting period, representing a higher share than the African average.
- ESET researchers observed continued evolution in scam activity globally, including higher-quality deepfakes, signs of AI-generated phishing websites, and short-lived advertising campaigns designed to evade detection.
- While AI-powered malware emerged globally in H2 2025, ESET experts note that established social engineering techniques remain the primary attack vector affecting South Africa.
ESET Research has released its latest Threat Report summarising the threat landscape trends observed in ESET telemetry and analysed by ESET threat detection and research experts in the second half of 2025.
According to the data, in South Africa, phishing remains the highest risk category impacting users and organisations, accounting for 45.7% of detected threats compared with 32.5% in Africa.
“Phishing remains the leading initial access vector affecting South African companies,” says Tony Anscombe, chief security evangelist at ESET. “The higher proportion of phishing detections reflects both attacker focus and the continued effectiveness of social engineering. Attackers are prioritising threats that allow them a greater opportunity for monetisation.”
While phishing dominates the South African market, there has been an accelerated evolution in scam activity globally. According to the report, detections of HTML-based scam campaigns such as the Nomani investment scam, have grown by 62% over the past year.
In ESET telemetry, detections of Nomani scams grew 62% year-over-year, with the trend slowing slightly in H2 2025.
Nomani scams have recently been expanding from Meta to other platforms, including YouTube. These threats have come with improved techniques that include higher resolution deep fake videos, AI-generated phishing websites and short-lived advertising campaigns which are increasingly difficult to detect.
AI remains a pervasive threat, both locally and abroad. In the second half of 2025, ESET discovered PromptLock, the first known AI-driven ransomware capable of generating malicious scripts on-demand at speed.
While AI is primarily used for crafting convincing phishing and scam content, PromptLock is an example of a growing body of AI-driven, intelligent threats signalling a new era in cybercrime.
NFC threats are also gaining momentum, growing in both scale and sophistication, with an 87% increase in ESET telemetry and with notable upgrades and campaigns observed in the second half of 2025.
Anscombe notes that South Africa’s widespread reliance on card-based payment systems makes this class of attack more relevant than in regions where mobile money platforms dominate. These attacks rely on social engineering to persuade victims to install malicious Android applications that relay card data and PINs in real time.
Ransomware has continued its global momentum with ESET Research projecting a 40% year-on-year increase in publicly reported ransomware victims compared with 2024.
While South Africa isn’t one of the most affected countries globally, the largest number of analysed ransomware attacks were aimed at companies in the United States, followed by Spain, France, Italy and Canada, Anscombe points out that South African organisations have experienced a number of ransomware incidents during the reporting period. Two of the ransomware-as-a-service solutions dominating the market at present are Akira and Qilin, with a newcomer, Warlock, introducing innovative evasion techniques.
EDR killers are proliferating as well, underscoring the relevance of endpoint detection and response tools in mitigating the threat.
South Africa is also actively participating in efforts to counter cybercrime. The country took part in Operation Sentinel, a joint law enforcement initiative coordinated by INTERPOL and AFRIPOL, which resulted in 574 arrests and the recovery of approximately $3 million linked to cyber-enabled crimes.
