The data places Nigeria at the centre of a continental problem. While Africa’s digital economy is expanding speedily, security readiness is struggling to keep pace. 

Across the continent, organisations recorded an average of 3,153 cyberattacks per week, compared with 1,963 globally, putting Africa among the most targeted regions in the world.

In Nigeria, the financial sector is the main target. Banks, payment platforms, and fintech firms continue to face heavy pressure from phishing, business email compromise, and credential theft. 

Telecoms, energy, and healthcare operators are also seeing growing exposure as cloud services, mobile platforms, and connected devices are rolled out faster than security controls can mature.

The unique part is not just volume, but method. Across Africa, 77% of organisations were affected by information disclosure incidents, meaning sensitive data was exposed through misconfigurations, weak access controls, or unsecured systems. 

Email is the most effective entry point, responsible for 80% of malicious file delivery, showing that basic weaknesses are still being exploited at scale.

Ransomware has also changed shape. The report shows that 41% of major incidents in Africa now involve data-leak extortion, where attackers steal information and threaten public exposure rather than relying solely on system encryption. 

This approach increases reputational damage and regulatory risk, even when core operations remain running.

In Nigeria, identity theft, stolen session tokens, and API abuse are now more common than traditional malware attacks. In simple terms, attackers are logging in using valid credentials instead of forcing their way through defences.

Beyond Nigeria, several African countries are facing high pressure when it comes to cyberattacks. Kenya recorded 3,758 attacks per organisation each week, while South Africa, Morocco, and other markets continue to see heavy targeting of government services, education systems, and telecom infrastructure.

The operational cost of these attacks is rising. African organisations take an average of 18 days to detect and contain a breach, six days longer than the global average. The report links this delay to skills shortages, fragmented tools, and limited incident response capacity across many sectors.

High-profile incidents in 2025 underline the risk. Data exposure at Seychelles Commercial Bank, service disruption at South African Airways, and unauthorised access to customer data at MTN South Africa all followed a similar pattern: customer-facing systems were targeted, investigations were triggered, and trust became the real casualty.

Regulation is now increasing the pressure. With Europe enforcing stricter cybersecurity regulations under the NIS2 directive, African companies that trade with EU partners are expected to prove strong cyber controls as a condition for market access. Security, the report notes, has become a commercial requirement, not a back-office concern.

From Nigeria to the rest of the continent, Africa’s digital growth is speeding up, but attackers are moving just as fast. 

Cybersecurity in Africa has gone beyond preparing for future risks. The threat is already here, and for countries like Nigeria, the cost of inaction is becoming impossible to ignore.

This insurance-ready service eliminates unpredictable costs while helping organisations strengthen cyber resilience and meet growing compliance and insurance demands.

“We’re seeing a clear shift in how organisations approach incident readiness,” says Kurt Goodall, Troye‘s technical director. “With Incident360, our clients gain full incident response coverage backed by global experts – plus the planning tools to build cyber resilience before an attack ever happens.”

Unlike traditional retainers that charge by the hour and force teams to ration IR time, the Incident360 Retainer provides end-to-end coverage for one major security incident – no matter the incident type – and includes proactive readiness resources to help organisations build stronger security foundations.

These include a dedicated incident response dashboard and secure planning portal, tailored runbooks for common attack scenarios such as ransomware and business email compromise (BEC), and a detailed Cyber Resilience Assessment that maps your posture to recognised frameworks like NIST CSF and CIS Controls.

“The platform also provides SLA-backed response times, as fast as one hour with the Rapid Response add-on, and delivers posture ratings that support insurance and compliance needs,” he explains.

One of the most significant advantages of Incident360 is cost certainty. Traditional emergency response services can lead to unpredictable and often exorbitant bills.

By contrast, Incident360 offers a flat annual fee that covers everything from initial containment through to full recovery – eliminating financial guesswork and enabling more strategic planning.

The service also delivers rapid, SLA-backed response. With a default response time of three hours – and the option to reduce that to just one hour through the Rapid Response add-on, businesses can trust that Arctic Wolf’s expert incident responders will be available exactly when they’re needed.

Crucially, Incident360 brings together global expertise and local support. Arctic Wolf’s incident response team is recognised by over 30 global cyber insurance providers and handles more than a thousand real-world incidents each year.

When delivered through Troye, this global capability is combined with hands-on South African support that understands the regional landscape and regulatory environment.

Preparedness is another pillar of the Incident360 Retainer. Runbooks, tabletop exercises, incident response plan reviews, and cyber posture assessments are not afterthoughts, they are core components of the service.

This ensures that customers are not only covered in the event of an incident but are actively strengthening their defences long before one occurs.

Goodall says Incident360 is an ideal fit for organisations that need to meet cyber insurance or regulatory compliance requirements.

“It is particularly well-suited to businesses that lack a fully staffed internal SOC or incident response team, and for those looking for a reliable, globally trusted partner backed by local expertise. It also appeals to companies seeking predictable, stable security spending without sacrificing effectiveness or capability.”

The core Incident360 tier includes complete incident response coverage and foundational readiness tools like the JumpStart planning suite, with a guaranteed response SLA of three hours.

Incident360 Plus builds on this with additional proactive services, including tabletop simulations and detailed incident response plan reviews, making it the ideal choice for organisations looking to mature their IR strategy.

For high-risk environments or critical industries, the Rapid Response Add-On reduces the response time to just one hour, providing even greater assurance when every second counts.

“Cyberattacks are inevitable – how you prepare and respond is what sets resilient organisations apart. With Incident360, we’re giving our clients a faster, smarter, more cost-effective way to take control of their cybersecurity destiny,” he concludes.

This escalation has stressed the urgent need for large retail operators across the United States to be more careful and cautious, watching out for possible vulnerabilities.

In a direct alert issued on Wednesday, John Hultquist, a senior analyst at Google’s cybersecurity division, stated: “U.S. retailers should take note. These actors are aggressive, creative, and particularly effective at circumventing mature security programs.”

The warning follows a string of successful cyberattacks on British retailers, including Marks & Spencer, whose online operations have remained paralysed since April 25. These attacks have been traced back to a group linked to the cybercriminal collective known as “Scattered Spider.”

This loosely organised network is made up of hackers of varying skill levels. While the structure may seem scattered, the execution of their campaigns has been anything but. Their strategy is to target one sector, exploit its weaknesses, then move on. Right now, that sector is retail.

Scattered Spider is no newcomer to headline-making breaches. In 2023, they infiltrated U.S. casino giants like MGM Resorts International and Caesars Entertainment, causing significant financial and operational disruption. The shift to retailers suggests a deliberate and calculated evolution in their approach.

We’ve seen this before, hackers pushing through what should be solid security systems, often using creative methods like phishing, social engineering, and credential theft. The Scattered Spider-linked attackers aren’t simply opportunists, but tactically selecting targets and dismantling them with precision.

The issue isn’t just technical. Law enforcement agencies, including the FBI and the Cybersecurity and Infrastructure Security Agency (CISA), have been unable to contain the group. Their flexibility, the youth of many members, and the unwillingness of victims to cooperate have all hindered investigations. Neither the FBI nor CISA have provided public updates on the matter.

Retail industry platforms in the U.S. are taking the threat seriously. Christian Beckner, vice president at the National Retail Federation, confirmed that his organisation has been actively monitoring the UK incidents. “We’ve been closely tracking everything going on in the UK over the past few weeks,” he said. “There aren’t geographic boundaries on these threats.”

Meanwhile, the Retail & Hospitality Information Sharing and Analysis Centre (ISAC), which includes members such as Costco, McDonald’s, Lowe’s, and Albertsons, is now coordinating with Google to brief its members and strengthen defences.

Beyond a random cyber attack, we are looking at a sustained campaign targeting a specific sector with high-value data and operational exposure. If this is not resolved, we could be seeing a major escalation in the cybersecurity sector.

The report revealed that eight African countries were ranked among the top 20 most attacked nations worldwide, with Nigeria placing 13th.

Ethiopia led the African rankings, topping the global list with a Normalised Risk Index of 98.2%, while Uganda, Angola, and Ghana secured the 8th, 9th, and 11th spots, respectively. 

Nigeria followed closely with a Normalised Risk Index of 62.3%. Other African countries on the list included Kenya (17th), Mozambique (18th), and Côte d’Ivoire (20th).

The African continent is being targeted for its growth in digital technology leverage, with cybercriminals using sophisticated tactics like artificial intelligence (AI)-driven ransomware.

One of the major groups in December was FunkSec, a new ransomware-as-a-service (RaaS) group responsible for 14% of all reported ransomware attacks that month. 

FunkSec’s growth has been linked to its AI-powered double-extortion techniques, where stolen data is both encrypted and held for ransom. Although many of FunkSec’s victim reports were questioned for authenticity, the group’s rise poses a huge threat to global cybersecurity.

In addition to FunkSec, other malware families such as FakeUpdates and AgentTesla were also disturbing threats in December. FakeUpdates impacted 5% of organisations globally, while AgentTesla used keylogging and credential theft to target 3% of businesses.

Mobile devices were not spared, with banking Trojans like Anubis and Necro exploiting vulnerabilities to steal credentials and install malicious software.

The growing sophistication of cyberattacks reiterates the need for enhanced cybersecurity measures. Maya Horowitz, vice president of Research at Check Point, emphasised that organisations must stay ahead of these threats by adopting advanced security tools to defend against AI-powered ransomware and other emerging risks.

Cybercriminals are targeting high-value systems and using sophisticated encryption methods to extort businesses. 

Hence, organisations must focus on building stronger defences against ransomware groups, including RansomHub and LeakeData, as mentioned in the global threat index report, strengthening their security strategies to mitigate the risks caused by these evolving threats.

This was revealed in a report by insurance broker Howden, based on a survey conducted in September.

Financial Toll on Companies

Cyberattacks have eroded approximately 1.9% of revenue on average for affected companies. The report noted that businesses with annual revenues exceeding £100 million are at greater risk, stressing the financial vulnerabilities of larger enterprises in the face of rising cyber threats.

Leading Causes of Cyberattacks

The report identified email compromises and data theft as the primary methods used by cybercriminals. 

Compromised emails accounted for 20% of attacks, while data theft was responsible for 18%, leaving companies exposed to both financial and reputational damages.

Alarming Cybersecurity Gaps

Although there are growing risks, the survey found significant gaps in cybersecurity measures among businesses. 

Only 61% of companies reported using anti-virus software, and just 55% had network firewalls in place. Barriers such as high costs and limited internal IT resources were noted as reasons for the inadequate adoption of protective technologies.

Sarah Neild, Howden’s head of UK cyber retail, spoke on the urgency of addressing these vulnerabilities. “Cybercrime is on the rise, with malicious actors exploiting weak spots as companies increasingly depend on technology for their operations,” she said, calling for assertive measures to mitigate the growing risks.

As the world gets more digital, businesses stand the risk of facing more sophisticated cyberattacks. The combination of inadequate defences and growing reliance on technology makes organisations susceptible to sophisticated attacks.

Steps to Strengthen Cybersecurity

To counter these threats, businesses are advised to:

• Invest in Solid Defences: Allocate budgets for advanced cybersecurity tools like firewalls, anti-virus systems, and real-time monitoring.
• Enhance Workforce Preparedness: Conduct regular training sessions to help employees identify and respond to threats effectively.
• Perform Routine Security Audits: Regularly assess systems to identify vulnerabilities and implement necessary updates.

The survey, conducted by YouGov among 905 IT decision-makers in the UK’s private sector, warns businesses to prioritise cybersecurity or risk further financial and operational harm.

Organizations that paid the ransom reported an average payment of $2 million, up from $400,000 in 2023.

However, ransoms are just one part of the cost. Excluding ransoms, the survey found the average cost of recovery reached $2.73 million, an increase of almost $1 million since the $1.82 million that Sophos reported in 2023.

Despite the soaring ransoms, this year’s survey indicates a slight reduction in the rate of ransomware attacks with 59% of organizations being hit, compared with 66% in 2023.

While the propensity to be hit by ransomware increases with revenue, even the smallest organizations (less than $10 million in revenue) are still regularly targeted, with just under half (47%) hit by ransomware in the last year.

The 2024 report also found that 63% of ransom demands were for $1 million or more, with 30% of demands for over $5 million, suggesting ransomware operators are seeking huge payoffs.

Unfortunately, these increased ransom 

amounts are not just for the highest-revenue organizations surveyed. Nearly half (46%) of organizations with revenue of less $50 million received a seven-figure ransom demand in the last year.

“We must not let the slight dip in attack rates give us a sense of complacency. Ransomware attacks are still the most dominant threat today and are fueling the cybercrime economy. Without ransomware we would not see the same variety and volume of precursor threats and services that feed into these attacks. The skyrocketing costs of ransomware attacks belie the fact that this is an equal opportunity crime. The ransomware landscape offers something for every cybercriminal, regardless of skill. While some groups are focused on multi-million-dollar ransoms, there are others that settle for lower sums by making it up in volume,” said John Shier, field CTO, Sophos.

For the second year running, exploited vulnerabilities were the most commonly identified root cause of an attack, impacting 32% of organizations. This was closely followed by compromised credentials (29%) and malicious email (23%).

This is directly in line with recent, in-the-field incident response findings from Sophos’ most recent Active Adversary report.

Victims where the attack started with exploited vulnerabilities reported the most severe impact to their organization, with a higher rate of backup compromise (75%), data encryption (67%) and the propensity to pay the ransom (71%) than when attacks started with compromised credentials.

The surveyed organizations also had considerably greater financial and operational impact, with the average recovery cost sitting at $3.58 million compared with $2.58 million when an attack started with compromised credentials and a greater proportion of attacked organizations taking more than a month to recover.

Other notable findings from the report include:

• Less than one quarter (24%) of those that pay the ransom hand over the amount originally requested, and 44% of respondents reported paying less than the original demand
• The average ransom payment came in at 94% of the initial ransom demand
• In more than four-fifths (82%) of cases funding for the ransom came from multiple sources. Overall, 40% of total ransom funding came from the organizations themselves and 23% from insurance providers
• Ninety-four percent of organizations hit by ransomware in the past year said that the cybercriminals attempted to compromise their backups during the attack, rising to 99% in both state and local government. In 57% of instances, backup compromise attempts were successful
• In 32% of incidents where data was encrypted, data was also stolen – a slight lift from last year’s 30% – increasing attackers’ ability to extort money from their victims

“Managing risk is at the core of what we do as defenders. The two most common root causes of ransomware attacks, exploited vulnerabilities and compromised credentials, are preventable, yet still plague too many organizations. Businesses need to critically assess their levels of exposure to these root causes and address them immediately. In a defensive environment where resources are scarce, it’s time organizations impose costs on the attackers, as well. Only by raising the bar on what’s required to breach networks can organizations hope to maximize their defensive spend,” said Shier.

Sophos recommends the following best practices to help organizations defend against ransomware and other cyberattacks:

• Understand your risk profile, with tools such as Sophos Managed Risk which can assess an organization’s external attack surface, prioritize the riskiest exposures and provide tailored remediation guidance
• Implement endpoint protection that is designed to stop a range of evergreen and constantly changing ransomware techniques, such as Sophos Intercept X
• Bolster your defenses with round-the-clock threat detection, investigation and response, either through an in-house team or with the support of a Managed Detection and Response (MDR) provider
• Build and maintain an incident response plan, as well as making regular back-ups and practicing recovering data from backups

Data for the State of Ransomware 2024 report comes from a vendor-agnostic survey of 5,000 cybersecurity/IT leaders conducted between January and February 2024.

Respondents were based in 14 countries across the Americas, EMEA and Asia Pacific.

Organizations surveyed had between 100 and 5,000 employees, and revenue ranged from less than $10 million to more than $5 billion.

Read the State of Ransomware 2024 report for global findings and data by sector.

• Check Point Research (CPR) sees a surge in malware distributed through websites appearing to be related to ChatGPT
• Since the beginning of 2023,  1 out of 25 new ChatGPT-related domain was either malicious or potentially malicious
• CPR provides examples of websites that mimic ChatGPT, intending to lure users to download malicious files, and warns users to be aware and to refrain from accessing similar websites

The age of AI – Anxiety or Aid?

In December 2022, Check Point Research (CPR) started raising concerns about ChatGPT’s implications for cybersecurity.

In its previous report, CPR put a spotlight on an increase in the trade of stolen ChatGPT Premium accounts, which enable cyber criminals to get around OpenAI’s geofencing restrictions to secure unlimited access to ChatGPT. 

A surge in cyberattacks has recently been noticed by Check Point Research, leveraging websites associated with the ChatGPT brand. These attacks involve the distribution of malware and phishing attempts through websites that appear to be related to ChatGPT. 

The firm has identified numerous campaigns that mimic the ChatGPT website with the intention of luring users into downloading malicious files or disclosing sensitive information. The frequency of these attack attempts has been steadily increasing over the past few months, with tens of thousands of attempts to access these malicious ChatGPT websites. 

Since the beginning of 2023 until the end of April, out of 13,296 new domains created related to ChatGPT or OpenAI, 1 out of every 25 new domains were either malicious or potentially malicious. 

Fake Domains

One of the most common techniques used in phishing schemes are lookalike or fake domains. Lookalike domains are designed to appear to be a legitimate or trusted domain at a casual glance. For example, instead of the email address boss@company.com, a phishing email may use boss@cornpany.com. The email substitutes ‘rn’ for ‘m’. While these emails may look authentic, they belong to a completely different domain that may be under the attacker’s control.

Phishers may also use fake but believable domains in their attacks. For example, an email claiming to be from Netflix may be from help@netflix-support.com. While this email address may seem legitimate, it is not necessarily owned by or associated with Netflix.

Here are some examples of the malicious websites we have identified:

• chat-gpt-pc.online
• chat-gpt-online-pc.com
• chatgpt4beta.com
• chatgptdetectors.com
• chat-gpt-ai-pc.info
• chat-gpt-for-windows.com

Once a victim clicks on these malicious links, they are redirected to these websites and potentially exposed to further attacks:

What to Do if You Suspect a Phishing Attack

If you suspect that a website or email may be a phishing attempt, take the following steps:

1. Don’t Reply, Click Links, or Open Attachments: Never do what a phisher wants. If there is a suspicious link, attachment, or request for a reply do not click, open, or send it.
2. Report the Email to IT or Security Team: Phishing attacks are commonly part of distributed campaigns, and just because you fell victim to the scam does not mean that everyone did. Report the email to IT or the security team immediately, so that they can start an investigation and perform damage control as quickly as possible.
3. Delete the Suspicious Email: After reporting, delete the suspicious email from your Inbox. This lessens the chance that you will accidentally click on it, without realizing it later.
4. Beware of lookalike and fake domains: Note the language, the spelling and content within the website you are clicking on. Note “small” mistakes in spelling and content that requires you to download files.

While awareness of common phishing tactics and knowledge of anti-phishing best practices is important, modern phishing attacks are sophisticated enough that some will always slip through.

Check Point Harmony Email & Office provides visibility and protection across email phishing techniques. To learn more, you’re welcome to request a free demo. 

Pre-Emptive User Protection

Check Point Anti-Phishing solutions eliminate potential threats before they reach users without affecting workflows or productivity.

• Click-time URL protection examines and blocks suspicious links in real time, removing the risk of URLs that are weaponized after the email has been sent
• Zero-day phishing protection identifies and blocks new and known phishing sites by analyzing the characteristics of the page and URL
• Eliminates risk from incoming email by inspecting all aspects of messages before they enter the mailbox, including attachments, links, and email text

Digitally Immune System (DIS) is a comprehensive security solution that can protect businesses from threats, reduce customer downtime, and help mitigate the risk of cyber-attacks. 

DIS utilizes advanced technologies to detect, analyze, and respond to security incidents in real-time, providing organizations with the ultimate defense against malicious threats. By implementing DIS, businesses can rest assured that their data and systems are safe, secure, and protected.

The Digitally Immune System (DIS) provides a well-rounded approach to defending organizations against malicious cyber threats.

It is an advanced security system that leverages an array of technologies to detect, prevent and respond to cyber threats. Designed to provide businesses with an all-in-one solution to reduce the risk of data breaches and customer downtime, DIS combines artificial intelligence (AI) and machine learning (ML) algorithms with network security to detect malicious activity and respond to it quickly.

This innovation protects businesses from a broad range of threats, including malware, ransomware, phishing attacks, zero-day attacks and malicious URLs. It also enables businesses to quickly respond to threats, reducing customer downtime. DIS continuously monitors network traffic and can detect suspicious activities and patterns, alerting security personnel in real-time, so they can respond quickly.

The cloud-based system works by continuously monitoring the network for malicious activity, and it can detect and respond to incidents in real-time. As soon as a threat is detected, DIS will take the necessary steps to block, contain and remediate the issue before any serious damage is done. It isolates affected systems and restores data from backups. 

DIS is an invaluable tool for tech-enabled businesses that need to protect their data and infrastructure from cyber threats. By leveraging artificial intelligence and machine learning algorithms, DIS can detect and respond to malicious attacks quickly, reducing customer downtime and minimizing the risk of data loss, among others.