Anna Collard, senior vice president of content strategy and evangelist for KnowBe4 Africa.

A new report is forewarning Africa of phishing attacks and social engineering scams, saying one in three corporate employees on the continent is vulnerable to the crimes.

This is according to KnowBe4’s 2023 Phishing by Industry Benchmarking Report for Africa, which measures organisations’ “phish-prone percentage” (PPP).

Phish-prone percentage indicates the number of employees in an organisation that are likely to fall for phishing or a social engineering scam.

KnowBe4’s report is based on data from over 12.5 million users across 35,681 organisations in 19 industries.

The results of over 32.1 million simulated phishing security tests are included.

This year’s report details international phishing benchmarks from North America, the United Kingdom and Ireland, Europe, Africa, South America, Asia, Australia and New Zealand.

In Africa, 412 organisations from South Africa, Kenya, Nigeria and Botswana participated in the phishing simulation tests, with a total of 337,937 emails sent.

The majority of these organisations (58%) were small (1-249 employees), followed by medium (26%, 250-999 employees) and large (16%, 1000+ employees) ones.

KnowBe4 – a security awareness training firm – says African business users had a lower baseline PPP than many other regions, meaning they were less likely to fall for phishing attacks before training.

However, their improvement after 90 days of training was also lower than in other regions.

After a year of ongoing training, African users achieved a 79.8% improvement in their PPP, showing the effectiveness of consistent security awareness education, says the company.

Anna Collard, senior vice president of content strategy and evangelist for KnowBe4 Africa, comments: “The report underscores the fact that while technology plays an important role in preventing and recovering from an attack, organisations cannot afford to ignore the human factor. The root cause of most data breaches can be traced to the human factor.”

The report shows that without security training 33.2% of employees across all regions and industries are likely to fall for phishing attacks or fraudulent requests.

Africa’s average was 32.8%, slightly better than the global average and much better than South America, where the average was 41.1%. Asia had the lowest rate of phishing – 30%.

Collard notes: “Africa’s baseline phishing security test results show that one out of three employees are likely to click on a suspicious link or email or comply with a fraudulent request before receiving training. This is very concerning considering that Africa has seen the fastest growth in cyber crimes in recent years, especially among small and medium-sized organisations.”

She adds: “These findings highlight the importance of ongoing, consistent cybersecurity awareness training and testing to achieve significant risk reduction. Simply warning users or having a once-off training session is not enough. Cybersecurity needs to be ingrained into the company culture.”