Phishing Protection: How to Spot Fake Emails and What to Do If You Click

February 8, 2026

A colleague receives an email that looks like it came from SARS. It says their tax submission has a problem and they need to verify their details urgently. The email has the SARS logo, the right colours, the right tone. There is a link to click.

So they click it.

This is phishing. Not the obvious “you have won a million dollars” email written in broken English. Modern phishing is sophisticated, targeted, and looks completely legitimate. It appears to come from your bank, a courier company, a government department, or even someone in your own office. And it works because it is designed to bypass the simple “does this look fake?” test.

Understanding how phishing actually works is the first step to protecting yourself and your business. The second step is knowing what to do when something slips through.

What modern phishing actually looks like

Forget the Nigerian prince emails. Those still exist, but they are not the threat anymore. Modern phishing is targeted, well-written, and uses real company branding.

SARS phishing (extremely common in South Africa)

An email that looks like it came from the South African Revenue Service. It says there is a problem with your tax return, your refund is ready, or your eFiling account needs verification. The email uses SARS branding, correct language, and a sense of urgency. The link goes to a fake site that looks identical to the real SARS login page. You enter your credentials, and the attacker now has access to your eFiling account – which contains your ID number, financial details, and banking information.

Bank notification phishing

An email or SMS that appears to come from Absa, FNB, Nedbank, Standard Bank, or Capitec. It says suspicious activity has been detected on your account, your card has been blocked, or you need to verify a transaction. The message looks legitimate – right logo, right tone, sometimes even the right sender name. The link takes you to a fake banking site that captures your login details.

Courier delivery phishing

A message saying you have a parcel waiting for collection from The Courier Guy, DPD, or another delivery service. You are not expecting a parcel, but maybe someone sent you something? The link asks you to confirm delivery details or pay a small fee. By the time you realise the delivery does not exist, your card details have been captured.

Supplier or colleague impersonation

An email that looks like it came from someone you work with regularly – a supplier, a client, or a colleague. The display name is correct. The signature looks right. The message is brief and plausible: “Can you check this invoice?” or “I need you to reset my password” or “Can you process this payment urgently?”. The attachment or link delivers malware or leads to a credential harvesting page. This is the version that leads to invoice fraud and account compromise.

The common thread: these emails do not look suspicious at first glance. They look like legitimate business communication.

How to spot a phishing email before you click

No single check catches every phishing attempt. But these together will stop most of them.

1. Check the actual sender address, not just the display name

The display name can say anything – “SARS eFiling”, “FNB Security”, “Your Manager”. But the actual email address tells the truth. Hover over the sender name (do not click, just hover) and look at the address; on a phone, tap the sender name to show the full address. “sars-efiling-notifications@revenue-services.co.za” is not SARS. “security@fnb-verify.com” is not FNB. Real organisations send from their own domain name, and a domain that merely contains their name is not theirs.

2. Look for urgency and pressure tactics

“Your account will be suspended in 24 hours.” “Immediate action required.” “Respond within the next hour or your access will be blocked.” Legitimate organisations do not threaten you into clicking links. They send reminders. They give you time. If an email is designed to panic you into acting immediately, that is a signal.

3. Hover over links before clicking

Before you click any link, hover your mouse over it and look at the actual URL shown in the status bar at the bottom of your browser or mail client (on a phone, press and hold the link to preview it). If the email claims to be from SARS but the link goes to “sars-verify-login.xyz” or a random string of numbers, do not click. Real organisations link to their real domains, and what matters is the domain the link actually points to, not the text of the link itself.
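The two checks above (the real address behind the display name, and the real host behind a link) as a small Python helper. This is an added example, not code from the original post; the legitimate domains sars.gov.za and fnb.co.za are assumed for the example, and the sample sender and link are the ones quoted above.

```python
from email.utils import parseaddr
from urllib.parse import urlparse

# Real domains of the organisations an email may claim to be from.
# Assumed for this example; confirm against the organisation's own website.
EXPECTED_DOMAINS = {
    "SARS": "sars.gov.za",
    "FNB": "fnb.co.za",
}

def sender_address(header_from: str) -> str:
    """Return the real address from a From header, ignoring the display name."""
    _display_name, addr = parseaddr(header_from)
    return addr.lower()

def host_of(target: str) -> str:
    """Return the host part of an email address or a URL, lower-cased."""
    if "://" not in target and "@" in target:
        return target.rsplit("@", 1)[1].lower()
    # urlparse().hostname drops userinfo and ports, so the decoy
    # "https://sars.gov.za@evil.com/" correctly yields "evil.com".
    return (urlparse(target).hostname or "").lower()

def belongs_to(host: str, expected: str) -> bool:
    """True only for the expected domain or a genuine subdomain of it.
    Lookalikes such as sars-verify-login.xyz or sars.gov.za.evil.com fail."""
    return host == expected or host.endswith("." + expected)

def check(claimed_org: str, header_from: str, link: str) -> dict:
    """Compare the real sender host and link host with the claimed organisation."""
    expected = EXPECTED_DOMAINS[claimed_org]
    sender_host = host_of(sender_address(header_from))
    link_host = host_of(link)
    return {
        "sender_host": sender_host,
        "sender_ok": belongs_to(sender_host, expected),
        "link_host": link_host,
        "link_ok": belongs_to(link_host, expected),
    }

if __name__ == "__main__":
    # Constructed sample: the display name says SARS, the address and link do not.
    print(check("SARS",
                "SARS eFiling <sars-efiling-notifications@revenue-services.co.za>",
                "https://sars-verify-login.xyz/efiling"))
```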

4. Check for generic greetings

“Dear Customer”, “Dear User”, “Dear Valued Client” – organisations you have an account with know your name. If your bank sends you an email and addresses you as “Dear Customer” instead of using your actual name, be suspicious. Not every generic greeting is phishing, but it is a warning sign.

5. Unexpected attachments or requests

If someone who normally sends you invoices as PDFs suddenly sends a Word document or a zip file, question it. If a colleague who has never asked you to reset their password suddenly needs you to click a link to do it, verify through another channel before acting.

6. Spelling and grammar (but do not rely on this)

Older phishing emails had obvious spelling mistakes and broken grammar. Modern ones often do not. AI-generated phishing can be flawless. So while bad spelling is a red flag, good spelling does not mean the email is legitimate.

7. Something just feels wrong

If your instinct tells you something is off – the tone is slightly different, the request is unusual, the timing is odd – trust that feeling. Forward the email to your IT support or call the sender on a known number to verify. A two-minute check is faster than recovering from a compromised account.

What to do if you clicked a link in a phishing email

If you clicked a link but did not enter any information, the risk is lower but not zero. Here is what to do immediately.

1. Disconnect from the network

If the link may have downloaded malware, disconnecting stops it from spreading to your server or other machines. Unplug your network cable or turn off WiFi. This is especially important if you are on a business network.

2. Do not enter any information on the page

If the link opened a fake login page and you have not entered anything yet, close the page immediately. Do not try to “test” whether it is real by entering fake credentials – close it and move on to step 3.

3. Notify your IT support

Tell them what happened: which email you clicked, what link you followed, and what you saw. They can check whether anything was downloaded to your machine and whether the link is part of a wider attack targeting your organisation.

4. Run a security scan

Your IT team should run a full scan of your machine to check for malware. Do not assume that because you did not download anything intentionally, nothing was installed. Some phishing links trigger drive-by downloads.

5. Watch for follow-up attacks

Clicking a phishing link sometimes confirms to the attacker that your email address is active and monitored. You may receive more phishing attempts over the following days. Stay alert.

What to do if you entered your credentials on a phishing site

This is more serious. If you entered your username and password (or any other credentials) on a fake page, assume the attacker now has that information. Act immediately.

1. Change your password everywhere you use it

This is the real danger of phishing – password reuse. If you use the same password for your email, your banking, and your business accounts, the attacker can try it everywhere. Change the compromised password on every service where you used it. Use a unique password for each account going forward.

2. Enable multi-factor authentication (MFA) immediately

If the compromised account does not have MFA enabled, turn it on now. Multi-factor authentication means that even if someone has your password, they cannot access your account without the second verification step. This stops the attack in its tracks.

3. Check for unusual account activity

Look at your email sent folder. Check your bank transactions. Review recent logins to any accounts that may have been compromised. Attackers move fast – if they have your credentials, they may have already accessed your account by the time you realise what happened.

4. Notify your IT support and your bank

Your IT provider needs to know which account was compromised so they can check for wider impact (has the attacker accessed your files, sent emails as you, reset other passwords?). If you entered banking credentials, call your bank’s fraud line immediately.

5. Watch for secondary attacks

A compromised email account gives attackers access to your contacts, your email history, and the ability to send emails as you. They may use this to target your colleagues or clients with invoice scams or further phishing. Your IT team should monitor your account for unusual activity over the following days.

6. Under POPIA, you may need to notify affected parties

If the compromised account contained personal information about clients or staff, and that information may have been accessed, you have a legal obligation under POPIA to notify the Information Regulator and affected individuals. Your IT provider can help determine what data may have been exposed.

How to protect your business from phishing

Phishing is not going away. It is getting more sophisticated. But there are layers of protection that make it significantly harder to succeed.

Email filtering

A good email security system blocks known phishing emails before they reach your inbox. It scans attachments, checks links against databases of known malicious sites, and flags suspicious senders. This catches the bulk automated phishing campaigns before anyone sees them.

Multi-factor authentication (MFA)

MFA is the safety net for when phishing succeeds. If someone steals your password through a fake login page, MFA stops them from using it. According to Microsoft, MFA blocks over 99% of account compromise attacks. This is the single most effective protection you can enable.

Staff awareness (not formal training)

Your team does not need a certification in cybersecurity. They need to know five things: check the actual sender address, do not click links in emails that create urgency, hover before you click, verify unexpected requests through another channel, and report anything suspicious rather than ignoring it. A five-minute conversation is more effective than an hour-long compliance video.

Endpoint protection

Modern endpoint security does more than scan for viruses. It monitors what programs are doing on your machines and can isolate a device automatically if malware behaviour is detected. If someone clicks a phishing link that downloads ransomware, endpoint protection can stop it from spreading across your network.

DMARC to prevent your domain being used to phish others

Here is the part most businesses miss: even if you protect your staff from phishing, someone could be sending fake emails that look like they come from YOUR domain to YOUR clients. Without email authentication, there is nothing stopping an attacker from sending an email that says it is from yourcompany@yourdomain.co.za.

Three DNS records – SPF, DKIM, and DMARC – tell receiving mail servers which emails from your domain are legitimate and which are fake. SPF lists the servers allowed to send mail for your domain, DKIM adds a digital signature so the receiver can verify that a message really came from you and was not altered, and DMARC tells the receiver what to do with a message that fails those checks. With DMARC set to “reject”, spoofed emails claiming to come from your domain get blocked before they reach anyone.

This is what our BEACON platform monitors. It shows you who is sending email using your domain (both legitimate services and fraudulent attempts), checks that your authentication records are correct, and alerts you when something needs fixing. From R150 per month. Because protecting your clients from phishing is just as important as protecting your own staff.
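A check of the kind the two paragraphs above describe, written as an added Python example (not BEACON’s code or the post’s own): it reads SPF and DMARC TXT record values and flags the settings that leave a domain spoofable. The record values and the domain example.co.za are constructed for the example.

```python
# Constructed TXT record values for a hypothetical domain; not real DNS answers.
SAMPLE_RECORDS = {
    "weak": {
        "spf": "v=spf1 include:spf.protection.outlook.com ~all",
        "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@example.co.za",
    },
    "enforced": {
        "spf": "v=spf1 include:spf.protection.outlook.com -all",
        "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@example.co.za",
    },
}

def parse_tags(record: str) -> dict:
    # Split a "tag=value; tag=value" record (DMARC style) into a dictionary.
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def spf_findings(spf: str) -> list:
    """Flag an SPF record that does not hard-fail unauthorised senders."""
    terms = spf.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF record missing or malformed"]
    last = terms[-1].lower()
    if last == "-all":
        return []
    if last in ("all", "+all"):
        return ["SPF '+all' allows any server to send as this domain"]
    if last == "~all":
        return ["SPF '~all' only soft-fails spoofed mail; use '-all'"]
    return ["SPF has no terminal 'all' mechanism"]

def dmarc_findings(dmarc: str) -> list:
    """Flag a DMARC record whose policy lets spoofed mail through or unreported."""
    tags = parse_tags(dmarc)
    if tags.get("v") != "DMARC1":
        return ["DMARC record missing or malformed"]
    findings = []
    policy = tags.get("p", "none").lower()
    if policy != "reject":
        findings.append(f"DMARC policy is '{policy}', not 'reject'")
    if "rua" not in tags:
        findings.append("No 'rua' address: no reports on who sends as your domain")
    return findings

def assess(records: dict) -> list:
    # Combined findings for one domain's SPF and DMARC records; empty means enforced.
    return spf_findings(records["spf"]) + dmarc_findings(records["dmarc"])
```

The record values would come from a DNS lookup in practice (for example `dig TXT _dmarc.yourdomain.co.za`), which this offline example does not perform.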

Not sure where your phishing protection stands?

If you are not certain whether your email filtering is working, whether MFA is enabled across your accounts, or whether your domain is protected from spoofing, we can check. A quick review takes minutes and often reveals gaps you did not know existed.

Talk to us about your email security

Or get in touch directly:

Call: 087 820 5005

WhatsApp: 081 526 1626

Want to see your full security setup? Our security solutions cover email filtering, endpoint protection, MFA, and monitoring. And if you want to protect your domain from being used in phishing attacks, check your email authentication with BEACON.
