
As businesses digitise, small and medium-sized enterprises (SMEs) need a clear understanding of the cyber threats they face. Robust security systems and practices help SMEs keep their business and customer data safe; without trained employees, however, those controls can be undone by a single click, and the threat is ever-present.
According to a report by ESET, South Africa has emerged as the phishing capital of the cyber world. Data collected between November 2024 and May 2025 revealed that phishing attacks make up 52% of all cyber threats in South Africa, nearly double the global average of 28%.
These stats highlight the importance of having not only good cybersecurity systems but also cybersecurity training for employees, to avoid instances where someone clicks a link and important data is accessed by an unauthorised person.
In this article, we look at what phishing attacks are, the different types of phishing attacks and provide you with tips on how to start the process of training your staff in cybersecurity.
What is Phishing?
Phishing is a type of cyber-attack that targets individuals through e-mail, text messages, phone calls and other forms of communication. The attacker poses as a trusted party to trick the recipient into taking an action that benefits the attacker, such as revealing financial information or system login credentials, transferring money or opening an attachment. Most phishing messages carry a link to an attacker-controlled page or a malicious attachment.
Types of Phishing Attacks
Here are the common types of phishing attacks. They differ mainly in the channel the attacker uses and the goal the attacker is pursuing.
E-mail Phishing
Any malicious e-mail message sent to trick users into divulging private information. Attackers aim to steal account credentials, personally identifiable information (PII), and corporate trade secrets.
Spear Phishing
These are e-mail messages sent to specific people within a business, typically high-privilege account holders. Attackers use spear phishing to trick them into divulging sensitive data, sending the attacker money, or downloading malware.
Link Manipulation
The message contains a link whose visible text, or the address it appears to show, looks like an official business's website, but whose real target is an attacker-controlled server hosting a spoofed login page. Credentials typed into that page go straight to the attacker. Hovering over the link (or long-pressing it on a phone) reveals the real destination.
Whaling (CEO Fraud)
Whaling proper targets the "big fish": messages crafted for senior executives themselves. The closely related CEO fraud (a form of business e-mail compromise) works the other way round: messages are sent to employees, typically the CEO's executive assistant or finance staff, claiming that the CEO or another executive has requested an urgent money transfer.
Content Injection
The attacker inserts malicious content into a legitimate website so that visitors, who already trust the site, are shown malicious pop-ups or redirected to a phishing page.
Malware
A clicked link or opened attachment downloads malware onto the device. Common payloads include ransomware, rootkits and keyloggers, which are used to steal data and extort payments from the victims.
Smishing
This attack uses SMS messages sent to targeted victims with a malicious link promising discounts, rewards or free prizes. The technique exploits the increased reliance on mobile devices and the fact that people are less cautious when interacting with text messages.
Vishing
Attackers phone the victim, or leave a voicemail (sometimes with a spoofed caller ID or an altered voice), telling them they must call a specific number. On that call the attacker poses as a credible institution such as a bank, insurance company or medical facility and talks the victim into revealing details or making a payment.
“Evil Twin” Wi-Fi
Attackers trick users into connecting to a malicious hotspot, usually by broadcasting a network with the same name as a legitimate free Wi-Fi spot, and then perform man-in-the-middle attacks: reading or altering unencrypted traffic and serving spoofed captive-portal or login pages.
Pharming
A two-phase attack used to steal account credentials. In phase one the attacker either installs malware that alters the victim's local name resolution (for example the hosts file or DNS settings) or poisons a DNS resolver's cache; in phase two the victim types the genuine address of a site, is silently redirected to a spoofed copy, and is tricked into divulging credentials there. Because the address bar shows the real domain name, pharming is harder for users to spot than a phishing link.
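The local-malware variant of pharming typically works by adding static entries to the operating system's hosts file, which the browser consults before asking DNS. The following check, an added example and not code from the article, scans hosts-file content for entries that override domains staff log in to. The two hosts-file samples and the watched-domain list are constructed for the example; in practice you would read the real file (/etc/hosts, or System32\drivers\etc\hosts on Windows) and maintain your own list.

```python
import ipaddress

# Constructed: a hosts file as pharming malware might leave it. The bank's
# real domain is pinned to an attacker-controlled address (TEST-NET range).
TAMPERED_HOSTS = """\
127.0.0.1   localhost
::1         localhost
# added by "update"
203.0.113.10  www.examplebank.co.za examplebank.co.za
203.0.113.10  online.examplebank.co.za
"""

# Constructed: a normal hosts file with only loopback and an internal host.
CLEAN_HOSTS = """\
127.0.0.1   localhost
::1         localhost
10.0.0.5    intranet.smallbiz.example
"""

# Assumed list of public sites staff authenticate to. A legitimate hosts
# file never needs a static entry for any of these.
WATCHED_DOMAINS = {"examplebank.co.za"}


def hosts_overrides(text, watched=WATCHED_DOMAINS):
    """Return (hostname, ip) pairs in hosts-file text that override a watched domain."""
    hits = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        ip, *names = line.split()
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue                            # malformed line, not a hosts entry
        for name in names:
            name = name.lower().rstrip(".")
            if any(name == d or name.endswith("." + d) for d in watched):
                hits.append((name, ip))
    return hits


if __name__ == "__main__":
    print("tampered:", hosts_overrides(TAMPERED_HOSTS))
    print("clean:", hosts_overrides(CLEAN_HOSTS))
```

Any hit is worth an incident ticket: there is no routine reason for a workstation to pin a bank's address. The same logic extends to a list of the organisation's own SaaS logins.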
Angler Phishing
In this attack, cyber attackers reply to social media posts or complaints while posing as an official organisation's support account, to trick users into divulging account credentials or personal information.
Watering Hole
The attacker identifies a site that the targeted users visit regularly, compromises it through a vulnerability, and uses it to serve malware to visitors. Once the malware is installed on the targeted users' machines, the attacker can redirect them to spoofed websites or use the foothold to move into the local network and steal data.
Why Do Employees Need Cybersecurity Awareness Training?
Your employees need both cybersecurity awareness training and cybersecurity training. Cybersecurity awareness training is about preparing them mentally and encouraging them to stay alert to cybersecurity risks in their daily work. Cybersecurity training is more practical and teaches employees to report suspicious e-mails, securely share documents and follow safe browsing practices.
According to experts, human error is responsible for more than 90% of security breaches. Security awareness training helps minimise risks and prevent the loss of intellectual property, money or brand reputation.
Additionally, effective cybersecurity training addresses the mistakes employees make when using e-mail and the Internet, and when disposing of documents improperly.
Tips on Training Employees on Cybersecurity
Here are a few tips to provide your team with the tools, techniques and best practices to deal with potential cyber threats.
Tip 1: Assess Company Weaknesses
Before you can begin training employees, you need to evaluate the weak points in the business so you can focus your greatest efforts on solving them. Analyse existing security systems and possible security flaws in your business’s communication and exchange channels, such as e-mail, payment systems, cloud infrastructure, intranet, etc.
Tip 2: Create a Cybersecurity Culture
Ensure that everyone in your company is involved in the development of your cyber risk management and prevention strategy. This ensures that everyone understands the importance of paying attention to cybersecurity and what is required of them. This helps instil a culture of risk management throughout all company departments.
Tip 3: Address Cybersecurity Issues
The training you provide to employees must be holistic and address all the areas an attack can affect. It should not only cover technical protection solutions but also the psychological side. This means explaining both how malware behaves and how social engineering exploits optimism bias, the belief that "it will not happen to me".
Tip 4: Train Employees on Digital Hygiene
Digital hygiene is a set of easy-to-follow best practices that stop devices and systems from becoming gateways for attackers. These include not clicking on suspicious links, limiting what you post publicly about yourself (attackers use those details to make their messages convincing), and learning how to spot fake URLs, for instance a familiar brand name tucked into the subdomain of an unrelated domain, or link text that shows one address while the link actually goes to another.
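The tells described under E-mail Phishing and Link Manipulation above, and the fake-URL checks staff are asked to learn here, can be automated for triage of reported messages. The script below is an added example, not code from the article: it parses a raw e-mail and flags a display name that borrows a brand while the address belongs to another domain, a Reply-To that points somewhere else, link text that shows a different site from the link's real target, and a genuine brand domain buried inside an attacker-controlled hostname. Both sample messages, the brand list and the small second-level-domain table are constructed assumptions.

```python
import re
from email import policy
from email.parser import BytesParser
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: look-alike sender domain, unrelated Reply-To, and a link
# whose visible text differs from its real target.
SAMPLE_EMAIL = b"""From: "Example Bank Security" <alerts@examplebank-secure.example>
Reply-To: verification@mail-check.example
To: finance@smallbiz.example
Subject: Action required: verify your account
Content-Type: text/html; charset="utf-8"

<html><body>
<p>We noticed unusual activity. Please verify within 24 hours:</p>
<p><a href="http://examplebank.co.za.login-check.example/verify">https://www.examplebank.co.za/verify</a></p>
</body></html>
"""

# Constructed benign message from the same (fictional) bank for comparison.
CLEAN_EMAIL = b"""From: "Example Bank" <alerts@examplebank.co.za>
To: finance@smallbiz.example
Subject: Your monthly statement is ready
Content-Type: text/html; charset="utf-8"

<html><body><p><a href="https://www.examplebank.co.za/statements">Log in</a> to view it.</p></body></html>
"""

# Assumed: brands staff deal with, mapped to the domain each really uses.
KNOWN_BRANDS = {"example bank": "examplebank.co.za"}

# Labels under which registrations sit one level deeper (co.za, ac.za, ...).
# A simplification of the Public Suffix List, which real tooling should use.
SHARED_SECOND_LEVEL = {"co", "com", "org", "net", "gov", "ac", "edu"}


def registrable_domain(host):
    """Return the part of a hostname that someone actually registered."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and labels[-2] in SHARED_SECOND_LEVEL:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyse(raw):
    """Return human-readable findings; an empty list means nothing was flagged."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    sender = msg["from"].addresses[0]
    sender_dom = registrable_domain(sender.domain)

    # 1. Display name borrows a known brand, but the address is not that brand's domain.
    for brand, real_dom in KNOWN_BRANDS.items():
        if brand in sender.display_name.lower() and sender_dom != real_dom:
            findings.append(f"display name claims '{brand}' but sender domain is {sender_dom}")

    # 2. Replies would go to a different registrable domain than the sender's.
    if msg["reply-to"] is not None:
        reply_dom = registrable_domain(msg["reply-to"].addresses[0].domain)
        if reply_dom != sender_dom:
            findings.append(f"Reply-To domain {reply_dom} differs from sender domain {sender_dom}")

    # 3. Link manipulation: text shows one site while the href goes to another,
    #    or a real brand domain is buried inside a foreign hostname.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        parser = LinkExtractor()
        parser.feed(body.get_content())
        for href, text in parser.links:
            href_host = (urlparse(href).hostname or "").lower()
            href_dom = registrable_domain(href_host)
            shown = re.search(r"\b([\w-]+(?:\.[\w-]+)*\.[a-z]{2,})\b", text, re.I)
            if shown and registrable_domain(shown.group(1)) != href_dom:
                findings.append(f"link text shows {shown.group(1)} but goes to {href_host}")
            for real_dom in KNOWN_BRANDS.values():
                if real_dom in href_host and href_dom != real_dom:
                    findings.append(f"brand domain {real_dom} embedded in foreign host {href_host}")
    return findings


if __name__ == "__main__":
    for label, raw in (("suspicious", SAMPLE_EMAIL), ("clean", CLEAN_EMAIL)):
        print(label, analyse(raw))
```

These are heuristics for a first pass on what employees report, not a replacement for mail-gateway filtering or for SPF, DKIM and DMARC checks on the sending domain; a message with no findings can still be phishing, and a Reply-To mismatch on its own is sometimes legitimate (ticketing systems do it).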
Tip 5: Implement a Robust Reporting System
You need to encourage employees to promptly report any suspicious message or unexpected system behaviour, and to do so without fear of blame, since a report that arrives minutes after a click is far more useful than one that never arrives. You can also reward employees who apply their training effectively.
Tip 6: Present Attractive Content
Ensure that the training programme combines different content formats and introduces simulations of different types of attacks so employees can learn how to detect them quickly and effectively. Additionally, ensure that the training content is constantly updated to reflect new trends.
Tip 7: Effective Evaluation Processes
Once you have established a cybersecurity training strategy for your staff, ensure that there is also an evaluation process as part of it. Your evaluation process will help you see if training is effective and which areas can be improved.