Recent security breaches have impacted staff members at the SABC and eMedia due to business email compromises, resulting in the dissemination of phishing emails to various contact lists.
This phishing campaign had been ongoing at the SABC since at least Monday, initiated when a stakeholder relationships and partnerships manager’s email was compromised and used to send deceptive messages to external contacts.
The phishing email utilised a straightforward tactic: it contained a PDF attachment urging recipients to open it. Those who clicked on the attachment were greeted by a blurry image resembling a bank statement, accompanied by a prompt to click for further details.
Upon closer inspection, the PDF was discovered to merely function as a gateway to a malicious website. Engaging with the link directed victims to a site designed to capture their email credentials, further propagating the attack by sending the malicious email from the victim’s address book.
MyBroadband, a local media outlet, received a second phishing email from another SABC executive later that week. By Friday, the email account of a senior executive at eNCA was also compromised.
An eMedia spokesperson confirmed that the incident was limited to one specific email account. “The situation was contained quickly, and we found no evidence of wider compromise affecting eNCA at this time,” they reported. “The affected account was secured immediately, and our Infrastructure and Security teams acted swiftly to investigate and manage the situation.”
eMedia implemented rapid measures to fortify its IT environment and enhance security protocols.
When queried regarding the connection between the SABC and eNCA incidents, eMedia indicated a relationship between the two. “The initial email that triggered the breach came from a compromised SABC account,” they noted. “An employee from eNCA engaged with this message, which contributed to the incident and suggests a broader phishing campaign across multiple organisations.”
Cybercriminal groups have increasingly set their sights on South African businesses, government entities, and state-owned enterprises. According to a recent Interpol report, South Africa ranks as a prime target for cybercriminals on the continent.
The Africa Cyberthreat Assessment Report 2025 highlighted business email compromise (BEC) as a significant and escalating threat in the online scams landscape. The report stated, “Data from Interpol’s private sector partners indicates a considerable increase in BEC-related cybercriminal activity across Africa, both in frequency and financial repercussions.”
Currently, eleven African nations, particularly Nigeria, Ghana, Côte d’Ivoire, and South Africa, account for the majority of BEC activity. In West Africa, some criminal syndicates have matured into sophisticated, multi-million-dollar enterprises based on BEC fraud.
A notorious group, Black Axe, boasts thousands of members globally and has been linked to extensive financial scams yielding billions.
Data from Interpol’s member countries revealed that in 2024, the finance sector was the top target for cybercriminals. Organisations involved in international trade, as well as those with minimal security measures, were especially susceptible to BEC assaults. However, virtually no sector is immune; incidents have been documented across various industries, including oil and gas, pharmaceuticals, transport, and e-commerce, alongside attacks on governmental agencies and non-profits.
Accurately gauging the number of BEC incidents in Africa is complex due to widespread underreporting. Nevertheless, indicators suggest a severe issue. In 2024, 19 African nations collectively reported over 10,000 arrests related to cybercrime, implying the actual BEC cases are likely far greater, given that an estimated 65% of cybercrimes go unreported.
The attacks experienced by the SABC and eNCA resemble cybercrime-as-a-Service (CaaS), which Interpol has identified as a factor contributing to the increased sophistication of BEC attacks. “Microsoft’s Digital Crimes Unit observed a 38% rise in CaaS targeting business email accounts from 2019 to 2022,” the report noted, highlighting how readily available phishing kits streamline these malicious operations.
