
Africa's Growing Cybercrime Crisis: BEC, Ransomware, and the Fight Back

There's increasing focus on business email compromise and extortion on the continent, plus cross-border crackdowns.

Africa's digital economy is expanding at a remarkable pace. Mobile money platforms, cloud adoption, and e-commerce have opened new economic opportunities for millions across the continent. But alongside this growth comes a darker reality: Africa has become an increasingly attractive target for cybercriminals, with business email compromise (BEC) and ransomware emerging as the two most destructive threats facing organisations today. At the same time, a decisive shift is underway. Law enforcement agencies, working across borders with international partners, are mounting their most ambitious crackdowns yet. The message is clear: cybercrime on the African continent will no longer go unanswered.

Business Email Compromise: A Continent-Wide Problem

Business email compromise is deceptively simple in concept and devastating in practice. Attackers infiltrate or impersonate a legitimate business email account, then manipulate victims into transferring funds or sharing sensitive data. A finance director receives what appears to be an invoice from a trusted supplier. A property buyer is redirected to a fraudulent account at the last moment. A payroll officer updates banking details on behalf of an employee who never made the request.

In South Africa, business email compromise has become one of the most financially damaging forms of cybercrime. The banking sector reported digital fraud losses approaching R1.9 billion in a single year, an 86% surge, with BEC and executive impersonation scams among the primary drivers. High-net-worth individuals and businesses are being targeted with increasingly tailored attacks, leveraging detailed research and social engineering to bypass conventional defences.

The broader picture is alarming. Globally, BEC losses reported to the FBI's Internet Crime Complaint Center reached nearly .5 billion between 2022 and 2024. While Africa-specific figures remain underreported due to gaps in incident disclosure, analysts agree the continent is heavily exposed. Rapid digitalisation, combined with inconsistent security controls across many organisations, creates precisely the conditions that BEC operators exploit.

Ransomware: South Africa Bears the Brunt

If BEC is Africa's most financially pervasive threat, ransomware is its most operationally disruptive. Data collected between June and November 2024 by cybersecurity firm ESET revealed that South Africa accounted for more than 40% of ransomware incidents across the entire continent. That is a sobering statistic for any organisation operating in the country.

The financial toll has escalated sharply. According to Sophos' State of Ransomware in South Africa 2025 report, the median ransom demand surged from approximately R2.9 million in 2024 to R17 million in 2025. Recovery costs are even higher, averaging R24 million per incident. These are not figures that any organisation, regardless of size, can absorb without serious consequence.

Ransomware groups have also refined their tactics. Double extortion, where attackers both encrypt data and threaten to publish it publicly, has become standard practice. Critical sectors including healthcare, logistics, financial services, and government have all faced attacks. In several cases, operational disruptions lasted weeks, with downstream effects on suppliers and customers alike.

Operation Serengeti: A New Era of Enforcement

Against this backdrop, one enforcement operation stands out as a landmark moment for cybercrime enforcement in Africa. Operation Serengeti, a joint initiative between INTERPOL and AFRIPOL, ran from September to October 2024 across 19 African countries. The results were significant: 1,006 suspects arrested, 134,089 malicious networks and infrastructures dismantled, and cybercriminal activity linked to an estimated million in victim losses disrupted.

The operation targeted a broad range of cybercrime typologies, including BEC schemes, online scams, ransomware, and digital extortion. Private sector partners including Group-IB contributed threat intelligence, helping investigators identify infrastructure and trace criminal networks across borders. The coordinated nature of the operation, spanning nearly the entire continent, marked a clear departure from the fragmented, single-jurisdiction efforts of the past.

This was not an isolated action. It built on the momentum of the Africa Cyber Surge operations, which INTERPOL ran in 2022 and 2023, identifying thousands of malicious IP addresses, intercepting fraudulent domains, and disrupting criminal infrastructure across multiple member states. Each successive operation has grown larger in scope and more effective in execution, reflecting a maturing enforcement capability across the continent.

Why Africa Remains in the Crosshairs

Several factors make African organisations particularly vulnerable to both BEC and ransomware. First, the pace of digitalisation has outstripped the development of cybersecurity infrastructure in many markets. Organisations that moved rapidly to adopt cloud services, digital payments, and remote working during and after the pandemic often did so without implementing commensurate security controls.

Second, BEC in particular exploits human behaviour rather than technical vulnerabilities. No firewall stops a well-crafted phishing email from convincing a finance officer to change a supplier's bank details. Without strong verification processes and ongoing staff awareness training, even technically capable organisations remain exposed.

Third, cybercriminals operating across Africa frequently exploit jurisdictional complexity. Cross-border money laundering using mobile money platforms and cryptocurrency has made tracing and recovering stolen funds extremely difficult. Coordinated operations like Serengeti are beginning to address this, but the challenge remains significant and the criminal networks adapt quickly.

What Organisations Must Do Now

The threat environment demands a proactive response. For organisations operating across Africa, several measures are non-negotiable.

Multi-factor authentication should be enabled on all email accounts and financial systems without exception. BEC attacks frequently begin with compromised credentials, and MFA remains one of the most effective barriers available. Robust email security controls, including DMARC, SPF, and DKIM configurations, reduce the likelihood that impersonation emails will reach their targets in the first place.

Payment verification protocols must require out-of-band confirmation for any banking detail changes or high-value transfers. A phone call to a known contact number, using details sourced independently rather than from the email itself, can prevent a six-figure loss. Staff at every level should receive regular training that specifically addresses BEC tactics and how to recognise social engineering attempts.
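As an added illustration (not part of the original article), the Python sketch below triages inbound mail against the two controls above: it reads the DMARC verdict from the receiving gateway's Authentication-Results header, checks for a Reply-To domain that differs from From, and flags banking-detail-change requests for out-of-band confirmation. The gateway name `mx.example.org`, the keyword pattern and the sample messages are assumptions constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumptions: hypothetical gateway authserv-id and keyword pattern; tune both.
TRUSTED_AUTHSERV = "mx.example.org"
PAYMENT_CHANGE = re.compile(
    r"(new|updated|changed?)\s+(bank(ing)?|account)\s+details", re.I)

# Constructed sample messages; every address and domain is a placeholder.
SPOOFED = (
    "Authentication-Results: mx.example.org; spf=fail; dkim=none; dmarc=fail\n"
    "From: Accounts <accounts@supplier.example>\n"
    "Reply-To: accounts@supplier-billing.example\n"
    "Subject: Invoice 1042\n\n"
    "Please use our updated banking details for this invoice.\n")
COMPROMISED = (  # sent from a real, hijacked mailbox, so authentication passes
    "Authentication-Results: mx.example.org; spf=pass; dkim=pass; dmarc=pass\n"
    "From: Accounts <accounts@supplier.example>\n"
    "Subject: Account update\n\n"
    "We have new bank details, please update them before Friday.\n")

def domain(header_value):
    """Return the lower-cased domain of an address header, or ''."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def auth_result(msg, mechanism):
    """Verdict for spf/dkim/dmarc, read only from our own gateway's header."""
    for value in msg.get_all("Authentication-Results", []):
        if not value.strip().lower().startswith(TRUSTED_AUTHSERV):
            continue  # a sender can forge this header; ignore foreign ones
        m = re.search(rf"\b{mechanism}=(\w+)", value, re.I)
        if m:
            return m.group(1).lower()
    return "none"  # no trusted verdict: treat as unauthenticated

def bec_flags(raw):
    """Sorted reasons to hold a message for out-of-band verification."""
    msg = message_from_string(raw)
    flags = set()
    if auth_result(msg, "dmarc") != "pass":
        flags.add("dmarc-not-pass")
    reply_to = domain(msg.get("Reply-To"))
    if reply_to and reply_to != domain(msg.get("From")):
        flags.add("reply-to-domain-mismatch")
    body = "" if msg.is_multipart() else msg.get_payload()
    if PAYMENT_CHANGE.search(msg.get("Subject", "") + "\n" + body):
        flags.add("payment-detail-change")
    return sorted(flags)
```

The COMPROMISED sample passes DMARC yet is still flagged, which is why the call-back step applies even to authenticated mail.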

On the ransomware side, regular offline backups, network segmentation, and a disciplined patch management programme form the core of organisational resilience. Critically, organisations should have a tested incident response plan in place before an attack occurs, not after. Knowing who to call, what to isolate, and how to communicate during a ransomware incident can be the difference between a contained event and a catastrophic one.

Conclusion

Africa's cybercrime landscape is evolving rapidly, and the stakes have never been higher. BEC continues to drain businesses of millions through carefully constructed deception, while ransomware causes operational chaos across every sector of the economy. But the enforcement response is also evolving. Operations like Serengeti signal that African law enforcement, working in concert with international partners, is developing the capability and the will to strike back effectively.

For organisations across the continent, particularly in South Africa where exposure is greatest, the time to act is now. The threat is real, the financial costs are significant, and the tools to defend against them are available. The question is whether the investment in protection will come before or after an incident forces the issue.
