Phishing and Email Security for Botswana Businesses

Phishing is the most common way businesses get breached. How to recognise it, how to protect your email, and what to do if someone clicks — practical steps for Botswana teams.

Apjakal IT Solutions · 5 min read

Ask any IT professional how businesses actually get breached, and phishing will be at the top of the list. Not clever hacking — a convincing message that persuades a busy person to do something they shouldn't. It is cheap for criminals, it scales to millions of targets, and it works often enough to remain the number one way into organisations of every size, including in Botswana.

The encouraging part: phishing targets people, and people can be taught to spot it. A team that knows what to look for, backed by a few technical safeguards, neutralises most of the threat.

What phishing looks like

Phishing is a message — email, SMS or even WhatsApp — that impersonates someone you trust to trick you into acting against your interest. The usual goals are to make you hand over a password, open a malicious attachment, click a link to a fake login page, or make a payment.

Common forms a Botswana business will encounter:

  • Fake login prompts — "Your mailbox is full, click here to verify" leading to a page that looks like Microsoft or Google and steals your password.
  • Invoice and payment scams — a supplier you know, asking you to pay a new account number, or a "manager" urgently requesting a transfer.
  • Delivery and bank lures — SMS or email about a parcel, a payment, or an account problem, with a link to a fake site.
  • Account-takeover follow-ups — once one staff mailbox is compromised, attackers email that person's contacts from the real account, which is far harder to spot.

How to recognise it — the practical checklist

Most phishing fails one of these tests. Teach your team to pause and check:

  • Urgency and pressure. "Act now or your account will be closed." Real organisations rarely demand instant action. Urgency is the scammer's main tool — it stops you thinking.
  • Unexpected requests. A message asking for a password, a payment, or a change of bank details that you weren't expecting deserves suspicion, even if it looks like it's from someone you know.
  • Check the actual sender address. The display name can say anything. Hover over or expand the real email address — look for subtle misspellings (micros0ft.com, apjaka1.com) and odd domains.
  • Hover before you click. Point at a link (without clicking) and read where it really goes. If the address doesn't match the supposed sender, don't click.
  • Generic greetings and odd language. "Dear Customer," clumsy phrasing, or a tone that's slightly off can all be signs — though well-crafted scams avoid these.
  • Attachments you didn't expect. Be wary of unexpected files, especially ones that ask you to "enable content" or "enable macros."
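The checklist above can be turned into a first-pass screen a mail gateway or a help desk script runs before a person looks at the message. The Python below is an added example, not code from the Apjakal article: it takes the From header and HTML body of one message, compares them with a (constructed) list of domains the business trusts, and reports the same red flags a careful reader checks for: a trusted brand in the display name but a different real address, look-alike domains such as micros0ft.com, and links whose visible text does not match where they really go. The sample message is constructed to mirror the "mailbox is full" lure described earlier.

```python
"""
Added example (not from the Apjakal article): the recognition checklist, applied
automatically to a single message. Trusted domains and the sample mail are constructed.
"""
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"microsoft.com", "google.com", "apjakal.com"}   # constructed list

# Digits that get swapped for letters so a domain passes a quick glance.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def normalise_domain(domain: str) -> str:
    """Undo common look-alike substitutions: micros0ft.com -> microsoft.com."""
    return domain.lower().translate(HOMOGLYPHS).replace("rn", "m")


def registrable_domain(host: str) -> str:
    """Last two labels of a host name (login.microsoft.com -> microsoft.com).
    Good enough for .com-style names; production code should use a public suffix list."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def is_lookalike(domain: str) -> bool:
    """True when a domain is not trusted but becomes a trusted one once the digit tricks are undone."""
    return domain not in TRUSTED_DOMAINS and normalise_domain(domain) in TRUSTED_DOMAINS


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from the <a> tags in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_sender(from_header: str) -> list[str]:
    """Flags display-name/address mismatches and look-alike sender domains."""
    display, address = parseaddr(from_header)
    if "@" not in address:
        return ["From header carries no usable email address"]
    domain = address.rsplit("@", 1)[1].lower()
    findings = []
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if brand in display.lower() and domain != trusted and not domain.endswith("." + trusted):
            findings.append(f"display name mentions {brand} but the address is at {domain}")
    if is_lookalike(domain):
        findings.append(f"look-alike sender domain: {domain}")
    return findings


def check_links(html_body: str) -> list[str]:
    """Flags links whose shown address differs from the real target, and look-alike link hosts."""
    collector = LinkCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.links:
        host = urlparse(href).hostname or ""
        # Visible text that looks like a web address must agree with the real destination.
        shown = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text.lower())
        if shown and registrable_domain(shown.group(1)) != registrable_domain(host):
            findings.append(f"link text shows {shown.group(1)} but goes to {host}")
        if is_lookalike(registrable_domain(host)):
            findings.append(f"look-alike link domain: {host}")
    return findings


def triage(from_header: str, html_body: str) -> list[str]:
    """Runs both checks; an empty list means nothing on the checklist fired."""
    return check_sender(from_header) + check_links(html_body)


# Constructed sample: the "your mailbox is full" lure.
SAMPLE_FROM = '"Microsoft 365 Support" <no-reply@micros0ft.com>'
SAMPLE_BODY = ('<p>Your mailbox is full. Click <a href="http://login.micros0ft.com/verify">'
               'https://login.microsoft.com</a> to verify within 24 hours.</p>')

if __name__ == "__main__":
    for finding in triage(SAMPLE_FROM, SAMPLE_BODY):
        print("-", finding)
```

On the sample message the script reports four findings: the display name claims Microsoft while the address is elsewhere, the sender domain is a look-alike, the link text shows login.microsoft.com while the link goes to login.micros0ft.com, and that link host is itself a look-alike. The homoglyph table only covers digit swaps, which is what the article's examples use; a fuller check would also handle Unicode confusables.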

The golden rule for anything involving money or banking details: verify through a separate, known channel. If an email asks you to change a supplier's account number, phone the supplier on a number you already have — never the number in the email.

Protect the email itself

Awareness is half the battle; technical controls are the other half.

  • Multi-factor authentication (MFA) on every mailbox. Even if a password is phished, MFA usually stops the attacker from logging in. This single control defuses most phishing.
  • A good spam and phishing filter. Reputable email platforms (Microsoft 365, Google Workspace) filter out a large share of malicious mail before it reaches anyone — provided it's configured properly.
  • Email authentication (SPF, DKIM, DMARC). These are settings on your domain that make it much harder for criminals to send email that appears to come from your company — protecting both your staff and your customers from impersonation.
  • Watch for malicious mailbox rules. A common attacker trick after compromising a mailbox is to create a hidden rule that auto-deletes or forwards certain emails. Reviewing mailbox rules is part of a proper security check.
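"Configured properly" is the operative phrase for SPF and DMARC: a record that exists but says p=none or ?all stops nothing. As an added example that is not part of the article, the Python below assesses a domain's SPF and DMARC records and lists what still lets spoofed mail through. The records are passed in as text so it runs offline; in practice they come from the domain's DNS TXT records (SPF at the domain itself, DMARC at _dmarc.<domain>). Both pairs of sample records are constructed: one monitor-only setup beside an enforcing one.

```python
"""
Added example (not from the Apjakal article): is the domain's email authentication
actually enforcing? Sample records are constructed.
"""


def parse_dmarc_tags(record: str) -> dict[str, str]:
    """Turn 'v=DMARC1; p=none; rua=mailto:x' into {'v': 'DMARC1', 'p': 'none', ...}."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_spf(record: str) -> list[str]:
    """Returns weaknesses in an SPF record; an empty list means it fails unlisted senders."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF record missing or does not start with v=spf1"]
    findings, lookups, all_qualifier = [], 0, None
    for term in terms[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"   # no qualifier means pass
        mechanism = term.lstrip("+-~?").lower()
        name = mechanism.split(":")[0].split("/")[0].split("=")[0]
        if mechanism == "all":
            all_qualifier = qualifier
        elif name in ("include", "a", "mx", "ptr", "exists", "redirect"):
            lookups += 1      # each of these costs a DNS lookup; SPF allows ten
    if all_qualifier is None:
        findings.append("no 'all' mechanism: unlisted senders are not failed")
    elif all_qualifier == "+":
        findings.append("'+all' lets any server on the internet send as the domain")
    elif all_qualifier == "?":
        findings.append("'?all' is neutral, so SPF says nothing about unknown senders")
    elif all_qualifier == "~":
        findings.append("'~all' only soft-fails unknown senders; use -all, or rely on DMARC p=reject")
    if lookups > 10:
        findings.append(f"{lookups} lookup mechanisms exceed the limit of ten; receivers return permerror")
    return findings


def assess_dmarc(record: str) -> list[str]:
    """Returns weaknesses in a DMARC record; empty means spoofed mail is rejected and reported."""
    tags = parse_dmarc_tags(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["DMARC record missing or does not start with v=DMARC1"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine sends spoofed mail to junk; p=reject blocks it")
    elif policy != "reject":
        findings.append("missing or invalid p= tag; receivers ignore the record")
    if tags.get("pct", "100") != "100":
        findings.append(f"pct={tags['pct']} applies the policy to only a share of the mail")
    if "rua" not in tags:
        findings.append("no rua= address: nobody receives reports of spoofing attempts")
    return findings


# Constructed records: a monitor-only setup next to an enforcing one.
WEAK_SPF = "v=spf1 include:spf.protection.outlook.com ?all"
WEAK_DMARC = "v=DMARC1; p=none; pct=50"
STRONG_SPF = "v=spf1 include:spf.protection.outlook.com -all"
STRONG_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@apjakal.com"

if __name__ == "__main__":
    for label, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC), ("strong", STRONG_SPF, STRONG_DMARC)):
        print(label, assess_spf(spf) + assess_dmarc(dmarc) or ["no findings"])
```

DKIM is deliberately left out: its correctness can only be judged by verifying a signature on a real message, not by reading a record. Moving from p=none to p=reject is normally done in stages while watching the rua reports, which is why a missing rua address is treated here as a weakness in its own right.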

Business email compromise: the expensive one

The most costly phishing variant doesn't deploy malware at all. Business email compromise (BEC) simply convinces someone to send money. An attacker poses as a director, an accountant or a familiar supplier and requests an urgent payment or a change of banking details — often using a real, compromised account or a look-alike domain.

Because there's no malware, technical filters may not catch it. The defences are procedural: a firm rule that any change of payment details or unusual transfer is verified by phone on a known number, dual authorisation for significant payments, and a culture where staff feel safe to question an "urgent" request from the boss.

When someone clicks — respond, don't blame

Sooner or later, someone will click. How you react decides the damage. The worst outcome is a frightened employee who hides it. Build a culture where reporting a mistake is rewarded, not punished, and have a simple response ready:

  1. Change the password on the affected account immediately, and anywhere it was reused.
  2. Confirm MFA is enabled on that account.
  3. Scan the device and check for unexpected mailbox rules, logins or forwarding.
  4. Tell your IT partner so they can check for spread.
  5. Watch for unusual activity over the following days.
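Step 3, and the "malicious mailbox rules" control earlier, come down to reading every rule on the affected mailbox and asking what it hides or leaks. The Python below is an added example, not code from the article or from Apjakal: it reviews a set of inbox rules for the patterns attackers leave behind after a compromise. The rules here are constructed; their field names loosely follow the inbox rule properties Exchange Online exposes (Name, Enabled, ForwardTo, RedirectTo, DeleteMessage, MoveToFolder, SubjectContainsWords, MarkAsRead), but nothing in it talks to a mail server, and the organisation's domain is a constructed value.

```python
"""
Added example (not from the Apjakal article): triage of exported inbox rules for
signs of an attacker's persistence. Rules and the organisation domain are constructed.
"""
from dataclasses import dataclass, field

ORG_DOMAIN = "apjakal.com"   # the business's own domain (constructed)

# Subjects an attacker hides from the real owner while running a payment scam.
SENSITIVE_WORDS = {"invoice", "payment", "bank", "password", "mfa", "verification", "transfer"}

# Folders people rarely open: a favourite destination for mail that must not be seen.
BURY_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                "archive", "deleted items", "junk email"}


@dataclass
class InboxRule:
    """One mailbox rule, with the fields that matter for this review."""
    name: str
    enabled: bool = True
    forward_to: list[str] = field(default_factory=list)
    redirect_to: list[str] = field(default_factory=list)
    delete_message: bool = False
    move_to_folder: str = ""
    subject_contains: list[str] = field(default_factory=list)
    mark_as_read: bool = False


def external_addresses(addresses: list[str]) -> list[str]:
    """Addresses not at the organisation's own domain."""
    return [a for a in addresses if not a.lower().endswith("@" + ORG_DOMAIN)]


def review_rule(rule: InboxRule) -> list[str]:
    """Returns the reasons a rule deserves a human look; empty means nothing suspicious."""
    if not rule.enabled:
        return []
    findings = []
    leaked_to = external_addresses(rule.forward_to + rule.redirect_to)
    if leaked_to:
        findings.append(f"forwards mail outside the organisation to {', '.join(leaked_to)}")
    hides = rule.delete_message or rule.move_to_folder.lower() in BURY_FOLDERS
    hidden_topics = {w.lower() for w in rule.subject_contains} & SENSITIVE_WORDS
    if hides and hidden_topics:
        findings.append(f"hides messages about {', '.join(sorted(hidden_topics))}")
    if hides and rule.mark_as_read:
        findings.append("marks matching messages as read so no unread count gives the rule away")
    if len(rule.name.strip()) <= 2:     # blank, "." or "," names are a classic tell
        findings.append(f"suspicious rule name {rule.name!r}")
    return findings


def review_mailbox(rules: list[InboxRule]) -> list[tuple[str, list[str]]]:
    """Review every rule; returns (rule name, findings) for the ones that need attention."""
    flagged = []
    for rule in rules:
        findings = review_rule(rule)
        if findings:
            flagged.append((rule.name, findings))
    return flagged


# Constructed export: three ordinary rules and one an attacker added.
SAMPLE_RULES = [
    InboxRule(name="Newsletters to folder", move_to_folder="Newsletters",
              subject_contains=["newsletter"]),
    InboxRule(name="Copy to assistant", forward_to=["assistant@apjakal.com"]),
    InboxRule(name="Old forward", enabled=False, forward_to=["someone@outside.example"]),
    InboxRule(name=".", forward_to=["finance.backup@gmail-mail.example"],
              subject_contains=["invoice", "payment"], delete_message=True, mark_as_read=True),
]

if __name__ == "__main__":
    for name, findings in review_mailbox(SAMPLE_RULES):
        print(f"rule {name!r}:")
        for finding in findings:
            print("  -", finding)
```

Only the rule named "." is flagged, on all four counts. The disabled forward is skipped on purpose; it is worth a look during the clean-up, but a disabled rule cannot currently leak anything, and the review should surface what is active now.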

Phishing is a people problem with a technical backstop. Get MFA on every mailbox, filter your email properly, set a verify-by-phone rule for money, and talk to your team regularly — and you remove most of the risk. If you'd like help putting those pieces in place, or training your staff to spot the real thing, that's part of what we do.

#phishing #email security #Botswana #staff awareness

Frequently asked questions

What is phishing, in simple terms?

Phishing is a scam message — usually email, sometimes SMS or WhatsApp — designed to trick you into handing over a password, clicking a malicious link, or making a payment. It works by impersonating someone you trust: your bank, a supplier, a colleague or your own IT team.

What is business email compromise?

Business email compromise (BEC) is a targeted scam where an attacker poses as a senior person or a known supplier and asks for an urgent payment or a change of banking details. It often uses a real or look-alike email address and is one of the costliest scams for businesses because it goes straight for money.

Someone clicked a phishing link — what should we do?

Act fast and without blame. Change the password on the affected account immediately and on anything that shared it, confirm MFA is on, scan the device, and watch for unusual activity such as unexpected logins or mailbox rules. Tell your IT partner. Speed and honesty limit the damage far more than panic or hiding it.
