Digital Africa

Prevent phishing in your team in Senegal in 2026

Mohamed Bah · Founder, Kolonell
May 21, 2026

Phishing in Senegal: a cybercriminal national sport in 2026

Phishing is the number one entry point: 62% of the incidents observed in Senegal in 2024-2025. It is more effective than any purely technical attack because it exploits people directly. The more an SME grows, the more employees there are to target, and the larger the attack surface becomes.

The good news: phishing is the easiest threat to reduce significantly. A well-designed program (training + simulations + technical controls) brings the phishing click rate from 30% to under 5% in 12 months.

I deployed this program at 8 Senegalese SMEs. Here is the complete method.

H2: Recognize a phishing email in 10 seconds

Sign 1 — Spelling or grammar errors. "Your account has been compromized", "Click here to reset it". Attackers often translate from English or rely on rough translation tools.

Sign 2 — Strange URL. Hovering over the link (without clicking) reveals the real URL. Legitimate "uba-senegal.com" vs fraudulent "uba-sn.security-login.tk". Be wary of .tk, .ml, .xyz and .top, which banks rarely use. Also watch for misleading subdomains: "ubasenegal.com.phishingsite.com" belongs to phishingsite.com, not to ubasenegal.com, because only the last labels of a host name decide who receives the click.

Sign 3 — Fake urgency. "Your account will be blocked in 24h!", "Action required immediately", "Last reminder". Serious institutions give time. Urgency short-circuits reflection.

Sign 4 — Spoofed sender. "UBA Security" appears as the display name, but the address is "security-uba@protonmail.com" instead of the @uba.sn domain. Check the exact email domain of the address, not just the displayed name, which is free text anyone can set.

Sign 5 — Unusual request. Your bank will NEVER ask for your password by email. The DGID will not ask you to pay by crypto. IT service will not ask for your Office 365 password by email.

Sign 6 — Suspicious attachment. .exe, .zip, .iso, macro-enabled Office files (.docm, .xlsm). Real invoices arrive as plain PDFs, not password-protected ones.

Sign 7 — Generic greeting. "Dear customer", "Hello" instead of your real name. If your bank has your name, it uses it.

Sign 8 — Slightly off logo or layout. Slightly different UBA colors, blurry logo, inconsistent fonts.

Sign 9 — Recently registered sending domain. Online tools (whois, urlscan.io) let you check a domain's age. A domain created yesterday is highly suspicious.

Sign 10 — Fake legal or tax context. "Pending DGID refund", "COSEC social security reminder", "Treasury notification". Always verify through the institution's official channels, never through the contact details in the mail itself.
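Signs 2 and 4 are the two that can be checked mechanically. The script below is an added example written for this article (not a Kolonell tool and not from any of the vendors mentioned later); it reuses the article's own illustrations in a constructed sample mail and assumes "uba.sn" is the bank's legitimate domain. It extracts the domain that really receives a click, flags the TLDs listed in Sign 2 and misleading subdomains, and compares the sender's address domain with the display name as in Sign 4.

```python
"""Heuristic triage for Sign 2 (strange URL) and Sign 4 (spoofed sender).

Example code added for this article; not a Kolonell tool. SUSPICIOUS_MAIL is a
constructed sample built from the article's examples; "uba.sn" is assumed to be
the bank's legitimate domain.
"""
from email.utils import parseaddr
from typing import List
from urllib.parse import urlparse

# TLDs the article lists as rarely used by banks (Sign 2).
SUSPICIOUS_TLDS = {"tk", "ml", "xyz", "top"}


def registrable_domain(host: str) -> str:
    """Part of the host name that really receives the click: its last two labels.
    Simplification: a production tool should use the public suffix list so that
    names such as 'example.co.uk' are handled correctly.
    'ubasenegal.com.phishingsite.com' -> 'phishingsite.com'
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def contains_as_labels(host: str, domain: str) -> bool:
    """True if the labels of `domain` appear contiguously inside `host`."""
    h, d = host.lower().split("."), domain.lower().split(".")
    return any(h[i:i + len(d)] == d for i in range(len(h) - len(d) + 1))


def check_url(url: str, legit_domain: str) -> List[str]:
    """Sign 2: compare the link's real domain with the organisation's domain."""
    findings = []
    host = (urlparse(url).hostname or "").lower()
    real = registrable_domain(host)
    tld = real.rsplit(".", 1)[-1]
    if tld in SUSPICIOUS_TLDS:
        findings.append(f"suspicious TLD .{tld} in link host {host}")
    if real != legit_domain:
        if contains_as_labels(host, legit_domain):
            # The brand appears, but only as a subdomain of someone else's domain.
            findings.append(f"misleading subdomain: {host} really belongs to {real}")
        else:
            findings.append(f"link goes to {real}, not {legit_domain}")
    return findings


def check_sender(from_header: str, legit_domain: str) -> List[str]:
    """Sign 4: the display name is free text; only the address domain counts."""
    display, addr = parseaddr(from_header)
    addr_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if addr_domain != legit_domain:
        return [f"display name '{display}' but address domain '{addr_domain}' is not {legit_domain}"]
    return []


def triage(from_header: str, urls: List[str], legit_domain: str) -> dict:
    """Combine both checks; any finding means 'report it, do not click'."""
    findings = check_sender(from_header, legit_domain)
    for url in urls:
        findings += check_url(url, legit_domain)
    return {"findings": findings, "verdict": "report" if findings else "no sender/url anomaly"}


# Constructed sample mail reusing the article's examples.
SUSPICIOUS_MAIL = {
    "from": "UBA Security <security-uba@protonmail.com>",
    "urls": ["https://uba-sn.security-login.tk/reset", "http://uba.sn.phishingsite.com/login"],
}

if __name__ == "__main__":
    result = triage(SUSPICIOUS_MAIL["from"], SUSPICIOUS_MAIL["urls"], "uba.sn")
    for finding in result["findings"]:
        print("-", finding)
    print("verdict:", result["verdict"])
```

The two-label rule in `registrable_domain` is deliberately simple; for country-code second-level domains (co.uk, com.br) a real tool must consult the public suffix list, otherwise it will misjudge where the link lands.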

H2: Phishing training program in 4 steps

Step 1 — Initial audit (baseline). Send a phishing simulation to the whole team without warning and measure the click rate. Median for an untrained Senegalese SME: 28-42%.

Step 2 — Initial training (1 hour, all employees). Video module plus practical workshops: recognizing the 10 signs, the alert procedure (the Outlook / Gmail "Report phishing" button), real examples from Senegal.

Step 3 — Automated monthly simulations. A dedicated tool sends fake phishing emails automatically. If an employee clicks, they are redirected to a 5-minute learning page; if they report the mail correctly, they get a congratulation and the team statistic.

Step 4 — Reporting and continuous improvement. Quarterly dashboard: click rate, report rate, at-risk employees (reinforced training), trends by department.
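The Step 4 dashboard is simple arithmetic over the simulation results, and computing it yourself is useful when the tool's export is the only thing you get. The script below is an added example for this article, not the reporting of KnowBe4, Hoxhunt or a Kolonell tool; `RESULTS` is a constructed three-month sample for four employees, and the field names are assumed. It produces the four indicators listed in Step 4: overall click and report rates, per-department rates, the monthly click-rate trend, and the employees who clicked often enough to need reinforced training.

```python
"""Step 4 dashboard metrics computed from monthly simulation results.

Example code added for this article; not the output of any vendor's tool.
RESULTS is a constructed sample; the SimResult fields are assumed.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class SimResult:
    employee: str
    department: str
    month: str       # "YYYY-MM" of the simulation
    clicked: bool    # followed the fake link
    reported: bool   # used the "Report phishing" button


# Constructed sample: 4 employees, 3 monthly simulations each (12 mails sent).
RESULTS = [
    SimResult("awa", "finance", "2026-01", True, False),
    SimResult("awa", "finance", "2026-02", True, False),
    SimResult("awa", "finance", "2026-03", True, False),
    SimResult("moussa", "finance", "2026-01", False, True),
    SimResult("moussa", "finance", "2026-02", False, True),
    SimResult("moussa", "finance", "2026-03", False, True),
    SimResult("fatou", "sales", "2026-01", True, False),
    SimResult("fatou", "sales", "2026-02", False, False),
    SimResult("fatou", "sales", "2026-03", False, True),
    SimResult("ibrahima", "sales", "2026-01", False, False),
    SimResult("ibrahima", "sales", "2026-02", True, True),   # clicked, then reported
    SimResult("ibrahima", "sales", "2026-03", False, True),
]


def rates(results: List[SimResult]) -> Dict[str, float]:
    """Click rate and report rate in percent over the given results."""
    sent = len(results)
    clicks = sum(r.clicked for r in results)
    reports = sum(r.reported for r in results)
    return {
        "sent": sent,
        "click_rate": round(100 * clicks / sent, 1) if sent else 0.0,
        "report_rate": round(100 * reports / sent, 1) if sent else 0.0,
    }


def by_department(results: List[SimResult]) -> Dict[str, Dict[str, float]]:
    """Same indicators, grouped by department."""
    groups = defaultdict(list)
    for r in results:
        groups[r.department].append(r)
    return {dept: rates(rs) for dept, rs in groups.items()}


def monthly_trend(results: List[SimResult]) -> Dict[str, float]:
    """Click rate per month, oldest first, to see whether training is working."""
    groups = defaultdict(list)
    for r in results:
        groups[r.month].append(r)
    return {month: rates(groups[month])["click_rate"] for month in sorted(groups)}


def at_risk(results: List[SimResult], min_clicks: int = 3, last_months: int = 3) -> List[str]:
    """Employees with at least min_clicks clicks in the last N simulated months:
    the candidates for reinforced training and individual coaching."""
    months = sorted({r.month for r in results})[-last_months:]
    clicks = defaultdict(int)
    for r in results:
        if r.month in months and r.clicked:
            clicks[r.employee] += 1
    return sorted(e for e, n in clicks.items() if n >= min_clicks)


if __name__ == "__main__":
    print("overall:", rates(RESULTS))
    print("by department:", by_department(RESULTS))
    print("trend:", monthly_trend(RESULTS))
    print("at risk:", at_risk(RESULTS))
```

Note that a click followed by a report (ibrahima in 2026-02) counts in both rates: the click is the exposure, the report is the behaviour you want to reinforce, so keep both visible rather than netting them out.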

H2: Tools — KnowBe4 vs Hoxhunt vs Microsoft comparison

Tool                                      | Price / user / year | Characteristics                                                   | Ideal for
------------------------------------------|---------------------|-------------------------------------------------------------------|-----------------------------------
KnowBe4                                   | 5,500-9,500 FCFA    | World leader, huge catalog (200+ modules), automated simulations  | Structured SMEs, 20-500 employees
Hoxhunt                                   | 9,500-15,000 FCFA   | Advanced gamification, daily micro-learning, adaptive AI          | Engaging teams, young employees
Microsoft Attack Simulator (M365 BP / E5) | Included in M365 BP | Basic simulations integrated into Microsoft 365                   | If already on M365 BP
Cofense PhishMe                           | 8,000-12,000 FCFA   | Very good reporting, SOC integration                              | Large SMEs, 100+ employees
Phished.io                                | 5,000-7,500 FCFA    | European, GDPR-native                                             | SMEs with a European presence

2026 recommendation for a 10-50 employee SME: KnowBe4 on a standard budget; Hoxhunt if the team is young and responds to a highly engaging format; Microsoft Attack Simulator if you are already on M365 BP (use what is included before buying anything).

H2: Email protection — SPF + DKIM + DMARC

Without these three protocols, anyone can send an email "from" your domain. Consequence: attackers impersonate your CEO and your partners receive fake mail signed in your name.

SPF (Sender Policy Framework). A DNS TXT record listing the servers authorized to send mail for your domain. Example: "v=spf1 include:_spf.google.com include:spf.protection.outlook.com -all" (the final "-all" tells receivers to fail any sender not listed).

DKIM (DomainKeys Identified Mail). A cryptographic signature on every outgoing mail, which recipients verify against a public key you publish in DNS. Configured in both the DNS console and the mail provider's console (Google Workspace, Microsoft 365, Brevo).

DMARC (Domain-based Message Authentication, Reporting and Conformance). Enforcement policy plus reporting. You tell receivers what to do with mail that fails SPF/DKIM (or whose passing domain does not align with the From: domain): "quarantine" (deliver to spam) or "reject". Example: "v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@yourdomain.sn".

Free verification tools. mxtoolbox.com (SPF + DKIM + DMARC test), dmarcian.com (DMARC report analysis), Google Postmaster Tools.
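Before pasting records into mxtoolbox.com, it helps to know what a correct record looks like and which mistakes are common. The script below is an added example for this article (not a Kolonell tool and not any of the services just listed): an offline parser that audits SPF, DKIM and DMARC TXT records you paste in, using the two records quoted above plus constructed variants. The checks it applies are the usual ones: exactly one SPF record ending in "-all" and staying under the 10 DNS-lookup limit of RFC 7208, a DKIM key that is not empty (an empty "p=" means the key is revoked), and a DMARC policy that enforces something and has a "rua=" address so the reports actually reach you. For a live domain you would first fetch the TXT records for the domain itself, for "<selector>._domainkey.<domain>" and for "_dmarc.<domain>".

```python
"""Offline sanity checks for SPF, DKIM and DMARC TXT records.

Example code added for this article, not a Kolonell or mxtoolbox tool. Records
are passed in as strings; the sample values are the article's own examples plus
constructed weak variants.
"""
from typing import Dict, List, Optional

# SPF terms that cost a DNS lookup; RFC 7208 allows at most 10 per evaluation.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10


def parse_spf(record: str) -> Dict:
    """Split an SPF record into its mechanisms, the 'all' qualifier and lookup count."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    mechanisms, all_qualifier, lookups = [], None, 0
    for term in terms[1:]:
        qualifier = "+"                      # default qualifier is pass
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        # strip ':value', '=value' and '/cidr' to get the bare mechanism name
        name = term.split(":", 1)[0].split("=", 1)[0].split("/", 1)[0].lower()
        if name == "all":
            all_qualifier = qualifier
        else:
            mechanisms.append((qualifier, term))
        if name in LOOKUP_TERMS:
            lookups += 1
    return {"mechanisms": mechanisms, "all": all_qualifier, "lookups": lookups}


def audit_spf(txt_records: List[str]) -> List[str]:
    """txt_records: every TXT record published at the domain apex."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return ["no SPF record: any server may send mail as this domain"]
    if len(spf) > 1:
        return ["multiple SPF records: receivers treat this as a permanent error"]
    parsed = parse_spf(spf[0])
    findings = []
    if parsed["all"] is None:
        findings.append("no 'all' mechanism: unlisted servers get a neutral result")
    elif parsed["all"] in ("+", "?"):
        findings.append(f"'{parsed['all']}all' lets anyone send as this domain")
    elif parsed["all"] == "~":
        findings.append("~all is soft fail only; move to -all once DMARC reports are clean")
    if parsed["lookups"] > MAX_LOOKUPS:
        findings.append(f"{parsed['lookups']} lookup terms exceed the limit of {MAX_LOOKUPS}")
    return findings


def parse_tags(record: str) -> Dict[str, str]:
    """Parse the 'k=v; k=v' tag lists used by DKIM and DMARC records."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def audit_dkim(record: Optional[str]) -> List[str]:
    """record: the TXT value at <selector>._domainkey.<domain>, or None if absent."""
    if not record:
        return ["no DKIM record at the selector: outgoing mail is unsigned"]
    tags = parse_tags(record)
    findings = []
    if tags.get("v", "DKIM1") != "DKIM1":      # v= is optional but must be DKIM1
        findings.append("v= must be DKIM1 when present")
    if not tags.get("p"):
        findings.append("empty p= tag: the key is revoked, signatures will fail")
    return findings


def audit_dmarc(record: Optional[str]) -> List[str]:
    """record: the TXT value at _dmarc.<domain>, or None if absent."""
    if not record:
        return ["no DMARC record: SPF/DKIM failures are not enforced"]
    tags = parse_tags(record)
    findings = []
    if tags.get("v") != "DMARC1":
        findings.append("missing v=DMARC1 (must be the first tag)")
    policy = tags.get("p")
    if policy not in ("none", "quarantine", "reject"):
        findings.append(f"invalid or missing p= policy: {policy!r}")
    elif policy == "none":
        findings.append("p=none only monitors; move to quarantine, then reject")
    if "rua" not in tags:
        findings.append("no rua= address: you will not receive aggregate reports")
    if tags.get("pct", "100") != "100":
        findings.append(f"pct={tags['pct']}: policy applied to only that share of mail")
    return findings


if __name__ == "__main__":
    print(audit_spf(["v=spf1 include:_spf.google.com include:spf.protection.outlook.com -all"]))
    print(audit_dmarc("v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@yourdomain.sn"))
    print(audit_spf(["v=spf1 include:_spf.google.com +all"]))   # constructed weak record
```

One caveat on the lookup count: the parser only counts the terms in the record you pass in, whereas receivers also count the lookups inside each included record, so a domain with several "include:" entries can exceed the limit even when this check is clean; mxtoolbox.com follows the includes for you.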

H2: Internal alert procedure — who does what when phishing suspected

If you suspect a received mail is phishing:

  • DO NOT click any link or download any attachment
  • Click the "Report phishing" button (Outlook / Gmail) or forward the mail to phishing@yourdomain.sn
  • Delete the mail
  • If you clicked by mistake: immediately change the affected password and alert IT

If you entered your credentials by mistake:

  • Immediately change the password on the affected service
  • Also change it everywhere you reused the same password (one more reason never to reuse a password)
  • Enable MFA if it is not already on
  • Alert IT so they can review recent sign-ins and the audit logs

FAQ

How long to reduce phishing click rate?

3-6 months to get under 10%, 12 months to get under 5%. Beyond that, a hard plateau: 1-3% of people will always click (fatigue, distraction). That is why prevention alone is not enough: combine it with MFA, EDR and an incident response plan.

KnowBe4 or Hoxhunt in 2026?

KnowBe4: the market reference, broader content, slightly cheaper. Hoxhunt: more modern gamification and adaptive AI, better suited to generations Y/Z, more expensive. Test both in a 30-day free demo before buying.

Should we fire an employee who clicks 3 times?

No. A phishing click is not misconduct; it is a symptom of insufficient training. Response: reinforced training plus individual coaching. If an employee clicks 5+ times in 3 months: a managerial conversation plus supervised simulations.

Is MFA enough to protect from phishing?

No. Advanced phishing (Adversary-in-the-Middle, Evilginx kits) can bypass TOTP MFA. The stronger option: passkeys (FIDO2) or a YubiKey hardware key, which resist phishing by design because the credential is cryptographically bound to the legitimate domain and will not work on a look-alike site.

SPF, DKIM, DMARC: how much does deployment cost?

0 FCFA in licenses. Consultant time: 80,000-180,000 FCFA for a complete SME deployment (audit of the current DNS, configuration, a DMARC tuning period in monitoring mode then hardening to reject, internal IT training).

Let's talk about your case

If you want to audit your team's phishing maturity and deploy a prevention program in Senegal, we can design this engagement with you. WhatsApp +221 77 596 93 33.

Mohamed Bah

Founder, Kolonell

Passionate about digital and entrepreneurship in Africa, Mohamed has been helping Senegalese businesses with their digital transformation since 2020. Founder of Kolonell, he believes every SME deserves a professional and accessible online presence.