Over the past two quarters we have watched credential phishing against regional institutions shift from opportunistic to industrial. The kits behind current campaigns are subscription services: hosted infrastructure, templated bank and webmail portals, and reverse-proxy session capture that defeats one-time-password codes by relaying them in real time.
What has changed
Three things make this wave different. The kits now localize well, with convincing Somali, Swahili, and Amharic lures alongside English. They capture sessions rather than passwords, so SMS and app-based one-time codes no longer end the conversation. And targeting has moved from customers to staff: finance officers, core banking operators, and IT administrators, where one session is worth thousands of customer accounts.
What we recommend this quarter
First, move privileged and finance staff to phishing-resistant authentication. Hardware security keys or platform passkeys defeat reverse-proxy capture; one-time codes do not. Start with the twenty accounts that can move money or change infrastructure, not with a bank-wide rollout.
Second, instrument your identity provider for impossible travel and new-device session anomalies, and rehearse the response: who kills the session, who freezes payments, who calls the correspondent bank.
Third, brief staff on the specific lure patterns in circulation: payment confirmation requests, regulator-branded circulars, and HR portal renewals. Generic awareness training does not survive contact with a well-localized lure; specific examples do.
Institutions that want the current indicator set for blocking can request it through our advisory channel.