Phishing in Jamaica: Why Your Staff Are the Target

A Kingston accounting clerk receives an email that appears to come from her managing partner. The subject line reads "Quick favour, are you at your desk?" The email is short, polite, signed with the partner's name, and asks her to handle a same-day wire transfer to a vendor whose details are attached. The clerk replies. A short exchange follows. By 4pm she has authorised a J$1.7 million transfer to an account she has never seen before, on the instruction of someone she has never actually spoken to.

The managing partner is on a flight at the time and has no knowledge of the email. The account is offshore. The money is gone within 48 hours.

This is not a hypothetical. Some version of this scenario plays out every week somewhere in Jamaica. The technical defences most businesses already have (firewalls, antivirus, email filters) do not stop it. They do not stop it because the attack is not really aimed at the technology. It is aimed at the staff member.

This article covers the specific phishing patterns hitting Jamaican businesses right now, why they work, and what an effective response actually looks like.

Why Jamaica Specifically

Phishing targets every country, but the patterns localise. Attackers do their homework. They know what banks Jamaicans use, what utility companies bill them, what government agencies they fear, and what Jamaican corporate culture looks like. The lures are tuned to that local context, which is exactly why they work better than generic attacks.

The four patterns we see most often in 2026:

Fake bank notifications. Emails appearing to come from NCB, Scotiabank, JN Bank, or Sagicor, claiming there is a problem with the recipient's account that requires immediate action. The email links to a login page that looks identical to the real bank's site but lives at a slightly wrong domain. The recipient logs in. Their credentials are now in the attacker's hands. If the recipient is using their personal banking from a work laptop, and they often are, the attacker now has a foothold in the corporate environment as well.

Fake JPS billing notices. Emails claiming the recipient's electricity bill is overdue and disconnection is imminent unless payment is made within 24 hours. The links go to fake payment portals that capture credit card details and login credentials. JPS does email customers about bills. The fakes are designed to be indistinguishable from the real thing at a glance.

Tax authority and government impersonation. Emails from "Tax Administration Jamaica" or "the Companies Office" claiming filing deadlines have been missed and threatening penalties. Particularly effective during quarterly filing periods because the timing matches what staff are actually expecting to receive.

Executive impersonation by email and WhatsApp. The most lucrative pattern in our experience. Attackers research a target company on LinkedIn, identify the managing director or CFO, and craft an email or WhatsApp message that appears to come from them. The target is usually someone in finance or operations with the authority to move money or send sensitive information. The message creates urgency, asks for help, and provides a plausible reason the request needs to be handled immediately and quietly.

The WhatsApp version is particularly hard to detect because most Jamaican businesses use WhatsApp for legitimate internal communication. A message from a number the recipient does not recognise but that claims to be the boss travelling abroad with a new local SIM is plausible enough to slip past someone who is busy.

Why Technical Defences Are Not Enough

Email security tools catch the bulk of generic phishing. Microsoft 365 and Google Workspace, properly configured, filter out most mass phishing campaigns before they reach the inbox. Fortinet email security and similar platforms add another layer.

What these tools do not catch reliably:

Targeted attacks. A handcrafted email sent to one person, from a domain that has not been used in any prior attack, with no malware payload, no malicious link, just text. There is nothing for an automated filter to flag.

WhatsApp. The phone is outside your IT environment. Your email security cannot see what is happening on your CFO's WhatsApp.

Compromised legitimate accounts. When an attacker has already taken over the email account of a real supplier or partner, the phishing email comes from a real address with a clean reputation. The filter has no reason to block it.

Voice and SMS-based attacks. Phone calls from people claiming to be from the bank, IRS, or your own IT department. Text messages with malicious links. None of this touches your email security at all.

The technical defences are necessary. They are not sufficient. The remaining attack surface is your staff, and that is the layer that gets neglected at most Jamaican SMBs.

What Effective Training Actually Looks Like

The annual cybersecurity briefing nobody pays attention to is not training. It is theatre. It satisfies a checkbox on a compliance form and changes nothing about how staff behave when a real attack lands in their inbox on a busy Tuesday.

Effective training has four components.

Simulated phishing tests, ongoing. Once a quarter at minimum, ideally monthly. Realistic emails sent to staff, designed to look like the actual attacks targeting Jamaican businesses. Staff who click the link or enter credentials get a brief, non-punitive teaching moment that explains what they missed. Staff who do not click are tracked too, because what you want is a baseline that improves over time.

Short, frequent video lessons. Three to five minutes, tied to current attack trends. Not a 90-minute annual course. A 4-minute video on "how to spot a fake JPS bill" delivered the week the JPS phishing wave is hitting hard. Attention spans are short. Lessons should fit the attention span available.

Clear reporting paths. Every staff member should know exactly what to do when they receive a suspicious email or message. There should be a button in their email client or a phone number they can call. The reporting should be easy and the response should be fast and supportive. If reporting a suspicious email gets you a sarcastic response from IT, nobody reports them.

Baseline metrics and tracking. You cannot manage what you do not measure. The training programme should produce numbers: click rate, report rate, time-to-report, repeat offenders. Those numbers should improve quarter over quarter. If they are not improving, the training is not working.

When done properly, simulated phishing click rates at most SMBs drop from a baseline of 25 to 35 percent to 5 to 8 percent within 12 months. That is a real reduction in your business's risk, achieved through repetition and feedback rather than through any technical change.
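The four numbers named in the tracking paragraph above are straightforward to compute from the raw events a simulation platform exports. The script below is an added example, not the article's or Systems Rubix's tooling, that does so on a constructed two-campaign dataset: click rate, report rate, median time-to-report, repeat offenders, and a quarter-over-quarter improvement check. Campaign labels, user names and timestamps are all made up.

```python
"""Phishing-simulation metrics from raw campaign events.

Added example, not the article's or Systems Rubix's tooling. Computes the four
numbers the article names (click rate, report rate, time-to-report, repeat
offenders) plus a simple quarter-over-quarter improvement check.
All events below are constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from statistics import median
from typing import Optional


@dataclass
class Event:
    """One recipient's outcome in one simulated campaign."""
    campaign: str
    user: str
    sent: datetime
    clicked: Optional[datetime] = None   # when the lure link was clicked
    reported: Optional[datetime] = None  # when the user reported the email


def campaign_metrics(events):
    """Per campaign: click rate, report rate (percent), median minutes to
    report, and the set of users who clicked."""
    by_campaign = defaultdict(list)
    for e in events:
        by_campaign[e.campaign].append(e)
    out = {}
    for name, evs in sorted(by_campaign.items()):
        n = len(evs)
        clicked = [e for e in evs if e.clicked]
        reported = [e for e in evs if e.reported]
        minutes = [(e.reported - e.sent).total_seconds() / 60 for e in reported]
        out[name] = {
            "recipients": n,
            "click_rate": round(100 * len(clicked) / n, 1),
            "report_rate": round(100 * len(reported) / n, 1),
            "median_minutes_to_report": round(median(minutes), 1) if minutes else None,
            "clicked_users": {e.user for e in clicked},
        }
    return out


def repeat_offenders(metrics, min_campaigns=2):
    """Users who clicked in at least min_campaigns campaigns; they need
    targeted follow-up rather than another group video."""
    counts = defaultdict(int)
    for m in metrics.values():
        for user in m["clicked_users"]:
            counts[user] += 1
    return sorted(u for u, c in counts.items() if c >= min_campaigns)


def is_improving(metrics):
    """True when click rate falls and report rate rises between every pair of
    consecutive campaigns (campaign labels are assumed to sort chronologically)."""
    rows = [metrics[k] for k in sorted(metrics)]
    return all(later["click_rate"] < earlier["click_rate"]
               and later["report_rate"] > earlier["report_rate"]
               for earlier, later in zip(rows, rows[1:]))


def _t(s):
    return datetime.fromisoformat(s)


# Constructed: two quarterly campaigns to the same five staff.
SAMPLE_EVENTS = [
    # Baseline quarter: two clicks, one report, and nobody who clicked reported.
    Event("2026-Q1", "aclark", _t("2026-02-03T09:00"), clicked=_t("2026-02-03T09:12")),
    Event("2026-Q1", "bgrant", _t("2026-02-03T09:00"), clicked=_t("2026-02-03T10:40")),
    Event("2026-Q1", "cdaley", _t("2026-02-03T09:00"), reported=_t("2026-02-03T11:30")),
    Event("2026-Q1", "dellis", _t("2026-02-03T09:00")),
    Event("2026-Q1", "efox", _t("2026-02-03T09:00")),
    # Second quarter: one click (a repeat), three reports, and the clicker
    # reported within 15 minutes of clicking, which is the outcome you want.
    Event("2026-Q2", "aclark", _t("2026-05-05T09:00"),
          clicked=_t("2026-05-05T09:05"), reported=_t("2026-05-05T09:20")),
    Event("2026-Q2", "bgrant", _t("2026-05-05T09:00"), reported=_t("2026-05-05T09:08")),
    Event("2026-Q2", "cdaley", _t("2026-05-05T09:00"), reported=_t("2026-05-05T09:30")),
    Event("2026-Q2", "dellis", _t("2026-05-05T09:00")),
    Event("2026-Q2", "efox", _t("2026-05-05T09:00")),
]


if __name__ == "__main__":
    metrics = campaign_metrics(SAMPLE_EVENTS)
    for name, m in metrics.items():
        print(f"{name}: click {m['click_rate']}%  report {m['report_rate']}%  "
              f"median minutes to report {m['median_minutes_to_report']}")
    print("repeat offenders:", repeat_offenders(metrics))
    print("improving:", is_improving(metrics))
```

A user who clicks and then reports counts in both rates, deliberately: the click is the training signal, the fast report is the behaviour the next section asks for, and hiding the click is the only outcome worse than the click itself. Report rate and time-to-report therefore matter as much as click rate when judging whether a programme is working.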

If your business is not yet ready to run formal phishing simulations or invest in a structured training programme, CheckMiIP's Security Essentials guide is a practical free starting point — it covers the core risks your team needs to recognise and takes under an hour to work through.

What to Do If Someone Clicks

Train staff to assume they will eventually click on something. The goal is not zero clicks. The goal is fast reporting after a click happens, because the time between compromise and damage is where you can still save the situation.

Tell every staff member: if you clicked something you should not have, tell IT immediately. Not tomorrow. Not after lunch. Now. There will be no consequences for reporting fast. There will be consequences for hiding it. The window between clicking a malicious link and the attacker doing meaningful damage is often hours, sometimes days. A fast report inside that window means we can disable the affected account, force password resets, check logs, contain the situation. A late report means the attacker has had time to set up persistence, exfiltrate data, or pivot to other systems.

This is a culture question more than a technical one. Make reporting safe and fast and your incident outcomes get dramatically better.

What This Looks Like at Systems Rubix

Our Cybersecurity service includes security awareness training built specifically for Jamaican businesses. Simulated phishing campaigns use templates modelled on the actual attacks hitting the local market: NCB, Scotiabank, JPS, Tax Administration Jamaica, executive impersonation in both email and WhatsApp. Staff get short video lessons, baseline reports, and ongoing tracking. Owners get quarterly metrics showing whether the programme is actually working.

The training is currently available with a 15-day free trial, no credit card required, no contract. You see whether it fits your business before committing to anything.

If you want to talk through what would work for your team, get in touch. The first conversation is a 20-minute call where we ask about your business and tell you honestly whether security awareness training is the right priority for you right now, or whether something else in your environment needs attention first.

Questions about your IT setup?

We work with businesses across Jamaica. Start with a free Cybersecurity Checkup — we'll show you what's exposed and what to fix first.