The Investec Attack: What Businesses Need To Do Now

Investec attack overview:

  • AI has made sophisticated impersonation attacks cheap, scalable, and increasingly common.
  • These attacks exploit your brand’s credibility, not a vulnerability in your systems.
  • A DMARC policy of p=reject stops unauthenticated email from reaching customers.
  • Lookalike domains bypass DMARC – continuous monitoring is a separate, necessary control.
  • Sophisticated impersonation is an organizational problem, not a customer one.

A sophisticated, multi-stage attack is actively targeting Investec customers. Money is being moved out of accounts in real time. The Investec attack exploits the trust that bank customers place in the communications they receive.

This post breaks down exactly how the Investec attack works, why it’s so effective, and what both companies and individuals need to do about it.

How the Investec Attack Works

The Investec attack unfolds in three stages, each designed to build on the credibility established by the last.

Stage 1: The Trigger Message

The victim receives an SMS or email that looks like a payment notification for a large, unfamiliar transaction. A fraudulent contact number is included in the message. The email, in particular, is visually convincing.

Stage 2: The Fake Call Center

Alarmed, the customer calls the number. They are greeted by an IVR that replicates Investec’s system exactly. A call center agent then tells the customer their banking portal access needs to be reset. A WhatsApp message follows with a link to complete the process.

Stage 3: Credential Harvesting

The link leads to a convincing replica of the Investec login page. It isn’t the real one. Credentials entered on this page go directly to the attacker, who uses them to access the real portal and transfer funds to accounts they control.

Why the Investec Attack Works

The Investec attack isn’t a low-effort scam. The level of detail is deliberate and considerable. The email looks legitimate. The IVR is a functional duplicate. The phishing page is indistinguishable from the real one.

Attackers have always relied on urgency and fear to override rational behavior. That dynamic hasn’t changed. What has changed is the production quality. Artificial intelligence lowers the cost and technical barrier to building convincing replicas of pages, of voices, of entire call centers. Attacks that once required significant resources can now be deployed at scale with a fraction of the effort.

The economics are straightforward: high returns, lower risk than traditional crime, and limited technical barriers.

What the Investec Attack Means for Businesses

Investec is the target in this instance. Tomorrow, it could be any financial services firm, insurer, telecom, or enterprise brand with recognizable communications.

The defense is layered, but it starts in the same place:

DMARC stops spoofing from your domain. If your organization enforces a p=reject DMARC policy, an unauthenticated email claiming to come from your domain would be blocked before reaching customers. DMARC doesn’t cover every attack vector, but it eliminates a significant one. Unauthenticated email should never reach an inbox.

Lookalike Domain Defense catches what DMARC misses. Attackers register domains that resemble trusted brands – slight misspellings, added words, different top-level domains – specifically to slip past basic checks. Identifying and monitoring those domains before they’re used in an attack is proactive defense. Sendmarc’s Lookalike Domain Defense continuously monitors for domains designed to impersonate your brand.
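The three lookalike patterns named above (slight misspellings, added words, different top-level domains) can be triaged with a short classifier. This is an added example, not Sendmarc's product logic; the brand `acmebank.example`, the candidate list and the function names are constructed, and the code assumes each input is a registrable domain whose last label is the TLD.

```python
# Added example: classify candidate domains against a brand domain.
# Brand and candidates are constructed and use reserved TLDs (.example, .test).

def levenshtein(a, b):
    """Edit distance (insertions, deletions, substitutions) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_domain(domain):
    """Split into (name, tld). Simplification: the last label is treated as the TLD."""
    name, _, tld = domain.lower().rstrip(".").rpartition(".")
    return name, tld


def classify(brand, candidate, max_distance=2):
    """Label a candidate as exact, different-tld, added-word, misspelling or unrelated."""
    bname, btld = split_domain(brand)
    cname, ctld = split_domain(candidate)
    if (cname, ctld) == (bname, btld):
        return "exact"            # the only value a customer should accept
    if cname == bname:
        return "different-tld"    # same name under another top-level domain
    if bname in cname:
        return "added-word"       # brand name with extra words around it
    if levenshtein(cname, bname) <= max_distance:
        return "misspelling"      # a character or two away from the brand
    return "unrelated"


def triage(brand, candidates):
    """Return {candidate: label} for every candidate that needs review."""
    labels = {c: classify(brand, c) for c in candidates}
    return {c: l for c, l in labels.items() if l not in ("exact", "unrelated")}


BRAND = "acmebank.example"  # hypothetical brand domain
CANDIDATES = ["acmebank.example", "acmebnak.example", "acmebank-secure.example",
              "acmebank.test", "weather.example"]

if __name__ == "__main__":
    for domain, label in triage(BRAND, CANDIDATES).items():
        print(f"{domain}: {label}")
```

Feed it newly observed domains (for example from registration or certificate feeds you already collect) and review everything `triage` returns.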

Unified visibility eliminates blind spots. Security and IT teams can’t protect what they can’t see. Gaining unified visibility into all SPF, DKIM, and DMARC configurations – across every sending tool, department, and region – is essential. Unauthorized or misconfigured senders create gaps that attackers are quick to exploit.

Continuous monitoring prevents policy drift. Email authentication isn’t a configuration you complete and move on from. Domains change. New tools get added. Policies drift. Stretched security teams can’t manually keep track of it all. Maintaining continuous improvements without increasing internal workload is what separates companies that stay protected from those that create openings over time.

What To Do if You’re a Customer

You don’t need to be a security professional to protect yourself. Four practices cover most of the risk.

  1. Don’t trust the number in the message. If you receive an unexpected fraud alert, search for the bank’s contact number independently. Go to their website directly. Do not call the number provided in the message.
  2. Check the sending domain. Look at the full email address – specifically the part after the @. If it doesn’t exactly match the bank’s official domain, it’s most likely not from them.
  3. Bookmark your internet banking. Do not follow links to your bank from emails or messages. Use a bookmarked URL you’ve set up yourself. If you receive a login link from anyone, don’t use it.
  4. Slow down. Urgency is a feature of the attack. Taking 30 seconds to verify a number or check a domain could prevent the loss of your savings.

Investec has published its own guidance on this attack, which you can find on its website.

Where Sendmarc Fits In

The Investec attack follows a pattern that’s becoming standard. The technical components – domain spoofing, lookalike pages, voice cloning for IVR systems – are increasingly accessible. The human element – fear, trust, urgency – has always been there.

Businesses that want to protect their customers and their brand reputation need to close technical gaps before attackers exploit them. That means enforcing DMARC, monitoring for lookalike domains, maintaining visibility across all email-sending infrastructure, and ensuring those controls stay current as environments change.

The whole attack falls apart if a customer checks the domain or independently verifies the number. But organizations can’t rely on customers catching something they were never trained to look for. That responsibility belongs to the companies sending communications.

Make it as hard as possible to impersonate you.

Sendmarc helps businesses implement and enforce DMARC, SPF, and DKIM at scale, monitor for lookalike domains, and maintain continuous control over their email authentication posture. If your organization hasn’t enforced email authentication policies, now is the right time.