Financial inclusion at risk as cyber fraud intensifies
On August 7, not only did Shittu Rosheedah’s Opay account get hacked, but her savings also went missing.
It came as a shock to the final-year student at Moshood Abiola Polytechnic, Abeokuta, Ogun State, when she woke up to find that her money was gone.
She had saved the sum of thirteen thousand naira in the online bank, and planned to save more to buy herself clothes, but the money disappeared overnight. In 2022, she joined over 15 million mobile money account users in the country.
While the hack and the loss incurred by Rosheedah might seem like no big deal on the surface, over 8,600 fraud and forgery cases were carried out in 2023 through mobile banking alone, with losses of over N3.5 million.
How often does it happen?
Weaknesses in Nigerian banks’ security protocols are exploited by fraudsters to gain unauthorized access to customer accounts, as in Rosheedah’s case.
The student explained that her account was hacked through a USSD code she received on her phone.
She said, “I needed airtime the night before the incident, and I couldn’t log in to my account without data. So, in the process of trying to get data, I got an SMS that you can use the USSD code for purchasing airtime offline.
“I tried the USSD code and in the process, I was asked to put in my Opay login password and my withdrawal password.”
She could not successfully buy the airtime, however.
“The next day, I could not log in to my account. I tried to retrieve it, and when I did, fortunately, my money was still intact, not until… I woke up to find out that my money was missing”, Rosheedah explained.
A cybersecurity expert, Suleiman Ibrahim, explained that fraudulent loans and computer/web and mobile fraud are carried out through a type of hacking known as social engineering.
For context, social engineering is the set of tactics used to manipulate, influence, or deceive a victim into divulging sensitive information or performing ill-advised actions to release personal and financial information or hand over control over a computer system.
Ibrahim, a former bank staff member, explained further: “They (hackers) can call or text a customer saying they are from the bank and there is an update going on, and they’ll send or text a code (to the customer) and request for the code to access the account.
“They social engineer the account of the customer they are trying to hack who thinks they are actually from the bank. Once they have access, they can change the person’s phone number or password or transfer money.”
Lax cybersecurity in financial institutions has allowed fraudsters to perpetrate illicit acts through various payment channels, with a colossal loss of N6.2 billion in 2023, according to a report by FITC, a member of the Nigerian Bankers Committee.
The report listed various channels through which fraud takes place in the financial sector, including web-based channels, Automated Teller Machine (ATM) cards, mobile, Point of Sale (PoS) agents and bank branches.
ATM fraud increased from 248 to 518 in the period under review.
One such case involves the illegal withdrawal of N68 million from the account of Glory Omokora, an Italy-based customer of First Bank Nigeria.
Omokora, who reported her loss to a popular radio programme, Berekete Family, noticed the fraud when her ATM card allegedly expired around 2021, Global World Vibe reported.
After some back and forth on the issue, the bank admitted the fraud case in August 2023. It remains one of the yet-to-be-resolved fraud cases as an investigation is still ongoing, the report says.
However, FITC data on the different frauds and forgeries in Nigerian banks in the first and second quarters of 2023 show that fraud orchestrated via the web and on mobile was prevalent in the period under review.
This development may hamper the Central Bank of Nigeria’s (CBN) aim to accelerate financial inclusion in the country from 64 per cent to 95 per cent by 2024.
The growth of E-payment in Nigeria
The value of money flowing through the industry’s e-payment channels, including ATM, PoS, mobile app transfers and mobile money, increased exponentially, from millions to trillions, between 2012 and 2022, according to CBN data.
At the embryonic stage, transactions done through PoS and mobile money alone from 2012 to 2016 stood at N1.7 trillion.
By December 2022, however, the value of transactions through various e-payment methods was 1 quadrillion (a 15-figure number), with a transaction volume of 22 million.
The ubiquity of PoS merchants contributed to this rapid growth, but reports of agents mining customers’ data and exploiting it pose a threat to financial inclusion, especially in urban areas where customers depend greatly on PoS agents.
According to Nigeria Inter-Bank Settlement System (NIBSS) Plc data, a total of 2.329 million PoS machines had been registered across the country as of December 2022. PoS terminals were introduced in the country in 2012 to promote the cashless policy. Their popularity rose during the 2020 COVID-19 lockdowns, which stopped people from going to the banks.
Cyberattack: A worsening trend
The shift to internet banking has exponentially increased cyber threats across the world. In Africa, Nigeria is atop the list of countries hit by cyberattacks.
According to a global cybersecurity firm, Kaspersky, Nigeria faces the second-highest number of cyberattacks in Africa.
On a global scale, the continent’s most populous country ranked 50th for online threats, behind only Kenya, which ranked 35th, with South Africa third at 82nd.
“Criminal attacks are mainly driven by the pursuit of financial profit, whereas advanced attacks indicate how cyber threat actors continually adapt their tactics and tools to breach security measures”, says the Head of the Global Research & Analysis Team (GReAT) for META at Kaspersky, Dr Amin Hasbini.
Although there was a noticeable reduction in fraud cases, FITC also recommended that banks strengthen their security architecture.
Dr Hasbini added: “Businesses should consider leveraging advanced technologies such as threat feeds, security information and event management systems, endpoint detection and response solutions, and tools with digital forensics and incident response features. It is vital to understand that cyber security measures are an ongoing endeavor – and that there is no universal solution to secure a corporate network or data.”