Cyberattacks have increased in Nigeria in the wake of COVID-19 restrictions and lockdowns. The country’s 2015 cybercrimes law may not be adequate to reduce the vulnerability of financial institutions, especially the banking sector, to these offences. Enabling public-private partnerships and joint task forces could hold the key.
In 2018, commercial banks in Nigeria lost a cumulative N15 billion (US $39 million) to electronic fraud and cybercrime. This was a 537% increase on the N2.37 billion loss recorded in 2017. Over 17 600 bank customers and depositors lost N1.9 billion to cyber fraud in 2018, with fraud rising by 55% from the previous year.
Nigeria’s Consumer Awareness and Financial Enlightenment Initiative has projected a US $6 trillion loss by 2030 to cybercrime within and outside Nigeria. These crimes are committed mostly through phishing and identity theft.
The outbreak of COVID-19 and government’s response measures have enabled more cyber attacks. Deloitte Nigeria reported a spike in phishing attacks, malicious spams and ransomware attacks. Cybercriminals are using the coronavirus as bait to impersonate brands, thereby misleading customers and employees.
Cyber attackers use COVID-19 as bait to impersonate brands and mislead employees and customers.
Deloitte Nigeria further noted that financial institutions, corporates, state agencies and individuals are increasingly being exposed to cyber attacks and fraud. The means used include disinformation, impersonation and phishing, which enables criminals to access computers, mobile devices and the intranet unnoticed to launch cyberattacks.
Not only are businesses being targeted, the report said, but end users who download COVID-19-related applications are being tricked into downloading ransomware disguised as legitimate applications. A case in point is a Nigerian cybercrime group called SilverTerrier that has targeted organisations and workers responding to COVID-19.
Google claims to block more than 100 million phishing emails daily across the globe, about 18 million of which are related to COVID-19. However, bank customers and staff in Nigeria remain exposed to opportunistic schemes by fraudsters who exploit the uncertainty created by the pandemic.
In Nigeria, cybercrimes are perpetrated by individuals, hackers or connected networks of criminals motivated by financial interests. For instance, a gang of seven hackers stole N900 million (US $24 000) from a single bank via malware in Lagos on 10 March 2018, according to the Economic and Financial Crimes Commission (EFCC).
Across the globe, government responses to the COVID-19 outbreak have led to more e-crimes.
On 2 September 2020, EFCC operatives arrested 13 suspects believed to be members of an organised cyber criminal syndicate who defraud unsuspecting victims of millions of Naira. How the groups work, either as networks or connected individual hackers, remains largely unknown and is still being probed by security operatives.
As a response, banks in Nigeria have taken extra measures, especially since the outbreak of COVID-19. Messages have been sent by phone and email to customers calling for caution in all online transactions and dealings. Government agencies and private corporate establishments have acted likewise.
In addition to the Consumer Awareness and Financial Enlightenment Initiative, Nigeria’s Cybercrimes (Prohibition, Prevention, etc) Act 2015 aims to reduce the country’s vulnerability to cyber attacks. The law empowers the president to designate certain computer systems, networks and information infrastructure as vital to national security or the economic and social well-being of Nigeria’s citizens. The act also gives financial institutions the responsibility for combating cybercrime.
Limitations in the cybercrimes legislation however mean that financial institutions, especially banks, remain at risk. The law – as is the practice across the world – pushes the responsibility for combating cybercrime from the state to financial institutions. Section 37(1) for example, places a duty on financial institutions such as banks to verify the identity of customers carrying out electronic financial transactions.
It is however difficult for banks to tackle cybercrime alone when the digital economy enables most financial transactions to take place outside banking premises and in customers’ homes. A former president of the Chartered Institute of Bankers of Nigeria (CIBN), told the ENACT organised crime project that banks can only take cautionary measures, which are not enough to curtail the threat.
Nigeria’s cybercrimes act makes financial institutions responsible for combating online crime.
Partnerships between government and financial institutions are needed to deal with the problem. If responses are dominated by state security agencies, concerns are likely to be raised about abuse, accountability, access to information as well as obligations on the commercial sector to report attacks. This may cause a reluctance to report offences and a perpetuation of behaviour that increases vulnerability to cybercrimes.
Joint task forces to build confidence between the public and private sectors would be preferable. Effective collaboration between financial institutions, corporates and the Cybercrime Advisory Council would be a practical step. An amendment to the 2015 cybercrimes act will be needed to enable such partnerships and ensure a balance between the protection of privacy and law enforcement.
In the meantime, financial institutions should continue raising awareness among their customers on information security outside the office space. They also need to build institutional capacity to deal with cybercrime and keep abreast of the innovations and technology designed to disrupt the invisible yet devastating crimes that are committed with increasing frequency in Nigeria.
Written by Maurice Ogbonnaya, Senior Research Consultant, ISS Pretoria.