First published by ISS Today

Cyberattacks have increased in Nigeria in the wake of Covid-19 restrictions and lockdowns. The country’s 2015 cybercrimes law may not be adequate to reduce the vulnerability of financial institutions, especially the banking sector, to these offences. Enabling public-private partnerships and joint task forces could hold the key.

In 2018, commercial banks in Nigeria lost a cumulative 15-billion naira (US$39-million) to electronic fraud and cybercrime. This was a 537% increase on the 2.37-billion naira loss recorded in 2017. More than 17,600 bank customers and depositors lost 1.9-billion naira to cyberfraud in 2018, with fraud rising by 55% from the previous year.

Nigeria’s Consumer Awareness and Financial Enlightenment Initiative has projected a US$6 trillion loss by 2030 to cybercrime within and outside Nigeria. These crimes are committed mostly through phishing and identity theft.

The outbreak of Covid-19 and government’s response measures have enabled more cyberattacks. Deloitte Nigeria reported a spike in phishing attacks, malicious spams and ransomware attacks. Cybercriminals are using the coronavirus as bait to impersonate brands, thereby misleading customers and employees.

Deloitte Nigeria further noted that financial institutions, corporates, state agencies and individuals are increasingly being exposed to cyberattacks and fraud. The means used include disinformation, impersonation and phishing, which enables criminals to access computers, mobile devices and the intranet unnoticed to launch cyberattacks.

Not only are businesses being targeted, the report said, but end users who download Covid-19-related applications are being tricked into downloading ransomware disguised as legitimate applications. A case in point is a Nigerian cybercrime group called SilverTerrier that has targeted organisations and workers responding to Covid-19.

Google claims to block more than 100 million phishing emails daily across the globe, about 18 million of which are related to Covid-19. However, bank customers and staff in Nigeria remain exposed to opportunistic schemes by fraudsters who exploit the uncertainty created by the pandemic.

In Nigeria, cybercrimes are perpetrated by individuals, hackers or connected networks of criminals motivated by financial interests. For instance, a gang of seven hackers stole 900 million naira (US$24,000) from a single bank via malware in Lagos on 10 March 2018, according to the Economic and Financial Crimes Commission (EFCC).

On 2 September 2020, EFCC operatives arrested 13 suspects believed to be members of an organised cybercriminal syndicate who defraud unsuspecting victims of millions of naira. How the groups work, either as networks or connected individual hackers, remains largely unknown and is still being probed by security operatives.

As a response, banks in Nigeria have taken extra measures, especially since the outbreak of Covid-19. Messages have been sent by phone and email to customers calling for caution in all online transactions and dealings. Government agencies and private corporate establishments have acted likewise.

In addition to the Consumer Awareness and Financial Enlightenment Initiative, Nigeria’s Cybercrimes (Prohibition, Prevention, etc) Act 2015 aims to reduce the country’s vulnerability to cyberattacks. The law empowers the president to designate certain computer systems, networks and information infrastructure as vital to national security or the economic and social wellbeing of Nigeria’s citizens. The act also gives financial institutions the responsibility for combating cybercrime.

Limitations in the cybercrimes legislation, however, mean that financial institutions, especially banks, remain at risk. The law – as is the practice across the world – pushes the responsibility for combating cybercrime from the state to financial institutions. Section 37(1), for example, places a duty on financial institutions such as banks to verify the identity of customers carrying out electronic financial transactions.

It is, however, difficult for banks to tackle cybercrime alone when the digital economy enables most financial transactions to take place outside banking premises and in customers’ homes. A former president of the Chartered Institute of Bankers of Nigeria, told the ENACT organised crime project that banks can only take cautionary measures, which are not enough to curtail the threat.

Partnerships between government and financial institutions are needed to deal with the problem. If responses are dominated by state security agencies, concerns are likely to be raised about abuse, accountability, access to information as well as obligations on the commercial sector to report attacks. This may cause a reluctance to report offences and a perpetuation of behaviour that increases vulnerability to cybercrimes.

Joint task forces to build confidence between the public and private sectors would be preferable. Effective collaboration between financial institutions, corporates and the Cybercrime Advisory Council would be a practical step. An amendment to the 2015 cybercrimes act will be needed to enable such partnerships and ensure a balance between the protection of privacy and law enforcement.

In the meantime, financial institutions should continue raising awareness among their customers on information security outside the office space. They also need to build institutional capacity to deal with cybercrime and keep abreast of the innovations and technology designed to disrupt the invisible yet devastating crimes that are committed with increasing frequency in Nigeria. DM

Maurice Ogbonnaya is a Senior Research Consultant, ISS Pretoria.

This article was first published by ENACT. ENACT is funded by the European Union (EU). The contents of this article are the sole responsibility of the author and can under no circumstances be regarded as reflecting the position of the EU.