Cybercrimes raise concerns for N30.2tr monthly e-payments
• Nigerians count losses as fraudsters get sophisticated, empty bank accounts
• Dearth of IT staff worsens recovery time in banks
• NCC has issued over nine security alerts since the beginning of 2022
• Experts seek review of Cybercrime Act 2015, kick against a plea bargain
Disturbing trends in financial fraud and cybercrimes have put at risk electronic payment or e-payment transactions, now estimated to be worth an average of N30.2 trillion monthly.
Findings show that as more Nigerians are embracing e-transactions daily, so is the surge in cybercrimes, as cybercriminals are getting adept in the clean sweep of bank accounts of unsuspecting users.
While banks are facing a dearth of IT staff to promptly respond to cyber threats, bank account compromises are expected to get worse as the festive season approaches.
Already, the Nigerian Communications Commission (NCC) has issued 10 cyber alerts to warn Nigerians about the possible danger associated with or targeted at some platforms, including Cisco and lately telegram, which these cyber criminals exploit to cause havoc.
Indeed, cybercrime has been projected to worsen as e-payment transactions gain more patronage. Statistics from the Nigeria Inter-Bank Settlement Systems (NIBSS) showed that transactions worth N32.3 trillion were performed electronically in August, a volume that has been on steady monthly growth through the NIBSS Instant Payment platform (NIP), bringing the total value of e-payment deals in the first nine months of the year to N271.5 trillion.
According to NIBSS, the value of the e-payment recorded was a reflection of the increase in the volume of deals within the month. The NIP volume rose to 448 million in August, showing a 10.6 per cent increase over 405 million recorded in the preceding month.
Activities of cybercriminals have taken a new turn, as they become more daring, and innovative and subsequently unleash more terror on their prey.
Almost on a weekly basis, bank customers complain of hacked accounts, where criminals wipe out all their life savings. The Guardian checks showed that this is not peculiar, but cuts across the entire banking sector.
Between July and September 2020, Nigerian banks, according to NIBSS, lost N3.5 billion to fraud-related incidents, representing a 534-per cent increase from the same period in 2019, when it was N552 million. Though the latest data have yet to be confirmed, stakeholders are worried that the losses would be huge compared to previous years.
In 2018, commercial banks in Nigeria lost a cumulative N15 billion ($39 million) to electronic fraud and cybercrime. This was a 537 per cent increase on the N2.37 billion loss recorded in 2017. In the same period in 2018, over 25,043 bank customers and depositors lost N1.9 billion to cyber fraud, with fraud incidents rising by 55 per cent from the previous year’s 17,600.
Nigeria’s Consumer Awareness and Financial Enlightenment Initiative (CAFEi) had projected a $6 trillion loss by 2030 to cybercrime within and outside Nigeria. These crimes are committed mostly through phishing and identity theft.
According to NIBSS, the trend from the beginning of 2020 has been that the web and mobile channels are viable mediums for exponential fraudulent gains.
For instance, in October, a customer of a leading bank claimed that she lost a lot of money to a hacker after she misplaced her wallet. The customer with the name: Dr Ola Sandra Ndukwe, recounted how the bank allegedly failed to recover N450,000 stolen from her account by fraudsters.
According to her, this happened despite availing details of the transactions, including names and bank accounts that received the stolen money.
Ndukwe narrated that she lost her ATM cards and proceeded to block online transactions on her account, using self-service codes.
She said she only depended on her mobile application for confirmation of transactions on her bank account. And according to her, when she complained to Zenith Bank customer care agents, she was told that her transaction alert was active.
Unfortunately, she said some days back, her mobile bank app was hacked during which she lost a sum of N450,000.
Similarly, another customer on Twitter, @Kuddyy said: “My own account got hacked August 31 and a total of N1.527 million was moved. My account was empty. We are still on the matter to date because I know how hard I worked for my money.”
Earlier in September, a popular news and gossip blog also reported how hackers hit a Nigerian bank, stealing over N523 million from a customer’s account.
The blog made reference to a statement issued by the Public Relations Officer (PPRO) of the Police Special Fraud Unit (PSFU) Ikoyi, Lagos, SP Eyitayo Johnson, where he revealed that suspected Internet fraudsters hacked into the server of an old-generation bank and stole a whopping N523 million from a customer’s account.
The PPRO said the hackers stole the huge sum using 18 different customers’ accounts and dissipated the same via Unified Payments Interface (UPI), cash, ATM/POS, withdrawals and e-transfers.
The PPRO said police have arrested two suspects while operatives are following other leads to apprehend the remaining members of the syndicate.
Also, police and investigators fear organised gangs of fraudsters are expanding across sub-Saharan Africa, exploiting new opportunities as a result of the pandemic and the global economic crisis to make huge sums with little risk of being caught. The growth will have a direct impact on the rest of the world, where many victims of “hugely lucrative” fraud live, senior police officials have said.
Experts attribute the surge in cybercrimes in Africa to the rapid growth of internet use at a time when police forces and criminal justice systems have been weakened by the economic consequences of a series of major challenges.
“The COVID-19 pandemic has accelerated digitalisation around the world, but as life has shifted increasingly online, cybercriminals have exploited the opportunity to attack vital digital infrastructure,” said Prof Landry Signé, a senior fellow at the Brookings Institution and author of a recent report on the problem.
“States across Africa have emerged as a favourite target of cybercriminals, with costly consequences.”
Interpol has described online scams such as banking and credit card fraud as the most prevalent and pressing cyber threat in Africa. A major operation earlier this month coordinated by Interpol in 14 countries underlined the scale of the threat from cybercrime on the continent and beyond.
Police arrested more than 70 alleged fraudsters linked to a Nigerian criminal network known as Black Axe in South Africa, Nigeria and Ivory Coast – as well as in Europe, the Middle East, Southeast Asia and the U.S.
Almost 50 properties were searched and about $1 million was intercepted in bank accounts. A residential property, three cars, tens of thousands in cash and 12,000 SIM cards were seized.
Speaking with The Guardian, a very senior executive in one of the big banks in the country, said the cyber threat is real. “In fact, it is happening. The challenge is that no bank would come out and say, ‘I have been hacked’! But on a serious note, almost on a weekly basis, banks are attacked and this has remained a recurring phenomenon in the last two years. I must also say this; banks are investing in new technologies to tackle these criminals.
“The issue became worse for the banks because of this ‘ Japa syndrome’. Banks have lost credible, talented and tech-savvy executives. Without exaggerating, this issue cuts across the entire banking sector, as close to 600 of these guys have relocated abroad.
“They abandoned the job here for better offers outside the country and especially for security reasons. Imagine, a bank IT sector at the beginning of the year with close to 55 workers is now left with about six by October and there is no assurance that those ones won’t leave.”
The official also appealed to bank customers not to be negligent, “and they should not continue to thrust their ATM cards on every PoS terminals available at their disposal; they should be discreet with their PINs.”
A non-Executive Director, of the Central Bank of Nigeria (CBN), Prof. Mike Obadan, expressed concern over the activities of hackers. He noted that they have continued to affect the growth of the banking sector.
Obadan stated this in Benin, Edo State, where he said the threat of hackers continues to elicit deep concerns due to their negative impacts.
He noted that hackers had attacked some Nigerian banks resulting in significant financial losses. He stated that the rate, scale and complexity of the attacks were on the increase considering the report of cybercrime losses in recent times.
He said: “It is of great concern that the activities of hackers have continued to affect the growth of the banking sector. The rate, scale and complexity of the attacks are on the increase considering the report of cybercrime losses in recent times.
“However, CBN has continued to monitor and coordinate responses to cyber attacks on financial institutions in the country. Moreover, the heightened cyber security threats were moderated by CBN’s intensified surveillance and sharing of credible intelligence and remediation measures with the banks,” he added.
According to Obadan, hackers with the connivance of bank staff carried out some attacks. He urged banks, including microfinance institutions, to continuously be on the alert and build capacity including the acquisition of necessary IT equipment to respond to cyber threats.
With the threat festering, Sophos, a cyber-security as-a-service firm, has published its 2023 Threat Report, which detailed how the cyber threat landscape has reached a new level of commercialisation and convenience for would-be attackers, with nearly all barriers to entry for committing cybercrime removed through the expansion of cybercrime-as-a-service.
According to the report, criminal underground marketplaces like Genesis have long made it possible to buy malware and malware deployment services, as well as to sell stolen credentials and other data in bulk. Over the last decade, with the increasing popularity of ransomware, an entire ‘ransomware-as-a-service’ economy sprung up. Now, in 2022, the ‘as-a-service’ model has expanded, and nearly every aspect of the cybercrime toolkit, from initial infection to ways to avoid detection, is available for purchase.
Analysing the report, Principal Threat Researcher at Sophos, Sean Gallagher, said: “This isn’t just the usual fare, such as malware, scamming and phishing kits for sale. Higher-rung cybercriminals are now selling tools and capabilities that once were solely in the hands of some of the most sophisticated attackers as services to other actors.
For example, this past year, we saw advertisements for OPSEC-as-a-service where the sellers offered to help attackers hide Cobalt Strike infections, and we saw scanning-a-service, which gives buyers access to legitimate commercial tools like Metasploit so that they can find and then exploit vulnerabilities.
The commodification of nearly every component of cybercrime is impacting the threat landscape and opening up opportunities for any type of attacker with any type of skill level.”
MEANWHILE, a cyber-security engineer with Trend Micro, Toluwanimi Banji-Idowu, has called for an urgent review of the Cybercrime Act 2015 to accommodate new developments in cyberspace. This, he said has become very necessary if the rising cybercrime trend must be curtailed in Nigeria, stressing that it doubts the punitive strength of the Act.
“I doubt if it has been punitive. Between 2015 and now, so many things have changed in the online space. I don’t think the Act has been reviewed since 2015. And a lot has come into play between now and then, which ordinarily should have necessitated a review of the Act to accommodate new things,” he stated.
Banji-Idowu explained that, for instance, as a result of COVID-19, many people went remote and lots of things went into the online space.
“Because of the way things are fast evolving, we need to have a framework in place whereby these policies are reviewed regularly and new things are added as trade actors build up. Also, I think I haven’t really seen in the news where punitive measures have been taken as regards the Act. I think the government also needs to put more effort into actually abiding by the punishments that they set aside for people that are caught to serve as a deterrent to would-be offenders,” he added.
The cyber-security engineer also kicked against plea bargaining.
He said: “I feel plea bargains should not be so lenient; criminals plead guilty and then receive a lesser punishment or fine. We need to look into that seriously as a country. Punishment should be put in place that would discourage other people from doing such and not make it seem like ‘I could take the risk and when I am caught, I can opt for a plea bargain.’ The punishment should not be lenient and it should be in a way that would highly discourage other people from participating in cyber crimes.”