Nigeria’s enactment of the Cybercrimes (Prohibition, Prevention, etc) Act, 2015 may not have been successful in tackling the vulnerability of financial institutions, especially the banking institutions, to cybercrimes. In 2018, commercial banks in Nigeria lost a cumulative N15 billion (US$39 million) to electronic fraud and cybercrime. This was a 537% increase on the N2.37bn loss recorded in 2017. In the same period in 2018, over 17 600 bank customers and depositors lost N1.9bn to cyber fraud, with fraud incidents rising by 55% from the previous year’s 25 043. Nigeria’s Consumer Awareness and Financial Enlightenment Initiative (CAFEi) has projected a $6 trillion loss by 2030 to cybercrime within and outside Nigeria. These crimes are committed mostly through phishing and identity theft.
The outbreak of the COVID-19 pandemic and the government’s response measures that include lockdowns and restrictions saw an escalation in the rate of cybercrimes in Nigeria. Deloitte Nigeria, a branch of the international private auditing firm Deloitte, reported a spike in phishing attacks, malicious spams and ransomware attacks. Cyber-attackers are using the coronavirus as bait to impersonate brands, thereby misleading customers, and employees.
Deloitte Nigeria further noted that financial institutions, corporate businesses, state agencies, and private individuals are increasingly being exposed to cyber-attacks and fraud through disinformation, impersonation and other mechanisms such as phishing, which enables cybercriminals to access computers, mobile devices, and the intranet unnoticed to perform cyber-attacks from the inside.
Not only are businesses being targeted, but end users who download COVID-19-related applications are also being tricked into downloading ransomware disguised as legitimate applications. A case in point is a Nigerian cybercrime group called SilverTerrier that has targeted organisations and key workers responding to COVID-19.
Google claims to block more than 100 million phishing emails daily across the globe, about 18 million of which are related to COVID-19. However, bank customers and staff in Nigeria continue to be at risk of exposure to opportunistic schemes by fraudsters who have latched on to the uncertainty created by the pandemic to perpetrate new fraud schemes.
In Nigeria, cybercrimes are perpetrated either by lone individuals or hackers, or connected networks of criminals who are motivated by financial interests. For instance, a seven-man gang of hackers stole N900 million (US$ 24 000) from a single bank via malware in Lagos on March 10, 2018, according to the Economic and Financial Crimes Commission (EFCC). On Wednesday, September 2, 2020, operatives of EFCC arrested 13 suspects believed to be members of an Organized Cyber Criminal Syndicate Network (OCCSN) who defraud unsuspecting victims of millions of Naira. How the groups work, either as networks or as connected individual hackers remain largely unknown or are still being unravelled by security operatives.
As a response, banks in Nigeria have taken extra measures, especially since the outbreak of COVID-19 pandemic, in sending electronic messages by phone and emails to customers calling for caution in the use of the cyber space. Government agencies and private corporate establishments have acted likewise.
In addition to the Consumer Awareness and Financial Enlightenment Initiative, there is a regulatory architecture aimed at strengthening the response to cybercrime. Nigeria promulgated the Cybercrimes (Prohibition, Prevention, etc) Act, 2015 to tackle its vulnerability to cybercrime. Under the Cybercrimes Act, the President has the power to designate certain computer systems, networks, and information infrastructure vital to the national security of Nigeria or the economic and social well-being of its citizens. Moreover, as part of the Critical National Information Infrastructure, financial institutions, under the act, have the responsibility for combating cybercrime.
Despite its growing awareness of the need to strengthen cyber security, the vulnerability of Nigeria’s financial institutions, especially the banking industries, to cybercrime is heightened by certain limitations in the Cybercrimes (Prohibition, Prevention, etc) Act, 2015. First, the Act, as is the practice across the world, pushes the responsibility for combating cybercrime from the state to financial institutions. For instance, Section 37(1) of the Cybercrimes Act places a duty on financial institutions such as banks to verify the identity of customers carrying out electronic financial transactions. This requires customers to present documents bearing their names, addresses and other relevant information before issuing ATM, credit or debit cards and other related electronic devices.
However, the capacity of financial institutions to singularly tackle cybercrime in an era of digital economy where most financial transactions take place outside banking premises and in the comfort of customers’ homes needs to be strengthened by the Act. In an interview with a former President of the Chartered Institute of Bankers of Nigeria (CIBN), ENACT was informed that banks do not have the powers to prosecute and at best, can only take cautionary measures, which are not enough to curtail the threat.
This, as some have suggested, calls for partnerships between state security and the financial institutions in dealing with the problem from the public and private sectors. The challenge, however, is that if the response to cybercrime becomes the prevail of state security agencies, concerns are likely to be raised about abuse, accountability, access to information as well as obligations on the commercial sector to report attacks when they happen. This context may result in a reluctance to report such crimes, and consequently the public will continue with behaviours that perpetuate their vulnerability to the range of cyber-enabled crimes.
Collaboration or joint task forces to build confidence between public-private sectors might be the more feasible for the state, the private sector, and the public. Forging effective collaboration among financial institutions, corporate organisations, and the Cybercrime Advisory Council to combat the crime may be a practical step to achieving this. An amendment to the Cybercrimes (Prohibition, Prevention, etc) Act, 2015 to give effect to this collaboration and partnership will pave the regulatory pathway for this while ensuring due consideration to privacy protection balanced with law enforcement.
In the meantime, while continuing to raise awareness among their customers around information security outside of the office space, financial institutions, will also need to build their institutional capacity to deal with cybercrime by keeping abreast of the criminal innovations and the technology designed to disrupt the invisible yet devastating crimes that are committed with increasing frequency in Nigeria.
Maurice Ogbonnaya, Senior Research Consultant, ISS Pretoria