In recent years, the Nigerian banking sector has been under relentless siege from cybercriminals. From insider collusion to highly coordinated external attacks, the surge in electronic fraud has become one of the most formidable threats facing financial institutions and the millions of Nigerians who rely on them. The consequences are serious, both in financial terms and in eroding public trust.
According to the Nigeria Inter-Bank Settlement System (NIBSS), Nigeria recorded N17.67 billion in banking fraud in 2023 alone, marking a sharp increase from previous years. Alarmingly, more than 50 percent of these frauds occurred through digital platforms, with mobile and web serving as the primary channels.
The Central Bank of Nigeria’s (CBN) push for a cashless economy, while impressive, has unmistakably exposed the banking system to new layers of cyber risks. Since the 2014 launch of the National Financial Inclusion Strategy, banks have invested heavily in digital channels to drive adoption of electronic payment systems. However, these innovations have outpaced the corresponding security architecture.
NIBSS’s 2023 Fraud Landscape Report reveals that web-based fraud accounts for 35.5 percent of all cases, while mobile-based fraud makes up over 22 percent, with a combined financial impact running into billions of naira. Phone-based fraud alone resulted in losses exceeding N1.5 billion in 2023.
Sadly, internal fraud, conducted by bank staff, is now responsible for up to 70 percent of all cyber incidents, according to a recent study by banking software provider Temenos. This internal threat is especially grave given that it is often executed by those with high-level IT system access, such as system and database administrators.
One of the most common tactics used is social engineering, the act of manipulating individuals into disclosing confidential information. In 2023 alone, over 12,000 fraud cases were linked to social engineering, according to NIBSS. Often, unsuspecting customers are tricked into revealing OTPs, PINs, or login credentials through deceptive emails, texts, or calls.
Financial technology (fintech) platforms, while accelerating inclusion, have also broadened the attack surface. These platforms tend to rely on third-party API integrations and cloud infrastructure that are not always adequately secured. Given that cloud migration is becoming the norm, financial institutions are increasingly exposed to ransomware and remote desktop protocol (RDP) vulnerabilities, key vectors for cybercriminals.
In 2023, a Lagos-based microfinance bank fell victim to a ransomware attack that temporarily froze all customer withdrawals and compromised over 10,000 user accounts. While the breach was eventually contained, customer trust was severely dented.
Beyond technical vulnerabilities, there are economic drivers too. The cost-of-living crisis and worsening unemployment (hovering at 33.3 percent, according to the National Bureau of Statistics) have created fertile ground for fraud. Disgruntled staff members, some underpaid and overexposed to sensitive data, are more likely to collaborate with external fraudsters.
In a troubling 2023 case, a junior IT staff member at a tier-2 bank in Abuja was arrested after facilitating unauthorised transfers of N650 million over six months. The employee had worked with a syndicate operating from outside the country.
The CBN, the Nigeria Deposit Insurance Corporation (NDIC), and the EFCC have ramped up oversight and enforcement. In early 2024, the CBN released an updated Risk-Based Cybersecurity Framework, requiring commercial banks to implement zero-trust architecture, conduct quarterly audits, and improve endpoint security protocols.
Similarly, the NDIC disclosed that Nigerian banks lost N15.5 billion to fraud in 2018, and those figures have only worsened with the accelerated digitisation of financial services. But regulation alone is not enough. The Nigerian banking sector must embrace a holistic cybersecurity culture.
Taking that holistic view, we advise, first, the use of cloud security assessments. Banks must consistently evaluate and update their cloud infrastructure against international security benchmarks such as ISO/IEC 27001. Automated tools for vulnerability management and real-time threat detection should become standard.
Banks should also employ strict access management. With insiders constituting the majority of threats, banks must enforce Privileged Access Management (PAM) policies. Limiting user rights and applying multi-factor authentication (MFA) can significantly reduce the risk of internal sabotage.
Encryption and data protection should be taken more seriously. All sensitive data, whether at rest or in transit, must be encrypted. Financial institutions should adopt end-to-end encryption and ensure that cryptographic keys are stored securely.
Meanwhile, customer awareness campaigns should be embraced. There needs to be an aggressive, nationwide campaign to educate bank customers about phishing, smishing (SMS-based fraud), and vishing (voice-based fraud), and financial literacy must include cybersecurity.
Fraud detection is increasingly powered by artificial intelligence and machine learning, which can spot unusual transaction patterns and flag potential fraud in real time. This should be encouraged, and Nigerian banks must leverage these technologies to stay ahead of criminals.
Cybersecurity is not just about prevention; it is also about preparedness. Banks must regularly test their disaster recovery and incident response plans. Routine backups and simulated drills are non-negotiable.
With 10 percent of all data breaches globally in 2023 linked to financial services, and breaches reported at institutions like the US Treasury and New Zealand’s Central Bank, it is clear that no one is immune.
Nigeria, with its expanding fintech ecosystem and digital-first banking model, must act swiftly. Cyber fraud is not just a banking problem; it is a national security issue, a threat to economic stability, and a deterrent to foreign investment.
If the nation is to achieve its digital and financial inclusion goals without losing billions to fraudsters, then fortifying the integrity of our digital banking infrastructure must be a top priority. For every breach avoided, more than money is saved; trust is preserved.


