Thursday, June 4, 2026

The Sun Nigeria

Cybercrime has become a war of the mind – Alade warns Nigerians

By Rita Okoye

Cybersecurity expert, Olanrewaju Alade, says Nigeria’s cyber fraud crisis has moved beyond technology failures and evolved into a social engineering war driven by human vulnerabilities.

In an exclusive interview with The Sun, he explains why Nigeria must shift its focus from only upgrading digital systems to investing in behavioral awareness, mass sensitization, and strategic education on cyber risks.

What inspired your focus on cybersecurity awareness as a strategic tool for fraud prevention in Nigeria, and how does this relate to your earlier research on the human factor in cybersecurity?

My focus was inspired by the persistent and recurring cases of cyberfraud and cyber attack in Nigeria, which have robbed many innocent citizens and foreigners of their hard-earned savings unknowingly and unexpectedly. My previous study on the human factor in cybersecurity revealed that advanced technology and checkmate to curb the menace of cyber attacks could be bypassed by an employee, rendering such technology non-effective for its purpose. For instance, in the case of banking operations, a customer might unknowingly click a false link in a phishing SMS that is created under a fake portal. In this regard, the complex cyber technology created to detect fraud operations might be bypassed, making the app non-effective. Customers fall victim to fraudsters in this way who drain the account. The human element could be exploited in this regard. So, strategic knowledge and awareness can avoid and prevent the initial attack.

From your observation, what are the most common types of cyber fraud currently affecting individuals and organizations in Nigeria?

I observed that the most common types of cyberfraud affecting individuals and organizations in Nigeria are phishing, impersonation on social media, investment/franchise scams (Ponzi schemes), love scams (catfishing), business email compromise (BEC), ransomware and insider threats. Phishing, for instance, usually comes when fake SMS, emails and calls are sent to an unsuspecting individual in the name of winning a financial bonus or gift. The moment such a receiver prompts to redeem such non-existing financial gain, the fraudsters strike. Franchise scams like Ponzi schemes are initiated to scam and deceive the public to receive a double gain of their invested little money which literally result in deceit, financial fraud and even death of people in some instances. Many of my friends and family members have had a bitter experience of such scams like the case of ‘MMM’. Cyber fraudsters also target organizations by creating fraudulent emails to trick employees and clients in collecting their account details and monies.

You have emphasized human behavior as the weakest link in cybersecurity. How can Nigerian institutions reshape this narrative through awareness and culture change?

This narrative can be reshaped by higher authorities through other layers of authorities by shifting the blame from individuals to re-orienting and re-sensitizing people who had fallen victim or are liable to be exposed to such cyber fraud. There is a need to give a public sensitization to people on the need to pay strict attention and give details to unsolicited messages, emails, and calls on their devices or social media handle pages. It helps the people to safeguard their financial transactions and communications every time. It must therefore begin from the leaders who are expected to set clear and strict examples by following genuine and secure protocols. It signals a strong message to the followers and employees. In another vein, continuous engagement and training of employees and ordinary citizens on public social media helps to avoid and detect the menace of cyber fraud. In organizations, cyber security awareness should be mandated for workers in order to avoid falling victim to cyber fraudsters or cyber-attackers.

In practical terms, what does a “strategic approach” to cybersecurity awareness look like for the Nigerian public and private sectors?

Yes, a strategic approach is meant to be continuous, tailored and measurable to both sectors in such a way that it is practicable and not a one-off event or action. It should focus on risk-based, multi-channel and consistent, localized in content and measurable. For instance, a public campaign and sensitization for market women and traders through a risk-based, could go a long way in protecting marketers, traders from mobile money fraud. The Central Bank of Nigeria (CBN) in collaboration with the Bankers’ Committee can embark on an aggressive coordinated national campaign to inform and communicate the public on the need to be cautious, and alert to any appearance of cyber attacks or fraudulent activities on their media channels. The various social media handles and platforms should help educate their members on the need to carefully examine unexpected information or fraudulent activities on their devices.

How would you assess the current level of cybersecurity literacy among Nigerian internet users, especially within financial and educational institutions?

In my personal assessment, the level of cybersecurity literacy among Internet users is growing slowly with many people yet to be fully informed about cyberfraud and how to stay protected. The literacy is still low among the public, giving room for cyber-frauders to perpetrate their acts and crime. For instance, many Internet users could not differentiate between “HTTP” and “https” to establish a secure website link. The financial institutions in the same vein are not doing enough to protect and safeguard junior workers in their organizations, making them vulnerable and exposed to cyberfraud. In the educational institutions, formal cybersecurity awareness and protection are still minimal which makes students and lecturers exposed to threat actors.

Social engineering remains one of the biggest threats globally. How can Nigerian organizations equip their employees to detect and resist these manipulative tactics?

Nigerian organizations can equip their employees by teaching and training them to observe red-flags in their normal working activities so that manipulative tactics and threats can be exposed early. For instance, any working activity that is clouded with fear, secrecy, urgency or anxiety should be treated as universal triggers. A job that indicates a worker to keep it a secret or should not be disclosed with people must be considered a major red flag. Sending phishing and vishing calls to employees in a managed working environment should not be taken lightly. Every issue that does not come from a right channel must be termed as dangerous and a threat to financial transactions of an organization. Organizations should likewise establish distinct and clear verification protocols to take care of sensitive data requests or financial activities. Employees should be allowed to report and speak up on unclear activity in the organization that appears suspicious.

Many fraud prevention campaigns in Nigeria focus on technology upgrades rather than behavioral training. Why do you think awareness programs often take a back seat?

Unfortunately, organizations tend to act smart and secure by ensuring that their fight and campaign against cyberfraud within the company could be detected earlier by the use of advanced technology and technology upgrades. This is not always true or effective in some areas because organizations are not addressing the behavioral aspect and training of employees as they ought thereby to underestimate it. Behavioral training when conducted on a regular basis in the organizations helps put every worker on the alert and cautious of the sensitivity of their cyber influence. Several factors have positioned organizations in Nigeria to prioritize technology upgrades over behavioral training such as the influence of tangible, and justifiable of new firewall to prevent cyberfraud, checkbox mentality that cybersecurity is a compliance measure, experts are competent to work out the fraud but without behavioral psychology and lackadaisical attitude to certain threats that prompt into the system.

What role should government agencies, such as NITDA and the CBN, play in building a national cybersecurity awareness framework that goes beyond regulatory enforcement?

The concerned government agencies should act as enablers, champions and monitors. They should develop a national curriculum in collaboration with the Ministry of Education that teaches standard cybersecurity awareness and protection at all levels of educational institutions. Public service campaigns and sensitization should be funded and expanded in such a way that it will capture all existing and regular languages. A knowledge sharing forum should be created in order to give room for vast and in-depth exchange of ideas on cyber protection against cyberfraud. Where necessary, incentives should be given to whistle blowers about cyberfraud and fraudsters in society.

How can collaboration between academia, industry, and policymakers strengthen Nigeria’s resilience against cyber fraud and digital manipulation?

The sincere collaboration among these bodies can serve as a foundation for sustainable resilience through which they can all effectively perform to expectations. The academia industry should be allowed to provide Nigerian-specific cybercrime trends and develop tailored solutions. They can also produce the future workforce that will strictly major in this discipline and department in the school and office. Industry to Academia can likewise provide real-world case studies where internship opportunities, and funding for relevant research. They inform academia what skills are needed on a regular basis. The Policymakers to other collaborators can create a conducive environment through supportive policies, funding for research grants, and national frameworks that encourage this collaboration. For instance, a university research team can partner with a bank to study the psychology of victims of a new scam. Their findings are used by the bank to create a more effective customer alert message, and the findings are shared with NITDA to inform a national advisory.

In your opinion, what emerging technologies—like AI-driven monitoring or data analytics—could enhance fraud detection and response systems in Nigeria?

Both emerging technologies are good in protecting cyberspace and enhancing fraud detection in the country. As regards AI/ML for Behavioral Analytics, the AI can analyze patterns of user behavior (login times, typical transaction amounts, location) in order to validate the genuineness of the person. If a user’s behavior suddenly deviates or acts suspicious (e.g., a large transfer to a new beneficiary), the system can flag it for review or require additional authentication. Natural Language Processing (NLP) can be used to examine and scan emails in real-time to detect the linguistic patterns of phishing or BEC attempts (e.g., urgency, sender address spoofing) and quarantine them before they reach the inbox. The adoption of Biometric Authentication has prompted a great deal in the campaign against cyberfraud or fraudulent activities. In this case, a widespread adoption of fingerprints and facial recognition for mobile banking and payments adds a strong layer of security that is difficult to steal remotely. The creation of blockchain for Identity Management is also effective. It could provide a secure and decentralized way to manage digital identities, reducing the risk of identity theft and document forgery from any unknown source.

Given Nigeria’s growing digital economy, what steps should small and medium-sized enterprises take to build internal cybersecurity capacity without incurring heavy costs?

There are several viable acceptable steps available to the small and medium-sized enterprises to build internal cybersecurity capacity. SMEs can adopt a “cyber hygiene first” approach by focusing on fundamentals, regular backups of the business data, leveraging on free resources that provide guides and security tools, prioritizing spot awareness and creating incident response plans. There is a need to ensure that strong passwords are used in spaces where cyber operations are free. Business data should regularly and automatically be backed up in the system to protect them against infiltrated ransomware. On occasions where cyber interfaces are free, secure tools provided by recognized agencies should be used. In addition, prioritizing awareness on any sources should be mandated and followed strictly. Then, creating an Incident response plan is very essential because it encourages a simple, one-page document outlining on what to do and who to call if a breach is suspected (like contacting your bank, reporting to the police/NCC).

Finally, what is your message to young Nigerians navigating the digital space, especially as cyber threats evolve faster than public understanding?

My message to young Nigerians is that they need to be empowered but cautious in taking any action. The digital world has become handy to us and more of a marketplace. It holds immense opportunity, but also real danger which they must not underestimate.