Cyber Attacks as a Threat to the Rise of Fintech Platforms in Nigeria
The Central Bank of Nigeria’s decision to redesign the country’s naira notes has resulted in a cash shortage, forcing Nigerians to turn to fintech platforms such as Kuda, MoMo, Fairmoney, Flutterwave, and Vbank. However, these startups have recently become targets of cyber attacks, with hackers stealing billions of naira. MTN NG’s MoMo Payment Service Bank was the first to be hit, and now Flutterwave has reportedly lost a fortune. These incidents are undermining customers’ trust in African payment startups, especially as Nigeria moves toward a cashless policy and financial inclusion.
Although this has been a common occurrence in the financial sector, with banks almost never officially disclosing or admitting the hacks, data show that it occurs: between July and September 2020, Nigerian banks lost N3.5 billion ($9 million) to fraud, over 534% more than in the same period in 2019.
According to a report by the cybersecurity firm Kaspersky, phishing attacks affected 8.7% of individuals and corporate users in Africa in 2022. The report further revealed that South Africa had the highest percentage of users affected by phishing attacks (9.7%), followed by Kenya (8.4%) and Nigeria (7%).
Recent cyber attacks on Nigerian fintech platforms have highlighted the vulnerability of digital payment systems. Customers who embraced these platforms as a result of downtime with traditional banks are now at risk of losing their hard-earned money to hackers. While the fintech industry has enabled financial inclusion, cyber security must be a top priority for fintech startups.
The security breaches at MoMo and Flutterwave raise concerns about the safeguards in place to protect customer data and funds. This is especially important for African payment startups, where customer trust is still being established. A single breach can lead to a loss of trust and confidence that can take years to recover from.
MoMo Lost Billions to Cyber Attack
On May 27, 2022, just days after the launch of MTN’s MoMo, an email from the Nigeria Inter-Bank Settlement System (NIBSS), the digital infrastructure used by all banks in Nigeria, stated, “Please be informed that we are currently investigating a suspected fraud case involving MoMo PSB transactions. While we investigate, you are advised to closely monitor all inflows from MoMo PSB wallets/accounts for suspicious activity. We’ll provide an update as soon as we can.”
While the email did not provide an official figure, MoMo sued 18 Nigerian banks for mobile money fraud a month after its launch. According to a lawsuit filed on May 30, 2022, MoMo claimed that $22.3 billion ($48 million) was transferred in error to 8,000 accounts maintained by customers of the 18 banks who used MoMo. The company described the loss as “customer-initiated transfers” in a statement, assuring customers that their funds were not lost and that all of their data was still secure.
Anthony Usoro Usoro, the CEO of MoMo, asserted in the lawsuit that the fraud spanned 700,000 transactions in the space of one month. To avoid further liabilities, MoMo shut down its service on May 25 after becoming aware of the fraud on May 24. The following day, service was quickly resumed.
Flutterwave Allegedly Hacked
Although Flutterwave has since denied any breach, Techpoint.africa reported yesterday that hackers stole $2,949,557,867, prompting the company to freeze the accounts of several customers in various banks. Over 300 customers were said to be affected.
The report further revealed that Flutterwave’s legal counsel, Albert Onimole, reported the case to the Deputy Commissioner of Police, State Criminal Intelligence Department, Panti, Yaba, Lagos on February 19, 2023.
According to Onimole’s letter, the hack on Flutterwave’s accounts took place about two weeks ago, on February 13. According to reports, the funds were initially transferred to 28 accounts in 63 transactions. While the incident was reported to police on February 13, 2023, along with a list of accounts that had received the funds, the police were unable to freeze the funds.
Flutterwave, on the other hand, said in a statement, “We want to reassure you that Flutterwave has not been hacked. As a financial institution, we monitor transactions using transaction monitoring systems and a 24-hour fraud desk, and we investigate any suspicious activity. To keep our ecosystem safe and secure, we work with other financial institutions and law enforcement agencies.”
During a routine check of its transaction monitoring system, the company discovered an unusual trend of transactions on user profiles.
“Our team immediately launched a review (as per our standard operating procedure), which revealed that some users who had not activated some of our recommended security settings may have been vulnerable,” Flutterwave explained.
According to the company, no users’ funds were lost. Nonetheless, some Nigerians on Twitter have complained that their banks have frozen their accounts in response to an order from Flutterwave.
How Fintech Startups Can Protect Themselves Against Cyber Attacks
In light of this new threat, since the hunter has learned to shoot without missing, the birds must learn to fly without perching; thus, fintech startups must invest in robust security measures to protect their customers’ information and funds. Collaboration with experienced cyber security firms and the implementation of multi-factor authentication and encryption protocols can help achieve this. Artificial intelligence and machine learning can also be used to monitor and detect suspicious activity on the platform.
Fintech startups must educate their customers on how to protect themselves from cyber attacks in addition to investing in security measures. This can include giving customers regular updates on the latest phishing and scam tactics, as well as advising them on how to create strong passwords and avoid sharing sensitive information.
Furthermore, regulators must play a role in ensuring that Nigerian fintech startups adhere to strict security standards. The Central Bank of Nigeria has a role to play in establishing and enforcing security standards for payment startups. This can include performing regular security audits and providing best practices guidelines for fintech startups.
Despite the recent security breaches, fintech startups still have a crucial role to play in driving financial inclusion in Nigeria. The Central Bank of Nigeria’s cashless policy has accelerated the adoption of digital payment systems, and this trend is expected to continue. As a result, fintech startups must invest in robust security measures and adhere to stringent regulatory standards to maintain their customers’ trust.