By Abdulrasaq Kamaldeen
As darkness slowly crept over the town of Sango-Ota, Ogun State, in 2021, Esther Oluwafemi, a 23-year-old sales representative at a home appliance store, was seated in her boss’s shop, waiting for customers, when her phone suddenly rang.
She rushed to pick up the call as if she were expecting it; however, when an unfamiliar number appeared on her screen, she hesitated and chose to ignore it. In fact, she did not answer the call initially because of the fear she had developed from the different stories she had heard about unfamiliar calls. But in quick succession, her phone rang over and over again, coercing her to answer the call.
“Hello, Miss Esther, this is a call from UBA Bank,” a calm voice announced from the other end of the line, introducing himself as her United Bank of Africa account manager.
Following the brief introduction, she felt at ease and listened attentively as he explained the need for her to acquire a debit card urgently, assuring her that he would help fast-track the process.
Trusting his words, Esther followed his instructions.
“He introduced himself as my account manager and confirmed my visit to the bank the previous day to get an ATM card, which I confirmed. He further asked me to call a one-time password (OTP) that would be sent to me for the completion of my account verification, as well as the digits on my ATM card, which I did,” she recounted.
A few minutes after sharing the OTP with the caller, her phone buzzed, and a debit alert of N10,000 appeared on her screen. She froze as she stared at the message in disbelief.
Before she could process what had happened, she received multiple debit alerts until the total amount withdrawn from her account reached N135,000.
“I went to the bank immediately, my account was locked, and my ATM card was changed.”
She paid dearly for an avoidable incident.
Despite reporting the incident to her bank, Esther was unable to recover the stolen money.
“After the bank locked my account, my parents had to call my boss and inform her of the unfortunate incident, and she was hell-bent on getting a refund because she never believed that something called a scam could be real.”
Esther’s boss gave her two options: either repay the full amount immediately or work without pay until the debt was cleared.
“At that time, I was earning N15,000 monthly. So, I had to work for 9 months for free.”
But Esther is not the only one facing this problem; 59 per cent of unsuspecting Nigeria’s population has also fallen into electronic banking fraud. A 2022 Consumer Digital Banking Satisfaction Index said that the populace is susceptible to different frauds, such as phishing emails, data breaches, and unauthorised access to accounts through USSD, among others.
A financial and research think-tank, Agusto & Co., mentioned the need for investment in cyber security and awareness to halt bank customers from falling victim to breaches in their accounts, as 70 per cent of the survey respondents indicated that they are not willing to switch to another bank’s digital platform.
Esther suspected that her bank data might have been shared with scammers or that someone within the bank had scammed her.
Under the Cybercrimes (Prohibition) Act, 2015 (as amended 2024), unauthorised access to computer systems or networks for fraudulent purposes constitutes an offence, punishable by imprisonment and/or fines. The Act prescribes penalties of up to five years’ imprisonment or ₦5 million in fines for unauthorised access, which increase to up to seven years’ imprisonment or ₦7 million where the offence involves obtaining computer data, commercial or industrial secrets, or classified information. The Act also criminalises the use of devices or techniques to evade detection when committing such offences.
How Safe is Nigeria’s Online Banking?
The Cybercrimes Act and the regulatory frameworks in the banking sector have not deterred bank staff from committing fraud and forgery.
Several reports have established how Nigerian bank staff dupe customers or leak their data to scammers.
The Nigeria Deposit Insurance Corporation’s 2024 annual report recorded 25,324 incidents of fraud cases in Nigerian banks in the third quarter of 2024. The most significant loss – ₦42.84 billion – was recorded in the second quarter of the year, the highest figure in five years.
Frauds and forgeries in Nigerian banks: a comparison between the first quarter of 2023 and the first quarter of 2024. Source: FITC
Similarly, the Financial Institutions Training Centre, FITC Quarter 1, 2024 report revealed that 72 staff were involved in fraud and forgery in the first quarter of 2023 and 47 in the first quarter of 2024. It also shows a 133.3% rise in terminated appointments (35) compared to the first quarter of 2023 (15).
In the fourth quarter of 2024, the number of inside staff involved in fraud and forgery increased to 91 before reducing to 63 in the first quarter of 2025.
The report further showed an increase in the total amount of money customers lost to fraud and forgery in Nigerian banks between the 2024 fourth quarter and the 2025 first quarter.
Source: FITC Report 2025
Calls of Doom: Many started with brr brr
Countless Nigerians have endured far harsher fates like Esther and Oladeinde Oluwaferanmi, who might have joined their ranks, if not for the timely intervention of a friend.
Like many victims, she was convinced the caller was from her bank after disclosing sensitive details about her account that suggested insider access.
The scammer requested her account number and access PIN to complete a supposed transaction. What saved her was that the account was new and she had not yet received a PIN.
“I had just opened my bank account. I thought he (the scammer) was one of the bankers, especially when he said I had a problem with my account. I was scared. He asked for my full name, account number, and PIN. I told him I haven’t been given the PIN. Ignorantly, I told him I would send him my PIN whenever I get it.”
Her friend, who overheard the call, intervened and stopped her from sharing the information.
Like many Nigerians, another bank customer, Olanrewaju Oluwaferanmi Joy, received a similar call but declined to comply when asked to share a PIN sent to her phone.
“The person said he was calling from my bank… but I remembered that a lot of people usually say banks don’t call customers. I realised he was trying to play me.”
According to Olanrewaju, prior exposure to a similar incident saved her from being duped.
The NDIC 2024 annual report shows a constant annual increase in fraud and forgery cases perpetrated by bank staff from 2021 to 2024, suggesting that banks should strengthen their internal control measures and risk management processes.
Total Number of Deposit Money Bank’s Staff Involved in Frauds and Forgeries (2020-2024). Source: NDIC
There are outsiders involved.
The FITC and NDIC reports showed that people outside the banks are more involved in fraud and forgery than bank staff. For instance, the 2025 FITC report shows that over 10,000 outsiders were involved in fraud and forgery in Nigerian banks, as against less than 100 bank staff.
A study disclosed that several methods commonly used by fraudsters to defraud bank customers in Nigeria, most of which rely on deception, identity theft, and unauthorised access to customers’ financial data.
It identified SIM swap and SIM cloning as major tools, where fraudsters trick telecom operators or customers into transferring a phone number to a new SIM, allowing them to intercept bank alerts and one-time passwords. Phishing, through phone calls, text messages, and emails impersonating banks, is also widely used to obtain customers’ PINs, passwords, Bank Verification Numbers (BVN), and card details.
Other methods are debit card skimming, where devices are used to capture card information during transactions; site cloning, which involves creating fake websites that mimic legitimate banking platforms; and lost or stolen card fraud, where misplaced cards are used for unauthorised transactions.
The study pointed to online transaction fraud, ATM fraud, and unauthorised messages requesting account updates as common tactics. In addition, fraudsters exploit network downtimes, weak data protection, and malware infections to gain access to sensitive information.
According to the paper, scammers increasingly combine these methods with social engineering, using information gathered from victims’ social media profiles or prior interactions to impersonate them convincingly and bypass security checks.
Are our Data safe with Banks?–98% of Bank Data is leaked on Darkweb
Experts alleged that customers’ data can also be illegally leaked through rogue staff or third parties like fintech partners, agents, and they use techniques like SIM Swap, guessing the BVN-linked name, and more to access confidential data.
Scammers do not obtain the information of customers directly from the bank, but banks, including the Central Bank of Nigeria (CBN), expose customers’ official data on the dark web, said Timothy Avele, a cybersecurity expert and Certified Cyber Warfare Defence Operator (CCDO).
According to Avele, “98% of all banks in Nigeria, including CBN itself, have thousands of leaked official data in the Darkweb.”
Despite the security measures put in place to secure customers’ data by banks, he said that scammers still bypass this security through human error, insider threats, poor customer awareness, and third-party integrations.
The cybersecurity expert explained that customers can be protected from scammers if they do not share their OTP, Automated Teller Machine (ATM) PIN, BVN, and desist from installing unknown apps and verify any call by calling the official bank number.
While noting the need for banks to protect customers’ data from fraud, Avele stressed that monitoring staff and agent access logs should be strengthened to enforce strict penalties for insider data abuse and reduce unnecessary staff access to customer data.
He further added that banking institutions should run continuous advanced staff Cyberwarfare training in an era of AI-assisted hacking, stressing that these institutions should delete and clean up official data, such as emails and passwords, from the dark web (including Telecom leaked official data).
