The perpetrators illegally transferred ₦11 billion ($7 million) to several accounts in April 2024, one financial services insider with direct knowledge of the incident said. A second insider claimed the amount involved was at least ₦20 billion ($13.5 million).

“As is common in the financial services industry, there will always be attempts by bad actors to
compromise the security of systems set up to protect and monitor services,” Flutterwave said in a statement to TechCabal.

“In April, we detected unauthorized activities inconsistent with usual customer behavior on one of
our platforms used by a small subset of our customer base.”

Flutterwave did not specify the amount involved but insisted that “no customer funds were lost or compromised, and the confidentiality of our customers’ data remains intact.”

However, one highly-placed person with knowledge of the incident said that the stolen funds were moved to several accounts in five financial institutions over four days. The incident likely went undetected because the perpetrators ensured the deposits remained below limits that would trigger fraud checks.

The matter has been reported to law enforcement and investigations have begun, said the same person who asked not to be named. 

Two executives in the financial services industry confirmed the incident and said Flutterwave reached out to request KYC details of the accounts involved. They also claimed that the accounts related to the incident have been temporarily restricted.

In similar system breaches, perpetrators conceal the movement of funds by sending money to the bank accounts of several hundred unsuspecting users. The details of those users are typically obtained online or using social engineering and fed into programs that automate bulk transfers.

However, April’s breach appears distinct. An organised network may have been involved in the distribution, said a highly placed staff at a financial institution. 

“The perpetrators appeared to transfer the money to random accounts but thise same accounts would also transfer money to other accounts who then sent it back to the first beneficiary account, [in a sort of round trip].” 

This closed-loop approach differs from past attempts to hide the trail using unconnected outsider accounts.

This is the fourth incident of unauthorised transfers at Flutterwave reported in the last fourteen months. In October 2023, about 6,000 account holders across 35 banks and financial institutions received ₦19 billion (*$24 million) illegally transferred through unauthorised transactions by POS merchants.

In March 2023, about 107 bank accounts in 27 banks received ₦550 million. In a February 2023 breach, ₦2.9 billion was diverted to 107 bank accounts in 27 banks, according to court documents seen by TechCabal.

Identifying the account owners involved in the latest incident may be easier than before since the Central Bank mandated all financial institutions to require all customers to provide their bank verification number (BVN) or a national identification number (NIN) for account or wallet opening by March 2024.   In February, Flutterwave received a court order—a Mareva injunction— that lets it recover the funds and assets of the identified account holders, even though they have spent the funds, with the KYC details provided by these financial institutions.  

In the last decade or more, it has been said that mobile penetration and increased internet access will usher in economic growth in Africa. But does smartphone penetration and internet connectivity automatically lead to economic growth or are there resulting digital challenges that could gravely affect economic outcomes? 

In Africa, fraudulent transactions amount to approximately $4 billion annually, with financial institutions and the telecoms sector bearing the brunt of attacks. Among others, the World Economic Forum highlighted that many African businesses are not adequately equipped to navigate cyber threats. It’s clear: the time to secure Africa’s digital future is now.

More than just the financial toll, the real cost of fraud and data breaches? Trust. When online fraudsters strike, they steal identities and opportunities, excluding countless people from participating in Africa’s digital economy. The reality is that cybercriminals are evolving faster than a chameleon changing its colours, becoming ever more cunning in their exploits; so our digital defences must be ironclad to thwart them, yet inclusive to ensure everyone can thrive in this new digital age, tech-savvy or not. 

This is the big trade-off that lies ahead and the question that propels us forward: How do we effectively guard against these threats without sidelining the good actors we’re here to serve? At pawaPass, our mission is to find the challenging balance between combating fraudsters and ensuring the digital doors remain open for everyone else. 

In a continent as diverse as Africa, more than half do not have proof of legal ID, and the majority of businesses lack the means or tools for sophisticated verification, often resorting to manual checks. This approach can result in errors, particularly if verifications happen remotely while exposing the collected personal data to vulnerabilities. Therefore, as innovators solving the cybersecurity challenge, we must deliver solutions that account for the diverse needs and realities of Africans and resist the pitfalls of a “one-size-fits-all” approach.

In the quest for a digital future that is both secure and universally accessible, innovative solutions that merge cutting-edge security with user-friendly verification are crucial. By focusing on creating systems that enhance user experience without compromising security, such as offering biometric verification for critical transactions, we can protect users without encroaching on their digital freedom. 

Collaborations between businesses and anti-fraud platforms like pawaPass need to take into consideration the types of users that the business has to ensure the approaches are thoughtful and risk-based, so as not to harm the overall user experience. This is why, at pawaPass, having tested multiple solutions, we are currently using FaceTec’s leading biometric technology, known for its focus on security and resilience against the most cunning frauds, with their $600,000 bounty offer for whoever successfully hacks into their security system. 

At pawaPass, our current solution has been tailored to work effectively for businesses that serve a large range of users across multiple African markets. This was important to the team because the challenge doesn’t end with active verification technology only. As we strive for inclusivity, we also confront the realities of data costs, device types, user behaviour, and internet accessibility across the continent. This reality means any verification process needs to be flexible enough to accommodate low-end smartphones used by many online users in Africa. 

Our goal is clear: to make it easier to trust people online. By creating anti-fraud and verification systems that cater to every segment of society, we can help break down digital barriers for people across the continent. This vision is already coming to life through our partnership with sports and technology brand Mchezo to facilitate $2 million worth of shares to over 200,000 betPawa’s committed customer base. It’s a testament to our commitment to creating a digital ecosystem where security and inclusivity go hand in hand.

As I reflect on our path so far, it’s clear that building trust online is highly complex, and the road ahead is filled with opportunities and obstacles. But it’s obviously a journey worth taking because building secure, inclusive, and trustworthy digital infrastructure is not just about compliant transactions or safeguarding data; it is about laying the foundation for a future where every African has access to a wide range of opportunities that will enable them to prosper. 

—

Sylvia Brune is the CEO of pawaPass. She has over a decade of experience as an entrepreneur with a dynamic career trajectory that spans various sectors and industries. She has a unique blend of problem-solving, connecting the dots, and a drive to create great experiences for customers.

Leading cybersecurity company Infoprive has announced its rebrand at the just concluded Nigeria Fintech Week (NFW). The company formerly known as Infoprive will now be known as Cybervergent. 

As the world embraces digital advancements and internet accessibility grows across Africa, cybercrimes are on the rise as well. In recent times cybersecurity incidents have resulted in a loss estimated to be between $3.5 billion and $4 billion. Several banks and fintechs in Nigeria have also suffered cyber-attacks and telecoms giant MTN recently sued banks in Nigeria for losing $53 million from its mobile money service to fraud. 

This spate of cybercrimes is a result of the digital state of the modern world and it also calls for improvements in the cybersecurity industry. As threats in the digital landscape continue to evolve, cybersecurity companies must adapt and innovate to stay ahead of the curve. 

Taking this into account, Infoprive has evolved into Cybervergent to expand its security solutions to businesses and organisations. Formerly a security consulting, assessments, and remediation company, the company is now a pioneering technology company dedicated to revolutionising the cybersecurity landscape in Africa leveraging Artificial intelligence (AI) and machine learning (ML) for improved solutions. 

This innovative approach empowers businesses to fortify their digital assets, detect real-time threats, and respond swiftly to evolving cyber breaches. Cybervergent’s proprietary technology ensures seamless integration, allowing organisations to proactively protect their networks, data, and applications from malicious intrusions.

Speaking at the NFW event, CEO and Co-founder, Adetokunbo Omotosho, emphasised the importance of maintaining digital trust by securing client data. This will allow fintechs to continue to innovate freely and scale. With increasing cybersecurity threats customers will lose faith in fintechs who do not fortify their systems. He also stated that this rebrand is a proactive step to forestall massive cybersecurity losses as the continent becomes the next growth frontier in adopting the Internet of Things and e-commerce.

Cybervergent is a convergence of data privacy, security, and compliance in one automated platform. According to Adetokunbo, “Cybervergent represents not just a name change, it embodies the convergence of cutting-edge technology, visionary leadership, and our resolute commitment to safeguarding businesses in the digital age on the continent, starting from Nigeria, Africa’s largest economy. With our refreshed brand identity, Cybervergent is poised to evolve the cybersecurity landscape, offering a comprehensive suite of solutions designed to thwart cyber threats, streamline security operations, and enhance overall business resilience,” he adds.

With this rebrand, Cybervergent repositions itself as a dynamic, all-in-one cybersecurity company set to transform the African cybersecurity and overall tech landscape. With its team of seasoned experts, the company will provide simplified, tailored, and automated solutions that ensure the protection of critical assets and data for businesses and organisations. This strategic rebrand aligns with the company’s unwavering commitment to pioneering the future of the continent’s cybersecurity through innovation, automation, and all-encompassing scaled solutions.

To learn more and connect with Cybervergent visit the website here. 

With millions of customers across digital apps and offline payment channels, these four neobanks have become customer favourites and have entrenched themselves in the financial system in the past four years. But to win over customers, they have relied on flexible account verification processes while emphasising their push to improve financial inclusion in the country. These verification processes are at the heart of a clash between these neobanks and some of Nigeria’s biggest legacy banks. 

Last week, Fidelity Bank blocked transfers to neobanks over lax anti-fraud and customer verification standards, sources with knowledge of the matter told TechCabal. The restrictions remained for two weeks, those sources said. News of the restrictions polarised users on social media with speculation that the bank was trying to slow down competition. The restrictions have since been removed by Friday, October 27, bank customers said.

Fidelity Bank did not respond to TechCabal’s request for comments regarding these actions.

Key Takeaways

• Fraud is a growing problem in Nigeria’s financial system. Nigerian financial institutions have reported ₦159 billion ($201.5 million) lost to fraud since 2020.

• Relaxed transaction rules and flexible customer verification standards are making it easier for scammers to target victims.

• Nigeria’s financial system struggles with information sharing and lacks coordination on financial fraud investigations by local law enforcement agencies.

But Fidelity is not the only bank concerned about fraud related to neobanks. At least two other major Nigerian banks have had internal conversations about blocking these upstarts from their list of financial services for consumer fund transfers, two financial services insiders, who asked for anonymity so they could speak freely, told TechCabal. 

Media reports have highlighted the scale of fraud challenges in the country. This week, BusinessDay reported that Fidelity Bank lost ₦2 billion ($2.5 million) in three attacks. Court documents posted on social media and verified by TechCabal showed that Access Bank, Nigeria’s largest bank by customer deposits, filed a lawsuit in June to recover ₦3 billion ($3.8 million) that was fraudulently withdrawn. In July, the bank filed a separate lawsuit to recover an additional ₦5 billion ($6.3 million) illegally transferred from its coffers by scammers. 

Fintech startups have also been impacted. In March, Flutterwave, Africa’s most valuable startup, reportedly lost ₦2.9 billion ($3.7 million) to a cyber attack — the fintech continues to deny the incident. The mobile money service of Nigerian telecoms company MTN also lost over ₦10.5 billion ($13.3 million) in 2022 to unauthorised transfers caused by a glitch one month after it re-launched as a payment service bank.

Overall, Nigerian financial institutions have reported ₦159 billion ($201.5 million) lost to fraud cases since 2020, according to the Financial Institutions Training Centre (FITC), a financial research and advocacy organisation operated by the Central Bank of Nigeria (CBN). During this period, the industry lost around 15.4% or ₦24.4 billion ($30.9 million) to grafts, including fraudulent activity across point of sales devices, internet banking, ATMs, mobile apps, and malicious digital loan activities.

Fraud has long been a concern in Nigeria, Africa’s largest economy. Currency devaluations and large transaction volumes in developed markets like the US have meant that Nigerian-based scammers have historically targeted foreign companies, but that’s changing. 

As the value of electronic payments in Nigeria has grown to ₦387.1 trillion ($490.7 billion) in 2022, up from ₦38.2 trillion ($48.4 billion) in 2016, scammers have increased their focus on the local market. That local market is mostly a mix of fintech startups and banking industry players working to improve financial inclusion. As part of the financial inclusion drive, transaction rules have been relaxed, and customer verification standards are now more flexible. Industry experts worry that this trend exposes customers and the industry to higher risks. 

Phishing has become widespread, with fake social media handles posing as verified handles of local banks to collect customer information and fraudulently move monies from their accounts. It has forced GTBank, Nigeria’s most profitable bank, to fix a banner at the top of its website warning customers to “be mindful” of sites impersonating its brand.

Two sources at traditional banks suggested that the verification and identity management process at banks and digital challengers was inadequate, making them susceptible to bad actors. Between April and June 2023, scammers created and operated several bank accounts, which defrauded the industry ₦5.5 billion ($6.9 million) in fraudulent loans, according to a FITC report. 

A 2022 KPMG Nigeria study found that only 30% of local banks have fully implemented KYC and anti-fraud measures. “Banks do not investigate sudden inflows or outflows against accounts without prior notice. When issues become frauds, the banks claim not to be able to reach customers,” a KYC expert told TechCabal.

The country’s financial system continues to struggle with issues around information sharing, international collaborations and lack of coordination on financial fraud investigations by local law enforcement agencies, said the Financial Action Task Force (FATF), the Paris-based global anti-fraud watchdog group. In February, FATF placed Nigeria on its grey list over “identified strategic deficiencies.”

Although the country has moved swiftly to fix some of these deficiencies, Muhammed Jiya, a director at the Nigerian Financial Intelligence Unit (NFIU), warned that Nigeria could be placed on the FATF blacklist by January 2025. The black list risks cutting Nigeria from the global financial system, making it difficult for the West African country to do business with other economies or access international financing, Jiya explained on an industry webinar in March.

Policing fraud continues to face obstacles due to the uncooperative nature of several companies, industry sources explained. Traditional banks tend to work closely with one another to curtail illicit fund transfers and suspected accounts while fund recovery processes proceed. Startups are yet to catch up with such arrangements, the people claimed. 

Companies have also historically been hesitant to share data on fraud activity and cyber breaches with other companies and the government despite a 2015 cybersecurity law mandating that they do so. Deposit-taking institutions are concerned about their reputation and how such timely disclosure could impact their business in Nigeria’s low-trust environment. 

In March, fintech startups began talks to create a fraud database, codenamed Project Radar, to share data and other information on individuals and groups that had attempted or made fraudulent transactions. But these talks have stalled, said a source involved in those conversations.

As financial fraud increases, urgency is building for Nigerian financial services to move beyond various gaps and collaborate on a robust anti-fraud framework to protect the industry and customers.

Editor’s note: The exchange rate used in this article is $1 = ₦788.9.

Late one night in September 2022, Ebube, a 23-year-old law professional, flew into Lagos from Abuja and, unable to get an Uber, booked a trip on Rida, another popular ride-hailing app in Nigeria. After several failed transactions, she discovered the next day that she’d paid him three times the fare. She contacted the driver, a man called Kehinde Ladi, for a refund, which he promised to send. What Ebube got instead was several months of constant calls and messages on WhatsApp from different numbers every other day. Ladi, who soon left Nigeria, uses new numbers to call Ebube several times despite her forgoing the money. Blocking him hasn’t stopped him. Complaining to Rida did not help the situation. A full year later, Ebube still gets WhatsApp messages from Ladi.

This is just one of many examples of cyberstalking that female passengers are subjected to after booking and going on trips with ride-hailing apps. These experiences affect the way women interact with these apps. Binyelum*, a 28-year-old lawyer who lives in Lagos and has been using ride-hailing apps for five years, has had to change her name on all the apps to a generic one because she was constantly harassed in-ride due to her unusual name. She changed her name on ride-hailing apps to avoid being stalked on social media by drivers. For Bola*, a student at the University of Lagos, this fear became a reality as a driver from Bolt used several Instagram accounts to hound and sexually harass her. Jessica* also faced the same problem after an Uber ride home from her office in Lagos, with the driver physically stalking her at work. 

Data protection lawyer Victoria Oloni, explained that Nigeria’s Cybercrimes Act of 2015 establishes criminal liability for various forms of cyberstalking, such as persistently sending offensive, indecent, obscene, or menacing messages via public electronic communication networks, which the activities of the ride-hailing drivers fall within. “Sending false messages, and causing annoyance, inconvenience, or anxiety to another person all fall within the reach of cyberstalking,” Oloni said.

While the companies in charge of ride-hailing apps set up safety measures to protect riders, it is not enough.

To protect users’ privacy, popular ride-hailing apps like Bolt and Uber have phone number masking features that enable riders or drivers to call each other in-app without revealing their phone numbers. However, there is also an option to place a mobile call to the SIM number of the user. On other ride-hailing platforms, often less expensive, like inDrive and Rida, users can only call directly on mobile. They reveal users’ phone numbers immediately after you press the call button. This is how stalkers can save the numbers to their devices and use them to contact and harass users.  

A spokesperson for Uber told TechCabal, ”We encourage riders and drivers to use in-app communication and not give their private details to ensure safety and privacy at all times.” 

Bolt explained to TechCabal that it does the same but finds it necessary to include the option of direct contact in cases where the internet connection is unstable, which is sometimes the case. “We constantly issue driver training materials to inform our drivers not to abuse this function. Any contact leads to immediate action against drivers or riders,” Bolt said in an email to TechCabal.

On the one hand, cyberstalkers may be fined between ₦‎7 million and ₦‎25 million and imprisoned for at least a year; on the other hand, according to Oloni, the absence of explicit reporting mechanisms for victims is a notable gap within the Cybercrimes Act. “While there is a cybercrime reporting portal established by the Nigerian Police Force (NPF), we all know the challenges associated with the effectiveness of the NPF,” Oloni explained. “Notably, the Act only outlines how law enforcement entities address these offences, rather than how these agencies can become aware of the occurrences of such offences.”

The ride-hailing companies often try to shift responsibility to the users, especially for stalking that happens after the ride. Additionally, there are arguments on whether ride-hailing drivers are employees of these companies or not. However, ride-hailing companies are service providers under the Cybercrimes Act and have a responsibility to aid law enforcement agencies in dealing with stalking and harassment and protecting data that’s sourced on their platforms.

Oloni told TechCabal that non-compliance by ride-hailing services could result in potential liability. “Upon conviction, ride-hailing services can be fined up to ₦‎10 million,” she said. Additionally, any director, manager, or officer of the service provider can be imprisoned for a minimum of three years or fined at least ₦‎7 million, or both. 

In the future, a cyberstalking victim may seek recourse in a court of law, and both the ride-hailing apps and their drivers might be coughing up a lot of money and some jail time. But for now, unfortunately, the status quo remains.

Oloni suggested that a possible solution is creating a shared reporting database among ride-hailing apps. This way, deplatformed drivers cannot rejoin under different services due to prior behaviours being flagged. One wonders how long it might take the ride-hailing companies to consider this and create an extra layer of safety for female users.

Have you got your tickets to TechCabal’s Moonshot Conference? Click here to do so now!

Anonymous Sudan, a pro-Russian hacktivist group says it is responsible for a Distributed Denial-of-Service (DDoS) attack which intermittently took websites belonging to Kenyan media, hospitals, universities, and businesses, including Safaricom, offline. The group had previously been involved in a series of “unprecedented escalation in DDoS attack sophistication” with pro-Russian hackers that targeted Western websites including Microsoft, according to a report published by Cloudflare earlier this year.

Denial of service attacks are cyberattacks where the attacker prevents users from accessing a website, online service, or connected device, by flooding the servers with internet traffic.

The group appears to have turned their attention to their southern neighbour this week after a video of a Sudanese general allegedly taunting Kenya’s president went viral on social media. On Sunday, it claimed it had attacked Kenya’s eCitizen website which hosts government services like visa application, business registration and more. It also claimed to have attacked Kenya Commercial Bank, Kenya’s second-largest bank measured by assets, and the country’s largest telecom, Safaricom.

It also attacked media websites including the one of The Standard Group, Kenya’s oldest newspaper, as well as the website of the government-owned Kenya News Agency. On Monday, 10 university websites were hit, including the University of Nairobi. And on Tuesday it targeted seven hospitals and the website of Kenya’s transport agency. The National Transport and Safety Agency allows Kenyan residents to apply and pay for driving licenses among others.

On Spice FM, a local radio station (owned by Standard Media Group whose website was also attacked) Eliud Owalo, Kenya’s cabinet secretary in charge of the Ministry of Information, Communication and the Digital Economy said, no data was accessed or lost. Other targeted websites appear to be functioning normally at press time.

The group said it attacked Kenya because it “released statements doubting the sovereignty of [the Sudanese] government.” Sudan has been locked in internecine conflict between the Sudanese Armed Forces (SAF) and the paramilitary Rapid Support Forces (RSF), rival factions of the military government of Sudan since the 15th of April, 2023. Last month, the Sudanese government rejected the appointment of Kenya’s president, William Ruto as leader of a mediation group after accusing the East African nation of lacking neutrality.

African states are vulnerable to cyber attacks from foreign hackers but typically don’t attack each other—at least not publicly. According to Nathaniel Allen and Noëlle van der Waag-Cowling, both cybersecurity researchers, “African countries tend to have low levels of cyber maturity and possess limited offensive and defensive cyber capabilities. Virtually all rely on foreign actors to supply critical information.” Anonymous Sudan might be pro-Sudan, but it also has significant links to pro-Russian hacktivist groups.

Digitising government services is a key part of President Ruto’s agenda. Earlier this year, his administration said Kenyans could access 5,000 government services online. The services include business permits and visa applications. All were affected by the denial of service attacks.

Africa’s growing digital economy is attracting the attention of hackers and digital crime groups. Much of the infrastructure undergirding the continent’s digital boom is often lacking adequate cyber protections in policy and practice. Digitising government services is often hailed as a model for creating efficiency and improving access, but it also opens new vulnerabilities.

In a world of increased digitalisation, when digital public services are unexpectedly and suddenly unavailable it can cause indirect and direct economic and financial losses and even physical harm, in some cases. Across the continent, cybersecurity incidents result in losses estimated at between $3.5 billion and $4 billion every year.

Update:

• Fresh attacks have hit Kenyan government services, Safaricom’s M-Pesa service and Kenya Power, the national utility. Documents shared on Anonymous Sudan’s public telegram group and by Kenya’s principal secretary for Foreign Affairs, Korir Sing’Oei suggest that Kenya will be issuing visas on arrivals to all travellers—in what appears to be a temporary visa-on-arrival program due to the attack on Citizen. In this year’s ICT budget (now held up litigation) Kenya’s government allocated $110 million to ICT. Konza City, a futuristic tech city program got almost half of the budget.

• On Twitter, Kenyans are complaining that bank-to-Mpesa wallet transfers are failing. USSD transactions and an online token purchase for electric power tokens from Kenya’s national power company appear to be also affected, per reports from social media.

This is a developing story.

According to IBM Security’s annual “Cost of a Data Breach” report, the average data breach cost for South African organizations reached an all-time high of R49.45 million in 2023. This is an 8% increase over the last 3 years, and a 73% increase since South Africa was added to the report 8 years ago.

The report also states that the per record average cost of data breaches reached an all-time high at R2,750, a 20% increase from R2,300 in 2021. Detection and escalation costs reached R20.88 million—the highest portion of breach costs, which indicates a shift towards more complex breach investigations. Costs associated with lost business stood at R13.56 million, while post-breach responses cost R13.29 million and notifying relevant stakeholders cost R1.72 million.

The financial sector bore the brunt of data breaches, with the highest average cost of data breaches in the sector totalling R73.1 million. The industrial and services sectors were second and third, with R71.37 million and R58.78 million respectively.

“South Africa is the financial centre and economic gateway to the rest of the continent. This knowledge is not exclusive to the business community; cyber attackers are aware of it too as the financial sector is the most targeted,” said Ria Pinto, general manager and technology leader at IBM South Africa. “Organisations should look to modernise their perimeter security strategies to enhance protection of their financial data by using zero-trust security solutions, underpinned by AI and automation, to increase their cyber resiliency, manage the risks and comply with strict data privacy policies such as the Protection of Personal Information Act (POPIA).”

The majority of cyber threats were the results of stolen or compromised credentials and phishing scams constituting 14% each as the initial attack vectors. Attacks through compromised business emails were second at 12%, and attacks due to cloud misconfiguration were third at 11%. The study also found that globally, 95% of studied organisations, including South African organisations, have experienced more than one breach. However, breached organisations were more likely to pass incident costs onto consumers (57%) than to increase security investments (51%).

AI to the rescue

According to the report, AI and automation had the biggest impact on the speed of breach identification and containment for studied organizations. In South Africa, organisations with extensive use of both AI and automation experienced a data breach lifecycle that was 95 days shorter compared to studied organisations that did not deploy these technologies (190 days versus 285 days). Only 28% of studied organisations have extensively implemented security AI and automation.

Additionally, studied organisations that deployed security AI and automation extensively saw an average decrease of nearly R10.49 million in data breach costs than those that did not deploy these technologies. This was the biggest cost saver identified in the report. And with nearly 29% of studied organisations not yet deploying security AI and automation and 43% using them sparingly, organisations still have a considerable opportunity to boost detection and response speeds. 

“Time is the new currency in cybersecurity, both for the defenders and the attackers. As the report shows, early detection and fast response can significantly reduce the impact of a breach,” said Chris McCurdy, the general manager of  Worldwide IBM Security Services. “Security teams must focus on where adversaries are the most successful and concentrate their efforts on stopping them before they achieve their goals. Investments in threat detection and response approaches that accelerate defenders’ speed and efficiency – such as AI and automation – are crucial to shifting this balance.”

According to INTERPOL’s 2022 Africa Cyberthreat Assessment report [pdf], South Africa leads the continent in the number of identified cybersecurity threats, with 230 million total threat detections. Research by Accenture also illustrates the severity of the cybercrime landscape, with the country recording the third-highest number of cybercrime victims worldwide, at a cost of R2.2 billion a year.

According to Liquid C2 Cyber Security’s “The Evolving Cyber Security Landscape in Africa 2022” report, 62% of surveyed companies on the continent said that the cybersecurity breaches to their operations occurred as a result of remote or hybrid working. The study, which covered 139 companies in South Africa, Kenya, and Zambia, also uncovered that as a result of remote and hybrid work, companies had limited capacity to curb the proliferation of threats on users’ devices.

The top method of attack used by cybercriminals targeting companies was through email, using Phishing or Spam attacks (61%), with attacks through compromised passwords following at 48% and data breaches and attacks (44%) being the second and third most common. “One of the primary threats cited by decision-makers around remote and hybrid working was authorised use – the concern that the person accessing the device or the company resources is not a family member or someone misusing company owned resources. There are concerns around managing this challenge alongside malicious code from harmful websites and lost or stolen devices,” the report said.

According to the report, from ensuring the protection of one environment for hundreds of employees in the office, they are now tasked with protecting hundreds of environments scattered across different countries, geographies, time zones and regions.

To further alleviate the problem, the continent does not have the requisite cybersecurity skill pool to deal with the surge in threats. The report estimates that there are only 7,000 certified cybersecurity professionals, or one for every 177,000 people on the continent.

“The biggest concern emerging from this report is that companies are saying that they’ve put a lot more cyber security controls in place. With threats evolving faster than security systems, companies cannot afford to get complacent,” says David Behr, CEO of Liquid C2. “The report highlights that businesses must be consistently vigilant about the ever-evolving cybercrime landscape and the methods malicious actors use to breach cyber security measures. As the report shows, complacency is a luxury no one can afford.”

According to INTERPOL’s 2022 Africa Cyberthreat Assessment report [pdf], South Africa leads the continent in the number of identified cybersecurity threats, with 230 million total threat detections. In second place was Kenya with 72 million.

Last week, streaming platform Showmax confirmed that a hacker had accessed 27,000 customers’ data, mostly login credentials, eventually offering them for sale on a hackers forum. Prior to this incident, JD Group, one of South Africa’s largest retail conglomerates, was also hacked, with over 500,000 customers’ personal data exposed.

Hacking incidents in the country have become quite frequent, with the likes of Shoprite, DisChem, Liberty Insurance,TransUnion, and even government departments  falling victim to cybersecurity breaches in recent months.

“The reason attacks seem to be getting more prominent nowadays is that attack time is a lot quicker than it’s ever been before and the reason for that, among others, is encryption technology, which is now so progressive and available to businesses and consumers, is equally as available and can be leveraged by bad actors. This technology is so much faster than it’s ever been, meaning that security breaches can also happen much quicker. Back then, the dwell time for attacks, which is the time an attacker needs to make a break-in, was in the 290-day ballpark range. Nowadays, this has been reduced to about 84 minutes on average,” said Kate Mollett, senior director of southern Africa operations at Commvault, a cybersecurity firm.

Mitch Adams, a cybersecurity professional who has done cybersecurity work for some of the country’s most prominent tech startups and corporates, believes that the advent of COVID-19 which pushed more people online and tough socio-economic conditions like unemployment, are the main reasons for the surge in cybersecurity over the last two years.

“During COVID-19, work from home became so common, and it still is, which saw people taking their work away from firewalled work computers to at home with no any security whatsoever. Additionally, South Africa has high unemployment rates and technology professionals who cannot get a job can sometimes be tempted to exploit lax security measures in order to try to earn a living,” Adams told Techcabal over a call.

According to INTERPOL’s 2022 Africa Cyberthreat Assessment report [pdf], South Africa leads the continent in the number of identified cybersecurity threats, with 230 million total threat detections. In second place was Kenya with 72 million. Phishing attacks, ransomware attacks and business email compromise (BEC) attempts were identified as the leading modes of breaches in the country.

Research by Accenture also illustrates the severity of the cybersecurity landscape, with the country recording the third highest number of cybercrime victims worldwide, at a cost of R2.2 billion a year.

The scale of cyber criminality in the country is further evidenced by the fact that the country is estimated to suffer 577 malware attacks an hour. The South African Banking Risk Information Centre (SABRIC) reported [pdf] that “gross fraud losses on South African-issued cards increased by 20.5% from 2018 to 2019” due to CNP fraud and banking malware attacks, putting South Africa as second only to Russia in this regard.

Crypto fuelling the fire

The mainstreaming of cryptocurrencies over the last three years seems to have fuelled the occurrence of ransomware attacks in the country, with retailer Shoprite falling victim to such an attack last year. RSAWeb, Transnet, and most recently, the Development Bank of Southern Africa, have been hit by ransomware attacks.

Ransomware is a type of malware that encrypts a victim’s data and synchronises it to a remote node or blocks its access while a ransom is demanded. The average ransom demanded for the data is at least $300,000, mostly in crypto.

“Ransomware criminals exploit the international nature of virtual assets like cryptocurrencies to facilitate large-scale, nearly instantaneous cross-border transactions, sometimes without the involvement of traditional financial institutions that have anti-money laundering and counter terrorist financing (AML/CFT) programs. Criminals further complicate their transactions by using anonymity enhancing technologies, techniques, and tokens in the laundering process, such as anonymity enhanced cryptocurrencies and mixers,” says the Financial Action Task Force (FATF).

Another growing cybersecurity concern for South Africa involving crypto are scams, in which threat actors seek to defraud victims of their cryptocurrency. Over the last two years, South Africa has recorded two large-scale crypto scams.

The first was a Ponzi scheme where thousands of investors were allegedly scammed out of $588 million in Bitcoin by the company Mirror Trading International in 2020. The second case involved the trading company Africrypt, whose founders allegedly absconded with $3.6 billion from investors in April 2021.

Cryptocurrency scams seem to be quite lucrative in South Africa, one of the top ten countries worldwide where threat actors received the highest volume of cryptocurrency from illicit addresses. Additionally, South Africa was second only to the US in the list of countries from which most crypto scams emerge.

Staying safe amidst the wave of attacks

According to Mollett, the best way for businesses to stay safe during this wave of cybercrime attacks and breaches is to treat cybersecurity measures as a necessity for each and every business, not a privilege reserved for big companies only.

“The prevalence of smartphones, through which both your staff and customers do everything from accessing emails to using banking apps, means that there is a huge risk factor for a breach and just education and awareness will not suffice. As a business, a breach always reflects back on you, so it’s best to take proactive measures to ensure safety. Recovery is great. What is so much better than recovering from something is preventing it in the first place. So Commvault made a key acquisition early last year of an organisation called ThreatWise, which is able to assist organisations with something we call “active defence”. And what that does is it provides early warnings of an attack within your environment before it even happens,” added Mollett.

Adams also believes being proactive in combating attacks before they even happen is crucial in the fight against cybercrime attacks.

“The problem is that small businesses are of the mentality that cybersecurity attacks won’t happen to them because on the news they only read about attacks on big companies. But this is not true because one always thinks it won’t happen to them until it inevitably happens to them. It’s best to invest in cybersecurity before an attack because addressing an attack which has already happened will be much more expensive than having been proactive,” said Adams.

Startups playing their part

Startups are also playing their role in trying to ensure cybersecurity in the country. One of those is Sendmarc, a Johannesburg-based cybersecurity startup specialising in anti-phishing solutions. In February, the company raised a $7 million Series A round to scale its solution. The company’s technology relies on email authentication methods, including the Sender Policy Framework (SPF) and the Domain-based Message Authentication, Reporting, and Conformance (DMARC), globally-recognised email security standards that protect domains against email spoofing.

The startup claims to serve over 1,000 paying customers including South African stock exchanges, law firms such as Bowmans, insurance companies, tech startups, banks, and law enforcement agencies across North America, Europe, Australia, South Africa, and Latin America, with its technology. Additionally, 80% of its clients are based in South Africa.

Another startup is Port443 which raised an undisclosed amount of funding from technology investment firm Iziko2.0, with supporting funding from RMB Ventures last month. The Johannesburg-based startup specialises in security automations and integrations. Through its custom platforms and OneView dashboards, it gives management and technical teams at-a-glance views of the status of their security estate, to help them proactively manage vulnerabilities and respond to breaches.

Other startups which also have cybersecurity offerings include TakeNoteIT, which offers early detection technology productions, and Octarity which offers cybersecurity solutions specifically for small businesses in the country.

The prevalence of cybercrime attacks despite the presence of regulatory frameworks such as the Cybercrimes Act and the Protection of Personal Information Act (POPIA), is perhaps proof that the fight against such attacks will take more than just effort from lawmakers and law enforcement branches. Mollett agrees with this hypothesis.

“Those legislations are of course vital in the fight against cybercrime attacks, but in most instances, you realise that they are the last line of defence. Innovative solutions are what is really effective to fight attacks as they happen or even before they happen, and not just as a remedy against attacks which have already affected customers and destroyed a business’ reputation,” concludes Molett.

The steadily increasing rates of South Africa’s internet, smartphone, and crypto adoption rates are a double-edged sword as, despite fostering digital inclusivity, also present an even larger pool of possible victims for bad actors. 

But on the bright side, the prevalence of these attacks also presents an opportunity for innovators, including corporates and startups, to build solutions which will protect South African citizens and businesses from these attacks.  According to data by Statista, the largest market within cybersecurity is security services with a projected market volume of US$349.00m in 2023. Revenue is expected to show an annual growth rate (CAGR 2023-2028) of 8.81%, resulting in a market volume of US$949.30m by 2028, showing the amount of opportunity for innovators in the space.

As Nigeria embraces digital transformation and witnesses a rapid increase in internet connectivity, data breaches have intensified. For the uninitiated, a data breach occurs when an intruder—usually a hacker—copies and leaks confidential user data such as names, email addresses, passwords, banking details and more without permission. According to a report [pdf] by IBM, the cost of a data breach averaged $4.35 million in 2022.

A recent global study released by Surfshark, an Amsterdam-based cybersecurity firm, ranks Nigeria as the 32nd most breached country in the first quarter of 2023. Per the report, Nigeria had 82,000 leaked accounts from January to March 2023, representing a 64% increase from the previous quarter. It adds that data breaches globally declined in Q1 2023, with 41.6 million accounts breached. This is almost 50% less than the nearly 81 million recorded in Q4 2022.

Agneska Sablovskaja, lead researcher at Surfshark, is not relieved by this reduction in data breaches. “However, the fact that over 40 million accounts were breached in just a few months is still a cause for concern. Those whose data was compromised are at an increased risk of being targeted by cybercriminals as their personal information can be utilized for phishing attacks, fraud, identity theft, and other serious cybercrimes,” she said.

Russia tops the data breach charts with 6.6 million breaches, accounting for a sixth of all global data breaches from January through March. In second place is the United States, with 5 million, while Taiwan appears in third place with 3.9 million after extreme quarter-over-quarter growth, followed by France and Spain recording 3.2 million each. 

The alarming surge of data breaches in Nigeria and their potential consequences raises the urgent need for proactive measures to protect sensitive information. Data breaches have severe implications for both individuals and businesses. Personal information, including financial records, medical data, and identification details can be compromised, leading to identity theft, financial fraud, and reputational damage. 

For example, in July 2022, a data breach that rocked the Plateau State Contributory Health Care Management Agency (PLASCHEMA) exposed the personal data of thousands of citizens. In February, the Nigeria Data Protection Bureau (NDPB) said that it was currently investigating over 110 companies in Nigeria over allegations of data breaching. 

While it is pertinent that individuals recognize the importance of data protection by staying vigilant online, other stakeholders—government agencies, corporate organisations, and civil society organisations (CSOs)—must equally rise to the occasion. Addressing the surge of data breaches requires proactive and collaborative efforts to develop comprehensive policies to strengthen the nation’s cybersecurity position.