In November 2021, Oluwaseun Medayedupin was arrested by the Nigerian police in Lagos. An investigation found that he had been pursuing “disgruntled employees” from American companies and pushing them to release ransomware on internal enterprise servers, offering a percentage of the cut if they agreed to collaborate in the attack. This was a sophisticated social engineering scheme, far more advanced than the notorious “Nigerian prince” emails that have made the country of Nigeria synonymous with scams.
The origins of these types of scams may be attributed to a boom in the establishment of cybercafes during the 1990s, coinciding with falling oil prices in Nigeria and a rise in unemployment. Add in a lack of national social security, and many Nigerians were forced to seek out alternative forms of employment—physical labor; gig work; and, most notoriously, cybercrime. For years, the Nigerian Police Force has been keeping tabs on domestic cybercriminals, and Nigeria’s Economic and Financial Crimes Commission (EFCC) even reported several recent cases of fraudulent requests for gift cards and cryptocurrency, some of the more common methods for criminals hoping to access digital funds.
As Medayedupin’s case shows, the rampant fraud has not been isolated within national borders. The US Treasury Department currently has six Nigerian criminals on its Most Wanted cybercriminals list, while the FBI’s Internet Crime Complaint Center (IC3) reported nearly $2.5 billion in losses tied to Nigerian-originating cybercrime in 2020. Historically, finding and resolving fraud has been a difficult task for individual companies. Due to a lack of adequate understanding and data regarding African markets, these companies become particularly vulnerable to international scams, leading them to rely on external providers to detect and mitigate risks. This has spurred the creation of cybersecurity products from companies such as Abnormal Security, Proofpoint, and Stripe, all of which specialize in detecting fraudulent activity on digital platforms.
The last five years have seen an increase in tech companies internationalizing their services for emerging African markets. But as more platforms make the transition, the potential for mistakes becomes higher and the consequences more severe.
Fraud detection services, whether for email, credit cards, banking, or other online transactions, generally use some combination of rule-based engines and deep-learning models to identify patterns of fraudulent activity. This can either take the approach of identifying known scams—writing “rules” to discover similarities between familiar scams and the transaction being observed—or of identifying unusual activity in transactions. Either approach uses some form of featurization, segmenting transactions into qualitative or quantitative data points, such as (in the case of email), sender IP address, recipient name, or country of origin. Though some types of attacks, like “Nigerian prince” scams, may be easily detected by heuristics (they often contain the same phrases or are written in all caps), attempting to detect more sophisticated attacks, such as Medayedupin’s disgruntled employee scheme, can yield inaccurate results. That is, emails that are not fraudulent can be also flagged due to attacks’ similarities to legitimate transactions.
These problems may have inspired Stripe to acquire PayStack, a startup founded by two entrepreneurs in Lagos and considered one of the leading payment services in Nigeria. Not only does a Nigerian-founded company provide an entrance into African markets, but data from PayStack’s active users could prove helpful for differentiating signals in a space so riddled with fraudulent noise.
But what about companies lacking the resources to access this data? Most security providers don’t have the engineering budget to build systems accurate enough to detect highly targeted scams or the capital to acquire African companies already working on solutions. Given the high volume of fraud originating from Nigeria, the de facto solution for many companies today has been blocklisting suspicious accounts originating from the country or training machine learning models using limited data that biases against Nigerian users. Binance reportedly blocked 281 Nigerian cryptocurrency accounts in January 2022, citing anti-money-laundering measures. PayPal has also historically banned Nigerian users from receiving payments on their platform, while Proofpoint claims to use “linguistic styles” to identify Nigerian threat actors based on email activity. In the 2021 Merchant Risk Council report, 24% of all global merchants claimed to use blocklists to handle fraud, while 18% used geographic indicators or global location data.
International perceptions of Nigerian scammers have already had negative consequences for Nigerians in tech. According to Olubukola Stella Adesina, professor of International Relations at the University of Ibadan, “international financial institutions now view paper-based Nigerian financial instruments with [skepticism]. Nigerian bank drafts and checks are not viable international financial instruments. Nigerian internet service providers (ISPs) and email providers are already being blacklisted in email-blocking blacklist systems across the internet. [S]ome companies are blocking entire internet network segments and traffic that originate from Nigeria.”