Oluwananumi Dawodu, a cybersecurity expert and Fraud and Investigations Officer, UK Department of Works and Pensions, in this interview by IFEDAYO OGUNYEMI, spoke on the rise in the trend of digital identity theft in Africa and how to use proper education to curb it.
You’ve worked across Africa and Europe. What differences have you noticed in how these regions approach cybersecurity?
I’ve seen that Africa and Europe tackle cybersecurity in quite different ways when I’ve worked in both places. Cybersecurity is more regulated in Europe. The General Data Protection Regulation (GDPR) and other rules have made it very important to follow the rules. Most organisations have defined plans for how to respond to incidents, security teams that work full-time, and funding to support strong infrastructure. Cybersecurity is generally a top priority for businesses in the private sector. For instance, by 2023, 88% of German organisations said they had a Chief Information Security Officer (CISO).
Can you walk us through your journey into cybersecurity and what motivated you to specialise in this field?
I got interested in cybersecurity as I started to learn more about how digital systems work and where they go wrong. I work for the UK Government in the Counter Fraud and Compliance Department (CFCD) as a fraud and investigations specialist. I was in charge of security operations at SecureO, where I oversaw the use of SIEM products, including Microsoft XDR, Azure Sentinel, Nessus, and Rapid7. I help businesses achieve PCI DSS and ISO 27001 compliance needs and provide cloud security consulting for AWS, Azure, and GCP environments. I’ve worked in cybersecurity with DigiHealth Africa, Kiteworks UK, TradesTeam, and Makintouch Consulting. As a cybersecurity instructor at GOMYCODE, I have also taught people who are just starting in their careers. I am a 2024 recipient of the Tech Nation UK endorsement for the United Kingdom Global Talent Visa in Cybersecurity. I won the AfriSAFE Young Innovator Award (2021), the Diana Award (2021), the SDG Innovation Challenge Award from the African Youth SDG Summit (2020), and the SME100 Africa 25under25 Most Enterprising Award (2020). I volunteer as a cybersecurity mentor for Scotland Women in Technology, helping women reskill in technology through organised coaching, industry guidance, and career development. I opted to focus on cybersecurity because it gave me the ability to work on actual challenges that matter. Digital identity protection and following the rules were two areas that really interested me. There was a big gap between what the rules said and what people actually did, especially in developing areas.
What are the most common vectors for digital identity theft and online fraud today?
Cybercriminals mostly use phishing, spoofing credentials, malware, and social engineering techniques to obtain personal information and commit fraud online. Phishing is still the most common type of attack. The 2024 Verizon Data Breach Investigations Report found that some kind of human error or manipulation caused more than 74% of breaches. Phishing attacks generally happen by email or SMS to get people to give up their login information. Credential stuffing, in which hackers utilise stolen credentials from earlier breaches to get into other accounts, still works since many people still use the same passwords. Malware is another common way to get viruses, and it is typically buried in bogus downloads or bad websites. Public Wi-Fi is also dangerous since attackers can access unencrypted data. In some places, SIM switching is used to get around two-factor authentication by moving a victim’s number to a new SIM card. I previously spoke about global identity theft and SIM card scams in the media.
We’ve seen a rise in the spate of digital identity theft in Nigeria and even all over the globe. How can everyday users in Africa protect themselves from social engineering attacks?
Digital identity theft is developing quickly in Nigeria and all around Africa because hackers know that consumers typically don’t have the tools or expertise to defend themselves. Phishing, fake alerts, and impersonation scams are all examples of social engineering attacks that rely on people making personal mistakes, not technological problems or glitches. There are a few simple but powerful things that everyday people can do. First, always check requests for private information, especially if they say they need it right away or have the power to get it. Don’t click on links or download attachments from people you don’t know. Second, make sure that all of your critical accounts, such as your bank account, email, and social media accounts, have strong, unique passwords and two-factor authentication (2FA) turned on. Third, make sure your operating system and software are up to date. Fourth, be careful about what you post on the internet. People commonly utilise personal information, like your mother’s maiden name, birth date, or school, to guess passwords or security questions. Finally, be careful of online deals and juicy offers that seem “too good to be true.” A lot of scams use emotional manipulation to encourage people to respond urgently and quickly.
Would you advocate the inclusion of digital security in Nigeria’s tertiary institution curriculum, particularly now that millions of students and youths depend on technology and online presence for studies, business and personal interactions?
I advocate teaching digital security in Nigerian universities and colleges. Millions of kids use technology for work, education, and communication, yet few know how to avoid risks on the internet. Cybersecurity is often considered a specialised field, yet everyone should know how to secure their digital devices, just like reading and writing. General ICT education should teach students how to recognise phishing emails, secure their accounts, and protect their data. Implementing these concepts early will create a more aware, responsible, and tough online generation. It prevents financial losses and reduces the impact on the economy and reputation.
How should law enforcement and the tech industry collaborate to fight online fraud in Africa?
African law enforcement and internet corporations need to work together to stop online fraud. Digital businesses should give security authorities real-time danger information, especially for fraud that is likely to happen. We need data-sharing agreements that protect people’s privacy. Second, police need cybercrime units to catch people who commit digital crimes. A lot of African police personnel don’t have the tools to find online fraud. So, the events of 2020 that started the “END SARS” movement, where young people were wrongly accused of being internet fraudsters without any real inquiry, led to attacks on many young people. Task forces made up of both investigators and technologists can help close that gap. Third, regulators and private sector partners should make it easier for people to report internet fraud by giving them a public platform.
Would you say these gaps also exist in Nigeria’s cybersecurity education in universities, having taught at GOMYCODE and mentored through Scotland Women in Technology?
Yes, Nigeria’s cybersecurity education still lacks detail and provides students with little real-world experience. Most programmes don’t provide real-world applications or hands-on training; they just focus on theory. From teaching and coaching, I can notice a definite gap in skills readiness.
How can improved cybersecurity education and professional training address these vulnerabilities?
Better education and training can provide people with more than just certificates; they can also give them real-world skills. Certifications, simulations, and boot camps help people prepare. Real-world labs and mentors can help students become professionals who are ready for work.
How can governments and the private sector collaborate to develop sustainable cybersecurity talent pipelines across Africa?
The government should pay for cybersecurity centres at colleges and universities, and businesses should offer internships and mentorships. Joint certification programmes and contests in different areas can help develop lasting pipelines. It is really important to invest in local trainers for a long time.
What advice would you give to early-career professionals who want to enter the cybersecurity field but lack resources?
First, try free internet resources like YouTube tutorials, TryHackMe, and Cybrary. Then, join tech groups in your area and attend virtual cybersecurity meetups. Work on modest projects and get certificates to expand your portfolio.