How Lagos residents lose billions to fraudsters’ new tricks
•N288bn stolen in 2018
Crime is not new to Lagos but the perpetrators always try to be a step ahead of the law and the defence mechanism of the residents. In this piece, CHIMA NWOKOJI, AKIN ADEWAKUN and LEKAN OLABULO try tipping the uninformed.
A Latin proverb says, “to be forewarned is to be forearmed,” meaning prior knowledge of possible danger or problems should give a likely victim an advantage.
In 2018, Nigerians lost N288 billion ($800 million) to cybercrime. Although there was no state-by-state breakdown of the humongous stealing, residents of Lagos State, due to their sheer number, are without doubt, a major victim of the growing community of cyber robbers.
While the figure for 2019 is being awaited with bated breath, it has been discovered that the 2018 figure recorded a N38 billion increase in comparison to the 2017 figures, which stood at N250 billion ($649 million).
With 2019 figure expected to rise beyond the current number, the question agitating many minds is whether the victims, both old and new, aren’t learning anything from all the warning signals or the criminals are always a step ahead.
A fresh insight gained by Saturday Tribune into the cybercrime community, revealed latest tricks the fraud artists have adopted in fleecing innocent people of their hard-earned money.
In fact, a little and brief carelessness can now cost one all his/her savings, as the cyber thieves have now developed bigger capacity to wipe out depositors’ funds in their bank accounts in a jiffy and your bank’s response may even get you more confused.
Worse still, you are not likely to get any appreciation for the money taken away. Instead, you may end up with a ridiculous name like mugu, meaning a fool.
The spike in cyber fraud led to the creation of a body named the Nigeria Electronic Fraud Forum (NeFF). It consists of all relevant stakeholders in the financial system who have been actively and proactively reacting to the challenge to safeguard integrity of the e-payment channels but they obviously cannot fix the mess without the active involvement of members of the public.
Just as measures are being taken to prevent this particular line of fraud, the fraud industry also reinvents the wheel or changes pattern to remain in business. Lagos as a commercial hub of Nigeria provides them with great opportunities to thrive.
While the story of Mr S. Aigbe who entered a criminal-packed vehicle popularly known as one chance may be called daylight robbery, the experiences of other residents as revealed by Saturday Tribune’s investigation are complete electronic fraud that can be avoided if certain preventive measures highlighted by the experts were taken.
Aigbe had left his Surulere residence for Ajah on January14, 2020. Unknown to him, the yellow bus he boarded to his destination was packed with robbers. They pretended, as is their practice, that the yet-to-be occupied space was meant for a single passenger (one chance).
On getting to Argungi Bus Stop, a few passengers alighted and just a stone’s throw from the bus stop, they began their operation.
Mr Aigbe was not only beaten up, he was taken to the nearest Automated Teller Machine where he was forced to withdraw all that was in his account. They took the money and his phone and abandoned him to his fate.
Another passenger, according to Aigbe, was forced to check her account balance. Thereafter, the thieves went away with her phone and debit card.
However, it is not only one chance that is causing pain and anguish to Lagos residents. Without telling anyone the four-digit code, people have equally given out their bank details unknowingly.
Mr Aigbe’s case is different from that of Mrs T. Ogunwale. The mother of three had visited her husband’s bank at Ikotun Egbe, Lagos, on December 24, 2019. She went to make withdrawal using her husband’s debit card, commonly called ATM card, for the Christmas Eve shopping.
She did not suspect any foul play, being the Automated Teller Machine (ATM) she had been using over time. Two young men that she greeted before approaching the ATM were innocently discussing on the bank premises. They were there for a mission and when the woman went in to conduct her transaction, one of them pretended as if he came for the same purpose and queued behind her.
Not suspecting anything, Mrs Ogunwale made her N40,000 withdrawal and went to the market. The husband, as usual, got the debit alert for the same amount. On getting home, she returned the card to the owner.
However, trouble started early in the morning when Mr Ogunwale woke up to see several debit alerts on his phone. He was alarmed that his card had been compromised but how and by whom?
He called his wife’s attention but the woman could not explain anything. Since there was nothing left in his account, he did not bother to block it until after the Christmas holiday. When Ogunwale finally reported to his bank, they told him that he must have given someone his debit card.
Indeed he gave his wife his card and she withdrew N40,000 but she returned it to him the same day and never went out again. The face that performed the cash transaction was shown to him and it dawned on him that a fraudster had feasted on his hard-earned money while he slept. The balance on Ogunwale’s account after exceeding daily withdrawal limit was equally used for online shopping.
That was when his wife recalled there were two men on the premises when she made cash withdrawals. In the eyes of the fraudster, Mrs Ogunwale had helped her husband fall a mugu. That was how the innocent man lost N967,000 to a thankless stranger.
Mrs Ese Imohinmi is still raining curses on an unidentified woman that was by the side of a long queue at an old generation bank on Egbe Road, Iyana Ejigbo, Lagos.
She had gone with her daughter, Olivia, to make a withdrawal but when it was her turn, the machine showed ‘temporarily unable to dispense cash.’ Since another generation bank’s ATM is nearby, Mrs Imohinmi asked her daughter to quickly go and make use of the machine and meet her at Iyana Ejigbo market. Unknown to them, the strange woman had run fast, boarded a tricycle and went ahead of 14-year-old Olivia. When Olivia arrived and joined the queue, the strange woman went to her and told her that her mother said she should use the other ATM card and make the withdrawal. The stranger gave Olivia a debit card with a PIN and requested to hold the other one and wait for her to finish the transaction. As soon as the unsuspecting young girl approached the ATM, the strange woman disappeared into thin air. It was when Olivia slotted her new debit card that it dawned on her that she had fallen for a scam. That was how Mrs Imohinmi lost N120,000 to a fraudulent merchant of cloned debit cards.
This fraudulent practice is a worldwide problem and considering how it has hit the Nigerian financial system, residents can stay safe and reduce the chances of their cards being cloned by taking certain steps.
The most common way of cloning a card is through the use of a card skimmer. The card skimmer, according to information technology experts, allows the fraudster to capture and record all the data on the ATM card. The card skimmer is placed on any machine that accepts debit or credit cards like Automated Teller Machines or POS machines. When an unsuspecting victim inserts their card in the skimmer, the data on the card is captured.
Depending on the sophistication of the card skimmer, the fraudsters might also need to capture the Personal Identification Number (PIN) separately and would make use of a camera or a dude peeping over the customer’s shoulder to get it.
Experts say that it is not easily noticeable when a device has been tampered with and a card skimmer installed in it. But they advise that people should be wary if the machine looks bulky, feels loose or blocked. A loose rubber or number pad is also a bad sign, as well as a machine situated in a secluded or hidden area.
It was obvious that the strange woman had given Olivia a fake, cloned ATM card. It is obvious, too, that Mrs Ogunwale had used a machine under attack, according to a financial expert and Deputy Managing Director, Afrinvest (West) Africa Limited, Mr Victor Ndukauba.
Ndukauba, who has extensive knowledge of information technology, told Saturday Tribune that people, especially in Lagos, have been losing millions of naira to card-cloning fraudsters.
Explaining what people should watch out for, he said that the fraudsters usually insert their gadget or card reader on top of a green/black plastic attached to the ATM hollow where the card is usually slotted in.
His words: “They mount it there and it looks as if it is part of the machine. When you come and slot your card into the ATM, the metallic chip in the card reader copies every information on your ATM card. When you are done with your transaction, they have harvested such information as card number, name, PIN and 3 digit number behind the card. They can now print any other card, input all the information harvested and begin to carry out transactions on your behalf.”
Ndukauba said this process is difficult to unravel but the first thing to do for safety purposes is to look at the machine properly and if possible shake the projected mouth of the machine and if it doesn’t pull off, then “you are safe to slot in your card.”
The Afrinvest DMD further said that his savings account ATM card is strictly linked to his current account. He does not leave money in that current account. So, anytime the card is used, it will be declined because there is always insufficient balance since the primary account is current and the secondary account is savings, which will be difficult for fraudsters to know.
He also explained that the fraudsters can hack someone’s card using public WiFi to capture everything the person types and they can phish the emails.
Bankers advise that knowing how to block your account with a code is very important because in times of emergency, running to the bank might be too late, especially during weekends. They suggest that customers should approach their banks for the code needed to block their accounts in case of emergency.
We have been drained –Victims
For Mr B. Adesuyi, a customer of a new generation bank, what had looked like a harmless mail received a few months ago was to later cost him the sum of N180,000.
The financial consultant had mistaken a scam mail for one coming from an acquaintance and clicked on it. Unknown to him, an identity theft had occurred and the person whose e-mail account was being used to send the mail was different from the sender. A scammer had sent the mail and he fell for it.
“I wasn’t suspecting anything. I thought the mail was coming from somebody I knew. And to make matters worse, he never told me his mail had been hacked. So, nothing prepared me for what was to happen later. I was driving out of Shoprite in Lekki, where I had gone to do some shopping with my family, when I started receiving debit alerts on my bank account. It was during a holiday period so there was little or nothing I could do to stop this. At the end of the day, I lost N180,000 to the scam.
“Curiously, when I went to lodge complaint at my bank, they said they were going to look into it. I was shown the picture of the guy that withdrew the monies from the ATM. It was that of a man. I requested from the bank, a copy of the picture. The bank turned down the request,” he said.
Adesuyi disclosed that he later petitioned the Economic and Financial Crimes Commission (EFCC), intimating the commission of the development. “Perhaps because of the amount involved, the anti-graft organisation simply refused to entertain the complaint,” he stated.
According to him, the scammers were able to access the account because the compromised e-mail account was tied to his bank account.
“That was where I had all my financial transactions details. It was really shocking, a huge disservice to online banking,” he stated.
But T. Oluwaferanmi, an old generation bank’s customer was a bit lucky. The prompt intervention of his elder brother prevented the scammer from emptying his bank account. Somebody had called him purportedly from First Bank asking for some details on his account.
The person who pretended to be a staff of the bank was actually following up on the text message purportedly sent by the bank that his account would be deactivated if he refused to upgrade.
“He told me the bank was doing some upgrade and would need those details from me. I think he even told me that my ATM card had been deactivated; since the time given by the bank to me to comply had lapsed. Honestly, I never suspected any foul play because he called me by the name with which I registered the account, called my account number and other intimate details. It was when I discussed the development with my elder brother that my bank was doing an upgrade and would require me to supply some details or have the account deactivated that my brother promptly advised that I should visit the bank.
“I didn’t eventually go because the period I was asked to comply with the directive or have my account deactivated had come and gone and the account was still active. I was to learn later that a lot of people had fallen for the prank in the past,” Oluwaferanmi added.
Experts say that some of the account information that they have are retrieved from certain fake forms most people fill online for one thing or the other.
For Mrs Titi Ogunsemoyin, it came in form of another harmless call from her bank asking for her real date of birth. According to her, the caller had complained about two contrasting dates of birth registered against her name and would want her confirm the actual one. This she did.
Not long after she had innocently done that, that she started getting debit alerts. At the end of the day, close to N100,000 was debited from her account.
Till date, just like Adesuyi, she has not been able to recover the money since her bank refused to accept any liability.
“I felt very bad but what do I do? I have been to the bank and I was told that such a message never came from them,” she stated.
Each time the poor woman remembers the incident, she stated, she always feels her body well up with rage, frustration and anger.
Mr T. Ogunsemoyin’s case was not the same with that of Eke (not real name) whose case went viral online recently.
He was in Lagos for a programme. Eke narrated how one of the participants was about booking for his flight. He went online to the website of an airline, got to the payment point to pay N21,500.
The moment he imputed his card details, the site went off and lo and behold, the N2 million in the account had been wiped out.
He showed Eke the debit alert he received from the bank.
It was a very traumatic experience for him, better imagined than experienced. The website was a fake website created to deceive unsuspecting members of the public.
Eke, therefore, advised that people should open a new account to be used for making online payments only.
“You can then fund the account whenever you need to use it. Please, let us, as soon as possible, open another account for online transactions. The site that was used had all the features of the original website of the airline,” he said.
Multiple problems, multiple solutions
But website builders advised that opening a new account might not solve the problem.
According to some of them who spoke to Saturday Tribune, there are signs to look out for. A website that has a padlock sign at the beginning of it is more secure and likely to be genuine. Also, people should look at websites very well to see if there are additions to the name of the company.
For instance, instead of www.flyaero.com, the fake website could be www.flyaero.me.com. That little addition makes all the difference. Some might also not carry anything but while opening, they re-direct the user to another website.
The beginning of the Web address in genuine browsers address bar should be “https://” rather than just “http://”. Also, if it re-directs to an IP address like http://126.96.36.199 one should be wary.
The Afrinvest Deputy Managing Director, Ndukauba, called this phishing, whereby fraudsters create a website that looks like the original. They can create a company’s fake website and once a person keys in card details or pays money online for the service, the criminals bring down the website, he stated.
Phishing scams come in all shapes and sizes, ranging from the crude, to highly sophisticated schemes with phony websites, resembling those of any bank or company – NNPC, airlines, Amazon and other familiar names.
With about 3.9 billion users, the internet has become one of the greatest technological developments. While widely accepted for its ease and efficiency, it is also embedded with a multitude of vulnerabilities which pose significant security threats to users and has led to the emergence of cybercrime.
Fraudsters trick people by sending a link to be clicked in order to clear up an issue or ‘verify your account’.
Once the email link is clicked, the person is taken to a login page or presented with a form in which to enter personal details like Bank Verification Number, password, credit card number and even banking PIN or routing numbers. Falling for this scam means the game is over. The crooks have everything they need to steal identity, buy things online and empty one’s bank account.
“Anytime you go to the website of your bank or other site and you see the address suddenly switch to another site, do not enter any information. You have a Trojan horse virus.
“Do not open emails that are unsolicited to avoid falling for email phishing scam. Their goal is to get you to open the message and read it. The scam artist can manipulate the browser to not reveal the URL line so you will not even be able to see what site you have signed onto,” the IT expert explained.
Between late 2019 and February 2020, people have been receiving calls from telephone numbers that look like the following: +375602605281; +3712791309; +56322553765 .
Any number starting with +371 +375 +381. +375 code is for Belarus. +371 code is for Latvia; +381 Serbia; +563 Valparaiso; +370 Vilnius; +255 Tanzania.
They only ring once and hang up. All over social media, people have claimed that if a person calls back, they can copy the person’s contact list in three seconds and if there are bank or credit card details on the phone, they can copy those, too.
They said it is “a new trick which is used to access one’s SIM card, make calls at the victim’s expense and frame people up.
The only escape route at the moment is to bar such numbers or never try to call back, according to a staff member of one of the telecommunication companies.
Cybercrime, which includes any crime committed with the aid of a computer and network (e.g. phishing, bank verification number scams, fraudulent emails, hacking, cyber harassment, spamming, ATM spoofing, social media hi-jacking etcetera), exploits vulnerabilities of both electronic devices and their users. In Nigeria, a number of key factors – such as a high rate of unemployment, the quest for wealth, a lack of strong cybercrime laws, and incompetent security on personal devices amongst others – have coalesced to make cybercrime a significant problem for the country.
For individuals, simple security tips such as having an updated and recognised anti-virus software, avoiding pop-ups requiring personal information, using strong passwords and ignoring emails or calls requiring financial details to help unblock cards or accounts, etc, will go a long way in preventing security breaches.
What are banks doing?
Lagos is the commercial nerve centre of the country and as such, most of these fraudulent activities are more rampant in its metropolis.
However, in order to protect customers, some local banks have persistently warned their customers to be wary of hi-tech fraudsters.
Saturday Tribune investigation revealed that most of them, on their websites and in banking halls, have scam alert written boldly. By this, informed and alert consumers assist in the defence against payment fraud. For instance, one of the warnings from one of the banks read:
“Please be informed that fraudsters can gain access to your email account and therefore, have access to your sensitive and confidential information
“They can do this by requesting you to update your personal bank details through several means, including claiming that the bank has launched a new and secure online banking site; that the customers will not be able to log on to their online banking site if they do not migrate to the new one; that it is mandatory to enter the token code and most times it is written in capital letters.”
The bank said it “would not require sensitive and confidential information from her customer.” Information like token, password, full card details and PINs, the bank sad, are private to the customer and would not be requested by it either via email or telephone.
Furthermore, a top bank staff who preferred not to be mentioned because he is not authorised to speak for the institution said that financial institutions are not resting on their oars.
Specifically, he said that NeFF, comprising the CBN and the banks, had consistently acted as a catalyst in the formulation of cohesive and effective fraud and risk management strategies.
He, however, warned customers to stop allowing their debit cards to be taken out of sight.
According to him, “when entering your PIN, make sure to block it out so that no camera or peeping Tom catches a glimpse. Give the card slot and number pad a good shake to check for looseness. If loose, it may have been tampered with, do not insert your card in there.
“If your card is swallowed, contact the bank immediately, if possible right there while you are in front of the machine that swallowed it.”
We are not aware of rising cases –Police
Internet fraud is a criminal offence as provided for in the 2015 Act. Law enforcement agencies have the duty to ensure that there is no sympathy whatsoever for anyone found guilty of perpetrating these crimes.
When contacted, the Lagos State Police Public Relations Officer (PPRO), Bala Elkana, said most victims of the ATM and cybercrime attacks do not report to the force and so there is no record of rising cases of such crime.
“I am not aware of any rise in such fraud-related cases because many of them are not reported,” he said.
CBN fraud data
Major payment channels in Nigeria were hit with high numbers of fraud incidents in 2018, according to data obtained by Saturday Tribune from the Central Bank of Nigeria (CBN).
The apex bank’s Financial Stability Report disclosed that the payment channels’ hard-hit include Automated Teller Machines (ATM), Point of Sales (POS) and Mobile.
Details provided showed that ATM recorded the highest incidences of fraud in Nigeria with 34.87 per cent Fraud Interest Index in the period under review. Also, the Mobile payment channel ranks second with fraud incidences of 28.21 per cent, while POS recorded 19.55 per cent fraud incidences.
The Nigerian banking industry lost N15.15 billion to cybercrime and forgeries in 2018. This amount was 539 per cent higher than the N2.37 billion recorded in 2017.
This information was contained in the 2018 report of the Nigeria Deposit Insurance Commission (NDIC) posted on its website. There are speculations that this figure might be higher in 2019 due to the sophistication of e-fraud over time.
The NDIC report reads: “The increase in the sophistication of fraud-related techniques such as hacking, cyber-crime as well as IT-related products and usages, fraudulent withdrawals and unauthorised credit are the sources through which the perpetrators operate.”
According to the report, a total of 37,817 fraud cases which stood at N38.93 billion were reported in 2018, over 11,000 more, than the 26,182 recorded fraud cases of 2017, amounting to N12.01 billion.