Inside story of electronic bank fraud in Nigeria
More than six high-profile electronic bank fraud cases took place in Nigeria between February and July this year. Among these was the failed attempt on an account of a Federal Government parastatal domiciled with one of the first-generation banks in which well over N1 billion was transferred to various accounts across different banks in the country.
“It failed,” some repentant bank hackers, told BusinessDay, “because the transfers were done over the NEFT platform and it takes 24 hours to clear on that platform. So, it was detected before the money could clear.”
Barewa, Ele, and Ereke (not real names) are repentant bank hackers. It took months to cultivate their trust. “We used to be in the business,” Ereke told BusinessDay, after getting assurances of anonymity.
The digital revolution in banking has resulted in an equivalent revolution in e-banking frauds. PwC in a recent report on Payments in Emerging Markets notes that to meet the need for financial inclusion, there has been a rapid expansion of new technologies and innovations, which are helping to make it more economically viable for banks to reach the ‘unbanked’ or ‘underbanked’ populations. Technology has leapfrogged from branch banking to e-banking and now mobile money, which has helped to create pockets of strength even among the less financially inclusive countries.
In Nigeria, usage of mobile-based payment systems has increased due to wide access to mobile phones as a payment form, both on the customer usage side and acceptance (merchant) side.
A 2020 McKinsey & Co report observed that “a youthful population, increasing smartphone penetration, and a focused regulatory drive to increase financial inclusion and cashless payments, are combining to create the perfect recipe for a thriving fintech sector.”
But these variables have not just been drivers of financial inclusion alone. The Nigeria Inter-Bank Settlement System (NIBBS) warned that “the increase in transaction processing, speed and available channels comes with an unavoidable side effect – more vectors for fraudulent activities.”
According to the NIBSS, fraud-related transactions reportedly cost Nigerian banks on average N14 billion in losses annually. These figures, some within the banking sector, believe are understated.
The Nigeria Deposit Insurance Corporation (NDIC) in 2018 sought to investigate some banks for the inadequate rendition of returns to the Corporation on instances of fraud, forgeries, and cases involving members of their staff who were either dismissed or had their appointments terminated on grounds of fraudulent activities. The NDIC made the decision in the light of the report from its Off-Site Supervision of the banks, which revealed the number of fraud cases attributed to internal abuse by staff of banks increased from 231 in 2016, to 320 in 2017, or 38.53 percent above the figure reported for the previous year.
Today, e-banking frauds have developed into a mega industry where cyber criminals deploy sophisticated tools to steal information and scam account holders. The list of bank frauds perpetrated online is endless.
Electronic bank fraud
In September 2020, the Philippines National Bureau of Investigation arrested four Nigerian nationals in Muntinlupa City of the country for alleged involvement in an international syndicate that hacks and siphons funds from banks.
According to the NBI, the fraudsters’ transactions were traced when they hacked a system of one Philippine bank, where at least P100 million ($2m) were transferred into a different account.
In early 2016, a criminal gang penetrated the security systems of Bangladesh Bank with malware that cloned legitimate transactions. On February 4, the malware sent 35 withdrawal requests through the international SWIFT system to the New York Federal Reserve, where the Bangladeshi central bank had money on deposit. The fraudsters attempted to steal a total of $951 million. Thirty of the orders, worth $850 million, were blocked by the New York Fed, but the gang succeeded in having $101 million transferred to banks in Sri Lanka and the Philippines before their activities were noticed, thanks to a spelling mistake in one of the transfer requests. Subsequently, $20 million was recovered from a Sri Lankan bank, but officials were too late to stop the remaining $81 million from disappearing.
In January this year, the Police in Edo State arrested six suspected bank hackers who stole N5 million from a victim’s account. One of the suspects, Adesola Kayode, was said to have confessed to the police: “We buy stolen SIM cards from armed robbers and thieves. We normally assess the ones that have money in their bank accounts and remove the money.”
In July 2021, the police in Kano State arrested eight men and two women for belonging to a syndicate that specialises in hacking individuals’ bank accounts to withdraw money.
Almost a year earlier, a Lagos High Court convicted Abbas Mohammed and a Bureau De Change operator, Ibrahim Saidu Jogal, who connived to hack into the flexible database of Union Bank of N2,550,000,000 (two billion, five hundred and fifty million naira).
In February, Obiwanne Okeke, who once appeared on the cover of Forbes magazine, was jailed for 10 years in the US over a cyber fraud scam that led to the theft of about $11 million. Obinwanne Okeke, also known as Invictus Obi, used Nigerian-based companies to defraud people in the US. His companies used phishing emails to steal funds from victims.
In one phishing attack in 2018 he managed to gain access to the email of a manager at Unatrac Holding Limited, the export sales office for Caterpillar’s heavy industrial and farm equipment. They made fraudulent wire transfers to the value of nearly $11 million, and moved the funds overseas.
Electronic or e-banking in Nigeria has become so expansive that it is hard to believe that it was only in the 2000s that this reality began to gain prominence within the country’s financial landscape.
How frauds are committed, those behind them and their methodologies
Targeting the business account of a large corporate or public sector organisation requires fraudsters to always recruit an insider from within the target organisation. In the case of the Federal Government parastatal targeted in April this year, such an insider was able to aid the hacking of the accounting platform of the parastatal by accessing the log-in details of as many as six approving officials.
A device known as a ‘Grabber’ will be connected to the key-board of an approving officer’s computer. The work of the grabber is to collect and send all actions on the keyboard to the fraudsters wherever they may be”. The major objective of the fraudsters at this point is to get the password of the approving officers.
With the fraudsters’ computer system connected to the parastatal’s server, they now had a system that served as the link between the server and themselves. At this point, they could now comfortably operate from within or outside the country.
This is made possible by installing a software like TeamViewer which makes it further possible to connect multiple computers to one server once the master hard disc (computer connected to host server) is connected to the server of the targeted bank. TeamViewer is a remote access and remote control computer software that connects computers, smartphones, servers, IoT devices including robots, with fast, high performance connections through a global access network. It was first released in 2005, and its functionality has expanded step by step. It is proprietary software, but does not require registration and is free of charge for non-commercial use. It has been installed on more than two billion devices.
I ask if they are aware of the recent hacking of a first-generation bank in early August. They all mention the name of the bank in unison. “Word spreads around,” they tell me. “It is impossible to undertake such a big project without word spreading in the community. People have to be recruited, accounts have to be opened and money has to be evacuated. You can’t do that alone,” one of them says.
According to the Police Special Fraud Unit, after hacking the Flex-Cube Universal Banking System (FCUBS) of the bank, Salau Abdulmalik Femi created fictitious credits totalling One Billion, Eight Hundred Thousand Naira (N1,868,900,000.00) on the accounts of three of the bank’s customers and successfully consummated debits (outflows) amounting to Four Hundred and Seventeen Million, Five Hundred and Forty-Two Thousand Naira (N417,542,000.00) through Internet Banking transfers to other banks.
Over N1.8 billion was transferred out of different accounts domiciled with the bank using the most secure anti-fraud device known as TOKEN, as the gateway. What they did was to reconfigure existing TOKENS of other customers of the bank and refresh it to match a targeted account in the bank that has good money. Account providers then provided accounts which were credited with amounts ranging from twenty million naira (N20m) to five hundred million naira (N500m) depending on the volume the accounts can carry without raising a red flag.
How are these huge amounts evacuated and laundered through the system?
This is where the Bureaux De Change comes in. BDCs are the major platforms for laundering fraud-based monies. There is a long incestuous relationship between the BDCs and bank fraudsters, a relationship an official of the Economic and Financial Crimes Commission tells me is well known to the regulators, the police and the anti-graft agencies.
In late July, the CBN governor, Godwin Emefiele, banned the sale of foreign exchange to BDC operators. The ban, Emefiele said, was necessary because the parallel market had become a conduit for illicit forex flows and graft.
“We are concerned that BDCs have allowed themselves to be used for graft,” he had said. “This measure is not punitive on anyone, but it is to ensure the CBN is able to carry out its legitimate mandate of serving all Nigerians.”
BDCs are indispensable partners with the fraudsters in major bank fraud operations. The BDCs do not originate any fraud operation, but they serve as the most credible and most practicable instruments for evacuating and laundering the billions of naira hacked out of the banks”.
The methodology is simple. The BDCs provide accounts to which the fraudsters who have attacked a bank pay let’s say five hundred million naira into. The BDCs will then use the money to purchase dollars from the CBN from which they would pay the fraudsters an agreed percentage of the total amount credited to their accounts. Percentages range from 40 to 50 percent for the fraudster. So, if the BDC buys one million dollars from the CBN with the N500 million given to them by a fraudster, they will give the fraudster between four hundred and five hundred thousand dollars and keep between five hundred and six hundred thousand dollars for themselves as their cut.
Why do the BDCs get such huge amounts when they are not involved in the initiation and operationalisation of the frauds? It is because the BDCs take the biggest risk. “They have to be paid well”, I am told, “because the BDCs will need lots of money to follow up the case in the event of arrest and investigations. It is not easy to find and arrest the brains behind the fraud. It is easier to trace the flow of money to the BDCs. The BDCs provide the final evacuation accounts for the big money and this can easily be traced to them by the Police or EFCC and when investigations start, the monies would easily be traced to them. With big risk comes big money”.
But why do BDCs take such big risks? “Greed!” Ereke asserts. “Greed and because they can get away with it”.
He asks me if I have ever heard of a BDC owner jailed for abetting bank fraud.
I cannot recollect any. He tells me that no BDC owner has ever been jailed for aiding fraudsters after the fact. “Some owners and managers are arrested of course; they settle with the Police or EFCC and are released. Any BDC person jailed is just a low-level employee that has been put forward for just that purpose”.
Who is the Insider?
What is the role of Insiders in e-banking frauds? Absolutely no bank fraud of any nature can happen without the collaboration of someone from the inside; a staff of the bank or staff of the organisation whose business account is being targeted. Though the insider in almost all cases is not the originator of the bank fraud, he or they (most times the fraudster will have multiple insiders on a single fraud transaction) playing a significant role in the operation.
The insider, they tell me, is responsible for plugging the keylogger to the system (for the hardware) or installing it on the system in the case of the software type. A keylogger is a small hardware device not bigger than the smallest flash drive. It is used to record keyboard actions, like keystrokes on a key-board, typically covertly, so that a person using the keyboard is unaware that their actions are being monitored and recorded. Some keyloggers also come as soft wares.
Developed in the then Soviet Union in the 1970s, the Keylogger was first used by KGB (Soviet Intelligence Service) counterintelligence officers who installed keystroke loggers in the US Embassy and Consulate buildings in Moscow. They installed the bugs in Selectric II and Selectric III electric typewriters. It measured the movements of the print head of IBM Selectric typewriters. By doing this, they were able to determine the exact information American diplomats were sending back to their headquarters at the State Department in Washington.
It is almost impossible for fraudsters to hack into a bank’s system from the outside, because all the banks operate on an intranet system. So, there is always the need for an insider who can smuggle a computer system into the bank and connect it to the server. Such a system must have been configured to provide intranet connectivity of the bank to the fraudsters anywhere they are in the world.
In addition, an insider is critical to the fraudsters in their understanding of the detailed process required to carry out fraudulent operations on a customer’s bank account. This will include but not limited to initiation and authorisation process, withdrawal limits on specific accounts, confirmation system and approval patterns, among others.
Furthermore, they enable the fraudsters to be very much cognisant of everything happening within the bank after the fraud has taken place. The post-fraud information they provide makes it difficult for the bank to arrest an account holder in the process of trying to make withdrawals because once the banks find out about the fraud, all account holders will be informed by the insider to stay clear for the meantime.
There is no specific profile of an insider based on tribe, region or religion, but a very distinctive characteristic of such an individual is someone who has gained the trust of his co-workers. They will be careless around him because of his hard work, cheerfulness and willingness to help.
The typical Insider is almost always a Male. Very few women tend to be willing to take big risks to serve as Insiders.
In searching for an insider, fraudsters tend to look out for bankers that are sociable and who tend to live above their income. A banker with a drug addiction is a very sure bet for recruitment as an insider. The insiders are cultivated by the fraudsters who expose them to a very lavish lifestyle. “They fly them on first class air tickets, lodge them in five-star hotels, ply them with some of the most expensive whiskey and wines, and in fact there are cases where senior insiders are flown on weekends to Dubai for operational meetings,” they tell me.
An insider can be any staff of a bank, depending on the role he or she is expected to play. An insider can be a senior bank staff, junior staff, a bank cleaner or the security seated at the door.
“Certainly, you won’t need a Head of Operations in a bank for the purpose of plugging a keylogger”, Ele informs me. These classes of insiders are mostly casual staff of the bank who most times are aggrieved with their employer for a number of reasons such as low salaries, lack of motivation, bogus target, job insecurity and the ego factors such as having the requisite qualifications as their colleagues who are core staff with better enumeration. Even a cleaner can be recruited for key log plugging.
An insider that helps provide connectivity for remote access most likely would have a good knowledge of IT, this is so because IT information will be needed in setting up remote access; information such as URL, domain name and general information. Such a person is expected to be able to multitask. Among other things he or she is expected to identify accounts that will be attacked and debited for the fraud.
Account openers and account peddlers
These are people whose only role in the fraud cycle is the provision of accounts that will not be traceable to them in the event of fraud. What they do is recruit financially handicapped people in the society and open various bank accounts for them and then collect the ATM cards from them. Their targets are shoe shiners, truck pushers, bike riders (Okada) who have never had any dealings with a bank. The ‘account peddler’ tends to sell them a glossy but false story about the Federal Government distributing money to the poor through the banks. For these financially excluded persons to be able to access these monies, they are told they first need to open a bank account.
Because of voter awareness in the northern part of Nigeria most of this group of people have the INEC voter’s card which is one of the means of identification needed to open a savings account. The ‘peddler’ now provides them with the other requirements needed, such as utility bills, phone number (which the peddler already has), email address and N10,000 (amount needed to open a bank account).
When the account is opened and the bank ATM given to the account opener, the ‘peddler’ collects the ATM from the account owner on the pretext of taking it to the government agency for registration. A day or two later he calls the account holder, and informs him that the money has been paid into the account, gives him N10,000 and tells him that particular account cannot collect the grant twice. So now armed with his BVN from the first account, the ‘peddler’ will now take the account opener round commercial banks in town, opening accounts and paying N5000 to N10,000 for each account.
At the end of the day, a single person could provide between 10-12 ATM cards for the peddler. An active Peddler can recruit up to 10 persons in a month, and by doing so he will have control of over 100 accounts that are not traceable to him. In the event of a bank hacking fraud operation, he is able to provide these accounts to the fraudsters. If the fraudster credits each of these cards with N5 million each, the total will amount to over N500 million. He will then be given a percentage of the amount withdrawn from these accounts.
These funds tend to be withdrawn at different sources such as big departmental stores with the aid of staff such as the Manager or Supervisor of the store at an agreed percentage. He uses the ATM on their POS and collects cash. Petrol filling stations, electronics and car marts also serve as withdrawal points.
There is no specific number of persons required to undertake an electronic bank fraud. The ‘Chairman’ (initiator and supervisor of a particular fraud) alone determines exactly what he needs for the operation. So, he recruits people based on the input he requires and the operational strategy he has put in place. I am told there is a pool of bank fraudsters of over ten thousand people scattered across the country. So, all the ‘chairman’ needs, is to access the pool, where he will get all the ‘specialists’ needed. Each ‘specialist’ in the team for a specific bank fraud has a specific role to play. Nobody is called upon to participate unless there is a role he or she has to play. These include roles like an Insider to plug the keylogger, an Insider that can provide remote access, account peddlers that will be used for the evacuation of proceeds of the fraud and if need be, a sponsor of the operation.
Almost all bank frauds tend to take place during weekends and public holidays. The reason for this is to allow ample time for the monies hived out of the bank to be squirrelled away. “It is mostly on Fridays that these operations take place. Public holidays that begin on Thursdays are the most welcome period for bank fraud. This is because there will be sufficient time to carry out the operation, move the funds to twenty to fifty different accounts, and then the weekends and public holiday periods will allow them to withdraw the money through ATMs, POS, supermarket purchases and transfers to BDCs”.
A crime without end
Andy Greenberg in Wired, aptly noted that “the traditional model of robbing a bank isn’t so different from the old-fashioned method of robbing one. Thieves get in, get the goods, and get out”. In 2016, Nigeria’s central bank warned, “that this digital journey is plagued with land mines represented by electronic fraud would be stating the obvious, as the world over has shifted security policy stances to a more cybercentric position. The warfare of banking security has changed from what was conventional to a constantly changing strategy in response to the rapid developments in payment technology…
“The story behind the figures clearly shows that as we move further down the digital path in payments, fraud attempts are bound to increase and the test of our strength as an Industry will be how effective the collaboration among all stakeholders in warding off this imminent threat to the payments system is, not only domestically but also internationally.”
In today’s world, bank thieves no longer need a sledgehammer and an AK-47 to break into your bank and steal your money. Their weapons of choice today are a harmless computer, an innocuous hardware and software; and with these harmless tools, they are able to steal a lot more money than they could ever have stolen with large instruments of violence. It is unlikely that electronic banking fraud will end anytime soon in Nigeria. While the regulators and the banks have continued to put up electronic ramparts and throw instruments and institutions of the criminal justice system to counteract the fraudsters, this at best is passive resistance.
Lack of a willingness by banks and the regulators to invest in understanding the risk landscape, archaic risk assessments, policies, procedures and controls would continue to result in knowledge gaps that serve as broad highways for fraudsters to walk into the Nigerian banking system.
The NIBBS was right when it posited that, “the anti-fraud battle can only be won when organisations institute a well-rounded strategy involving sensitisation, investments in well-suited technologies, risk management, effective governance, and industry-wide collaboration with relevant stakeholders.”