Phishing Attacks in Nigeria: Real Cases, Common Scams, and How to Stay Safe

Imagine receiving a text: “Your account has been suspended due to suspicious activity. Click here to verify your BVN immediately or lose access permanently.” The message looks legitimate. It carries your bank’s name. There’s a sense of urgency. You reach for your phone to click the link.

Stop right there.

What you’re looking at is likely a phishing attack—and it’s one of the fastest-growing cybersecurity threats facing Nigerians today. As the country races toward its digital economy goals, cybercriminals are moving just as quickly to exploit gaps in security awareness.

The numbers tell a troubling story. Recent international assessments, including analyses by cybersecurity research groups, have ranked Nigeria among the top five countries globally for cybercrime activity in 2024. Between 2023 and 2024, documented fraud and hack cases resulted in losses exceeding ₦82.4 billion. That’s not just a number. It’s businesses shutting down, families losing their savings, and trust in our digital infrastructure taking a serious hit.

But here’s what matters: phishing attacks in Nigeria succeed because they exploit human nature, not just weak technology. And that means you can learn to recognize them and protect yourself. This article breaks down what’s actually happening, shows you real cases, and gives you practical steps to avoid becoming the next victim.

The Scale of the Problem

The figures are deeply concerning. According to the Nigeria Inter-Bank Settlement System (NIBSS), there were over 740,000 attempted digital fraud incidents in 2023, with confirmed losses exceeding $27 million. The Central Bank of Nigeria reported a 26% increase in financial fraud cases in 2024. Industry reports noted a sharp rise in reported data breaches in Q3 2022—increasing from about 35,000 to over 600,000 incidents, largely attributed to improved detection and mandatory breach reporting under evolving regulatory expectations.

Nigeria is particularly vulnerable to phishing due to rapid fintech adoption without matching security awareness, a shortage of roughly 140,000 cybersecurity professionals, and economic pressures that create both victims and opportunistic perpetrators. Meanwhile, attacks are becoming more sophisticated—AI-generated messages with flawless grammar, deepfake voice calls, and cloned WhatsApp accounts that look identical to legitimate profiles.

What Actually Happened: Real Cases

These aren’t theoretical scenarios. Nigerian individuals and businesses have lost billions to phishing attacks in recent years. Here are documented cases that show how these attacks actually unfold. (For more examples, see our collection of Nigerian data breach case studies.)

The Major Banking Phishing Campaign (2023)

In 2023, one of the largest phishing campaigns targeted users of several major banks. Fraudulent emails and texts directed customers to fake websites that looked nearly identical to real banking portals. Once victims entered their credentials, fraudsters accessed accounts and transferred funds to mule accounts.

The affected banks moved quickly to close compromised accounts and implement multi-factor authentication, but millions of naira had already disappeared. The incident showed just how convincing fake websites can be—and how easily urgency overrides natural skepticism.

Fintech Unauthorized Transactions (2024)

In April 2024, a major payment platform reported unauthorized transactions totaling between ₦11 billion and ₦20 billion. The breach was discovered through unusual account activity flagged by monitoring systems.

Funds moved through multiple accounts across five financial institutions to avoid detection. While the platform issued refunds where appropriate and maintained that no customer funds were directly compromised, the incident showed that even well-resourced platforms can suffer attacks that slip past their defenses.

Digital Wallet Compromises (2024/2025)

More than 5,000 OPay accounts were compromised through a combination of phishing and SIM-swap fraud.

The two-stage attack worked like this: phishing messages first captured users’ credentials, and then attackers used SIM-swapping techniques to take control of phone numbers. Because an SMS code is delivered to whoever controls the number rather than to the owner’s handset, the attackers then received the two-factor authentication codes themselves, bypassing what users believed was their strongest layer of security.

OPay issued refunds, but the damage to user trust pushed some customers back to traditional banking or cash, the opposite of what Nigeria’s digital transformation goals intend.

Business Email Compromise Goes International

In a case that made international headlines, a Nigerian national was sentenced to 10 years in U.S. federal prison for a $20 million business email compromise scheme targeting real estate transactions.

The conspiracy sent phishing emails with malicious attachments to title companies, real estate agents, and attorneys. When employees clicked, they were prompted to enter email credentials. With access to legitimate business accounts, criminals monitored conversations about pending transactions. At the right moment, they sent fraudulent payment instructions redirecting funds to accounts they controlled.

The case involved several collaborators in Nigeria and the UAE, some of whom are still at large. The takeaway is clear: these operations are organized, patient, and move across borders with ease.

Insider-Enabled Fraud (2023)

Sometimes phishing plays a role in broader schemes. In 2023, First Bank uncovered an employee-led ring that had siphoned ₦40 billion through proxy accounts and shadow beneficiaries. While not purely a phishing attack, the scheme relied partly on social engineering and credential harvesting.

It served as a stark reminder that some of the biggest threats can come from inside an organization. Strong external defenses aren’t enough without internal controls and continuous monitoring. (Learn more about protecting your organization from insider threats.)

How Phishing Attacks Work in Nigeria

Obvious scams still exist, but professional criminals now deploy AI-generated messages with perfect grammar, deepfake voice technology to impersonate bank officials or family members, and cloned WhatsApp accounts using stolen profile photos and similar-looking phone numbers.

Common Tactics Targeting Nigerians

The most effective phishing messages exploit specific aspects of Nigerian life:
– “Your Bank Verification Number (BVN) or Permanent Voter Card (PVC) verification has expired”
– Fake electricity bill warnings, often referencing legacy providers like NEPA or current distributors like EKEDC
– Fake student loan portal messages
– Job offers requiring upfront fees
– Romance scams that build trust before requesting money
– Fake crypto investment platforms
– Cloned Central Bank of Nigeria (CBN) or Nigeria Data Protection Commission (NDPC) communications
– “Emergency” messages from “family members” needing urgent funds

These attacks succeed because they tap into basic human instincts: urgency overrides caution, authority discourages questioning, greed dulls skepticism, and trust lowers defenses. Criminals also piggyback on current events; during elections, they promise voter confirmations. During policy changes, they claim you must “update your information” for government programs.

The Business Threat: Email Compromise

Business Email Compromise (BEC) is among the costliest and most insidious forms of phishing in Nigeria. Unlike mass phishing, BEC is highly targeted, often preceded by weeks of reconnaissance. Attackers study company structures, vendor relationships, and communication patterns, sometimes by compromising a low-level employee’s email first.

A typical BEC attack unfolds in four stages:
1. Reconnaissance: Harvesting employee names, roles, and workflows from LinkedIn, company websites, or prior data leaks.
2. Initial Access: Gaining entry via a phishing email with a malicious link or attachment, often disguised as an invoice, contract, or HR update.
3. Persistence & Monitoring: Remaining undetected while monitoring email threads for payment-related discussions.
4. Execution: Sending a spoofed or compromised email request to change bank details at the last minute, often during high-pressure deal closings.

The average loss per BEC incident in Nigeria ranges from ₦40 million to ₦200 million. But the damage extends beyond finances. Contracts are delayed or canceled, client trust erodes, and regulatory scrutiny intensifies—especially under the Nigeria Data Protection Act (NDPA), which holds businesses accountable for failing to secure personal data.

Red flags include:
– Sudden email address changes from known vendors (e.g., accounts@supplier-ng.com becoming accounts@supplier-ng.net)
– Requests to “expedite” payments outside normal channels
– Use of free email domains (Gmail, Yahoo) for supposedly official business
– Payment instructions sent only via email, with no verbal or in-person confirmation

Prevention requires layered controls: email authentication (SPF, DKIM and DMARC), mandatory dual approval for payments, and out-of-band verification, ideally via a pre-registered phone number or secure messaging app. Keep in mind what DMARC does and does not do: it only protects mail claiming to come from the exact domain that publishes it, and it only blocks anything when the policy is quarantine or reject rather than none. A lookalike domain the attacker registers themselves passes its own SPF and DKIM checks, so the out-of-band call remains the control that catches that case. For more on securing financial workflows, see our guide to ransomware protection for Nigerian businesses, which includes BEC mitigation strategies.
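
To make the email-authentication layer concrete, here is an added example (not code from the original article) of the decision a receiving mail server makes under DMARC for a message whose From header claims to be a vendor. The DNS answers, the vendor domains supplier-ng.com (taken from the red-flag list above) and weak-vendor.ng, the sender domain bulk-sender.example and the four messages are all constructed for the demonstration. The SPF domain is the envelope MAIL FROM domain and the DKIM domain is the d= tag of the signature, as a real Authentication-Results header would report them; the public-suffix handling is a short stand-in for the full Public Suffix List.

```python
# Constructed DNS TXT answers standing in for what `dig TXT _dmarc.<domain>` returns.
DNS_TXT = {
    "_dmarc.supplier-ng.com": "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@supplier-ng.com",
    "_dmarc.weak-vendor.ng": "v=DMARC1; p=none; rua=mailto:reports@weak-vendor.ng",
}

# Partial list of multi-label public suffixes; a real implementation uses the full
# Public Suffix List so that "firstbank.com.ng" is not reduced to "com.ng".
MULTI_LABEL_SUFFIXES = {"com.ng", "org.ng", "gov.ng", "edu.ng", "net.ng", "co.uk"}

# What the receiver does with a message that FAILS DMARC, keyed by the p= tag.
ACTIONS = {"none": "deliver (monitor only)", "quarantine": "quarantine", "reject": "reject"}

# Constructed inbound messages, each with the SPF/DKIM results a receiver has computed.
MESSAGES = [
    {"label": "genuine invoice", "from": "accounts@supplier-ng.com",
     "spf": "pass", "spf_domain": "mail.supplier-ng.com",
     "dkim": "pass", "dkim_domain": "supplier-ng.com"},
    {"label": "spoofed From header", "from": "accounts@supplier-ng.com",
     "spf": "pass", "spf_domain": "bulk-sender.example",
     "dkim": "pass", "dkim_domain": "bulk-sender.example"},
    {"label": "spoofed, vendor only monitors", "from": "billing@weak-vendor.ng",
     "spf": "pass", "spf_domain": "bulk-sender.example",
     "dkim": "none", "dkim_domain": ""},
    {"label": "lookalike domain", "from": "accounts@supplier-ng.net",
     "spf": "pass", "spf_domain": "supplier-ng.net",
     "dkim": "pass", "dkim_domain": "supplier-ng.net"},
]


def parse_dmarc(txt):
    """Split a DMARC TXT record into tags, applying the RFC 7489 defaults."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record: " + txt)
    tags.setdefault("p", "none")      # p= is required by the RFC; tolerate its absence here
    tags.setdefault("adkim", "r")     # relaxed DKIM alignment unless adkim=s
    tags.setdefault("aspf", "r")      # relaxed SPF alignment unless aspf=r
    return tags


def lookup_dmarc(domain):
    """Fetch the policy for the From domain (real receivers also try the org domain)."""
    txt = DNS_TXT.get("_dmarc." + domain.lower())
    return parse_dmarc(txt) if txt else None


def org_domain(domain):
    """mail.supplier-ng.com -> supplier-ng.com; mail.firstbank.com.ng -> firstbank.com.ng."""
    labels = domain.lower().split(".")
    n = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-n:])


def aligned(auth_domain, from_domain, mode):
    """Strict alignment needs an exact match; relaxed accepts the same org domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def evaluate(msg):
    """Return (dmarc_result, receiver_action) for one inbound message."""
    from_domain = msg["from"].split("@")[-1]
    policy = lookup_dmarc(from_domain)
    if policy is None:
        return ("none", "deliver (no DMARC record)")
    spf_ok = msg["spf"] == "pass" and aligned(msg["spf_domain"], from_domain, policy["aspf"])
    dkim_ok = msg["dkim"] == "pass" and aligned(msg["dkim_domain"], from_domain, policy["adkim"])
    if spf_ok or dkim_ok:               # DMARC passes if EITHER aligned check passes
        return ("pass", "deliver")
    return ("fail", ACTIONS.get(policy["p"], "reject"))


if __name__ == "__main__":
    for msg in MESSAGES:
        result, action = evaluate(msg)
        print(f"{msg['label']:<32} From={msg['from']:<28} DMARC={result:<5} -> {action}")
```

Running it shows the outcomes that matter in practice: the genuine invoice passes on relaxed SPF alignment; the same From address sent through an attacker's own infrastructure fails both alignments and is rejected because the vendor publishes p=reject; the vendor that publishes p=none has its spoofed mail delivered, since none means monitor only; and the lookalike supplier-ng.net has no policy at all, so DMARC is silent and only the out-of-band call catches it.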

How to Spot a Phishing Attempt

Look for sender address variations (e.g., accessbankpic.com instead of accessbankplc.com), generic greetings, urgent threats or impossible offers, and mismatched URLs. Hover over links before clicking: the displayed text might say “gtbank.com” while the actual URL is “gtbank-verify.net.” On a phone there is no hover, so long-press the link to preview its destination instead. Note, however, that grammar mistakes are no longer reliable warning signs; modern phishing can be flawlessly written.
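
As an added example (not code from the original article), here is a small Python script that applies the two checks above to a constructed phishing email: it extracts every link, compares the domain shown in the link text with the domain the href actually points to (the automated form of the hover check), and compares the destination against a list of domains the reader trusts, flagging typosquats, swapped top-level domains and brand names embedded in a longer name. It also covers the vendor-address red flag from the BEC section (supplier-ng.com turning into supplier-ng.net). The trusted list, the sample HTML and the wording of the findings are assumptions for the demonstration; the public-suffix handling is a short stand-in for the real Public Suffix List.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the domains this reader actually banks or trades with. Replace with
# your own list; the two bank domains come from the article's examples.
TRUSTED_DOMAINS = ["accessbankplc.com", "gtbank.com", "supplier-ng.com"]

# Partial list of multi-label public suffixes. A real tool uses the full Public
# Suffix List so that e.g. "bank.com.ng" is not reduced to "com.ng".
MULTI_LABEL_SUFFIXES = {"com.ng", "org.ng", "gov.ng", "edu.ng", "net.ng", "co.uk"}

# Anything that looks like a bare domain or URL inside the visible link text.
DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)

# Constructed phishing email body (not a real message).
SAMPLE_HTML = """
<p>Dear Customer, your account has been suspended due to suspicious activity.</p>
<p><a href="https://gtbank-verify.net/login">gtbank.com</a></p>
<p><a href="https://www.accessbankpic.com/bvn">Verify BVN now</a></p>
<p><a href="https://supplier-ng.net/invoice/1023">https://supplier-ng.com/invoice/1023</a></p>
<p><a href="https://gtbank.com/">GTBank</a></p>
"""


def registrable_domain(host):
    """Strip subdomains: www.accessbankpic.com -> accessbankpic.com."""
    labels = host.lower().rstrip(".").split(".")
    n = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-n:])


def levenshtein(a, b):
    """Edit distance; accessbankpic.com is one substitution from accessbankplc.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_issues(domain):
    """Explain how `domain` resembles a trusted domain without being one."""
    if domain in TRUSTED_DOMAINS:
        return []
    issues = []
    name = domain.split(".")[0]                  # "gtbank-verify" for gtbank-verify.net
    for trusted in TRUSTED_DOMAINS:
        t_name = trusted.split(".")[0]
        if name == t_name:                        # supplier-ng.net vs supplier-ng.com
            issues.append(f"same name, different TLD as {trusted}")
        elif levenshtein(domain, trusted) <= 2:   # accessbankpic.com vs accessbankplc.com
            issues.append(f"typosquat of {trusted}")
        elif t_name in name.split("-"):           # gtbank-verify.net embeds "gtbank"
            issues.append(f"embeds brand name of {trusted}")
    return issues


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> in the message."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def audit_links(html):
    """Return one finding per link: the real destination and why it is suspicious."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        domain = registrable_domain(host)
        issues = lookalike_issues(domain)
        shown = DOMAIN_IN_TEXT.search(text)
        # The "hover" check: visible text names one domain, href goes somewhere else.
        if shown and registrable_domain(shown.group(1)) != domain:
            issues.insert(0, f"link text shows {shown.group(1)} but goes to {host}")
        findings.append({"href": href, "domain": domain, "issues": issues})
    return findings


if __name__ == "__main__":
    for finding in audit_links(SAMPLE_HTML):
        status = "OK" if not finding["issues"] else "; ".join(finding["issues"])
        print(f"{finding['href']:<45} {status}")
```

The edit-distance threshold of 2 is deliberately tight: wider thresholds start matching unrelated short domains, and the brand-in-hyphenated-name rule already catches the common “brand-verify” and “brand-secure” pattern. A mail gateway would run the same logic on every inbound message and quarantine anything with a non-empty issues list.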

The Verification Rule: Never act on links from unexpected messages. If you receive a message claiming to be from your bank, close it and open your banking app directly. For any urgent request involving money, call the organization using a number from their official website—not one provided in the message.

For businesses, red flags include payment instruction changes communicated by email only, requests to bypass approval processes, pressure for immediate action, and unusual executive requests.

Prevention: What Actually Works

For Individuals

Use strong, unique passwords for each account (a password manager can help). Enable multi-factor authentication everywhere, especially on banking and email accounts, and prefer an authenticator app or hardware key over SMS codes wherever the service offers one. Never share OTPs, PINs, or card details with anyone. A SIM PIN protects a lost or stolen SIM card, but it does not stop a SIM swap, which happens at the network operator: ask your operator what extra verification it applies to SIM replacement, and treat a sudden, unexplained loss of network signal as a warning sign to call your bank. Only download apps from official app stores and keep them updated.

Question urgency—real banks don’t threaten immediate account closure. Verify independently before acting. Check URLs carefully. Be cautious about sharing personal information on social media. Avoid using public Wi-Fi for banking, or use a trusted VPN if you must.

If You’ve Already Clicked

Stop immediately. Disconnect from the internet. Change your passwords from another trusted device. Call your bank. Enable fraud alerts. Screenshot everything. Report the incident to the EFCC (info@efccnigeria.org) and ngCERT (cert@nitda.gov.ng). Monitor your accounts closely for the next 3–6 months—and don’t be embarrassed. Reporting helps protect others. For detailed steps on responding to data breaches, see our step-by-step guide.

For Businesses

Technical defenses include email security solutions with anti-phishing filters, Domain-based Message Authentication, Reporting & Conformance (DMARC) to prevent spoofing, endpoint protection, regular vulnerability assessments, network segmentation, and secure, tested backup systems. Nigerian SMEs and startups face unique challenges that require tailored approaches.

But the human element is even more critical. Provide regular security awareness training. Run simulated phishing tests. Create clear, no-blame reporting procedures. Implement strict verification protocols for financial transactions. Require multi-person approval for large payments. Use out-of-band verification (e.g., a phone call to a known number) for any changes to payment details. Ransomware protection often begins with stopping phishing at the door.

NDPA Compliance

Businesses must conduct data protection audits (mandatory for organizations processing the personal data of 2,000+ data subjects), implement appropriate security measures, report breaches to the NDPC within 72 hours, train employees on data protection, maintain strict access controls and encryption, and document incident response procedures. Non-compliance penalties can reach the higher of 2% of annual gross revenue or ₦2 million (₦10 million for data controllers of major importance). Read our full guide on Nigeria Data Protection Act compliance and data protection compliance strategies.

Free Resources

The National Information Technology Development Agency (NITDA), in collaboration with ONSA and the UK Foreign, Commonwealth & Development Office (FCDO), offers a free cybersecurity toolkit for SMEs covering phishing attacks in Nigeria, ransomware, and incident response. NITDA also provides free vulnerability testing for MDAs, and ngCERT offers incident response support.

Taking Action

If you’ve been attacked, reach out for help. Contact NITDA for cybersecurity policy and training, ngCERT at cert@nitda.gov.ng for incident response, EFCC at info@efccnigeria.org for financial fraud investigations, or your bank’s fraud hotline. Report incidents even if you didn’t lose money—every report helps authorities track patterns and warn others before they become victims.

Nigeria’s digital economy is growing fast. The National Digital Economy Policy and Strategy targets 95% digital literacy by 2030, but we don’t have to wait for government programs to protect ourselves. Individual awareness matters just as much as policy.

Phishing works by exploiting the gap between what technology can protect and how humans make quick decisions under pressure. No firewall will stop you from entering your password on a fake website if you’re not paying attention. That part is on you.

The good news? You can protect yourself right now. Enable multi-factor authentication on your banking and email apps today. Share what you’ve learned here with your family—especially those less comfortable with technology. When something feels off, trust that instinct. When an offer sounds too good to be true, it probably is.

The ₦82.4 billion in documented losses represents the hard work of real people, family savings, and business capital. Behind every stolen naira is someone who earned it. Nigeria’s digital transformation is worth protecting—and it starts with each of us making smarter decisions online.

Stay alert. Stay skeptical. Stay safe.

Quick Reference: Is This Message Legitimate?

Ask yourself these questions before clicking any link or downloading any attachment:

  • Do I know this sender personally?
  • Was I expecting this message?
  • Does the sender address exactly match the organization’s official domain?
  • Is there urgent pressure to act immediately?
  • Am I being asked for sensitive information (passwords, PINs, OTPs, card numbers)?
  • Does the link URL match the legitimate website (hover to check)?
  • Would my bank, boss, or family member actually contact me this way?

If you answered “no” or “not sure” to any question, don’t click. Verify independently using the organization’s official contact information on its website.

Frequently Asked Questions

Can I get a refund if I fall victim to a phishing attack?
It depends. Quick reporting to your bank may allow transaction reversal, and some platforms (like OPay) have issued refunds in mass incidents. But once funds leave the system, recovery is unlikely. Prevention is your best defense.
Is two-factor authentication really secure if SIM swaps can bypass it?
SMS-based 2FA is better than nothing but vulnerable to SIM swaps. Use authenticator apps (Google or Microsoft Authenticator) or hardware security keys for stronger protection. Be aware that a code from an authenticator app can still be captured by a fake site that relays it to the real one within seconds; only hardware security keys and passkeys (FIDO2) are bound to the genuine website’s domain and resist that attack.
What should I do if I receive a suspicious message from what looks like my bank?
Don’t click links or call numbers in the message. Close it and contact your bank using the official number on their website or your debit card. Banks never ask for your OTP, PIN, or full card details.
Are banks and fintechs doing enough to protect customers?
They’re investing in better monitoring and authentication, but no system is perfect. Your awareness remains your strongest shield, especially against social engineering.
How do I verify an urgent payment request from my CEO’s email?
Call the CEO on a known, pre-established number, not one in the email. Enforce dual approval for large transfers, and never let urgency override protocol.
What’s the penalty for phishing under Nigerian law?
The Cybercrimes Act 2015 allows fines up to ₦7 million and up to 7 years in prison. But cross-border enforcement is difficult, so prevention is essential.

📚 Related Resources

Nigeria Data Protection Act: What Businesses Need to Know
Understand your legal obligations and how to align cybersecurity with NDPA requirements.

Responding to Data Breaches in Nigeria: A Step-by-Step Guide
Actionable steps for containment, reporting, and communication after a breach.

Nigerian Data Breach Case Studies: Lessons from Real Incidents
Real-world examples of how Nigerian organizations were targeted—and what they learned.

Cybersecurity for Nigerian SMEs: Practical Steps on a Budget
Cost-effective security measures for small and medium enterprises.

Insider Threats in Nigeria: Prevention and Detection
How to build internal controls without fostering a culture of suspicion.

For regular updates on cybersecurity, data protection, and Nigeria’s digital transformation, explore more articles on the PlanetWeb blog. Have questions or topics you’d like us to cover? Get in touch—we’re here to help Nigerian businesses navigate the online world safely.
