By Abidemi Ogundipe
When Derin, in Lagos, logged into her mobile wallet in early 2024, she saw a suspicious transfer of ₦20,000 that she hadn’t authorised. Within hours, the money had moved through several accounts, and the fintech platform had no immediate way to stop it. She is far from alone. Across Africa, the surge in digital financial services has unlocked enormous opportunities for inclusion and growth. Mobile banking, instant payments and fintech platforms have brought financial services to millions who were previously excluded. Yet the same infrastructure has also enabled a new commercial ecosystem: organised, low-cost cybercrime sold as a service.
The scale is striking. The recent INTERPOL 2025 Africa Cyberthreat Assessment Report found that in many Western and Eastern African countries, cyber-related crimes now account for approximately 30% of all reported offences. Two-thirds of respondents viewed cybercrime as a medium- to high-level share of criminal activity. Last month, hackers in Kenya stole 2.15 terabytes of data from M-Tiba, a Safaricom-backed digital health wallet, potentially affecting 4.8 million people. The Communications Authority recorded 4.6 billion cyber threats in Kenya between April and June 2025, representing an 80% increase from the previous quarter.
The shift from volume to value
Nigerian financial institutions lost ₦52.26 billion to fraud in 2024, a sharp increase of ₦34.59 billion compared to 2023, according to the Nigeria Inter-Bank Settlement System (NIBSS). The financial sector, while experiencing steady growth, has also seen a 196% increase in fraudulent transactions over the past five years.
A noticeable pattern has emerged: even in years when the volume of fraud appears to ebb, the returns on those that do succeed tend to yield a higher average payout. Data from the Financial Institutions Training Centre confirms this. Fraud losses across Nigerian banks jumped 602.98% to ₦3.29 billion in Q1 2025, while reported cases rose just 7.63% to 12,347 incidents. FITC concluded that “Q1 2025 clearly signals a pivot from frequent small-value hits to targeted, high-impact operations.”
How the attacks work
Rapid onboarding and light-touch verification allow fintechs and banks to scale fast, but also widen entry points for criminals. Mobile-first banking relies heavily on SIM-based authentication. Once a fraudster controls the victim’s phone number through a SIM-swap attack, they can reset credentials, intercept one-time passwords, and impersonate the account holder. Even when banks deploy 3-D Secure (3DS) for card transactions to increase authentication strength, it can still be compromised if the underlying mobile number or SIM is already compromised.
The sophistication shows in the numbers. Fraud attempts during user authentication in 2024 were four times higher than during the registration process. Criminals find hijacking existing accounts more profitable than creating new ones. Some 35% of fraud attempts now target biometric and document verification systems. Identity fraud increased by 167% across Africa, according to Sumsub’s 2024 report, with Niger, Angola, and South Africa each experiencing growth rates exceeding 300%.
A recent Microsoft investigation detailed how a Nigerian developer ran a phishing subscription service across 94 countries, compromising at least 5,000 Microsoft credentials. The operation, sold via Telegram and generating at least $100,000 in cryptocurrency, operated like a startup: coding the service, marketing it, and providing customer support to other criminals. Each subscription allowed thousands of phishing attacks per day.
The financial toll is mounting. Business Email Compromise (BEC) has resulted in billions of dollars in global losses, with eleven African nations now accounting for the majority of BEC activity originating on the continent. South African banks and their customers collectively lost over $184 million in 2023, primarily due to banking app fraud. The fintech sector remains especially vulnerable. Flutterwave lost ₦11 billion in April 2024. Interswitch lost ₦30 billion in 2023 due to a system glitch that enabled fraudulent chargebacks. MTN reported losing $53 million to mobile money fraud in Nigeria in 2022. Safaricom lost over $4 million to SIM card fraud the same year.
ALSO READ: Understanding Digital Identity Fraud in Africa
Why defences lag
The weak link is often human. Babatunde Obrimah, chief operating officer of the FinTech Association of Nigeria, puts it plainly: “The challenge is not so much one of technology but the insider threat. Institutions are compromised by people who connive with fraudsters.” While insiders accounted for only 63 of 12,347 fraud incidents in Q1 2025, according to FITC data, these internal compromises often enable the highest-value attacks, providing privileged access to authentication systems, Know Your Customer (KYC) data, or transaction routing controls.
Security infrastructure has also lagged badly behind the pace of digitisation. Only 30% of surveyed African countries have incident reporting systems, 29% have digital evidence repositories, and 19% have cyber threat intelligence databases.
Cooperation remains fragmented. Some 86% of African countries report inadequate international cooperation capacity due to limited platform access and difficulties accessing foreign-hosted data. Another 89% say their cooperation with the private sector needs improvement. Operation Serengeti, conducted across 18 African countries between September and October 2024, demonstrated what coordination can achieve: 1,209 arrests, the dismantling of 11,432 malicious infrastructures and the recovery of $97.4 million. Such operations remain the exception rather than the rule.
What works
Some institutions are succeeding. United Bank for Africa cut fraud losses by 45.35% to ₦288 million in H1 2025. The common factor among successful defenders is sustained investment in technology, combined with intelligence-led monitoring.
Four components define effective defence. First, real-time monitoring powered by machine learning. The gap between incident frequency and loss magnitude shows that early detection offers the highest return on investment.
Second, intelligence-led rather than reactive approaches. This involves sharing threat intelligence across institutions, utilising behavioural signals native to mobile apps (such as device geolocation changes and SIM changes), and predictive models that identify likely targets before attacks occur.
Third, addressing insider threats through both technical and human controls. Multi-party authorisation for high-value transactions, continuous monitoring of privileged access, and proper segregation of duties all work when implemented consistently.
Fourth, adequate KYC controls that involve robust identity verification, two-factor authentication, risk assessment and due diligence. Continuous authentication spanning onboarding, device, behavioural, and biometric signals is critical.
Looking ahead
Africa reportedly loses over $3.5 billion annually to cyberattacks. The supply side explains much of the scale: fraud tools, identity dumps, and AI-enabled phishing kits are now sold on open messaging platforms and underground forums, lowering the technical barrier to entry. Ransomware detections surged in 2024. South Africa recorded 17,849 detections, and Egypt recorded 12,281, according to Trend Micro data. Nigeria followed with 3,459 and Kenya with 3,030.
Recent pan-African operations that combined law enforcement, private-sector intelligence and platform takedowns show what is possible when countries and companies share tools and data quickly. Some institutions that invested in real-time monitoring and stronger controls have sharply reduced losses, as the UBA case illustrates.
Wider success will depend on three things: accelerating regional cooperation, normalising private-public intelligence sharing and rapidly growing cybersecurity skills across the continent. If those three things happen, defenders can blunt the industrialisation of fraud. If they do not, attackers will continue to turn low-cost tools into high-value theft.
Abidemi Ogundipe is a fraud strategy enthusiast with a focus on using data and technology to combat financial crime and improve customer trust.
