In November 2021, Oluwaseun Medayedupin was arrested by the Nigerian police in Lagos. An investigation found that he had been pursuing “disgruntled employees” from American companies and pushing them to release ransomware on internal enterprise servers, offering a percentage of the cut if they agreed to collaborate in the attack.
This was a sophisticated social engineering scheme, far more advanced than the notorious “Nigerian prince” emails that have made the country of Nigeria synonymous with scams.
The origins of these types of scams may be attributed to a boom in the establishment of cybercafes during the 1990s, coinciding with falling oil prices in Nigeria and a rise in unemployment. Add in a lack of national social security, and many Nigerians were forced to seek out alternative forms of employment – physical labour; gig work; and, most notoriously, cybercrime.
For years, the Nigerian Police Force has been keeping tabs on domestic cybercriminals, and Nigeria’s Economic and Financial Crimes Commission (EFCC) even reported several recent cases of fraudulent requests for gift cards and cryptocurrency, some of the more common methods for criminals hoping to access digital funds.
As Medayedupin’s case shows, the rampant fraud has not been isolated within national borders. The US Treasury Department currently has six Nigerian criminals on its Most Wanted cybercriminals list, while the FBI’s Internet Crime Complaint Centre (IC3) reported nearly $2.5 billion in losses tied to Nigerian-originating cybercrime in 2020.
Historically, finding and resolving fraud has been a difficult task for individual companies. Due to a lack of adequate understanding and data regarding African markets, these companies become particularly vulnerable to international scams, leading them to rely on external providers to detect and mitigate risks.
This has spurred the creation of cybersecurity products from companies such as Abnormal Security, Proofpoint, and Stripe, all of which specialise in detecting fraudulent activity on digital platforms.
The last five years have seen an increase in tech companies internationalising their services for emerging African markets. But as more platforms make the transition, the potential for mistakes becomes higher and the consequences more severe.
Fraud detection services, whether for email, credit cards, banking, or other online transactions, generally use some combination of rule-based engines and deep-learning models to identify patterns of fraudulent activity. This can either take the approach of identifying known scams – writing “rules” to discover similarities between familiar scams and the transaction being observed – or of identifying unusual activity in transactions.
Either approach uses some form of featurisation, segmenting transactions into qualitative or quantitative data points, such as (in the case of email), sender IP address, recipient name, or country of origin. Though some types of attacks, like “Nigerian prince” scams, may be easily detected by heuristics (they often contain the same phrases or are written in all caps), attempting to detect more sophisticated attacks, such as Medayedupin’s disgruntled employee scheme, can yield inaccurate results.
That is, emails that are not fraudulent can be also flagged due to attacks’ similarities to legitimate transactions.
These problems may have inspired Stripe to acquire PayStack, a start-up founded by two entrepreneurs in Lagos and considered one of the leading payment services in Nigeria. Not only does a Nigerian-founded company provide an entrance into African markets, but data from PayStack’s active users could prove helpful for differentiating signals in a space so riddled with fraudulent noise.
But what about companies lacking the resources to access this data? Most security providers don’t have the engineering budget to build systems accurate enough to detect highly targeted scams or the capital to acquire African companies already working on solutions. Given the high volume of fraud originating from Nigeria, the de facto solution for many companies today has been block-listing suspicious accounts originating from the country or training machine learning models using limited data that biases against Nigerian users.
Binance reportedly blocked 281 Nigerian cryptocurrency accounts in January 2022, citing anti-money-laundering measures. PayPal has also historically banned Nigerian users from receiving payments on their platform, while Proofpoint claims to use “linguistic styles” to identify Nigerian threat actors based on email activity.
In the 2021 Merchant Risk Council report, 24 per cent of all global merchants claimed to use blocklists to handle fraud, while 18 per cent used geographic indicators or global location data.
International perceptions of Nigerian scammers have already had negative consequences for Nigerians in tech. According to Olubukola Stella Adesina, professor of International Relations at the University of Ibadan, “international financial institutions now view paper-based Nigerian financial instruments with [scepticism]. Nigerian bank drafts and checks are not viable international financial instruments. Nigerian internet service providers (ISPs) and email providers are already being blacklisted in email-blocking blacklist systems across the internet. Some companies are blocking entire internet network segments and traffic that originate from Nigeria.”
In 2021, the Office of the Director of National Intelligence released a report revealing that Russia had outsourced its disinformation campaigns to local hackers from countries including Nigeria.
Camille Stewart, former senior policy adviser for the Department of Homeland Security, explained in a blogpost for the Council on Foreign Relations that “deeper analysis of Russia’s outsourcing of information operations to [Nigeria] could show that this is more than just an obfuscation tactic and tool to inflame racial tensions, but also an effective mechanism for targeting African diaspora communities by exploiting their connections back to the continent.”
This international response has gone beyond precaution. Discriminating against Nigerian users may save companies from actual fraudulent activity, but it comes at the cost of subjecting innocent users to high levels of scrutiny, often involving their personal data and financial history.
In machine learning, the more often heuristics are applied, the more strongly the resulting data is biased, and the more likely it is that innocent users end up being policed. This feedback loop self-perpetuates – as long as the recall (the percentage of detected true attacks to all true attacks) of the fraud detection model remains sufficiently high, data generated by the model can be considered usable for training new models.
- A Wired report