Open Letter to CBN: Nigerians are being defrauded of millions of naira by criminals using Pseudo Bank Social Media handles
An open letter to CBN and all Nigerian Banks
…a call for a comprehensive review of the cybersecurity approach of banks in Nigeria
…why all Nigerian banks should, as a matter of urgent public importance, employ dedicated cybersecurity professionals to implement security control programmes for their social media channels.
On August 3, 2022, I went on the Zenith Bank Virtual Card online portal to create a Virtual Card for my account. I successfully created the card, after which I checked my Zenith Mobile app to see if the newly created card had been attached to my account. I saw the card attached, but the PAN number and CVV were not displayed. This prompted me to lodge a complaint with Zenith Bank. I normally use Twitter to talk to the bank first, and I have been using that channel to get some issues sorted out. I tweeted Zenith Bank my concern (see the screenshot) and the bank responded with its official Twitter handle [@ZenithBank], asking me to engage them on DM. Next, I saw another response from the Zenith Bank handle [@ZenithBankNg]. The second handle asked me to use their WhatsApp Live for a faster response. Of course, I have used the official Zenith Bank WhatsApp Live handle and got my concern sorted out.
Unbeknownst to me, I had been directed by a fraudster to a fraudulent WhatsApp platform. As I was eager to have a Virtual Card since I misplaced my ATM, I was very much after a platform that would offer a prompt solution to my concern; hence the idea of going for the WhatsApp platform. Unfortunately, the fraudster redirected me to his WhatsApp number [+234 907 433 6421].
On demand, I gave out my PIN, OTP and Token, and consequently my bank account was emptied.
As an IT Professional with interest in Cybersecurity, I could not imagine being a victim for the first time in my life.
I became really interested in knowing how I was defrauded. I found out that these criminals created pseudo accounts of all major Nigerian banks, especially their support Twitter handles. They monitor those banks for customers who tweet the banks about issues they have and want sorted out. As the bank responds, asking the customer either to DM them or to use their WhatsApp Live (in the case of Zenith Bank), the fraudsters also reply to those customers, directing them to their pseudo WhatsApp Live platforms. If it can happen to me, an experienced IT professional with many years of industry practice, how much more to bank customers who are not cybersecurity specialists?
To begin my personal investigation, I checked the SMS alert I got, saw the transaction by which my account was emptied, and noticed it was done through the Paystack online platform. I reported to Zenith Bank and got no reasonable response.
To alert people about this new development, I posted the experience on my personal Facebook page (facebook.com/youngdestinya). To my greatest surprise, over ten people entered my inbox to narrate their experience. Some told me they lost millions through the same method, and none of them could recover any money. This triggered my curiosity.
To my understanding, when you open a Paystack online account, you must attach your local bank details where you will receive your inflow. That means Paystack has details of people who have accounts with them. I also understand that any successful financial transaction between banks in Nigeria is assigned an N.I.B.S.S. code. I had expected that Zenith would have asked Paystack to supply them with the local bank details of the owner of the Paystack account through which my bank account was emptied. But this hasn’t happened.
Why are Nigerian Banks paying lip service to cybersecurity while their customers are constantly being defrauded by criminals?
The most striking concern about my case is that after Zenith Bank [@zenithbankng] had replied to my tweet, the fraudster also replied to the official Zenith Bank handle [@zenithbank]. Wouldn’t this have raised a red flag to Zenith Bank that fraudsters are attempting to lure their customers? I noticed over 10 pseudo accounts related to Zenith Bank alone trying to prey on Zenith Bank customers.
To stop them from further defrauding Nigerians, I immediately reported [@ZenithBankNg] to Twitter, and within 30 minutes I got it suspended. Thereafter, I reported as many as I saw, and Twitter got those accounts suspended. This is what Zenith Bank's dedicated Information Security staff would have been doing, not a customer. Why are Nigerian banks so careless about the safety of their customers’ money?
Some people have told me about their experience with other banks. This is why I decided to throw this letter open.
Nigerian banks should employ dedicated IT security officers to monitor their social media channels for fraudsters. Their duty would be to report those fraudulent accounts to the social media service providers to have such accounts suspended immediately.
Destiny Young,
Writes from Uyo
Email: youngdestinya247@gmail.com