Nigeria's Fraud Losses Keep Climbing Even as Reported Incidents Fall

Fewer fraud cases are being recorded in Nigeria, but each one costs more. A new cybersecurity framework is coming, the question is whether enforcement will follow.

ThreatVectr Newsdesk· 3 min read
Photoreal news-editorial style, 16:9 framing
Share

Key points

  • Nigerian organisations faced an average of 4,361 attempted cyberattacks per week in June 2026, more than double the global weekly average of 2,270, according to Check Point Software.
  • Digital-payment fraud losses in Nigeria rose from roughly US $12.8 million in 2023 to US $18.7 million in 2025, even as the total number of fraud incidents fell.
  • The number of reported incidents dropped by 34% in the final quarter of 2025, which regulators say reflects a reporting problem, not a safety improvement.
  • Nigeria's 2023 Data Protection Act requires organisations to tell the Nigeria Data Protection Commission (NDPC) about a breach within 72 hours, but enforcement is inconsistent.
  • A forthcoming national cybersecurity framework will set minimum security spending levels and require incident reporting, though no launch date has been confirmed.

The headline numbers look encouraging. Fraud incidents reported in Nigeria fell from roughly 124,000 in 2021 to around 68,000 in 2025, a drop of nearly 46%. Then you look at the money, and the picture changes.

In 2025, digital-payment fraud cost Nigerians approximately US $18.7 million (₦25.85 billion), up from US $12.8 million (₦17.67 billion) in 2023. Fewer incidents, bigger losses. The Nigeria Inter-Bank Settlement System (NIBSS), which is the organisation that processes payments between the country's banks and tracks fraud, put it plainly: criminals are becoming more precise, and insiders are partly to blame.

"Insider involvement is high, and recent investigations have confirmed this," said Premier Oiwoh, the NIBSS chief executive, earlier this year. He named SIM-swap fraud (where a criminal convinces a mobile network to transfer your phone number to their SIM card, letting them receive your verification codes), phishing (fake emails or messages designed to trick people into handing over passwords), and account takeover as the schemes doing the most damage.

How are criminals getting into Nigerian accounts?

They are mostly stealing login credentials, meaning usernames and passwords, rather than breaking systems by force. Hendrik de Bruin, head of security consulting in Africa for Check Point Software, described it this way: "Attackers aren't smashing windows; they're quietly collecting keys to unlock the front door with." Those keys open customer accounts, payment systems, and eventually wire transfers.

Nigeria's size makes it a target worth focusing on. With a GDP of around US $377 billion, it is the largest economy in West Africa. That economic weight, combined with rapid growth in mobile payments and digital banking, draws criminals who go where the money is moving fastest.

Check Point, which tracks more than 50 active criminal groups operating in Nigeria, recorded attack volumes that have stayed stubbornly high throughout the past year. The country ranked second only to Angola for attack intensity across Africa.

Smaller businesses are especially exposed. Anna Collard, a security adviser for KnowBe4, a firm that helps organisations train staff to spot scams, noted that small businesses get hit at more than double the rate of larger companies, largely because they have fewer trained staff and thinner security budgets.

Nigeria's 2023 Data Protection Act already requires a 72-hour breach notification to the NDPC. The problem, Collard says, is not the law. It is consistent enforcement and a weak culture of compliance among businesses.

The government's planned cybersecurity framework, expected later in 2026, aims to set minimum security spending levels, mandatory reporting timelines, and closer cooperation between government and industry. Whether it moves from policy document to real-world practice will determine whether the losses curve finally bends downward.

What ordinary Nigerians and their employers should do now

If you use mobile or internet banking, set up login alerts so you know immediately when your account is accessed. If you receive an unexpected call asking you to confirm your SIM or account details, hang up and call your bank directly on a number from their official website. Businesses should require staff to complete regular fraud-awareness training, because insiders and deceived employees remain the most common entry point.

© 2026 Threat Vectr