Techpoint Africa has confirmed three separate incidents involving employees or ex-employees receiving suspicious emails from their (ex-)CEOs. These emails urgently requested assistance with sorting out overdue payments.
The emails typically read:
"Do you have up to N1m in your personal account to cover an overdue payment for me this morning? I will make arrangement(sic) for a refund on Friday. Please advise, and I will forward the beneficiary details within the next hour."
Professionally worded, these emails vary in the amount requested, the promised reimbursement time, and the CEO's email signature.
The first reported case came from Emmanuel Paul, Techpoint Africa's Managing Editor, who received an email purportedly from Adewale Yusuf, the company's co-founder and former CEO. Yusuf was immediately notified about the attempted fraud.
Some days later, two similar cases were reported on X (formerly Twitter) by Abimbola Adebakin, CEO of Advantage Health Africa, and Ikpeme Neto, CEO of WellaHealth. Adebakin confirmed during a quick chat that three employees reported receiving a similar email.
In what appears to be impersonation, Outlook and Hotmail accounts were created in the names of these CEOs to send the emails.
In one of the cases, when the employee asked for an account number for the transfer, they were given account details in the CEO's name -- OPay and Palmpay accounts -- linked to a phone number that is inactive and doesn't belong to the CEO.
This raises questions about the account opening processes in Nigeria's burgeoning digital banking sector. Generally, opening an account with a digital bank, neobank or MFB, although more seamless than with a traditional bank, requires a Bank Verification Number (BVN), and the account is supposed to bear the name associated with the BVN.
The rise of fraud in the fintech space has become increasingly concerning for founders in recent months. Reports have indicated that some digital banks may have lax account opening procedures, creating opportunities for exploitation.
Fortunately, none of the targeted employees fell victim to these scams, as they sought confirmation from their CEOs about the emails' authenticity.
Blessing Agbor, a cybersecurity engineer, describes these incidents as cases of email spoofing and specifically Business Email Compromise (BEC). This type of scam often uses familiarity and personalisation tactics to exploit victims' trust in their employers and the possibility of gaining financial incentives. It also preys on the fear of repercussion and possibly getting on the bad side of their employers, compelling them to respond favourably.
To prevent this, she recommends that employers establish clear procedures for reporting suspicious emails before any action is taken, educate employees about email spoofing techniques and other scam red flags, enforce strong passwords and multi-factor authentication (MFA), and implement host-based anti-malware software.
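The pattern reported above, an Outlook or Hotmail account created in a CEO's name and used to ask for an urgent payment, can be flagged at the mail gateway or in a triage script. The following is an added example, not code from Techpoint Africa or the people quoted; the executive name, the corporate domain and the sample messages are constructed placeholders.

```python
import email
import re
from email.utils import parseaddr

# Assumed values: a mail team would maintain these lists for its own organisation.
EXECUTIVES = {"ada example"}                 # constructed executive name
CORPORATE_DOMAINS = {"example.com"}          # placeholder corporate domain
FREEMAIL_DOMAINS = {"outlook.com", "hotmail.com"}
PAYMENT_CUES = re.compile(r"overdue payment|personal account|beneficiary", re.I)

def normalise(name):
    """Lower-case a display name and collapse punctuation and extra spaces."""
    return " ".join(re.sub(r"[^a-z]+", " ", name.lower()).split())

def assess(raw_message):
    """Return the reasons a message looks like executive impersonation."""
    msg = email.message_from_string(raw_message)
    display, address = parseaddr(msg.get("From", ""))
    domain = address.rpartition("@")[2].lower()
    # Only messages that carry an executive's name from outside the company are
    # examined. This does not replace SPF/DKIM/DMARC checks on corporate mail.
    if normalise(display) not in EXECUTIVES or domain in CORPORATE_DOMAINS:
        return []
    reasons = ["executive display name on external address"]
    if domain in FREEMAIL_DOMAINS:
        reasons.append("sender is a free webmail account")
    body = msg.get_payload() if not msg.is_multipart() else ""
    if PAYMENT_CUES.search(f"{msg.get('Subject', '')} {body}"):
        reasons.append("urgent payment request wording")
    return reasons

# Constructed sample messages (not real emails).
IMPERSONATION = """From: "Ada Example" <ada.example.ceo@outlook.com>
To: staff@example.com
Subject: Quick request

Do you have funds in your personal account to cover an overdue payment for me?
"""
LEGITIMATE = """From: Ada Example <ada@example.com>
To: staff@example.com
Subject: Board meeting notes

Notes attached.
"""

if __name__ == "__main__":
    for label, raw in (("impersonation", IMPERSONATION), ("legitimate", LEGITIMATE)):
        print(label, assess(raw))
```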