The Long Shadow of the ‘Nigerian Prince’ Scam

Nigeria’s tech ecosystem is maturing, but cybersecurity companies are unwilling to forget its fraudulent past. The repercussions could be disastrous.
Collage of images of Nigerian police money person on computer and binary code
Photo-Illustration: Sam Whitney; Getty Images

In November 2021, Oluwaseun Medayedupin was arrested by the Nigerian police in Lagos. An investigation found that he had been pursuing “disgruntled employees” from American companies and pushing them to release ransomware on internal enterprise servers, offering a percentage of the cut if they agreed to collaborate in the attack. This was a sophisticated social engineering scheme, far more advanced than the notorious “Nigerian prince” emails that have made the country of Nigeria synonymous with scams.

The origins of these types of scams may be attributed to a boom in the establishment of cybercafes during the 1990s, coinciding with falling oil prices in Nigeria and a rise in unemployment. Add in a lack of national social security, and many Nigerians were forced to seek out alternative forms of employment—physical labor; gig work; and, most notoriously, cybercrime. For years, the Nigerian Police Force has been keeping tabs on domestic cybercriminals, and Nigeria’s Economic and Financial Crimes Commission (EFCC) even reported several recent cases of fraudulent requests for gift cards and cryptocurrency, some of the more common methods for criminals hoping to access digital funds.

As Medayedupin's case shows, the rampant fraud has not been isolated within national borders. The US Treasury Department currently has six Nigerian criminals on its Most Wanted cybercriminals list, while the FBI’s Internet Crime Complaint Center (IC3) reported nearly $2.5 billion in losses tied to Nigerian-originating cybercrime in 2020. Historically, finding and resolving fraud has been a difficult task for individual companies. Due to a lack of adequate understanding and data regarding African markets, these companies become particularly vulnerable to international scams, leading them to rely on external providers to detect and mitigate risks. This has spurred the creation of cybersecurity products from companies such as Abnormal Security, Proofpoint, and Stripe, all of which specialize in detecting fraudulent activity on digital platforms.

The last five years have seen an increase in tech companies internationalizing their services for emerging African markets. But as more platforms make the transition, the potential for mistakes becomes higher and the consequences more severe.

Fraud detection services, whether for email, credit cards, banking, or other online transactions, generally use some combination of rule-based engines and deep-learning models to identify patterns of fraudulent activity. This can either take the approach of identifying known scams—writing “rules” to discover similarities between familiar scams and the transaction being observed—or of identifying unusual activity in transactions. Either approach uses some form of featurization, segmenting transactions into qualitative or quantitative data points, such as (in the case of email), sender IP address, recipient name, or country of origin. Though some types of attacks, like “Nigerian prince” scams, may be easily detected by heuristics (they often contain the same phrases or are written in all caps), attempting to detect more sophisticated attacks, such as Medayedupin’s disgruntled employee scheme, can yield inaccurate results. That is, emails that are not fraudulent can be also flagged due to attacks' similarities to legitimate transactions.

These problems may have inspired Stripe to acquire PayStack, a startup founded by two entrepreneurs in Lagos and considered one of the leading payment services in Nigeria. Not only does a Nigerian-founded company provide an entrance into African markets, but data from PayStack's active users could prove helpful for differentiating signals in a space so riddled with fraudulent noise.

But what about companies lacking the resources to access this data? Most security providers don’t have the engineering budget to build systems accurate enough to detect highly targeted scams or the capital to acquire African companies already working on solutions. Given the high volume of fraud originating from Nigeria, the de facto solution for many companies today has been blocklisting suspicious accounts originating from the country or training machine learning models using limited data that biases against Nigerian users. Binance reportedly blocked 281 Nigerian cryptocurrency accounts in January 2022, citing anti-money-laundering measures. PayPal has also historically banned Nigerian users from receiving payments on their platform, while Proofpoint claims to use “linguistic styles” to identify Nigerian threat actors based on email activity. In the 2021 Merchant Risk Council report, 24% of all global merchants claimed to use blocklists to handle fraud, while 18% used geographic indicators or global location data.


International perceptions of Nigerian scammers have already had negative consequences for Nigerians in tech. According to Olubukola Stella Adesina, professor of International Relations at the University of Ibadan, “international financial institutions now view paper-based Nigerian financial instruments with [skepticism]. Nigerian bank drafts and checks are not viable international financial instruments. Nigerian internet service providers (ISPs) and email providers are already being blacklisted in email-blocking blacklist systems across the internet. [S]ome companies are blocking entire internet network segments and traffic that originate from Nigeria.”

In 2021, the Office of the Director of National Intelligence released a report revealing that Russia had outsourced its disinformation campaigns to local hackers from countries including Nigeria. Camille Stewart, former senior policy adviser for the Department of Homeland Security, explained in a blog post for the Council on Foreign Relations that “deeper analysis of Russia’s outsourcing of information operations to [Nigeria] could show that this is more than just an obfuscation tactic and tool to inflame racial tensions, but also an effective mechanism for targeting African diaspora communities by exploiting their connections back to the continent.”

This international response has gone beyond precaution. Discriminating against Nigerian users may save companies from actual fraudulent activity, but it comes at the cost of subjecting innocent users to high levels of scrutiny, often involving their personal data and financial history. In machine learning, the more often heuristics are applied, the more strongly the resulting data is biased, and the more likely it is that innocent users end up being policed. This feedback loop self-perpetuates—as long as the recall (the percentage of detected true attacks to all true attacks) of the fraud detection model remains sufficiently high, data generated by the model can be considered usable for training new models.

In Nigeria itself, the meaning of “tech” is rapidly changing. In the last year, data centers have been spreading all across Africa. Lagos-founded MainOne, the largest ISP and data center operator in West Africa, was acquired by Equinix for $320 million in 2021, with the hopes of expanding mobile broadband to the remaining 60% of West Africans not yet connected. The gig economy, from Airbnb to ride-hailing apps, offers opportunities for Nigerians to work with flexible hours. And there are now over 716,000 professional developers across Africa, a 3.8% increase from the last year, with many local businesses moving online and the pandemic spurring a global demand for remote tech talent.

Still, there are many areas where this narrative reframing has not yet caught on. For years, upward mobility in Nigeria has been eyed with suspicion by Nigerian police, who have long harassed workers fitting the profile of young scammers. On Rest of World's outlet software developer Kofoworola David-Okesola described an incident in which he was ambushed by the federal Special Anti-Robbery Squad (SARS), which confiscated his belongings and interrogated his online activities. “Why do you have multiple Gmail accounts?” one of the officers asked him at gunpoint. “Where did you get money to buy a MacBook? And what do you do for a living?”

The SARS police force was founded in 1992 as a masked unit to investigate and prosecute violent criminals. When cybercrime started becoming more common in the 2000s, the unit began focusing on prosecuting potential cybercriminals. Rather than investigating crimes digitally, however, the unit took to profiling primarily young Nigerian men on the streets and using methods of harassment and torture to extort those they deemed suspicious, according to Amnesty International Nigeria program manager Seun Bakare. In a 2020 report by Amnesty International, the unit was found guilty of 82 counts of illegal stop and frisks, arrests, sexual harassment, and extrajudicial killings. Young men between the ages of 17 and 30 were at the highest risk of extortion, with many of the victims accosted at public venues and falsely accused of engaging in online fraud.

On October 3, 2020, a video was taken of a SARS police officer shooting a young Nigerian man in Ughelli after accusing him of cybercriminal activity. The video began trending on Twitter, resulting in nationwide protests organized with the #EndSARS hashtag. Young tech workers demanded the government investigate and prosecute all forces involved in police misconduct. In response to the public outcry, SARS was decommissioned, along with several other tactical police units. Given the government’s history of inaction, however, many Nigerians are still skeptical as to whether this constitutes an adequate response to police brutality.

While arrests such as Medayedupin’s may be praised abroad, the reality is that promoting a cybersecurity culture that celebrates arrests like these only incentivizes the Nigerian police force to focus their efforts on finding and prosecuting individual criminals, rather than addressing the problem of cybercrime at large. Cybercriminals often interact in tight networks, operating thousands of servers, hosting domains, and databases distributed across an international team. Prosecuting a single criminal at a time is a drop in the bucket compared to the impact of identifying these wider networks of criminals, many of whom communicate on publicly accessible platforms such as Facebook and Discord.

Beyond the sociopolitical repercussions, continuing to criminalize and police Nigerian users necessarily impedes a shifting narrative. In response to freezing 281 Nigerian cryptocurrency accounts, Binance CEO Changpeng Zhao issued a public statement that revealed the company's continued wariness toward the Nigerian market. “User security remains our top priority,” he wrote. “We love and are devoted to our Nigerian community, but we must ensure that our users are safe.” Nigerian accounts also remain banned from Coinbase despite the country’s status as the leading market for venture capital in Africa.

With the rapid growth of Nigeria’s tech ecosystem, young workers today are facing far more lucrative opportunities than in the past. Mobile data adoption is up, and as the successes of Paystack and Flutterwave have indicated, users are more willing to trust digital payment systems. Yet cybersecurity providers remain focused on fraud as a heuristics-based problem, building solutions with bias against an entire demographic.

Though heuristics can work in fraud detection, they must be sufficiently tuned to not flag numerous non-suspicious transactions. It’s clear that many security providers today are not putting in the work to distinguish between non-suspicious activity from Nigerian accounts and the behavioral patterns of scammers. Fraud detection services continue to screen transaction data by GeoIP, block Nigerian-originating users, and advocate for scam-baiting and vigilantism as the primary means of addressing cybercrime. Stronger indicators of fraud, such as IP history, failed verifications, mismatched user data, or activity inconsistent with user history—detections based on user behavior rather identity—can provide a more holistic way to identify fraudulent transactions.

Beyond the bigotry of subjecting entire ethnicities to large-scale policing, fixating on short-term gains is an ineffective strategy for actually reducing incidents of cybercrime. Though a large volume of attacks may originate from Nigeria, overfitting models to parameters not associated with cases of fraud simply yields poor detection. It may be easier for companies to lean on tried-and-true heuristics, but these methods are not sustainable in a rapidly developing ecosystem. Companies that continue to address fraud with quick patches will lose out on customers from the largest emerging markets in Africa—as it turns out, users are also aware of the repercussions of using services that actively discriminate against them.

It’s evident how a biased mentality arises from the industry: according to the 2020 (ISC)2 workforce study, only 9% of cybersecurity professionals self-identified as Black. Within an environment so lacking in diverse leadership, there are few incentives to change the status quo. Regardless, the narrative must change. Barring the harms of perpetuating systemic racism within the United States’ justice system, increasing surveillance of African and African diasporic individuals will only further reduce access to financial and communication channels for the individuals who need them the most.


More Great WIRED Stories