How to save your life savings: Chat with a security expert

Hands up if you don’t play when it comes to your money — and would lose it if you even smelled something suspicious. If your two hands are up, then this article is for you, for me, and for all of us. Online scammers and fraudsters aren’t new. So long as the internet exists, they’ll be a part of our world. And while you may think you are sharp enough to jump and pass many schemes, scammers will continue to explore new tricks to bypass even the toughest security measures.

To help you stay one step ahead, we spoke to cybersecurity and Governance, Risk and Compliance (GRC) expert, Oluwabukola Ubani, one of the leading minds behind security architecture in digital finance in Nigeria. In this article, we unpack the latest tactics scammers use and, more importantly, how to stay ahead of them.  

What are some common tactics scammers use? And could you share some uncommon ones you’ve encountered in your experience?

From my experience working in a financial institution, the most common scam involves impersonation. For example, scammers will call people claiming to be from their bank, saying there’s an issue with their account, and ask for personal information. Here’s the thing: No legitimate bank will ever call you to request personal details over the phone.

Personal information includes things you wouldn’t ordinarily disclose publicly, like your date of birth, account numbers, or specific identifiers like your hometown. Another big red flag is anyone asking for your full debit or credit card details. Banks never request the full PAN (Primary Account Number) of your card. They might ask for the last four or six digits for verification, but never all of it. The same applies to PINs, CVVs, or OTPs (One-Time Passwords) — these should never be shared.

Scammers also use tactics like phishing, where they send fake emails or messages designed to look like they’re from your bank, asking you to click on links or provide sensitive information. Deepfakes are another rising concern. This involves using AI to create convincing fake videos or audio recordings of someone you trust, asking for money or information. Always verify such requests through a separate and trusted channel.

There was an interesting case I encountered involving identical twins. One tried to impersonate the other at a bank to access their sibling’s account. What gave him away was the biometric fingerprint scan — something scammers cannot replicate. This is why banks invest heavily in secure systems like BVNs (Bank Verification Numbers) and biometric data.

What are phishing attacks, and how can you avoid them?

Phishing is essentially a scam where fraudsters “bait” people into providing sensitive information. This can be through fake emails, websites, or messages that look legitimate. For example, you might receive an email that looks like it’s from your bank, asking you to log in and “update your details.” The link in the email leads to a fake website that captures your login credentials.

To avoid phishing attacks, always double-check the sender’s email address or the URL of a website. Look out for funny spellings or typographical errors such as a missing letter, the number 0 instead of the letter “o”, unusual capitalization of letters and so on. For instance, at first glance, you may not realize that G00gle is different from Google. So, it’s always important to be extremely thorough in any communication that involves financial transactions. Legitimate organizations won’t ask for sensitive information via email or text. If in doubt, contact the company through official channels.

What red flags should I watch out for when approached by someone claiming to represent a financial company?

If you receive any form of suspicious communication or any communication you’re unsure of, don’t use the same channel to verify it. For instance, if you get an email, don’t reply to it. Instead, reach out through verified channels like their official website or social media platforms. Legitimate companies often have verified accounts on social platforms like Twitter or Instagram.

One major red flag is anyone asking for payment upfront to process a loan. Legitimate financial institutions don’t operate that way. Also, check if the company is registered and regulated by the appropriate authorities. A lack of transparency about their location, management, or operations is a warning sign that indicates that you shouldn’t be dealing with them.

What vulnerabilities should users be aware of when using banking apps?

Banking apps, especially those developed by regulated financial institutions, are quite secure. Regulatory bodies like the Central Bank of Nigeria (CBN) mandate strict security measures, and banks invest heavily in safeguarding their platforms.

However, the biggest vulnerability isn’t technology — it’s human error. For instance, people still use weak PINs like “0000” or their birthdate, which can easily be guessed. Some banks are now switching to five- or six-digit PINs to make them harder to crack.

The truth is that for these cyber frauds to occur, they usually require the individual’s consent. Hence, you should never share your bank OTP. It is also advisable to enable 2FA (Two-Factor Authentication), which can serve as an extra layer of security, or an “extra bodyguard,” for your account.

Another vulnerability is social engineering. Scammers manipulate people into revealing sensitive information. For instance, someone might pose as a bank official offering help, and the victim, in their desperation, might share their PIN or OTP. So, while banking apps themselves are secure, you should always adopt good security habits, such as using strong, unique PINs and never sharing sensitive information.

How Moni keeps your money safe

At Moni, here are the measures we take to ensure your security:

1. To verify your identity, we use your BVN and NIN (with access to your name, date of birth, and phone number ONLY).

2. We have an intelligent fraud detection system that scans through millions of transactions looking for suspicious patterns or activities. Once the system sees a pattern, it immediately flags the account/transaction. Once this happens, the account/transaction is passed to a human reviewer for a deep dive into the activity.

3. 2-FA is enabled on your account by default, making it more difficult for scammers to access your account.

Your Money is in safe hands with Moni. Create a Moni account.

What if I have my card details stored on some apps and platforms I frequently use? How safe is that?

While convenience is what we all want, I recommend and practice a precautionary measure when storing card details on an app: keep only a limited amount of money on it. So, when you need to make a purchase, you can transfer the required amount to the card and then make the payment.

Another option is to consider getting a credit card. There are now e-cards, which are credit cards with a card PAN and PIN that you can use. If you use a debit card, avoid storing your debit card details on your web browser. Instead, consider using password manager applications like 1Password or LastPass.

Are there any cybersecurity tools that can help me protect my money and financial transactions?

Well, the best tool that is guaranteed is knowledge. Technology can help with applications and setting up security measures, but you must be informed.

For mobile devices, there are antivirus applications and mobile firewalls that provide a protective hedge for your security. Some antivirus programs offer layers of protection for website browsing on any of your devices, but the safest measure is ensuring best practices are in place.

I know almost everyone loves freebies these days, but you must avoid using free Wi-Fi, particularly from unknown sources. This is especially dangerous when you’re connected to such networks and viewing your banking apps, using USSD, or on a website that requires your personal information. Doing this puts you at high risk of cyber fraud.

Another freebie you should avoid is using a free VPN. As much as using a VPN can safeguard you, free VPNs are not safe. This is because, while you’re not paying for the VPN directly, you might pay dearly with the exposure of your personal information to the wrong hands. Your details can be obtained through such means and sold.

What are some of the financial security practices I can put in place?

The first practice I’d recommend is ensuring proper password management and etiquette. Keep your passwords secure and avoid writing them in plain sight (in notes, emails, or phone notepads) where they can be easily accessed by anyone.

Another obvious one, which I mentioned earlier, is to use strong passwords. Some people still use passwords that can easily be guessed (like their date of birth), as they are weak and predictable by scammers.

Speaking of managing passwords, what’s the best way to do that, since you advise using strong and different passwords?

Not everyone can recall all their passwords, especially if they’re not frequently used accounts. There are password managers that serve as a vault to keep your passwords safe, such as Google Password Manager, which is quite common. You can also check your Google settings to see if your passwords have been compromised in any way. To access your password manager, you’ll need a verification method, usually your biometrics or PIN.

Let’s talk about online investments. How do you identify online investment opportunities that are phony?

Any investment promising unrealistic returns — like doubling or tripling your money in a short time — is a red flag. Legitimate investments typically offer returns that align with market trends, usually below 30% annually.

For instance, traditional investments like mutual funds, bonds, or savings accounts have clear, realistic returns. On the other hand, schemes offering “guaranteed” high returns are almost always scams. Always research the company’s track record and verify their regulatory compliance before investing.


What red flags should people watch for when dealing with “make money online” schemes or any business investment in general?

Although some people make money from online business schemes, these ventures — especially the ones promising quick returns — often follow a predictable pattern. They have an initial phase where they work hard to gain your trust. For example, the first transaction might go smoothly, as will the second and maybe even the third. But once you’ve built trust and decide to invest more significantly — maybe even dipping into your life savings or borrowing — they pull the rug out from under you and disappear.

So, my number one rule for any investment is: If you don’t understand it, don’t put your money in it. Let me repeat that: If you don’t understand how an investment generates returns, stay away from it.

Take banks, for instance. You know how they make money: They lend out money in the form of loans and earn interest on those loans. They also invest in secure avenues like government bonds and use the spread between interest earned and paid to cover costs and generate profits.

Mutual funds and other traditional investments operate similarly—they have clear and traceable methods of generating returns. But if someone approaches you with an investment idea and can’t explain how it makes money, or if the explanation sounds too good to be true, it’s a huge red flag. A rule of thumb is that if something seems too good to be true, it most likely is bad for you.

If someone realizes they’ve been scammed — maybe they gave out their PIN, shared an OTP, or clicked on a fraudulent link — what should they do immediately?

The first thing to do is contact your bank to block your account or card immediately. Many banks have USSD codes for this purpose. This prevents any further unauthorized transactions. Once the account is blocked, you can work with your bank to identify what was compromised, either your card, app, or online banking platform, and take steps to secure it.

Moni is a product of Rank Capital Inc.
