I start this news story with a personal experience. A few months ago, I was a victim of online money fraud.
I thought I knew a few things about cybersecurity and making sure my online money transactions were safe, but I was wrong. I lost over 1 million old Leones (a little over US$100), and I still don’t understand how it happened. This made me ask the bigger question: how many other people in Sierra Leone are going through similar money losses, and are banks and other providers of online financial services doing enough to protect their customers’ money?
“There [are] a lot of such reports here,” a bank attendant told me, pointing to several customers waiting in line. “Many of these people are here with the same complaints. The only advice we have is for people to cancel the compromised banking card and open another one,” he explained.
The fact that the bank had no solution for such a grave problem was especially worrying to me.
“The banking system [in Sierra Leone] has not invested enough in the security of online transactions, which opens up the people to vulnerabilities,” said Abu Bakarr Jalloh, Founder and CEO of the Freetown-based Sanusi Research & Consulting firm.
It is impossible to estimate the extent of online financial fraud in Sierra Leone because financial services providers contacted, including my bank, UBA, did not respond to requests for information.
According to a written response from the Financial Intelligence Unit (FIU), it investigated eight cases of online financial fraud in 2020 and six cases in 2021. But this is just beginning to scratch the surface of the reality.
USD495 billion in Mobile Money Transactions
For a market where access to formal banking is limited, informal financial services like Mobile Money transfers appeal to many Sierra Leoneans. Data shows that Africa has raced ahead as global leaders in mobile payments landscape, with nearly 161 million active accounts and more than 495 billion dollars in transactions, according to the Global System for Mobile Communications (GSM)’s latest report, “State of the Industry on Mobile Money 2021.”
Orange and Africell, the two leading communications operators in Sierra Leone, also run the two main Mobile Money services in the country – Orange Money and Afrimoney, respectively. Both operators have been at the center of endless complaints of fraud, and their public awareness programs to educate about these fraud types are always behind the cybercriminals who find innovative ways to scam.
According to the FIU, the most common online financial crimes in the country are scams via social media and email (also known as phishing) informing people, or victims, of lottery winnings purportedly from telecommunications companies. Kadija Mansaray (real name protected) bitterly recalls her experience losing 400,000 old Leones in 2020. She received a text message (cybercrime called smishing) telling her that she won 12 million Leones from Africell. The scammer told Kadija that if she wanted the money, she needed to pay a “processing fee” of 100,000 Leones. She sent the fee by Afrimoney, but the scammer kept asking for more. By the time she realized it was a scam, Kadija lost all her savings. She reported the matter to Africell, but it yielded no result, she said.
Although the FIU stated that mobile money operators engage in awareness raising, this type of scam continue to proliferate. In fact, it appears that scammers take advantage of the very traps created by mobile money operators through lottery games that pass as “promotional” offers. Mobile companies too, just like the scammers, promise huge prizes for winners who sometimes do not even have to opt in to be considered for the winning. This makes it difficult for digital users (people who use electronic devices) to know which offer is real and which one is a scam.
Mariama S. Yormah is Sierra Leone’s National Cybersecurity Coordinator, a position created through the Cyber Security and Crime Act, 2021. Yormah said that while her institution continues to assess the national cybersecurity readiness, it appears that the banking and financial sector is dealing with issues mainly relating to insecure connections, leaving it vulnerable to not just outside hackers but also perpetrators locally in the country. She said that her team is currently focused on putting itself together to adequately respond to cybercrime threats.
The Sierra Leone Commercial Bank also acknowledged that threats exist. In a written response to ManoReporters, SLCB said that it was dealing with incidents of “unauthorized access” of its system, without providing further details.
Yormah said that once the Cybersecurity Coordination Centre is properly set up, her team will work to develop policies and standards which will have to be respected by all financial institutions. But to address the problem, one must know the extent of the problem. Or, in Sierra Leone, there is no data. Interpol West Africa, for example, was unable to respond to a request for information sent by ManoReporters due to lack of data in the region. According to Yormah, banking institutions fail to report incidents of fraud.
“The reason why we need to have this Critical Information Infrastructure Protection Plan [is that], one thing we noticed is that most banks are not reporting these incidents. The reason being because of the branding. They don’t want to spoil their brand name,” she said. She added that a World Bank-funded plan expected to start later this year will require banking institutions to cooperate on cybersecurity issues, and they will be regularly audited to ensure compliance with cybersecurity guidelines.
Then, there is radio silence from local data sources too. The Bank of Sierra Leone (BSL) and the National Telecommunications Commission (NATCOM), both government organizations, did not respond to multiple requests for information for the purpose of this article.
The need for Data Protection
The Sierra Leone Police (SLP) is limited too in its capacity to investigate financial cybercrimes. The Dumbuya family (real name protected due to privacy issues), woke up one day in May 2022 to learn that their son was kidnapped from the East End of Freetown. The alleged kidnappers asked the family to send an initial 300,000 old Leones via Mobile Money. The family reported the matter to the police. But the investigation was delayed, and kidnappers, tired of waiting, released the boy home.
“It was disappointing that with all the information the family provided the police, they couldn’t do anything to help,” said a distant relative, who asked to remain anonymous due to lack of authorization from the family to speak about the issue. The SLP didn’t respond to multiple requests for comment on this case, and other related matters.
The police has sometimes blamed telecommunications operators for lack of cooperation in investigating cybercrimes. There is a regulatory and ethical clash between the telecommunications companies releasing privacy data on their customers without a court order. This emphasizes an ongoing debate about the need for a data protection law, which experts say could have outlined ways to navigate genuine concerns of privacy and facilitate cooperation in such critical investigations. A data protection law promised by the government last year has not yet reached the Parliament.
So, what should we do?
The FIU advises people to always be on the lookout for online security vulnerabilities, especially if they buy products and services online. Only deal with reputable financial institutions and telecommunications companies which comply with the Payment Card Industry Data Security Standards [PCIDSS]. It is also important that, when making financial transactions online, to use secure connections, as well as encrypted or tokenized applications. The FIU said that other red flags, or warning signs, are when strangers ask people for their personal information, or to make wire transfers in return for promises, and also when strangers try to gain their trust; never send money to people you never met.
One of the greater vulnerabilities to online financial transactions in Sierra Leone is when people use public computers, which are not secure, said Jalloh. In order to protect electronic devices from attacks, digital users must also download antivirus software from credible sources.
Cybersecurity Coordination Center lead, Mariama Yormah, advises people to be careful about how much information they share online, because this information can be used by cybercriminals to access their financial accounts, mobile money accounts, and do other cybercrimes.
“First and foremost, you need to be very careful about [promises] that are too good to be true…You should be very careful about the links you click. And if you are using [something] like a payment platform, because now most of the banking institutions have online platforms, you need to be careful. No banking institution will ask you for your password online,” Yormah emphasized.