by Senator Iyere Ihenyen
Lead Partner, Infusion Lawyers
Introduction
Phishing is a play on the word fishing. Like fishers, phishers throw baits on the Internet and other electronic-communication media to lure users to disclosing personal and sensitive information. Once unsuspecting users take a bite, they are hooked—credit-card details, passwords, and other sensitive information become exposed to fraudsters. The rest is history.
In 2015, phishing loomed as the biggest threat in Nigeria’s cyber waters.[1] The New Telegraph report claiming this relied on a cybersecurity report by Deloitte Nigeria.[2] In that report, Deloitte Nigeria predicted that “[t]he cybercrime of choice by majority of the Nigerian cyber criminals would be via social engineering. Intelligently crafted phishing emails and phone calls to naïve customers will increase.”
Less than a month after New Telegraph’s report, Abdulkarim Chukkol, Head of Advance Fee Fraud and Cybercrime at EFCC, raised an alarm about electronic fraud-related and phishing activities in the country. In his words, “the growth in the use of electronic banking systems and e-commerce has brought about a parallel increase in efforts to defraud both individuals and corporate organisations, and thus cause tremendous financial loss”.[3]
This article analysis the crime of phishing, how Nigeria’s law-enforcement agencies are fighting it under the country’s criminal laws, and how far the new Cybercrimes (Prevention, Prohibition, etc.) Act has gone in providing the legislation Nigeria needs to efficiently and effectively fish phishers out of Nigeria’s cyber waters.
What does phishing really involve?
Phishing means baiting unsuspecting people to give out their personal and sensitive information through electronic devices and platforms and using the information to defraud them. So phishers are fraudulent fishers of usernames, passwords, credit-card details, etc, masquerading as legitimate companies and contacts in electronic communication. With today’s global growth in electronic transactions, phishers keep spreading their nets on the world wide web and other electronic platforms people use daily.
Black’s Law Dictionary, 10th edition, defines phishing as the “criminal activity of sending a fraudulent electronic communication that appears to be a genuine message from a legitimate entity or business for the purpose of inducing the recipient to disclose sensitive personal information.”
Nigeria’s Cybercrime (Prohibition, Prevention, etc.) Act 2015, defines phishing as “the criminal and fraudulent process of attempting to acquire sensitive information such as usernames, passwords, and credit card details by masquerading as a trustworthy entity in an electronic communication through emails or instant messaging either in form of an email from what appears from your bank asking a user to change his or her password or reveal his or her identity so that such information can later be used to defraud the user.”[4]
The statutory definition above is similar to Zulkifar Ramzan’s definition of phishing in his work, ‘Phishing attacks and countermeasures’. He defines phishing as “the attempt to acquire sensitive information such as usernames, passwords, and credit card details (and sometimes, indirectly, money), often for malicious reasons, by masquerading as a trustworthy entity in an electronic communication.”[5] Phishing is criminal.
Phishing nets may have spread globally in cyber waters today.
Florida Times Union first published the word phishing on 16 March 1997 in an article by Ed Stansel. The author had warned the public: “Don’t get caught by online ‘phishers’ angling for account information.”[6]
But America Online (now AOL), a web-services platform with over 35 million users at the time, was the place phishers carried out their earliest attacks. Phishers would steal people’s credentials to login to private-online accounts. Phishers also used AOHell, a free hacker tool that had a program called Fisher that could be used to create fake accounts. Fisher enabled a phisher to masquerade as an AOL administrator. The fake administrator then creates a chat-room login window where new, unsuspecting users logged in and dropped their personal credentials. The phisher then accessed these credentials from the backend.
Today phishing has become more technologically advanced. Phishers, among other tricks, now create spoof or fake websites to lure users to give out personal, sensitive information.
Phishers harm the Nigerian economy by destroying public confidence in Nigeria’s electronic-transaction system and cybersecurity infrastructure.
Phishers in Nigeria’s cyber waters are part of a network of fraudsters disguising their identities to steal personal financial details, distribute malware online, and harm banks and other financial institutions. These activities destroy users’ confidentiality, privacy, and security.
Phishing is a serious threat to genuine businesses and brands, along with the lives they service and support. Phishing activities threaten Nigeria’s e-commerce ecosystem and the country’s cashless-economy policy, thus harming the Nigerian economy. Between 2000 and 2014, Nigeria lost up to N199 billion to electronic fraud. This loss was largely due to “inappropriate and reckless management of customers’ data.”[7] This suggests that exposure of people’s personal and sensitive information—whether carelessly disclosed or fraudulently acquired—is a major threat to cybersecurity in a world that is constantly going e.
Before Nigeria’s Cybercrimes (Prohibition, Prevention, etc.) Act 2015, phishing was treated in the country under Nigeria’s criminal laws, but as ‘false pretence’.
Phishing is a prevalent cybercrime in Nigeria, aided by an alarming youth-unemployment rate and unhealthy value system. Before the Cybercrimes (Prohibition, Prevention, etc.) Act became the governing law from May 2015, the offence of phishing had not been created in any criminal laws in Nigeria. For too long, thousands of fraudsters took advantage of this legislative vacuum.
But before the enactment of the Cybercrimes Act, law-enforcement agencies in the country generally prosecuted persons they suspected were involved in phishing and electronic-fraud related offences based on the provisions of some preexisting criminal laws in the country. These laws include the Advance Fee Fraud and other Fraud-Related Offences Act 2006 and the Criminal Code (in the South).
Based on the criminal elements of ‘false pretence’ and intent to defraud, phishers are caught by the provisions of the Advance Fee Fraud and other Fraud Related Offences Act 2006.
Sections 1, 6, and 8(a) of the Advance Fee Fraud and other Fraud Related Offences Act 2006 have spread nets wide enough to catch persons who phish or scam online.[8] The State can charge an accused person with obtaining money by false pretence under sections 1, 6, and 8(a) of the Act.
Section 1 of the Act provides that any person who by any false pretence and with intent to defraud obtains from or induces any other person in or outside Nigeria is guilty of an offence.[9] Section 1(3) uses the phrase ‘obtains any property”. If the person is found liable, the punishment is imprisonment for a minimum of 7 years and maximum of 20 years. There is no option of fine.
So section 1(1) and (2) above requires the State to prove defendant’s false pretence and intent to defraud, two elements that are also present in phishing. In State v Ajuluchukwu,[10] a fraud case, the Court of Appeal stated what the prosecutor must prove to get conviction as follows:
- There was a pretence
- The pretence emanated from the accused person
- That it was false
- That the accused person knew of its falsity
- That there was an intention to defraud
- That the thing was capable of being stolen and that the accused person induced the owner to transfer the whole interest in the property. (emphasis supplied)
While section 1 of the Advance Fee Fraud and other Fraud Related Offences Act 2006 is appreciably useful, prosecutorial authorities find it inadequate in certain cases where for instance no property in the sense the word is used in the Act has been stolen. But I think intention to induce and obtain fraudulently are sufficient in sustaining a charge and a conviction for phishing.
By the way, in Alake v The State [1991] 7 NWLR (Part 205) 567, the Court of Appeal per Tobi JCA (as he was then), observed at page 591E-G that “a pretence cannot be anything but false, and so the adjective false qualifying the noun pretence could be good law but certainly not good syntax.” I agree.
Phishing as obtaining by ‘false pretence’ under section 419 of the Criminal Code
Under section 419 of the Criminal Code, the offence of obtaining goods by false pretence is wide enough to catch electronic-fraud related offenders, including phishers. The section provides that:
Any person who by any false pretence and with intent to defraud, obtains from any other person anything capable of being stolen, or induces any other person to deliver to any person anything capable of being stolen, is guilty of a felony … (emphasis supplied)
Since usernames, passwords, credit-card numbers, Bank Verification Numbers (BVNs), Personal Identification Numbers (PINs), etc. fall within anything capable of being stolen, section 419 catches phishers with a wide net. By using the words anything capable of being stolen, I think the drafters have avoided the limitation obtains any property creates in section 1(c) of the Advance Fee Fraud and other Fraud Related Offences Act 2006.
Neither the EFCC Act nor any other Nigerian statute on economic and financial crimes provides for phishing or the criminal elements that constitute phishing.
The EFCC Act is silent on phishing.
Similarly, other economic and financial-crimes legislations do not contain the offence of phishing. These legislations include the Banks and Other Financial Institutions Act 1991, the Failed Banks (Recovery of Debt and Financial Malpractices in Banks) Act, the Miscellaneous Offences Act, the Money Laundering Act, and other laws regulating economic and financial crimes in Nigeria.
Our law-enforcement agencies ingeniously got around Nigeria’s obsolete laws regarding cybercrime. One thing was clear—Nigeria needed a governing law for it’s largely unregulated and fast-growing cyber waters. The legislative loophole was beginning to get too dangerous to ignore.
To fill this dangerous abyss in cybercrime legislation, Nigeria’s Cybercrime (Prohibition, Prevention, etc.) Act 2015 was enacted to become the governing law on Nigeria’s cyber waters.
The absence of any specific cybercrime laws in the country presented a great challenge. Because the old laws were not made with cybercrime in mind, law-enforcement agencies could not sustain some of their charges against cybercrime suspects. Getting convictions was difficult. Consequently, criminal minds turned this legislative abyss to a phishing free zone. Daily, millions of Nigerians receive phishing emails, phishing links to spoof or fake websites, phishing Short Message Service (SMS), phishing popups, and even phishing voice calls. Many unsuspecting receivers of these phishing messages have fallen (and continue to fall) for these tricks.
To make Nigeria’s cyber waters safer, the National Assembly passed the Cybercrime (Prohibition, Prevention, etc.) Bill in November 2014.[11] The Bill was signed into law by President Goodluck Jonathan in May 2015.[12]
Section 32(1) of Cybercrimes Act criminalizes phishing in Nigeria. The Act punishes any person who knowingly or intentionally engages in computer phishing. Armed with this punishment section and the scope of phishing under the definition section of the Act, the fight against phishing in Nigeria got a boost. As cited earlier, section 58 defines phishing as:
the criminal and fraudulent process of attempting to acquire sensitive information such as usernames, passwords, and credit card details by masquerading as a trustworthy entity in an electronic communication through emails or instant messaging either in form of an email from what appears from your bank asking a user to change his or her password or reveal his or her identity so that such information can later be used to defraud the user.
Apart from section 32(1), sections 29, 36, and 37 of the Act are important provisions that will significantly reduce the prevalence of phishing and other electronic-fraud related activities in Nigeria. Section 29(1) applies to breach of confidence by service providers with intent to defraud, forge, or illegally use a person’s security codes. This offence makes the fraudster liable to a fine of N5 million and forfeiture representing the monetary value of the owner’s loss.
Specifically targeted at phishers, section 36 of the Act criminalizes the use of any device or attachment, emails, or fraudulent website to obtain a cardholder’s information. If caught, a 3-year imprisonment or N1 million fine awaits the offender. And to systematically reduce the rate of phishing and electronic-card related fraud in the country, section 37(a) of the Act now requires financial institutions to verify their customers’ names, addresses, and other relevant information before issuing ATM cards, credit cards, debit cards, and other related electronic devices. This is why section 37(b) now makes know-your-customer principle mandatory for financial institutions. Financial institutions must document every customer’s electronic transfer, debit, payment, and issuance orders. Failure to do so renders the financial institution liable on conviction to N5 million fine.
As technology advances, phishing methods have become more sophisticated, but the hook-and-bait concept remains the same.
Phishing methods are changing rapidly, but the concept has remained the same. People who use the Internet and other electronic platforms and devices to complete electronic transactions must be cautious with sharing their personal and sensitive information with any source. This is because no matter how strong a law against cybercrime is, laws are either prohibitive or penal. Laws cannot stop people from falling for phishing tricks. At best, laws can only regulate service providers and users in cyber waters and punish any offenders for breach of cybersecurity standards.
Phishers are social engineers who masterly manipulate people’s psyche to get whatever they want. It could be a mask, a trick, or even a Greek gift. This is why I agree with Marc A. Rader and Syed M. Rahman when they observed in their work that “[p]eople are the weakest link in any security program. Phishing capitalizes on this weakness and exploits human nature in order to gain access to a system or to defraud a person of their assets.”[13]
Conclusion
Phishers will not stop baiting users. Users will not stop falling for baits. But we must ensure that our information-security system is based on best global practices. Service providers must not also compromise data protection and privacy. There must be strict compliance and high standards regarding data collection, data control, and data transfer.
Nigeria’s financial and telecommunications sectors need to be more efficiently and effectively regulated. The Central Bank of Nigeria (CBN) and Nigerian Communications Commission (NCC)—Nigeria’s regulators in the financial sector and telecommunications sector respectively—have leading roles to play. CBN must improve its regulations and standards for financial-service providers, particularly regarding data collection, control, storage, and transfer. And NCC must continue to improve its regulations and standards for telecom-service providers.
Law and technology may not be able to beat phishers in their own game and on their own turf, but we must fish out the phishers of men in our cyber waters. The time to do so is now.
[1] ‘Cybercrimes: Phishing, insider threats to be biggest threat’, New Telegraph, February 2015 http://newtelegraphonline.com/cybercrimes-phishing-insider-threats-to-be-biggest-threats/ accessed 23 December 2015.
[2] ’Nigeria Cyber Security Report 2015’, Deloitte Nigeria, http://www2.deloitte.com/ng/en/pages/risk/articles/nigerian-cyber-security-outlokkk-2015.html accessed 23 December 2015.
[3] ‘Nigeria Cyber Criminals Use Network – EFCC’, Leadership Newspapers, 7 April 2015, http://leadership.ng/news/423644/nigeria-cyber-criminals-use-network-efcc) accessed 3 January 2016.
[4] Section 58 of Cybercrime (Prohibition, Prevention, etc.) Act 2015
[5] Zulkifar Ramzan, ‘Phishing attacks and countermeasures’, Handbook of Information and Communication History, Springer, 2010, 433, 434 edited by Peter Stravroulakis and Mark Stamp. This is the same definition of phishing on Wikipedia, https://en.m.wikipedia.org/wiki/Phishing#cite_note-1 accessed January 5 2016.
[6] Marc A. Rader and Syed M. Rahman, ‘Exploring Historical and Emerging Phishing Techniques and Mitigating the Associated Security Risks’, International Journal of Network Security & Its Applications (IJNSA), Volume V, Number 4, July 2013, 23, 25.
[7] ‘Investigation: Nigerian Banks Lose N199bn To e-Fraud’, Leadership, 20 July 2015 http://leadership.ng/news/448096/investigation-nigerian-banks-lose-n199bn-to-e-fraud accessed 2 January 2016.)
[8] ‘Court jails UNILORIN student for 20 years over internet scam’, Channels TV, 18 June 2012, http://channelstv.com/2012/06/18/court-jails-unilorin-student-for-20years-over-internet-scam/ accessed 4 January 2016; ‘EFCC Arraigns Youth Corps Member, Two Others for Cybercrime, EFCC Website, 4 January 2014, http://efccnigeria.org/efcc/index.php/news/1160-efcc-arrains-youth-corps-member-two-others-for-ybercrime/ accessed 6 January 2016; ‘Nigeria recovers R1.5 billion from cybercriminals’, IT News Africa, 6 December 2010, http://itnewsafrica.com/2010/12/nigeria-recovers-r1-5-billion-from -cybercriminals/ accessed 10 January 2016.
[9] Section 1(1) and 1(2) of the Act.
[10] [2011] 5 NWLR (Part 1239) 78, at 92F-H citing the Supreme Court in Alake v State
[1991] 7 NWLR (Part 205) 567, at 591.
[11] ‘At last, Senate passes Cyber Crime bill into law’, Vanguard, 5 November 2014, http://vanguardngr.com/2014/11/last-senate-passes-cyber-crime-bill-law/ accessed 22 December 2015.
[12] ’Nigeria’s President Jonathan signs the cybercrime bill into law’, Techloy, 16 May 2015, http://techloy.com/2015/05/16/nigerias-preseident-signs-cybercrime -bill-into-law/ accessed 22 December 2015.
[13] Marc A. Rader and Syed M. Rahman, ‘Exploring Historical and Emerging Phishing Techniques and Mitigating the Associated Security Risks’, International Journal of Network Security & Its Applications (IJNSA), Volume V, Number 4, July 2013, 24.
Chidimma
Great article. Nice to read.