Africa is a challenging area to fight cybercrime. There has been an increasing cybercrime in the region, which is attributed to vulnerable systems and lax of cybersecurity practices in the region. Cybersecurity is considered to be a luxury, not a necessity in many African economies. After the Corona Crisis, this would, unfortunately, not change. In this article, we will analyse the cybersecurity and cybercrime landscape in West Africa.
To start with facts and figures on cybercrime in West Africa – the cybersecurity budget in many organizations based in the region are reported to be less than 1% and many organization don’t allocate budget for cybersecurity. According to Business Software Alliance, Libya and Zimbabwe are two countries with the world’s highest software piracy rates in 2017. This does not limit to Libya and Zimbabwe. In fact, it applies to the whole of African region. Also, these pirated products are a significant cause of the spread of malware in the region.
Lack of Awareness
A significant problem in Africa is related to the lack of awareness among Internet users to protect themselves from rising cyber-threats. A majority of the people in Africa are not very tech-savvy and are getting connected to the Internet for the first time. Also, most don’t know the English language and therefore find it challenging to use cybersecurity products developed in the English language. The continent also faces a severe shortage of cybersecurity expertise. It is estimated that Africa will have a lack of 100,000 cybersecurity personnel by 2020.
Culture of Cybercrime Startups – West African Cybercrime Startup Culture and the African Youth
Although there is significant lack of awareness, there is also a high rate of cybercrime. The cybercriminals tap into the ignorance of people and have successfully created a “culture of cybercrime” in West Africa.
It is also studied that the West African Criminal Culture is more forgiving with fraud and cybercrime. Especially when it is targeted on foreigners. For example, in Ghana, Sakawa is a ritualized practice of online fraud, enabling a cultural mindset encouraging cybercrime. These ritualistic practices also set a legitimate base for the cybercriminal to defraud foreign victims online to escape poverty.
A study focused on the state of youth in Africa, especially their well-being and their participation in the economy, suggests that there is limited data that hinder the measurement of the well-being of African youth. The available data indicate that the youth population is large and growing, and has high educational attainment and unemployment rates. Almost half of the 10 million graduates from more than 668 African universities each year do not find employment. According to the survey by INTERPOL and Law Enforcement in West Africa, about 50% of the cybercriminals that are identified in the region are unemployed.
Research on West African Cybercriminal culture has highlighted the operational and behavioral observations about Cybercriminals. These cybercriminals usually use social engineering tactics to gather information. Keyloggers, Malware files, Phishing emails are all a part of the tactic used by the cybercriminals. Moreover, there is a cybercrime startup culture in many of the West African countries, where the cybercriminals help each other in fraudulent tasks. The challenge, therefore, is to use the “Startup Culture” not for cybercrime but for cybersecurity.
“Youth policies potentially have several challenges, and the assessment of problems facing young people is complicated by data limitations. These limitations include a lack of reliable and accurate data; a lack of comparable data across countries and regions; a lack of pro-jobs and pro-youth economic growth agendas; a lack of comprehensive youth policies that are integrated into national development plans; a lack of broad macroeconomic policies and the need to mainstream youth policies; the fact that the costs of programs and sources for funding are not fully known; and the fact that governments lack the capacity to undertake comprehensive monitoring and evaluative processes.”Kwabena Gyimah-Brempong and Mwangi S. Kimenyi, Youth Policy and the future of African development
In West Africa, the underground market is emerging. It is suggested that more vigorous law enforcement action is needed to stop the evolution of the sophisticated market. However, besides the law enforcement action, skills development, and cybersecurity startup culture must emerge.
The Law Enforcement and Legal Landscape
Weak legislation is also a cause of cybercrimes. Most African economies are characterized by the permissiveness of regulatory regimes that provide a fertile ground for cybercrime activities. According to a November 2016 report of the African Union Commission (AUC) and Symantec, out of the 54 countries of Africa, 30 lacked specific legal provisions to fight cybercrime and deal with electronic evidence. Law enforcement officials in some states do not take significant actions against hackers attacking international websites. For instance, it was reported that government officials in Nigeria claimed that they were ignorant of cybercrimes originated from the country, and some labeled it as Western propaganda.
Also, cybercriminals benefit from inter-jurisdictional and intra-jurisdictional arbitrage. Following raids on cyber cafés in major cities in Nigeria, cybercriminals were reported to move to remote areas to carry out their operations. The porous national borders and a lack of states’ controls on their territories mean that cybercriminals can easily migrate from one jurisdiction to another with a weaker rule of law and enforcement.
The Cybercriminals and Social Engineering Tactics
According to a report by INTERPOL and Trend Micro, there are two types of cybercriminals in West Africa – so-called “Yahoo Boys” and the “Next Level Cybercriminals”. It is identified that the Yahoo boys excel in committing simple types of frauds (advanced-fee, strangled-traveler, and romance scam/frauds) under the supervision of ‘ringleader’ or ‘mastermind’.
However, Next-Level Cybercriminals are more experienced and indulge in Business Email Compromise[BEC], Tax Scams/Frauds, or crimes that require more time, resources, and effort. These criminal practices include using malware such as keylogger, Remote Access tools/Trojan[RATs], etc. and other criminal-enabling software such as email-automation and phishing tools Crypters that can be easily obtained in the underground market.
Cybercriminals in Africa use social engineering tactics to steal money and other criminal activities online. They create fake personas and attempt to defraud as many victims as possible. Creating personas usually involves obtaining several email addresses for various online profiles, on social media, and perform fraud against potential victims. Sending socially engineered email and messages is a common practice.
Cybercrime in West Africa is real. Just because today’s attacks are less sophisticated than those we are accustomed to seeing from cybercriminals in other countries or regions, it does not mean they do not have adverse effects. In fact, the most straightforward attacks enabled by ingenious social engineering tactics such as BEC fraud have crippled all types of companies, regardless of size. West Africa needs to transform. This transformation is possible through collective action. Developing awareness, data-gathering on cybercriminals, social-science and technical research, propagation of a culture of cybersecurity will lead to this change in the coming future.