West Africa’s Cybercrime Culture
June 4, 2020
Why does this matter:
Within the West African criminal culture, fraud is not as frowned upon as in the Western world. This cultural mindset is most evident in Ghana where Sakawa—a ritualized practice of online fraud—is widely practiced. In Sakawa, a priest is asked to bless criminals with protection and good fortune. This encourages West African cybercriminals to defraud foreign victims (typically Westerners) online as a means to escape poverty.
Types of cybercrime in West Africa include advance-fee fraud and black money, contract, credit card, crude oil, immigration/employment/education, inheritance, Internet dating, lottery, property sale, reshipment, spiritual/religious and transfer of funds scams.
Cybercrime is shifting towards the emerging economies. Many African economies have become important sources as well as victims of cyber-threats. Africa has the lowest number of Internet users but is making the most dynamic progress. The percentage of Africans using the internet has increased from 2% in 2005 to almost 25% in 2018.
As many as 80% of PCs on the African continent are already infected with malware. Windows 7, the operating system most vulnerable to the WannaCry attack, holds a 55% market share in Africa. About one-quarter of African users are using Microsoft Windows XP, an operating system that has lacked support and patches since 2014. More than 95% of African organisations (in both the private and public sectors) are either operating at or below the “security poverty line”, which means that they cannot effectively manage cyberattacks – mainly because they do not have basic security measures and structures in place and barely invest in security solutions.
While the total population of the African continent in 2020 exceeds 1.3 billion, the number of certified cybersecurity professionals is merely 10,000. Widespread unemployment and poverty drive societal acceptance of engaging in cybercrime. In Western African countries, the so-called “Yahoo boys” are usually university students who view online fraud as a means of economic subsistence. Another example is the Sakawa boys in Ghana, who engage in internet fraud and frequently justify their activities as the only way to survive in the absence of employment.
There are two main types of cybercrime in West Africa: those that depend on a target’s willingness to accept an idea proposed by the scammer (first-generation cybercrimes), and those where the criminal assumes the identity of the victim (second-generation cybercrimes). Whereas first-generation cybercrimes focus principally on assuming a genuine and authentic tone in order to convince targets, a more complex form of cybercrime has emerged in which cybercriminals make extensive use of information technology skills and need less time per operation than in first-generation crimes.
This second-generation form is an online operation which makes extensive use of phishing, hacking, website cloning and identity theft. Rather than send an e-mail to a target from the scammer’s inbox, as in the case of first-generation crimes, second-generation scammers hack and use the identity of another person (the first target) for the operation. This type of scam, therefore, involves two victims. By using the identity of a first victim, second-generation scammers exploit relationships that the first victim has built over the years in order to defraud the second.
In West Africa, most of the governments’ resources and actions are focused on physical security, and the growing problems of cybersecurity and cybercrime are still overlooked. Cybersecurity capacity-building efforts and cybercrime awareness are extremely limited. For instance, in Liberia, individuals and organisations take responsibility for managing their own risks online. Therefore, the government does not yet have mechanisms in place to monitor and quantify the various cybercrimes and cybersecurity risks.
In Mali, there are currently no laws specifically concerning cybersecurity, while cybercrime laws can be found in the Criminal Code. While the country has not established formal mechanisms for responding to cyber incidents and the government does not operate a national CERT (Computer Emergency Response Team), in May 2013, the Government of Mali adopted personal data protection legislation.
Malian officials pointed out that the biggest impediments to cybersecurity advancement are the protection of personal data and electronic transactions. Mali has experienced an increase in the number of cyber incidents over the last year. To combat this rise, authorities have used antivirus, firewall, IPS and IDS security technologies. The most significant cyber incidents which took place in Mali in the last year were financial crimes. Although the perpetrators of these incidents were not found, evidence suggests that they were located both within and outside Mali’s borders.
In Nigeria, the main challenges the government is facing are the lack of awareness of cybersecurity measures and the risks associated with cybercrime. Nigeria does not yet have a national cybersecurity awareness program, but it developed a cybersecurity national strategy. There are no civil societies/NGOs to educate and raise awareness of cyber risks, yet officials noted that they do have a strategy on enhancing public-private partnerships. Some universities in Nigeria currently maintain cybersecurity degree programs, but no national cybersecurity training facilities have been established.
The most significant cyber incidents in Nigeria are botnet attacks (the use of infected systems – “zombies” – in Nigeria to attack systems in other countries). Usually, the command and control system is located outside Nigeria while the individual bots (zombies) reside within Nigerian borders.
Organised criminal groups show increasing interest in cybercrime and are also professionalising their activities. West African criminal groups have a long tradition of perpetrating unsophisticated social engineering frauds known as Nigerian email scams, which have now vastly increased in maturity. Phishing campaigns called BEC (Business Email Compromise) are on the rise and, as they target larger organisations, cause significant financial losses.
In a region suffering from extreme poverty, with rising youth unemployment rates and endemic corruption, the display of wealth by cybercriminals has become a lure to poor and unemployed youth. As a result, recent trends point to the increasing involvement of young people from many countries in West Africa. The “Nigerian letter” or “419” became so popular among semi-literate young people that it has seen a rapid regionalisation into a “West African letter”. The phenomenon is known by local names such as “Sakawa” or “Yahoo-yahoo” in Ghana and “Faymania” in Cameroon.
Apart from regionalisation, the crime has also evolved from the posting of unsolicited letters into a more sophisticated Internet-based criminal activity supported by document falsification, identity theft and money laundering. Further, from a crime perpetrated by disparate individuals in isolated cybercafés, it has metamorphosed into one operated by loosely organised networks who are active across several state boundaries and nationalities.
Sakawa is a Ghanaian term for illegal practices which combine modern Internet-based fraud with African traditionalist rituals. In Hausa, the term means “putting inside”, that is, how to make money. The rituals, which are mostly in the form of sacrifices, are intended to spiritually manipulate victims so that the scammer’s fraud is successful. The term Sakawa referred to specific online scams but has since broadened to include all types of online frauds and scams mainly targeting foreigners. The scammers display stylish clothes, luxury cars, and wealth to promote this activity.
Sakawa is now Ghana’s most popular youth activity and one of its biggest underground economies. The traditional West African Juju priests adapted their services to the needs of the information age and started to support Internet scammers through costly rituals designed to increase their powers of persuasion and make their emails irresistible to foreigners.
The association of the crime with West Africa has led to the area acquiring a negative label and being stigmatised internationally as the hub of Internet-based crime, and particularly advance-fee fraud (AFF). The stigmatisation of the region is such that legitimate business propositions originating from West African countries are regarded with suspicion in many international business circles. To fix this issue, West African countries should direct some of their physical security funds toward the cybersecurity sector, to raise awareness and to improve the response capacity to cyber-attacks.
Ana Maria Baloi is an analyst at Grey Dynamics and an MA candidate at Brunel University London, where she studies Intelligence and Security. Her research is focused on China’s policy and strategy towards Africa.
In recent years, Ana has participated in numerous NATO Youth summits and Model United Nations conferences, while working as an intern for the Romanian Senate.