Under Nigeria’s Cybercrime (Prohibition, Prevention, etc.) Act 2015, phishing means the criminal and fraudulent process of attempting to acquire sensitive information such as usernames, passwords, and credit card details by masquerading as a trustworthy entity in an electronic communication through emails or instant messaging either in form of an email from what appears from your bank asking a user to change his or her password or reveal his or her identity so that such information can later be used to defraud the user.

Meaning: From fishing to phishing, it is all about throwing hooks and baits to catch victims.


Phishing originated from fishing, the act of baiting and catching fish. Ph replaced f because the earliest hackers were known as phreaks.[1] Phreaking is the hacking of phone networks. Since phishers lure unsuspecting victims to induce them to give out sensitive personal information through electronic-communication systems, phishing was coined to describe the activity.

Black’s Law Dictionary, 10th edition, defines phishing as the “criminal activity of sending a fraudulent electronic communication that appears to be a genuine message from a legitimate entity or business for the purpose of inducing the recipient to disclose sensitive personal information.”
 
Under the definition section of Nigeria’s Cybercrime (Prohibition, Prevention, etc.) Act 2015, phishing means “the criminal and fraudulent process of attempting to acquire sensitive information such as usernames, passwords, and credit card details by masquerading as a trustworthy entity in an electronic communication through emails or instant messaging either in form of an email from what appears from your bank asking a user to change his or her password or reveal his or her identity so that such information can later be used to defraud the user.”[2]

The statutory definition above is quite similar to Ramzan’s definition of phishing as “the attempt to acquire sensitive information such as usernames, passwords, and credit card details (and sometimes, indirectly, money), often for malicious reasons, by masquerading as a trustworthy entity in an electronic communication.”[3]
 
So phishing is a social-engineering technique that fraudsters use to deceive people into giving out sensitive personal information that compromises their security.
 
History: America Online (AOL) first used the word ‘phishing’; ‘phishers’ abused it.
 
Although phishing nets may have spread globally in today’s cyberspace, phishing only started about 2 decades ago. The Florida Times Union first published the word phishing on 16 March 1997 in an article written by Ed Stansel. The author had warned the public: “Don’t get caught by online ‘phishers’ angling for account information.”[4]
 
AOL was the platform on which phishers carried out their earliest attacks. Phishers would steal people’s credentials to log in to private online accounts. Phishers enjoyed access to Internet services by compromising AOL accounts, while AOL charged the legitimate account holders’ credit cards. Phishers also used algorithms to create randomized credit-card numbers. Armed with these numbers, phishers opened AOL accounts and used them to phish other users.
 
Phishers also used AOHell, a free tool that had a program called Fisher. Fisher allowed a phisher to masquerade as an AOL administrator. The fake administrator then created a chat-room login window where new, unsuspecting users logged in and dropped their personal credentials. The phisher accessed these credentials from the backend.
 
Today, phishing has become even more technologically advanced. Phishers, among other tricks, now create spoof or fake websites to lure users to give out personal sensitive information. 


Nigeria’s cyberspace as phishing hotbed

New Telegraph had reported in February 2015 that phishing was going to be one of Nigeria’s biggest threats that year.[5] It relied on Deloitte Nigeria’s cybersecurity report in 2015.[6] Deloitte Nigeria predicted that “[t]he cybercrime of choice by majority of the Nigerian cyber criminals would be via social engineering. Intelligently crafted phishing emails and phone calls to naïve customers will increase.”

 
Less than a month after New Telegraph’s report, Economic and Financial Crimes Commission’s (EFCC) Head of Advance Fee Fraud and Cybercrime, Abdulkarim Chukkol, raised an alarm about electronic fraud-related and phishing activities in the country. In his words, “the growth in the use of electronic banking systems and e-commerce has brought about a parallel increase in efforts to defraud both individuals and corporate organisations, and thus cause tremendous financial loss”.[7]
 
Phishers in Nigeria’s cyberspace are part of a network of fraudsters masquerading to steal personal financial details, distribute malware online, harm banks and other financial institutions, and damage cybersecurity. Their activities continue to harm the society and the economy, costing the country billions of naira.
 
Between 2000 and 2014, Nigeria lost up to N199 billion to electronic fraud. This loss was largely due to “inappropriate and reckless management of customers’ data.”[8]
 
Phishing destroys customers’ confidentiality, privacy, and security. Phishing is a serious threat to genuine businesses and brands, along with the lives they service and support. Phishing affects everyone.
 
Treatment of phishing as a crime under Nigeria’s criminal laws before the Cybercrime Act
 
Phishing is a prevalent cybercrime in Nigeria, aided by an alarming youth-unemployment rate and an unhealthy value system. Before the Cybercrime (Prohibition, Prevention, etc.) Act became the governing law from May 2015, the offence of phishing had not been created in any criminal law in Nigeria. For too long, thousands of fraudsters took advantage of this legislative gap.
 
Law-enforcement agencies in the country generally prosecuted persons they suspected were involved in phishing and electronic-fraud related offences based on the provisions of some preexisting criminal laws in the country.  These laws include the Criminal Code (in the South), and the Advance Fee Fraud and other Fraud-Related Offences Act 2006.
 
Based on the criminal elements of false pretence[9] and intent to defraud, phishers are caught by the provisions of the Advance Fee Fraud and other Fraud Related Offences Act 2006.
 
Sections 1, 6, and 8(a) of the Advance Fee Fraud and other Fraud Related Offences Act 2006 have spread nets wide enough to catch persons who phish or scam online.[10] The State can charge an accused person with obtaining money by false pretence under sections 1, 6, and 8(a) of the Act.
 
Section 1 provides that any person who by any false pretence and with intent to defraud obtains from or induces any other person in or outside Nigeria is guilty of an offence.[11] Section 1(3) uses the phrase ‘obtains any property’. If the person is found liable, the punishment is imprisonment for a minimum of 7 years and maximum of 20 years. There is no option of fine.
 
So section 1(1) and (2) above require the State to prove the defendant’s false pretence and intent to defraud, two elements that are also present in phishing. In State v Ajuluchukwu,[12] a case of fraud, the Court of Appeal stated what the prosecutor must prove to get a conviction:
 
1)    There was a pretence
2)    The pretence emanated from the accused person
3)    That it was false
4)    That the accused person knew of its falsity
5)    That there was an intention to defraud
6)    That the thing was capable of being stolen and that the accused person induced the owner to transfer the whole interest in the property. (emphasis supplied)
While section 1 of the Advance Fee Fraud and other Fraud Related Offences Act 2006 is appreciably useful, prosecutors find it inadequate in certain cases where, for instance, no property in the sense in which it is used in the Act has been stolen, though ‘induce’ and ‘obtain’ are quite apt for phishing activities.
 
Phishing as obtaining by false pretence under section 419 of the Criminal Code
Under section 419 of the Criminal Code, I think the offence of obtaining goods by false pretence is wide enough to catch electronic-fraud related offenders, including phishers. The section provides that:
 
Any person who by any false pretence and with intent to defraud, obtains from any other person anything capable of being stolen, or induces any other person to deliver to any person anything capable of being stolen, is guilty of a felony…(emphasis supplied)
Depending on the value of what has been stolen, the punishment is 3 years or 7 years imprisonment.
 
Since usernames, passwords, credit-card numbers, Bank Verification Numbers (BVNs), Personal Identification Numbers (PINs), etc. fall within ‘anything capable of being stolen’, section 419 generally catches phishers as well. By using the words ‘anything capable of being stolen’, I think the drafters have avoided the limitation ‘obtains any property’ creates in section 1(c) of the Advance Fee Fraud and other Fraud Related Offences Act 2006.
 
Neither the Economic and Financial Crimes Commission (Establishment, etc.) Act 2004 (EFCC Act) nor other regulatory laws on economic and financial crimes in Nigeria provide for phishing or the criminal elements that constitute phishing.
 
The EFCC Act is silent on phishing or any resemblances of it.
 
Similarly, other economic and financial-crimes statutes do not contain the offence of phishing. These statutes include the Banks and Other Financial Institutions Act 1991, the Failed Banks (Recovery of Debt and Financial Malpractices in Banks) Act, the Miscellaneous Offences Act, the Money Laundering Act, and other laws regulating economic and financial crimes in Nigeria.
 
The absence of any specific cybercrime laws in the country presented a great challenge. Because the existing laws were not made with cybercrime in mind, law-enforcement agencies could not sustain some of their charges against cybercrime suspects. Getting convictions was difficult. Criminal minds turned this gap into a free zone for phishing.
 
To fill the dangerous gap, Nigeria’s Cybercrime (Prohibition, Prevention, etc.) Act 2015 became the governing law on cyberspace.
 
Daily, millions of Nigerians receive phishing emails, Short Message Service (SMS) messages, popups, links to spoof or fake websites, and even phone calls. Many fell (and continue to fall) for these tricks.
 
To make Nigeria’s cyberspace safer, the National Assembly passed the Cybercrime (Prohibition, Prevention, etc.) Bill in November 2014.[13] The Bill was signed into law by President Goodluck Jonathan in May 2015.[14]
 
Section 32(1) of the Cybercrime (Prohibition, Prevention, etc.) Act 2015 criminalizes phishing in Nigeria. The Act punishes any person who knowingly or intentionally engages in computer phishing. Armed with this punishment section and the meaning of phishing under the definition section of the Act, the fight against phishing in Nigeria can only get better. As cited earlier, section 58 defines phishing as:
 
‘the criminal and fraudulent process of attempting to acquire sensitive information such as usernames, passwords, and credit card details by masquerading as a trustworthy entity in an electronic communication through emails or instant messaging either in form of an email from what appears from your bank asking a user to change his or her password or reveal his or her identity so that such information can later be used to defraud the user.’
Apart from section 32(1), sections 29, 36, and 37 of the Act are important provisions that will significantly reduce the prevalence of phishing and other electronic-fraud related activities in the country.
 
Section 29(1) applies to breach of confidence by service providers with intent to defraud, forge, or illegally use a person’s security codes. This offence makes the fraudster liable to a fine of N5 million and forfeiture representing the monetary value of the owner’s loss.
Targeted at phishers, section 36 of the Act criminalizes the use of any device or attachment, emails, or fraudulent website to obtain a cardholder’s information. If caught, a 3-year imprisonment or N1 million fine awaits the offender.
 
To systematically reduce the rate of phishing and electronic-card related fraud in the country, section 37(a) of the Act now requires financial institutions to verify their customers’ names, addresses, and other relevant information before issuing ATM cards, credit cards, debit cards, and other related electronic devices. This is why section 37(b) now makes the know-your-customer principle mandatory for financial institutions. Financial institutions must document every customer’s electronic transfer, debit, payment, and issuance orders. Failure to do so renders the financial institution liable on conviction to a N5 million fine.
 
The Hook and Bait
 
 
Phishing methods are changing rapidly, but the concept is the same. The Washington Post published a useful article showing how phishing methods have evolved over time.[15]
No matter how strong a law against cybercrime is, laws are prohibitive or penal. Laws cannot stop people from falling for phishing tricks; they can only punish offenders and send a strong message to others. This is why I think that, apart from law (and technologically advanced anti-phishing programs), people still need to be cautious with how they treat sensitive personal information online and offline.
 
Phishers often manipulate people’s psyche to get what they want. It could be a mask, a trick, or even a Greek gift. In their work, Marc A. Rader and Syed M. Rahman observed that “(p)eople are the weakest link in any security program. Phishing capitalizes on this weakness and exploits human nature in order to gain access to a system or to defraud a person of their assets.”[16]
 
Conclusion
 
Law and technology may not be able to beat phishers at their own game and on their own turf, but we must block loopholes, close gaps, and fill vacuums.
 
Phishers will not stop baiting users. Users will not stop falling for baits. But we must ensure that our information-security system is based on best global practices. Service providers must not compromise data protection and privacy. From their establishment as service providers to their operation, there must be regulations and standards.
 
The Central Bank of Nigeria (CBN), EFCC, and Nigerian Communications Commission (NCC) must set standards for service providers. They must ensure that the user’s privacy and security on electronic communication is protected at all times. To protect privacy and data effectively and efficiently, there must be rights, duties, and liabilities. I think a comprehensive Data Protection and Privacy Act will help address this issue finely.
 
 
 Senator Iyere Ihenyen is an Associate at Assizes Lawfirm and The Write House, Lagos.


[1] Anthonio San Martino and Xavier Perramon, ‘Phishing Secrets: History, Effects, and Countermeasures’, International Journal of Network Security & Its Applications (IJNSA), Volume XI Number 3, 164.
[2] Section 58 of Cybercrime (Prohibition, Prevention, etc.) Act 2015
[3] Zulkifar Ramzan, ‘Phishing attacks and countermeasures’, Handbook of Information and Communication History, Springer, 2010, 433, 434 edited by Peter Stravroulakis and Mark Stamp. This is the same definition of phishing on Wikipedia, https://en.m.wikipedia.org/wiki/Phishing#cite_note-1 accessed January 5 2016.
[4] Marc A. Rader and Syed M. Rahman, ‘Exploring Historical and Emerging Phishing Techniques and Mitigating the Associated Security Risks’, International Journal of Network Security & Its Applications (IJNSA), Volume V, Number 4, July 2013, 23, 25.
[5] ‘Cybercrimes: Phishing, insider threats to be biggest threat’, New Telegraph, February 2015 http://newtelegraphonline.com/cybercrimes-phishing-insider-threats-to-be-biggest-threats/ accessed 23 December 2015.
[6] ’Nigeria Cyber Security Report 2015’, Deloitte Nigeria, http://www2.deloitte.com/ng/en/pages/risk/articles/nigerian-cyber-security-outlokkk-2015.html accessed 23 December 2015.
[7] ‘Nigeria Cyber Criminals Use Network – EFCC’, Leadership Newspapers, 7 April 2015, http://leadership.ng/news/423644/nigeria-cyber-criminals-use-network-efcc accessed 3 January 2016.
[8] ‘Investigation: Nigerian Banks Lose N199bn To e-Fraud’, Leadership, 20 July 2015 http://leadership.ng/news/448096/investigation-nigerian-banks-lose-n199bn-to-e-fraud accessed 2 January 2016.
[9] In Alake v The State [1991] 7 NWLR (Part 205) 567, the Court of Appeal per Tobi JCA (as he was then), observed at page 591E-G that “a pretence cannot be anything but false, and so the adjective ‘false’ qualifying the noun ‘pretence’ could be good law but certainly not good syntax.” I agree.
[10] ‘Court jails UNILORIN student for 20 years over internet scam’, Channels TV, 18 June 2012, http://channelstv.com/2012/06/18/court-jails-unilorin-student-for-20years-over-internet-scam/ accessed 4 January 2016; ‘EFCC Arraigns Youth Corps Member, Two Others for Cybercrime’, EFCC Website, 4 January 2014, http://efccnigeria.org/efcc/index.php/news/1160-efcc-arrains-youth-corps-member-two-others-for-ybercrime/ accessed 6 January 2016; ‘Nigeria recovers R1.5 billion from cybercriminals’, IT News Africa, 6 December 2010, http://itnewsafrica.com/2010/12/nigeria-recovers-r1-5-billion-from -cybercriminals/ accessed 10 January 2016.
[11] Section 1(1) and 1(2) of the Act.
[12] [2011] 5 NWLR (Part 1239) 78, at 92F-H citing the Supreme Court in Alake v State [1991] 7 NWLR (Part 205) 567, at 591
[13] ‘At last, Senate passes Cyber Crime bill into law’, Vanguard, 5 November 2014, http://vanguardngr.com/2014/11/last-senate-passes-cyber-crime-bill-law/ accessed 22 December 2015.
[14] ’Nigeria’s President Jonathan signs the cybercrime bill into law’, Techloy, 16 May 2015, http://techloy.com/2015/05/16/nigerias-preseident-signs-cybercrime -bill-into-law/ accessed 22 December 2015.
[15] Brian Krebs, ‘A Brief History of Phishing’, Washington Post, 18 November 2004, http://www.washingtonpost.com/wp-dyn/articles/A59350-2004Nov18.html accessed 10 January 2016 accessed 21 December 2015.
[16] Marc A. Rader and Syed M. Rahman, ‘Exploring Historical and Emerging Phishing Techniques and Mitigating the Associated Security Risks’, International Journal of Network Security & Its Applications (IJNSA), Volume V, Number 4, July 2013, 24.
 
