The weakest link in the security chain
Nigerian fintechs invest heavily in penetration testing, API security, and encryption. Yet, many high-profile breaches occur without a single line of code being exploited. Attackers target the individuals who hold the keys to the administrative dashboard: the customer support and operations teams.
Spear-Phishing
Targeted emails to operations staff containing malicious links. The goal is to harvest their internal portal credentials or deploy malware to their endpoint.
Pretexting
Attackers call support pretending to be a high-value customer in distress, using publicly available OSINT data to answer basic verification questions and bypass account lockouts.
Insider Threat
A legitimate employee is bribed or coerced by an external syndicate to use their administrative access to approve fraudulent KYC applications or reverse transactions.
Hardening the administrative dashboard
You cannot train away human error entirely. Your defense strategy must assume that a support agent will eventually fall for a phishing email. The goal is to limit the blast radius when that happens.
Phishing-resistant MFA
SMS OTPs and TOTP codes from apps such as Google Authenticator can be relayed in real time by phishing proxies (Evilginx is the best-known kit): the victim types the code into a look-alike site, and the proxy forwards it to the real login within the code's validity window. FIDO2/WebAuthn hardware security keys (e.g., YubiKeys) resist this because the signed assertion is bound to the origin the browser actually connected to and to a server-issued challenge, so an assertion produced on a proxy's domain fails verification at the real portal. Enforce them for all staff with elevated privileges, and remove the weaker factors from those accounts rather than leaving them as a fallback, because a fallback that stays enrolled is the path the attacker will take.
Strict Role-Based Access Control (RBAC)
A Tier 1 support agent should not have the ability to manually adjust user balances or approve tier-3 KYC limits. Implement strict, granular RBAC in which each role carries only the permissions its daily work needs. If a task is high-risk, it should require "maker-checker" logic: one authorized employee proposes the action and a different authorized employee approves it before it executes, with the system (not policy alone) enforcing that the maker can never be their own checker and that no single role holds both the propose and the approve permission.
Verifying the customer identity
When a customer calls in requesting a password reset or an email change, support teams often rely on easily forged data points: "What is your mother's maiden name?" or "What was your last transaction amount?"
Attackers can acquire this information from previous breaches or social media. Implement dynamic, secure verification channels:
- In-app push notifications: Send a verification prompt to the authenticated mobile device. If the caller does not possess the device, the request is denied.
- Self-service flows: Eliminate the ability for support agents to manually reset passwords or change contact details. Force all users through an automated flow that proves possession of an enrolled factor (the registered device, a link to the verified email address, or a passkey) and that has no agent override in the code path.
- Video verification: For high-value accounts or critical actions (like unlocking an account frozen for fraud), require a live video call with liveness checks to match the caller against the original KYC biometric data; a still photo or a replayed recording must not pass.
Simulating the human attack
Technical penetration tests must be complemented by Red Team engagements that include social engineering. We run simulated spear-phishing and pretexting campaigns against your staff to identify training gaps and to test whether your logging and detection actually surface the compromised accounts: the new MFA enrolment, the login from an unfamiliar network, or the unusual export from the admin portal that a real intrusion would produce.
Related reading
Blog: KYC and BVN Data Security · Building a Security Culture
Guides: CBN Compliance Guide
Services: Authentication Security