Chartered Mortgage Professional (CMP)

LESSON 35 — Cybersecurity Threats & Prevention Strategies

Learning Objectives

After completing this lesson, you will be able to:

Identify the main categories of cyber threats targeting real estate and mortgage professionals in Nigeria.

Explain how phishing, spear phishing, and vishing attacks are used to compromise real estate transactions.

Describe how Business Email Compromise operates in property deals and the scale of global losses it causes.

Distinguish between encrypting ransomware, locker ransomware, and MBR ransomware.

Apply practical prevention strategies including MFA, callback verification, and incident response procedures.

Outline the regulatory obligations under the Cybercrimes Act 2024, the CBN Cybersecurity Framework, and the Nigeria Data Protection Act 2023.

Introduction

Cybercriminals love real estate. You’re handling transactions worth tens of millions of naira. You communicate mostly by email. Your clients trust you to move money. That combination is exactly what attackers are looking for.

In 2024 alone, Business Email Compromise caused $2.7 billion in verified losses globally (FBI IC3 report). Some of that money came from Nigerian real estate deals.

Section 1: Phishing and Social Engineering

Social engineering is the art of manipulating people into doing things they shouldn’t.

Email Spoofing and Standard Phishing

Email spoofing crafts an email that appears to come from a trusted sender. The display name shows your bank or your regulator. The actual sending address is something completely different.

Standard phishing casts a wide net. Attackers send thousands of identical emails hoping a small percentage click through to a fake login page and hand over their credentials.

In real estate practice, phishing emails typically impersonate your bank, the CBN, IMBLN, or a solicitor you know. They create urgency: "Your account will be suspended." "Your registration renewal is overdue."
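The display-name trick described above can be checked mechanically. The following is an added example, not part of the original lesson: it compares the name a message shows with the address it was really sent from, and also flags a Reply-To that diverts answers to another domain. The contact book, the `.example` domains and the sample messages are constructed; `fashola-co.ng` is taken from the lesson's case study.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumed contact book: a name the firm trusts -> domains it really sends from.
KNOWN_SENDERS = {
    "fashola": {"fashola-co.ng"},
    "example bank": {"examplebank.example"},   # constructed entry
}

def domain_of(address):
    """Lower-cased domain part of an address ('' if there is none)."""
    return address.rpartition("@")[2].lower()

def spoofing_flags(raw_message):
    """Return the reasons this message's sender headers look spoofed."""
    msg = message_from_string(raw_message)
    display, address = parseaddr(msg.get("From", ""))
    from_domain = domain_of(address)
    flags = []
    # Display name claims a trusted party, but the real address is elsewhere.
    for name, domains in KNOWN_SENDERS.items():
        if name in display.lower() and from_domain not in domains:
            flags.append(f"display name claims '{name}' but address is @{from_domain}")
    # Replies would be routed to a different domain than the sender's.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and domain_of(reply_to) != from_domain:
        flags.append(f"replies go to @{domain_of(reply_to)}, not @{from_domain}")
    return flags

# Constructed sample messages.
SPOOFED = ('From: "Example Bank Fraud Team" <alerts@mail-secure.example>\n'
           "Subject: Your account will be suspended\n\nLog in now.\n")
REPLY_TO_TRICK = ("From: Tunde Fashola <fashola@fashola-co.ng>\n"
                  "Reply-To: fashola@fashola-co.example\n"
                  "Subject: Completion\n\nPlease confirm.\n")
GENUINE = ("From: Tunde Fashola <fashola@fashola-co.ng>\n"
           "Subject: Completion\n\nDraft attached.\n")

if __name__ == "__main__":
    for label, raw in [("spoofed", SPOOFED), ("reply-to", REPLY_TO_TRICK),
                       ("genuine", GENUINE)]:
        print(label, spoofing_flags(raw))
```

A message sent from a mailbox the attacker has actually taken over passes both checks, which is why header inspection does not replace callback verification.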

Spear Phishing

Spear phishing is targeted. The attacker researches you specifically. They know your name, your firm, your recent transactions.

By mid-2024, AI-generated content accounted for roughly 40% of Business Email Compromise emails globally. Grammatical errors and awkward phrasing, once reliable red flags, are less common now.

Vishing (Voice Phishing)

Vishing is phishing by phone. The caller claims to be from your bank’s fraud team, from the EFCC, or from a client’s solicitor.

Always end the call. Then ring back on a number you independently sourced, not the number that called you.

The EFCC December 2024 Raid

In December 2024, the EFCC dismantled an 800-person cybercrime syndicate operating across multiple states. An 800-person operation has researchers, writers, technical staff, and money mules. You’re up against an industry, not a lone hacker.

Section 2: Business Email Compromise

BEC is the single most expensive cybercrime category in real estate. It exploits the moment a large sum of money is about to move.

How BEC Works in Property Transactions

The attacker first gains access to an email account through phishing. Once inside, they read the correspondence, learn the transaction details, and wait for the right moment. When payment instructions are being exchanged, they impersonate the solicitor and send revised account details.

The buyer sends purchase funds to the fraudulent account. The money is withdrawn within hours.

Case: Babatunde Ayeni

Babatunde Ayeni was sentenced to 10 years in a US federal prison for orchestrating a BEC scheme that stole over $20 million from US real estate transactions.

Operation Wire Wire

Operation Wire Wire was a joint US-Nigeria operation targeting BEC fraud in real estate. The operation resulted in 42 arrests in the United States and 29 in Nigeria. It seized approximately $2.4 million.

Scale of the Problem

The FBI’s 2024 IC3 report recorded $2.7 billion in BEC losses globally.

A 2025 survey by CertifID found that 93% of US title companies reported being targeted by phishing attacks.

Section 3: Ransomware and Malware

Types of Ransomware

Encrypting ransomware finds all your files and encrypts them with a key only the attacker holds.

Locker ransomware doesn’t encrypt your files. It locks you out of your device entirely.

Master Boot Record ransomware corrupts the MBR. The system won’t boot at all. This type is harder to remove.

WannaCry: The Benchmark Attack

WannaCry in 2017 hit over 200,000 systems across 150 countries in 72 hours. Unpatched systems are catastrophically vulnerable.

OPay Incident

In 2023, OPay reported approximately 5,000 customer accounts compromised following a malware-related breach.

Recovery Costs

IBM’s 2024 Cost of a Data Breach Report put the average cost of a ransomware incident at $4.9 million globally. Prevention costs a fraction of recovery.

Section 4: Prevention Strategies

Multi-Factor Authentication

MFA requires a second form of verification beyond a password. Even if an attacker has your password, they can’t log in without the second factor.

Enable MFA on every system that handles client data or financial transactions. This is non-negotiable.

Callback Verification for Wire Transfers

This is the most important single control against BEC. Before you act on any payment instruction, verify it by phone using a number you already have for that party.

Make this a written firm policy. If a client or counterparty resists the callback procedure, that’s itself a red flag.

Password Policies

Passwords must be long (minimum 12 characters), unique to each system, and not guessable. Use a password manager.

Change passwords immediately when a staff member leaves. Review access rights quarterly.

Encryption and Secure File Storage

Client documents must be encrypted at rest and in transit. Secure file-sharing portals are widely available.

Software Updates and Patching

Keep your operating system, software, and antivirus up to date. Turn on automatic updates. Old, unpatched software is the most common entry point for ransomware.

Employee Training

Regular training on phishing recognition, social engineering tactics, and what to do when something feels wrong pays back more than almost any technical control.

Run simulated phishing exercises. Make it psychologically safe to report suspicions.

Incident Response Plan

Two key reporting deadlines: the CBN Cybersecurity Framework requires notification of significant cyber incidents within 24 hours of detection. NITDA and ngCERT require notification within 72 hours under applicable Nigerian regulations.

Document everything from the moment you detect an incident.

Section 5: Building a Cybersecurity Culture

Responsibility and Resourcing

Someone in your firm must own cybersecurity. Budget for an IT security retainer with a specialist firm. It costs far less than recovering from a breach.

Risk Identification

Run a basic risk assessment annually. What systems do you use? What data do they hold? Who has access? What would happen if each system was compromised?

Incident Monitoring

Login alerts for unusual access. Email security tools that flag suspicious messages. Antivirus that runs continuously. Average dwell time for a threat actor in a corporate network was 24 days in 2024.

Third-Party Management

Your solicitors, valuers, estate agents, and lenders all connect to your transactions. A breach at any one of them can compromise your clients.

SCUML and CBN Framework Compliance

A cybersecurity breach that exposes client data or transaction records will attract SCUML scrutiny about whether your controls were adequate.

The CBN Cybersecurity Framework 2024 sets the benchmark for adequate controls in financial services.

Cybercrimes Act 2024 and Reporting Obligations

Non-reporting of a cybercrime incident where reporting is required carries a fine of up to N2 million under the Act.

Report incidents to ngCERT and, where financial fraud is involved, to the EFCC.

Cyber Insurance

Cyber insurance covers costs from a cyber incident: legal fees, notification costs, data recovery, business interruption, third-party liability.

Read the policy carefully. Some policies exclude BEC losses. Some require minimum security standards.

Case Study: The N45 Million Lekki BEC

Adaeze Nwachukwu is a mortgage broker handling a residential purchase in Lekki Phase 1. Her client is buying a property for N45 million. The seller is represented by Barr. Tunde Fashola at fashola@fashola-co.ng.

Step 1 – Compromise: An attacker sends a spear phishing email to Fashola. He clicks a fake CBN login page and enters his credentials. The attacker now has access to fashola@fashola-co.ng.

Step 2 – Reconnaissance: The attacker reads the email thread for four days. They learn the parties, the amount, the expected completion date, and the tone of communications.

Step 3 – The Strike: Three days before completion, Adaeze receives an email from fashola@fashola-co.ng: "Adaeze, please note our firm has changed banks. Please ensure the N45 million balance is sent to: GTBank, Account Name: Fashola & Associates Legal, Account No: 0123456789."

Step 4 – The Transfer: Adaeze doesn’t call Fashola to verify. She’s transferred funds before on his instructions without issue. She processes the N45 million. The funds are split across 12 accounts within 90 minutes and begin moving internationally.

Step 5 – Discovery: On completion day, the actual seller’s solicitor calls asking for funds that haven’t arrived. Adaeze contacts Fashola directly. He has no idea about the new account. The attacker has been reading and deleting his messages for five days.

The damage: N45 million gone. Recovery through banking channels retrieves N3.2 million. The client may have a claim against Adaeze’s firm. She faces possible IMBLN discipline. The transaction collapses.

What would have prevented it: One phone call to a number Adaeze independently held for Fashola, before processing the transfer. Fashola’s firm should also have had MFA on their email accounts. Two controls. N45 million protected.
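The callback rule from Section 4, applied to the Step 3 instruction in this case study, can be written as a release gate in a payment workflow. This is an added example, not part of the original lesson: the class and function names are hypothetical, and the phone number and the previously verified account are constructed, while the Step 3 account details are the ones quoted above.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class BankDetails:
    bank: str
    account_name: str
    account_no: str

@dataclass(frozen=True)
class Callback:
    number_dialled: str   # the number staff actually rang
    confirmed: bool       # did the party confirm the details by voice?

@dataclass
class Counterparty:
    name: str
    phone_on_file: str                      # held before this instruction arrived
    verified: Optional[BankDetails] = None  # details confirmed on an earlier callback

def _digits(number):
    return "".join(ch for ch in number if ch.isdigit())

def review_instruction(party, requested, callback=None):
    """Decide RELEASE / HOLD / REJECT for a payment instruction.

    The sender address is deliberately not an input: in the case study the
    email came from the solicitor's real, compromised mailbox.
    """
    if requested == party.verified:
        return "RELEASE", "details match those already verified by callback"
    if callback is None:
        return "HOLD", f"new or changed details: ring {party.phone_on_file}"
    if _digits(callback.number_dialled) != _digits(party.phone_on_file):
        return "HOLD", "callback used a number that is not the one on file"
    if not callback.confirmed:
        return "REJECT", "party denied the instruction: treat as a BEC incident"
    party.verified = requested
    return "RELEASE", "confirmed by callback to the number on file"

# Constructed record: the phone number and the earlier account are made up.
FASHOLA = Counterparty("Barr. Tunde Fashola", "+234 000 000 0001",
                       BankDetails("Example Bank", "Fashola & Co", "0000000001"))
# The account details quoted in the Step 3 email.
STEP3 = BankDetails("GTBank", "Fashola & Associates Legal", "0123456789")

if __name__ == "__main__":
    print(review_instruction(FASHOLA, STEP3))
    print(review_instruction(FASHOLA, STEP3, Callback("+2340000000001", False)))
```

With no callback recorded the Step 3 instruction is held, and a callback to a number that is not the one on file (for instance one copied from the email itself) does not lift the hold.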

KEY TAKEAWAYS

Phishing, spear phishing, and vishing are social engineering attacks. AI-generated content accounted for roughly 40% of BEC emails by mid-2024.

Business Email Compromise cost $2.7 billion globally in 2024. The EFCC December 2024 raid dismantled an 800-person BEC syndicate.

Ransomware comes in three main forms: encrypting, locker, and MBR. Prevention through patching and backups costs far less than recovery, which averaged $4.9 million per incident in 2024.

The core prevention controls: MFA on all systems, callback verification for every payment instruction, strong password policies, software patching, encrypted file storage, regular staff training, and a written incident response plan.

The CBN Cybersecurity Framework 2024 sets the benchmark for adequate controls in financial services.

The Cybercrimes Act 2024 imposes a fine of up to N2 million for non-reporting of cyber incidents. The CBN requires notification within 24 hours. The NDPA 2023 requires notification of personal data breaches within 72 hours.

Knowledge Check (10 Questions)

  1. What percentage of Business Email Compromise emails were AI-generated by mid-2024?

    (a) Around 15%
    (b) Around 25%
    (c) Around 40%
    (d) Around 60%

  2. In December 2024, the EFCC dismantled a cybercrime syndicate of approximately how many members?

    (a) 200 people
    (b) 450 people
    (c) 600 people
    (d) 800 people

  3. For how many years was Babatunde Ayeni sentenced for his BEC scheme targeting real estate?

    (a) 5 years
    (b) 7 years
    (c) 10 years
    (d) 15 years

  4. Operation Wire Wire resulted in how many arrests in Nigeria?

    (a) 14 arrests
    (b) 29 arrests
    (c) 42 arrests
    (d) 57 arrests

  5. Which type of ransomware corrupts the Master Boot Record and prevents the system from starting?

    (a) Locker ransomware
    (b) Encrypting ransomware
    (c) MBR ransomware
    (d) Payload ransomware

  6. According to the FBI IC3 report for 2024, what was the approximate global total of BEC losses?

    (a) $1.1 billion
    (b) $1.9 billion
    (c) $2.7 billion
    (d) $3.4 billion

  7. What percentage of US title companies reported being targeted by phishing in CertifID’s 2025 survey?

    (a) 67%
    (b) 81%
    (c) 93%
    (d) 99%

  8. Under the CBN Cybersecurity Framework 2024, within how many hours must you notify the CBN of a significant cyber incident?

    (a) 12 hours
    (b) 24 hours
    (c) 48 hours
    (d) 72 hours

  9. What is the maximum fine under the Cybercrimes Act 2024 for failing to report a cybercrime incident where reporting is required?

    (a) N500,000
    (b) N1 million
    (c) N2 million
    (d) N5 million

  10. Which single control would have prevented the N45 million Lekki BEC described in the case study?

    (a) Encrypting all client emails
    (b) Registering with SCUML
    (c) Verifying the new payment details by independent phone call before processing
    (d) Filing a Suspicious Transaction Report

Answers

Answers: 1. (c) 2. (d) 3. (c) 4. (b) 5. (c) 6. (c) 7. (c) 8. (b) 9. (c) 10. (c)

IMBL Nigeria Certification