Fraud-as-a-Service: The Rising Threat to Africa’s Digital Future

Today, The Sumsuber sat down with Corradino Corradi, General Manager of Information Security Strategy, Architecture, and Technical Excellence at MTN, to talk about a specific threat that’s been worrying Africa’s financial sector recently—the rise of fraud-as-a-service. We will discuss what this trend actually is, the tactics of the fraudsters, and the countermeasures, to see what Africa has been doing to push back against this danger to the digital future of African countries.

The big picture: Why Africa, why now?

THE SUMSUBER: Thank you for taking the time for this interview, Corradino. Let’s start from the top—what is Fraud-as-a-Service, and how is it evolving in Africa today?

CORRADINO CORRADI: To put it simply, fraud-as-a-Service (FaaS) is a business model where cybercriminals offer fraud tools and services to other fraudsters and criminals, enabling them to commit various types of fraud without needing advanced technical skills. This model has become increasingly prevalent in Africa, where the digital landscape is rapidly evolving.

THE SUMSUBER: Why do you think the African fintech and digital finance ecosystem has become a hotspot for industrialized fraud?

CORRADINO CORRADI: The African fintech and digital finance ecosystem has become a hotspot for industrialized fraud due to several factors. The rapid growth and adoption of digital financial services, combined with the unique socio-economic landscape, have created an environment ripe for exploitation by fraudsters.

Firstly, the success of mobile payment platforms like MoMo by MTN and M-Pesa by Vodafone has significantly contributed to financial inclusion in Africa. These platforms have enabled millions of unbanked and under-banked individuals to access financial services, making transactions more convenient and secure. For instance, MoMo by MTN allows users to store and manage their money electronically, pay for goods and services, and send money to other users.

However, this widespread adoption also presents opportunities for fraudsters. The large user base and the high volume of transactions make these platforms attractive targets. Fraudsters employ various tactics, such as phishing, identity theft, and social engineering, to exploit vulnerabilities in the system. The lack of robust and uniform regulatory frameworks in Africa and the rapid pace of technological advancement further exacerbate the issue.

THE SUMSUBER: Having this fragmentation in mind, which regions or countries do you think are most impacted right now—and what’s driving that surge?

CORRADINO CORRADI: FaaS is significantly impacting several regions and countries in Africa, with South Africa, Nigeria, Kenya, Egypt, and Morocco being the most affected. This surge is driven by various factors, including the rapid adoption of digital financial services, the proliferation of mobile technology, and the increasing sophistication of cybercriminals.

South Africa, Nigeria, and Kenya are particularly vulnerable due to their advanced mobile and digital financial ecosystems.

The latest Interpol Africa Cyberthreat Assessment Report highlights that many small and medium businesses on the continent operate without the necessary cybersecurity protocols, making them easy targets for cybercriminals. The report also identifies the top cyberthreats in Africa, including ransomware attacks, online scams, digital extortion, and business email compromise.

THE SUMSUBER: You previously mentioned the lack of uniform or strong regulations. How much of the problem comes down to regulation gaps, enforcement, or visibility into what’s actually going on?

CORRADINO CORRADI: Many African countries lack comprehensive and up-to-date cybersecurity regulations. The absence of standardized regulations across the continent means that fraudsters can exploit weaker jurisdictions to launch attacks on more regulated markets.

Even in African regions where regulations exist, enforcement can be inconsistent and weak. Law enforcement agencies often lack the resources, training, and technology needed to combat cybercrime effectively. This is compounded by the fact that cybercrime is a relatively new phenomenon in many African countries, and law enforcement agencies are still catching up.

A significant part of the problem is the lack of visibility into what is actually happening in the cyber landscape. Many organizations do not have the necessary tools and systems in place to detect, monitor, and report fraudulent activities. This lack of visibility makes it difficult to respond to threats in a timely manner.

The GSMA Africa Fraud and Security Group has highlighted the need for more cohesive regulatory frameworks to combat mobile fraud and has emphasized the importance of improving threat intelligence and information sharing among organizations to enhance visibility and response capabilities.

However, beyond regulations and visibility, there’s also the matter of how these fraud schemes are actually carried out on the ground.

The playbook of modern fraud

THE SUMSUBER: From what you describe, it sounds like these schemes can be quite complex. Can you walk us through a typical FaaS operation—from toolkits to execution?

CORRADINO CORRADI: Sure! Fraud-as-a-Service operations usually begin with the acquisition of various fraud toolkits. These toolkits are often sold on underground forums and marketplaces, and they can include a wide range of tools such as phishing kits, malware, and social engineering scripts.

Once the toolkits are acquired, the fraudsters plan their operation. This involves selecting targets, setting up infrastructure (such as fake websites or compromised servers), and preparing the necessary scripts and tools. They may also collaborate with other criminals to share resources and information.

The execution phase involves deploying the tools and carrying out the fraud. This can include sending phishing emails, deploying malware, or using social engineering techniques to trick victims into revealing sensitive information.

After successfully executing the fraud, the criminals move on to the monetization phase. This involves converting the stolen data or funds into usable assets. They might sell the stolen information on dark web marketplaces, use it to make fraudulent transactions, or launder the money through various channels.

Finally, the fraudsters take steps to cover their tracks and avoid detection. This can include deleting logs, using anonymization tools like VPNs and TOR (to access the Dark Web), and moving their operations to different locations to evade law enforcement.

THE SUMSUBER: From what we gather, sharing information between criminals is one of the key steps in this fraud type. What role do apps like Telegram or WhatsApp play in coordinating or selling fraud services?

CORRADINO CORRADI: Messengers could provide a secure and relatively anonymous environment (thanks to end-to-end encryption) for cybercriminals to communicate, share information, and conduct transactions.

For example, a recent case study from the GSMA Fraud and Security Group (FASG) highlights how a large SIM Box-based SIM farming operation in Africa was discovered and taken down. This operation used Telegram and WhatsApp to receive one-time passcodes (OTPs) to set up fake accounts for various services, including Amazon, Alipay, and Facebook. These online channels are one piece of the puzzle—but another is the human and organizational networks behind them.

THE SUMSUBER: Speaking of organizational networks, how do cross-border networks factor into the story? Are we talking about local operations or regional crime syndicates?

CORRADINO CORRADI: Cross-border networks play a significant role in the landscape of FaaS in Africa, involving both local operations and regional crime syndicates. These crime networks facilitate the coordination and execution of fraud schemes across multiple countries, leveraging the interconnectedness of digital and financial systems.

Local cybercriminals may work with others in neighbouring countries to share resources and information. Regional crime syndicates can orchestrate large-scale fraud operations that span multiple countries. They might use sophisticated techniques such as SIM swap fraud, social engineering, and mobile malware to exploit vulnerabilities in the digital financial ecosystem.

Nowadays, with new technologies like artificial intelligence coming into play, these operations are becoming even harder to spot.

THE SUMSUBER: Are AI-powered tools like deepfakes or voice clones already being used in onboarding fraud across African fintech?

CORRADINO CORRADI: Yes, fraudsters are already utilizing deepfakes, voice clones, and other AI-powered tools to impersonate individuals and gain unauthorized access to financial systems.

In particular, deepfakes are being used to create realistic video and audio impersonations of individuals, and voice cloning technology is being used to create convincing audio impersonations.

AI-powered chatbots are also being used to automate phishing and social engineering attacks. These bots can engage with victims in real time, making fraud attempts more convincing and harder to detect. Given this escalating toolkit, it’s no surprise that fintechs are looking for practical, immediate steps to defend themselves.

Tools, tactics, and who’s stepping up

THE SUMSUBER: Let’s move on to what defences they can use to fight fraud. What are some practical steps fintechs can take to defend themselves against FaaS—especially if they have limited resources?

CORRADINO CORRADI: Defending against Fraud-as-a-Service can be challenging, especially for fintechs with limited resources. However, there are several practical steps that can be taken to mitigate the risk. These steps include:

• Conducting fraud risk assessments: Regularly assess the fraud risks associated with your business processes, products, and services. This helps identify potential vulnerabilities and allows you to implement appropriate controls to mitigate those risks.
• Implementing hard and soft controls: To reduce the opportunity and motivation for fraud, use a combination of hard controls (such as segregation of duties and authorization requirements) and soft controls (such as promoting ethical behavior and adherence to company values).
• Monitoring new products and services: Conduct high-level fraud risk assessments for each new product or service before it is introduced to the market. This ensures that all potential fraud risks are identified and mitigated before launch.

In addition to fraud risk assessments and controls and “anti-fraud by design”, fintechs can train employees in fraud prevention, foster collaboration with industry peers, and leverage technology such as AI-powered systems to improve detection and response capabilities.

THE SUMSUBER: Supposing some fintechs are already using some of these tactics, can you share examples of African companies or initiatives that are making real progress in fraud detection or prevention?

CORRADINO CORRADI: I’m familiar with the activities done by my colleagues in the MTN Revenue Assurance and Anti-fraud team, and I truly believe they are doing a great job minimizing the FaaS risks.

In general, I like to mention the Africa Fraud and Security Group (AFASG), which is a specific GSMA working group dedicated to dealing with critical fraud and security issues for the telecommunications industry in Africa.

AFASG includes major telecommunications groups in Africa, such as MTN, Orange, Airtel, Vodafone/Vodacom, in addition to other individual mobile operators and Associate Members, such as technology vendors Ericsson and Huawei.

Of course, these efforts can only go so far without strong, consistent customer verification and monitoring.

THE SUMSUBER: So, how important is good KYC/AML in preventing fraud at scale, and where do you believe most firms fall short?

CORRADINO CORRADI: Good Know Your Customer (KYC) and Anti-Money Laundering (AML) practices are crucial in preventing fraud at scale. These practices help financial institutions verify their customers’ identities, understand the nature of their transactions, and detect suspicious activities that could indicate fraud or money laundering.

Unfortunately, many companies (not only in Africa) still rely on outdated technology, implement inadequate verification processes, or fail to continuously monitor customer transactions and activities; by addressing these shortcomings and implementing robust KYC/AML measures, firms can significantly enhance their ability to prevent fraud and protect their customers.

Good KYC/AML makes fraud prevention activity more effective, improves customer trust, and facilitates regulatory compliance.

THE SUMSUBER: Having KYC/AML in mind, do you have anything like collaborative fraud intelligence or shared blacklists emerging in the region?

CORRADINO CORRADI: I believe information sharing is essential for the protection of the mobile ecosystem and the advancement of cybersecurity for the telecommunication sector.​

The GSMA Telecommunication Information Sharing and Analysis Center (T-ISAC) is the central hub of information sharing for the Telecommunication Industry.​

AFASG actively promotes the use of T-ISAC and the collaboration of the Telco operators part of the African group. Still, fraud techniques are evolving rapidly, which raises the question of what’s coming next.

Looking ahead: From defence to resilience

THE SUMSUBER: Let’s discuss the possible future outcomes for this situation. Where do you see this trend going—what’s the next phase of FaaS in Africa?

CORRADINO CORRADI: The next phase of Fraud-as-a-Service in Africa will likely involve even more sophisticated techniques, including the use of AI and machine learning to automate and enhance fraud operations. Cybercriminals will continue to collaborate and share hacking tools and information, making their schemes more effective and harder to detect. Additionally, financial institutions and telecom sectors will remain primary targets, necessitating continuous vigilance and adaptation from organizations (anti-fraud people, processes, and technologies) to mitigate the impact.

THE SUMSUBER: And if you could redesign Africa’s fraud prevention ecosystem from scratch, what would be your top priority?

CORRADINO CORRADI: Given the fragmented regulatory landscape across the continent, redesigning Africa’s fraud prevention ecosystem from scratch might not be the most practical approach.

In my opinion, it makes more sense to focus on harmonizing the existing rules and regulations. This includes standardizing contracts with customers in the telecom sector, as well as aligning privacy and anti-fraud regulations. By working towards a unified framework, we can create a more cohesive and effective fraud prevention system that addresses the unique challenges faced by different regions in Africa.

THE SUMSUBER: A unified framework is a good potential way of preventing FaaS. Are there any global models that could inspire a more predictive, pan-African approach to fraud?

CORRADINO CORRADI: Models created in other regions hardly apply in Africa due to its unique characteristics, such as a young population and the large use of mobile financial services. Instead, it is important to share best practices and favour cooperation and information sharing, such as through the AFASG and T-ISAC. 

Additionally, it’s super important to foster public-private partnerships, such as those between telecom operators and police national cybercrime units, which can significantly enhance the effectiveness of fraud prevention and detection efforts. While that’s the ideal for Africa, it’s worth asking whether models from other parts of the world could be adapted here.

THE SUMSUBER: Thank you for your valuable insights into FaaS and regulations around the African continent, Corradino. Lastly: what message would you send to regulators, founders, and compliance teams trying to stay ahead of this threat?

CORRADINO CORRADI: The key to staying ahead of the rising threat of Fraud-as-a-Service lies in fostering cooperation across sectors and among public and private actors within the anti-fraud ecosystem. By working together, sharing information, and developing unified risk mitigation strategies (e.g., between cybersecurity and revenue assurance/fraud management), we can effectively counter the growing number and sophistication of FaaS attacks, especially in Africa.