We have seen this scenario play out multiple times in Abuja: a business owner forwards us an email asking "is this real?" — and it isn't. By then, an employee has already clicked the link or entered their password. The attackers got in, and the damage is done.

Understanding exactly how these attacks work is the first step to stopping them. This isn't theoretical — these are the exact techniques being used against Nigerian businesses right now.

What Is Phishing?

Phishing is when an attacker sends a fake email designed to look like it came from a trusted source — your bank, a government agency, a supplier, or even your own boss — to trick you or your employee into giving up a password, clicking a malware link, or transferring money.

The name comes from "fishing" — casting a net and seeing who bites. Unlike hacking, it doesn't require technical skill. It requires only that one person in your organisation makes a mistake under pressure.

The 4 Types of Phishing Attacks Hitting Nigerian Businesses

1. Bank impersonation: Fake emails from "GTBank", "Access Bank", or "Zenith Bank" claiming your account has been flagged, your BVN needs verification, or a transaction requires confirmation. The link takes you to a near-perfect fake banking page.

2. Supplier impersonation (the most dangerous): Attackers research your business, find out who your regular suppliers are (often from LinkedIn or your website), then send emails pretending to be that supplier — telling you their account details have changed and asking you to pay your next invoice to a new account. Thousands of Nigerian businesses have lost money this way.

3. Internal impersonation (CEO fraud): Fake emails appearing to come from your CEO or MD, sent to the accounts department, requesting an urgent bank transfer. The "From" address looks correct at a glance but is slightly different — e.g. ceo@gtarsenalsnigeria.com instead of ceo@gtarsenals.com.

4. Government impersonation: Fake FIRS (Federal Inland Revenue Service), CAC, or EFCC emails claiming you owe taxes, your registration has lapsed, or there's an investigation into your business. Designed to trigger panic so you act without thinking.

What a Real Phishing Email Looks Like

Notice: The sender domain is gtbank-secure-alert.com — not gtbank.com. The link goes to a fake domain. The urgency pressure ("24 hours", "permanent restriction") is designed to stop you thinking carefully.

⚠️ Red flag: Any email that creates extreme urgency — "act within 24 hours", "account will be closed", "immediate action required" — is almost certainly designed to prevent you from thinking carefully. Slow down. Verify the sender domain. Call the company directly using a number you already know.
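The two checks the post keeps returning to, the "From" domain that is almost right (ceo@gtarsenalsnigeria.com in the CEO-fraud example) and a sender domain that merely contains a bank's name (gtbank-secure-alert.com in the alert example), can be automated. The script below is an added example, not code from this post or from GT Arsenals: it reads a From header, reduces the address to its registered domain (with a small hand-made list of Nigerian .com.ng-style suffixes, rather than the full Public Suffix List) and compares it against an allowlist. gtbank.com and gtarsenals.com are the domains the post names; abujasupplies.com.ng and the sample headers are constructed for the example.

```python
from email.utils import parseaddr

# Constructed allowlist for this example: the domains the business actually deals with.
# gtbank.com and gtarsenals.com are named in the post; abujasupplies.com.ng is a made-up
# supplier domain included to show how a .com.ng address is handled.
TRUSTED_DOMAINS = {"gtbank.com", "gtarsenals.com", "abujasupplies.com.ng"}

# Brand words taken from the trusted domains. A sender that uses one of these words in
# its domain or display name without being on the allowlist is treated as a lookalike.
BRAND_WORDS = {"gtbank", "gtarsenals", "abujasupplies"}

# Nigerian second-level suffixes, so "abujasupplies.com.ng" is not reduced to "com.ng".
# Hand-made subset (assumption); a production tool would use the full Public Suffix List.
MULTI_LABEL_SUFFIXES = {"com.ng", "org.ng", "gov.ng", "edu.ng", "net.ng"}


def registered_domain(host):
    """Reduce a mail host to the part a registrar sold, e.g. mail.gtbank.com -> gtbank.com."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def classify_sender(from_header):
    """Return (verdict, detail) for a From: header value.

    verdict is one of "trusted", "lookalike", "unknown" or "suspicious".
    """
    display, address = parseaddr(from_header)
    if "@" not in address:
        return ("suspicious", "no valid address in From header")

    domain = registered_domain(address.rsplit("@", 1)[1])
    if domain in TRUSTED_DOMAINS:
        return ("trusted", domain)

    # Flatten separators so gtbank-secure-alert.com and gt.bank.com both reveal "gtbank".
    flat_domain = domain.replace("-", "").replace(".", "")
    flat_name = display.lower().replace(" ", "").replace("-", "")
    for brand in sorted(BRAND_WORDS):
        if brand in flat_domain:
            return ("lookalike", f"{domain} contains '{brand}' but is not a trusted domain")
        if brand in flat_name:
            return ("lookalike", f"display name '{display}' claims '{brand}' but the address is at {domain}")
    return ("unknown", domain)


if __name__ == "__main__":
    # Constructed sample headers, modelled on the patterns described in the post.
    samples = [
        "GTBank Alerts <alerts@gtbank-secure-alert.com>",
        "MD <ceo@gtarsenalsnigeria.com>",
        "MD <ceo@gtarsenals.com>",
        "Abuja Supplies Ltd <accounts@abujasupplies.com.ng>",
        "Abuja Supplies Ltd <accounts@abuja-supplies-ng.com>",
        "Abuja Supplies <billing@outlook.com>",
        "Unknown Vendor <info@somevendor.ng>",
    ]
    for header in samples:
        verdict, detail = classify_sender(header)
        print(f"{verdict:10} {header}  ({detail})")
```

A "lookalike" verdict is the one to act on: it means the message borrows a name your staff recognise while coming from a domain you have never dealt with, which is exactly the supplier and CEO impersonation pattern above. "Unknown" senders are not necessarily bad, but any payment instruction from them still goes through the phone-verification policy described later in the post.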

How to Check If an Email Is Fake

How to Protect Your Business

Set up email authentication (SPF, DKIM, DMARC): These DNS records let receiving mail services check whether a message that claims to come from your domain really was sent by a server you authorised, and tell them to reject it when it was not. If you don't have these set up, attackers can send emails that appear to come from your own email address. We configure these for businesses in Abuja.
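Having the records is not the same as having them set strongly: an SPF record that ends in "+all" lets anyone send as your domain, and a DMARC record with "p=none" only asks receivers to report forgeries, not to reject them. The script below is an added example, not part of this post or of GT Arsenals' service; it audits the two DNS-visible parts of the setup (SPF and DMARC; DKIM needs the selector and a signed message to check, so it is left out) against embedded, constructed records for a placeholder domain, showing the weak configuration beside the corrected one. In real use the two dictionaries would be replaced by TXT lookups of the domain and of _dmarc.<domain>.

```python
# Constructed example records (not real DNS answers) for a placeholder domain whose
# SPF and DMARC are configured weakly: SPF ends in "+all", which lets any sender pass,
# and DMARC says p=none, which only monitors. Keys are the DNS names that would be queried.
WEAK_RECORDS = {
    "example.com.ng": ["v=spf1 include:_spf.google.com +all"],
    "_dmarc.example.com.ng": ["v=DMARC1; p=none; rua=mailto:dmarc@example.com.ng"],
}

# The corrected versions: SPF ends in "-all" (hard fail for unlisted senders) and DMARC
# is p=reject, so receivers drop mail that fails both SPF and DKIM alignment.
STRONG_RECORDS = {
    "example.com.ng": ["v=spf1 include:_spf.google.com -all"],
    "_dmarc.example.com.ng": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com.ng"],
}


def parse_dmarc(record):
    """Split 'v=DMARC1; p=reject; pct=50' into {'v': 'DMARC1', 'p': 'reject', 'pct': '50'}."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def audit_domain(domain, records):
    """Return a list of human-readable findings; an empty list means SPF and DMARC look strong."""
    findings = []

    spf = [r for r in records.get(domain, []) if r.lower().startswith("v=spf1")]
    if not spf:
        findings.append("no SPF record: any server can send as this domain")
    else:
        last = spf[0].split()[-1].lower()
        if last in ("+all", "?all"):
            findings.append(f"SPF ends in '{last}': every sender passes, equivalent to no SPF")
        elif last == "~all":
            findings.append("SPF ends in '~all' (softfail): forged mail is flagged, not rejected")
        if len(spf) > 1:
            findings.append("multiple SPF records: receivers treat this as a permanent error")

    dmarc = [r for r in records.get("_dmarc." + domain, []) if r.upper().startswith("V=DMARC1")]
    if not dmarc:
        findings.append("no DMARC record: receivers are not told to reject forged mail")
    else:
        tags = parse_dmarc(dmarc[0])
        policy = tags.get("p", "").lower()
        if policy == "none":
            findings.append("DMARC p=none: forged mail is reported but still delivered")
        elif policy == "quarantine":
            findings.append("DMARC p=quarantine: forged mail goes to spam; consider p=reject")
        elif policy != "reject":
            findings.append(f"DMARC policy '{policy}' is not valid; receivers may ignore the record")
        pct = tags.get("pct", "100")
        if pct != "100":
            findings.append(f"DMARC pct={pct}: policy is applied to only {pct}% of mail")
        if "rua" not in tags:
            findings.append("DMARC has no rua= address: you will receive no aggregate reports")

    return findings


if __name__ == "__main__":
    for label, records in (("weak", WEAK_RECORDS), ("strong", STRONG_RECORDS), ("missing", {})):
        print(f"== {label} ==")
        for finding in audit_domain("example.com.ng", records) or ["no findings"]:
            print("  -", finding)
```

The order of the fixes matters: move SPF to "-all" only after every legitimate sender (mail host, newsletter service, invoicing system) is listed, and move DMARC from p=none to p=reject only after the aggregate reports sent to the rua= address show no legitimate mail failing, otherwise your own invoices start being rejected along with the forgeries.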

Train your team: The weakest link in every business is human behaviour under pressure. Run a quarterly 30-minute session with your staff on recognising phishing. GT Arsenals offers this as part of our cybersecurity training program.

Implement a payment verification policy: Any request to change a supplier's bank account details must be verified by phone call using a stored number — never by replying to the email that requested the change. This single policy has saved more Nigerian businesses than any software solution.

Use two-factor authentication on all email accounts: Even if an attacker gets your email password, 2FA means they cannot log in without your phone. Enable this immediately on your business email.

💡 Free tool: Go to haveibeenpwned.com and enter your business email address. It will tell you if your email and password combination has been leaked in a known data breach — meaning attackers already have your credentials and may be trying to use them.