The Central Bank of Nigeria issued an April 21, 2026 alert warning the public about fraudulent messages, emails, and online communications impersonating the apex bank. The phishing campaign spreads false information about CBN leadership, licensing processes, and policy decisions while attempting to harvest personal account credentials through malicious links.
CBN Acting Director of Corporate Communications Hakama Sidi Ali stated the fraudulent messages are designed to “misinform members of the public” and “hack personal accounts.” The bank emphasized its official website remains www.cbn.gov.ng and advised Nigerians to verify all CBN communications through official channels and recognized media outlets.
Timing Suggests Exploitation of Recent Breach Climate
The phishing alert arrives weeks after Nigeria experienced its largest documented data breach. In March 2026, threat actor ByteToBreach published over 3 terabytes of sensitive data from 30+ Nigerian organizations including government agencies, banks, and telecommunications providers. The breach exposed customer records, internal communications, and system credentials across entities like Remita, Sterling Bank, the Nigeria Police Force, and multiple state governments.
The Nigeria Data Protection Commission formally announced investigations into Remita and Sterling Bank on March 18, 2026 — days after ByteToBreach’s publication but weeks after security researchers first discovered the exposure. The timing gap created a window where fraudsters could weaponize leaked credentials and contact information to craft convincing phishing messages targeting Nigerians already concerned about financial security.
Phishing campaigns frequently spike following major data breaches as attackers leverage leaked information to build credible social engineering attacks. The CBN impersonation scheme likely exploits public anxiety about banking system integrity, making recipients more susceptible to clicking suspicious links or sharing credentials when messages appear to come from the regulatory authority itself.
CBN Cybersecurity Push Intensifies
The phishing warning forms part of a broader CBN cybersecurity offensive launched in early 2026. On January 21, Deputy Governor Philip Ikeazor directed banks to reduce fraud response times to under 30 minutes during the Nigeria Electronic-Fraud Forum technical session. The directive accompanied new ISO 20022 implementation requirements and identity management protocols designed to shrink fraud losses across the financial system.
On April 20, one day before the phishing alert, CBN Governor Olayemi Cardoso and Nigerian Communications Commission leadership signed a Memorandum of Understanding to combat electronic fraud and reinforce payment system integrity. The agreement establishes joint committees on payment systems, consumer protection, and the Telecom Identity Risk Management Portal, creating a regulatory framework linking telecom and financial infrastructure against fraud.
The CBN also announced new Bank Verification Number guidelines, effective May 1, 2026, aimed at reducing mobile banking fraud. The tightened BVN rules limit mobile app usage and strengthen account security protocols, acknowledging that mobile channels have become primary vectors for fraudulent activity as digital banking adoption accelerates.
What Nigerians Should Do
The CBN advisory provides three specific recommendations. First, refrain from clicking links or sharing personal information on suspicious websites. Second, verify the authenticity of all CBN communications through the official website and recognized media outlets. Third, report any suspected fraudulent sites, emails, or messages to law enforcement authorities.
The bank emphasized it does not request personal or financial information through unofficial channels. Any communication asking for credentials, passwords, account numbers, or BVN details should be treated as fraudulent regardless of how official the messaging appears.
For Nigerians who may have already interacted with phishing messages, security best practices include immediately updating passwords, enabling two-factor authentication on all financial accounts, and reporting compromised information to their bank and to authorities including the Economic and Financial Crimes Commission, the Department of State Services, and the Nigeria Police Force.
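For mail gateways or help desks that triage reported messages, the advisory's second recommendation (check links against the official website) can be automated. The sketch below is an added example, not code from the CBN or from this article. It assumes that subdomains of cbn.gov.ng count as official and that only HTTPS links are accepted, and every sample link is constructed.

```python
import re
from urllib.parse import urlsplit

OFFICIAL_DOMAIN = "cbn.gov.ng"  # the advisory names www.cbn.gov.ng as the official site


def classify_link(url: str) -> str:
    """Classify a link found in a message that claims to come from the CBN."""
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").rstrip(".")  # lowercased, port/userinfo removed
        has_userinfo = parts.username is not None
    except ValueError:
        return "unparseable"
    if parts.scheme != "https":  # assumption: only HTTPS links are accepted
        return "not-https"
    if has_userinfo:  # text before '@' is never the host, whatever it looks like
        return "embedded-userinfo"
    if not host:
        return "unparseable"
    # Non-ASCII or punycode labels can render identically to the real name.
    if not host.isascii() or any(p.startswith("xn--") for p in host.split(".")):
        return "idn-lookalike"
    # Exact match or a true subdomain (assumption: subdomains are official).
    # The leading dot is what rejects a host such as 'notcbn.gov.ng'.
    if host == OFFICIAL_DOMAIN or host.endswith("." + OFFICIAL_DOMAIN):
        return "official"
    # Official name reused as a prefix of another domain or with swapped separators.
    if "cbngov" in re.sub(r"[^a-z0-9]", "", host):
        return "lookalike"
    return "unrelated"


# Constructed sample links; impersonating hosts use the reserved .example TLD.
SAMPLES = [
    "https://www.cbn.gov.ng/notice.pdf",
    "https://www.cbn.gov.ng.account-verify.example/login",
    "https://www.cbn.gov.ng@portal.example/",
    "https://cbn-gov-ng.example/",
    "https://notcbn.gov.ng/",
    "http://www.cbn.gov.ng/",
]


def triage(urls):
    """Map each URL to its classification so reviewers can sort a batch."""
    return {u: classify_link(u) for u in urls}


if __name__ == "__main__":
    for link, verdict in triage(SAMPLES).items():
        print(f"{verdict:18} {link}")
```

Only the `official` verdict means the link points at the domain named in the advisory; it says nothing about whether the surrounding message is genuine.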
The Broader Context: Nigeria’s Digital Security Crisis
The phishing campaign operates against a backdrop of systemic cybersecurity failures across Nigerian institutions. The ByteToBreach breach exposed fundamental security gaps in organizations handling millions of customer records. The NDPC’s delayed response to the March incident, investigating weeks after public disclosure, revealed regulatory enforcement challenges in a rapidly digitizing economy.
Nigeria’s draft National AI Regulation Framework acknowledges the security dimension of emerging technology but focuses primarily on governance rather than hardening existing infrastructure. The Remita and Sterling Bank investigations demonstrate that even established financial institutions struggle with basic data protection, creating vulnerabilities fraudsters actively exploit.
The CBN’s statement that it “remains fully committed to safeguarding the Nigerian financial system” and will “continue to strengthen its cybersecurity frameworks in collaboration with relevant agencies” represents intent but not yet demonstrable capability. The phishing campaign proves attackers view Nigerian targets as high-value, low-resistance opportunities. Until fundamental security hygiene improves across banks, telecoms, and government agencies, warnings about individual phishing messages address symptoms while the underlying exposure persists.
The question isn’t whether Nigerians should be cautious about clicking suspicious links—that’s obvious. The question is whether the institutions holding their data can prevent that data from fueling the next social engineering campaign before the CBN needs to issue another warning.


