On getting phished before sunrise

Michael Irene

The first time Ngozi was phished, it didn’t feel like being robbed. It felt like being tricked by someone who knew her well — like a cousin who remembers how she wears her hair to church and which name she uses for online banking. The message had come at 6:47 a.m., when her body was awake but her brain was still swimming in dream fragments. Something about a Zenith Bank token expiring. She tapped. She didn’t think.

Lagos was loud already. The generators had started their usual morning chorus. Her driver was honking outside. The smell of fried plantain from the compound next door floated through the window. By the time she made it to the office, her company’s accounts were bleeding. One of her developers noticed a strange email she’d never sent. The attacker had been inside her inbox, rifling through investor memos and salary spreadsheets. Quietly. Politely. Like a guest invited in.

It was later, in the panic of trying to undo everything, that she learned the term — Phishing-as-a-Service. Like Uber, like Netflix. But for crime. You don’t need to know how to code. You don’t even need to be clever. You just subscribe. Choose your target. Pick a fake login page: GTBank, Paystack, even NEPA. And send it. No typos. No red flags. Just business.

The thing that frightened Ngozi most wasn’t how advanced the platform was. It was how ordinary. Sleek interface. Real-time dashboards. Technical support. The person who hacked her probably did it while eating Agege bread and watching Big Brother. It was not personal. It was transactional. Efficient.

She thought of how many people she knew who still thought phishing meant a poorly-spelled email from a fake prince in Benin. We are too trusting in Nigeria, she thought. Or maybe not too trusting, just too busy. We move fast. We click fast. There is always another meeting, another client, another hustle.

Her company wasn’t big — just fifteen people, most under thirty, ambitious and always tired. They built payments infrastructure for small merchants. They’d been growing fast. One week they were fixing POS errors for kiosks in Enugu, the next they were in a virtual meeting with an angel investor in London who kept saying “lovely” and “brilliant” like commas.

After the breach, everything slowed down. Clients asked questions. Partners delayed contracts. The NDPC sent a letter full of official language and subtle threats. But the worst part, truly, was the sense of shame. That feeling that she’d let everyone down by not being paranoid enough.

She made changes. The kind that cost money and time. Hired a consultant. Ran fake phishing tests. Introduced rules — no more clicking links in WhatsApp. They installed firewalls. Started logging who accessed what, when. It felt, at times, like putting bars on the windows of a house she once thought too small to rob.

But something else changed, too. She started talking. At conferences. At meetups. On LinkedIn. “Cybersecurity is not about paranoia,” she told a room of founders in Yaba, “it’s about hygiene.” Like washing your hands after okra. Like locking your car even when you’re only popping in to buy plantain.

There’s something about being breached that reshapes how you see the internet. What used to be convenient starts to feel exposed. Autofill. Cloud backup. Shared calendars. You begin to question everything you once trusted. And the worst part is, you can’t unknow it. You carry the breach with you, quietly, like a bruise under your clothes.

What she didn’t say — what she sometimes still struggled with late at night, staring at her inbox — was how much the attack reminded her that no system is truly safe. That all it takes is one tired click. That the face of the criminal might be a mirror.

Because phishing is no longer a hacker in a hoodie. It’s a dashboard. It’s a button. It’s a service. And in this Nigeria — this fast, digital, connected Nigeria — it is thriving. Not because we are gullible, but because we are human. And busy. And always trying to do too much, too fast, on too little sleep.

 

  • business a.m. commits to publishing a diversity of views, opinions and comments. It, therefore, welcomes your reaction to this and any of our articles via email: comment@businessamlive.com 