
Poor Data Privacy: How online scams, unsolicited ads score Nigeria’s digital economy low

vanguardngr.com

Friday, February 6, 2026


By Juliet Umeh

On a quiet Sunday morning, January 6, 2026, Lagos-based musician Kingsley Samuel was scrolling through WhatsApp when a notification from an unfamiliar number popped up.

“The message had been forwarded and carried the kind of promise many unemployed or under-employed Nigerians have learned to pause over, but not entirely ignore,” Samuel told Vanguard.

According to him, the message read: “Hello, I’m the recruitment manager at Jumia. We are hiring for our team. You will be required to work remotely for 30 to 60 minutes daily and earn between N100,000 and N200,000 as daily salary.”

It went on to say: “If you are interested in this part-time position, please click the WhatsApp link below to add a customer service manager and apply,” with an arrow directing him to where to click.

“I never applied for any job. I didn’t submit my CV anywhere. So, I asked how he got my number,” Samuel said. He added that the sender offered only a vague response – “Slim” – before the conversation abruptly went silent minutes later.

What appeared to be a routine spam message reflects a deeper data-protection impact failure within Nigeria’s digital economy, one where personal phone numbers circulate freely across platforms, vendors, and third-party systems without consent, transparency, or accountability.

A pattern of unlawful data processing

Across Nigeria, unsolicited job offers, fake loan messages, spam calls, robocalls, and aggressive short message service, SMS, marketing now flood phones daily. Many recipients report that these messages appear shortly after SIM registration, bank transactions, POS usage, or app downloads, suggesting systemic weaknesses in lawful processing, purpose limitation, and data minimisation, as required under the Nigeria Data Protection Act, NDPA, 2023.

For such people, the question is no longer whether their data has been accessed, but how far it has travelled beyond its original purpose.

A familiar scam, a familiar trail

“On June 13, 2025, at exactly 7:35 p.m., I received a simple ‘hi’ on my WhatsApp from a number I didn’t recognise,” said Mary Okeke, a Lagos-based hairstylist.

“There was no profile photo, no mutual contact, nothing to suggest who the person was.”

Okeke said curiosity made her respond, suspecting it might be someone she knew. “A few minutes later, the person introduced herself as Adebimpe Balogun and claimed she was calling from Temu Online Shopping Mall,” she recounted.

“She said they were recruiting and offered me a work-from-home job as an ‘Online Coordinator’, promising daily earnings of between N80,000 and N150,000.”

According to her, the sender repeatedly emphasised that no upfront payment was required, a reassurance often used to lower suspicion in online recruitment scams.

“The promises were big, the details were vague, and everything felt rushed,” Okeke recalled. Sensing danger, she said that she blocked the number.

Bayo Bankole, a 25-year-old university student, described a similar encounter. This time, the sender said they were recruiting for iTradeNest Online Shopping Mall and promised him N100,000 to N200,000 daily for simple tasks like taking screenshots of products.

“They told me I would earn N1,500 for browsing two products and could make up to N200,000 daily,” he said. “Then they asked me to move the conversation to Telegram. I had to disengage and block the person,” Bankole said.

Lagos residents Rachel Nwankwo and Ken Ikeh shared nearly identical experiences. The messages were polite, personalised, and professionally written, preying on Nigeria’s rising demand for remote work in a struggling economy.

When privacy failure leads to financial harm

For Julie Maduka, unemployed for nearly a year, the cost of data misuse was not theoretical. After responding to what appeared to be a legitimate offer to work from home, she was asked to pay a one-time “registration fee” of N80,000.

“I was so happy when the message came. Even my aged mother was happy, thinking God had answered our prayers,” Maduka told Vanguard. “He told me I would be put in charge of a team.”

She said she was later asked to pay a one-time “registration fee” of N80,000, which she did. Moments after making the payment, she realised she could no longer reach the sender.

“I suspected he had blocked me,” she said. “I just sat there staring at my phone. That money was all I had left.”

For many Nigerians, such scams do more than drain finances; they erode trust in digital platforms, leaving victims wary of even legitimate opportunities.

Loan apps and weaponised phone numbers

Nigeria’s digital lending sector has become one of the most visible examples of data-protection impact failure. 

Since 2023, multiple media reports documented how some digital loan apps were using phone numbers as tools of intimidation during debt recovery. Borrowers reported receiving threatening messages, not just personally, but sent to friends, family members, and colleagues whose numbers were harvested from contact lists.

One widely circulated message read: “Our agents have been calling and yet payment has not been made. Make a transfer now…” Others threatened to label borrowers and their relatives as criminals. These were coercive debt-recovery tactics, enabled by unauthorised access to private contact data.

An Abia-based pastor with the United Church of Christ, UCC, Mr. Innocent Offor, told Vanguard how he became an unexpected target of harassment by a digital loan app over a debt he never incurred.

Offor said the loan company repeatedly contacted him, demanding repayment of N100,000 that they claimed was owed by a former church member who had once been in the chorister group before relocating. 

“How they got my number is still a mystery to me. I kept receiving dozens of calls and text messages every day,” Offor recounted. “They were branding [the church member] a fraudster and insisting that I pressure him to pay.”

According to the cleric, he had no direct relationship with the loan app and did not guarantee or co-sign any loan. Yet his phone number appeared to be in the lender’s possession, raising concerns about how his personal contact details were obtained.

“What shocked me most was that they spoke as if I was responsible for the debt,” he said. “They didn’t care that I am a pastor or that I never borrowed any money from them.”

Offor’s experience mirrors the pattern in which loan apps harvest contact lists and emergency numbers, then spam relatives, friends, and associates of borrowers in aggressive debt-recovery campaigns, often without consent.

Bulk loan offers and the data trail

A Vanguard investigation of February 3, 2024, into Lagos-based lender Lucky Finance revealed a more industrialised data-exploitation mode.

Victims alleged the company got access to phone numbers in bulk and sent unsolicited SMS messages urging recipients to apply for short-term loans repayable within seven days. Clicking the links reportedly redirected users to a mobile app that harvested sensitive personal data, including Bank Verification Number, BVN, details, bank information, emergency contacts, call logs, SMS records, and phone contact lists.

Defaulters were publicly shamed, while relatives and contacts with no contractual link were targeted. Victims said the company allegedly used data extracted from their phones to smear them on social media, falsely labelling defaulters as criminals, fraudsters, or even HIV carriers.

Vanguard further reported concerns about the company’s regulatory status, including how it registered and deployed dozens of SIM cards daily, and whether it complied with Nigeria’s data-protection and consumer-protection laws. Despite its registration with the Federal Competition and Consumer Protection Commission, FCCPC, the company’s practices allegedly contradicted its stated policies.

Such practices illustrate what regulators describe as a systemic DPI breakdown, where multiple actors across telecoms, app ecosystems, and financial services process personal data without coordinated risk assessment or accountability.

A rare court victory

One such issue eventually reached Nigeria’s courts. On December 20, 2024, the Court of Appeal ordered MTN Nigeria to pay N15 million in damages to subscriber Anene Ezugwu, who alleged that he received over 244 unsolicited text messages for services he did not subscribe to.

According to a Vanguard report, the three-member panel of justices unanimously ruled that the unsolicited messages and airtime deductions were fraudulent and violated subscribers’ right to privacy under Section 37 of the 1999 Constitution, as well as Regulation 28 of the Consumer Code of Practice Regulations.

The bigger picture: A leaking digital economy

Beyond individual stories, evidence from Nigeria underscores the scale and persistence of unsolicited digital messaging and harassment. In 2025 alone, one of the major telecommunications service operators said it flagged over 9.6 million spam SMS within just two months. Phishing and bulk unsolicited messaging were ranked among the top industry risks by the Nigerian Communications Commission, NCC, in 2023.

Regulatory responses from the NCC and FCCPC in 2023 and 2025 demonstrate sustained efforts to address number harvesting and harassment by digital loan apps, even though exact complaint totals are not publicly released. 

According to the Nigeria Data Protection Commission’s, NDPC, 2023 Annual Report, as reported by Vanguard on March 29, 2024, the regulator was investigating more than 400 cases of privacy breaches involving digital lenders and had received over 1,000 data breach complaints since the law came into effect.

In 2025, the NDPC stated that it handles an average of nearly three new loan shark privacy complaints daily, while the FCCPC reported that 492 digital loan apps had registered under new lending regulations by October 2025 to avoid potential penalties.

Cybersecurity expert insights

Cybersecurity technologist Gbemisola Esho said the first line of defence against digital threats is mindset.

“Scammers consistently gain access to phone numbers and personal details through interactions with third parties, vendors, or malicious app downloads.”

She said: “In the cyber world, understanding that networks and computers are interconnected is critical, because even if a system appears ‘fully secure’, which is often a fallacy, other connected networks may have vulnerabilities that threat actors can exploit.”

Esho noted that vulnerabilities exist in almost every system, and that while organisations and cybersecurity experts deploy new tools and expertise, threat actors are also evolving.

“The responsibility of defenders is to continuously track these vulnerabilities, mitigate them as quickly as possible, put guardrails in place, and secure systems effectively,” she said. “Data breaches and weak infrastructure further amplify these threats. Technology alone cannot solve the problem; people and awareness are equally critical.”

She commended the Nigeria Data Protection Commission, NDPC, for increased enforcement, citing its ongoing privacy-breach case against Meta (Facebook) as evidence of regulatory responsiveness.

Another cybersecurity expert and Managing Director of Havosoft International Limited, Rock Adote, said Nigeria is still playing catch-up in data-protection compliance, noting that technology has evolved far beyond the models on which the country’s original compliance frameworks were built.

“People are uploading entire company datasets, including staff records, into AI platforms hosted on foreign servers without realising that this alone constitutes a breach of the Nigeria Data Protection Act,” he said.

Adote added that granting apps unrestricted access to contacts, messages, and location data on corporate-issued devices effectively exports sensitive Nigerian data to foreign servers.

“Phishing is no longer basic. Artificial intelligence has increased the scale and complexity of attacks, making detection far more difficult. WhatsApp is one of the worst channels for phishing because users cannot easily preview links the way they can with emails. These scams follow predictable scripts, inflated earnings, fake job roles, and urgent instructions, yet they remain effective because trust in digital platforms is already fragile,” he explained.

Both experts agreed that stronger enforcement, improved organisational compliance, and sustained public cybersecurity awareness are critical to curbing the growing abuse of Nigerians’ personal data.

Regulators react – but gaps remain

The NCC, on September 7–8, 2023, publicly warned loan apps and telemarketers against illegally accessing subscribers’ phone numbers, threatening prosecution for violations while promoting the Do-Not-Disturb, DND, code 2442 to block unsolicited messages. 

The CBN followed on May 12, 2025, cautioning Nigerians against unsolicited SMS and WhatsApp messages falsely claiming to represent CBN loans, grants, or intervention funds. Meanwhile, the NDPC has ramped up engagement and investigations, hosting the Network of African Data Protection Authorities, NADPA, conference in April 2025 to reinforce compliance and best practices.

Yet enforcement remains slow, leaving a thriving underground data market where phone numbers and personal information continue to be harvested, traded, and exploited without consent.

Davidson Oturu, lawyer and General Partner at Nubia Capital, warned that the rising wave of unsolicited loan messages, spam calls, and harassment constitutes a clear violation of the Nigeria Data Protection Act, NDPA, 2023 and the constitutional right to privacy.

“Unsolicited loan SMS, spam calls and harassment of people who never requested loans typically violate key provisions of the Nigeria Data Protection Act,” he said. “Personal data must be processed lawfully, fairly and transparently. Using someone’s phone number for loan marketing or debt recovery without consent has no lawful basis under the law.”

He added: “The law is very clear on purpose limitation. Data collected for one purpose, such as registering for a service, cannot later be used for unsolicited marketing or debt recovery. When people are harassed based on inaccurate or outdated information, it also reflects a failure to uphold data accuracy and minimisation principles.”

Oturu noted that NDPC enforcement actions include the N766 million fine imposed on Multichoice Nigeria and ongoing investigations into over 400 privacy breaches linked to digital loan apps. He further said victims could seek civil redress under Sections 24 to 34 of the NDPA.

The trust deficit

At the heart of Nigeria’s digital transformation lies a trust problem: If Nigerians cannot trust that their data is safe, can the country truly build a secure digital economy?

SIM-NIN integration, digital IDs, mobile money, and public digital infrastructure all rely on citizens believing their data will be protected. 

But as unsolicited messages, loan harassment, and phishing schemes multiply, that trust continues to erode. Until organisations are required to conduct meaningful Data Protection Impact Assessments, enforce consent, and treat personal data as a constitutional right rather than a commodity, Nigeria’s digital economy will remain powerful and dangerously porous.

*This report is supported by the DPI Africa Journalism Fellowship Programme of the Media Foundation for West Africa and Co-Develop
