Cybersecurity researchers warn that Nigerian organisations are facing a rising wave of targeted email scams where attackers impersonate top executives to defraud companies through fake invoices.
Kaspersky, a global cybersecurity firm, says it has uncovered a series of sophisticated Business Email Compromise (BEC) attacks aimed at finance departments of organisations across various countries, including Nigeria. The attackers forge executive identities—often posing as Chief Executive Officers (CEOs)—to trick staff into authorising fraudulent payments for supposed consulting services.
The emails, which appear to be part of a genuine thread between a company’s CEO and an external contractor, are in fact carefully crafted fakes. In many cases, no actual attachments are included—just a deceptive sense of urgency demanding immediate payment, according to cybersecurity analysts at Kaspersky.

“The attackers manipulate trust by mimicking internal communication patterns and creating realistic scenarios,” Anna Lazaricheva, a spam analyst at Kaspersky, says. “They rely on the assumption that employees won’t question instructions from leadership.”
Sophisticated impersonation
In the cases analysed, the sender addresses were cleverly disguised. Although the emails displayed names resembling the CEOs or legitimate law firms, the underlying email addresses were unrelated, often changing with each attempt. This sleight of hand is intended to bypass spam filters and exploit the natural deference employees have toward senior management.
One scenario involved forged communication between the company CEO and an external legal partner, urging the finance team to settle a fabricated invoice. In another, the attacker simply referenced an urgent bill—without even attaching it—banking on employees’ fear of delaying a request from the boss.

Why this matters for Nigerian businesses
Nigeria, like other emerging markets embracing digital transformation, faces growing cyber threats as more businesses migrate operations online. The uptick in such executive impersonation scams underscores the vulnerability of companies, especially where internal controls or cybersecurity awareness are weak.
These attacks not only risk financial losses but also damage reputations and erode internal trust. For local businesses in Lagos and beyond, it is a call to strengthen email security systems and embed cybersecurity education across all levels of staff.
How to stay safe
Kaspersky recommends several best practices to defend against BEC and similar threats:
- Always verify sender addresses, not just the displayed names in email headers.
- Do not click links or open emails from unknown or unverified sources.
- Confirm unusual requests through a different channel, such as a phone call or internal messaging.
- Examine website URLs carefully—look for subtle changes that may indicate phishing.
- Invest in trusted cybersecurity tools, such as Kaspersky Next or Kaspersky Premium.
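The first recommendation, checking the address behind the displayed name, can be automated for a short list of protected senders such as the CEO and outside law firms. The Python below is an added example, not code from Kaspersky or from the original article; every name, address and `.test` domain in it is constructed for illustration.

```python
import re
import unicodedata
from email.utils import parseaddr

# Constructed sample data: names, addresses and domains are hypothetical.
KNOWN_SENDERS = {
    "Adaeze Okonkwo": {"adaeze.okonkwo@example-corp.test"},   # CEO
    "Harbour Legal LLP": {"accounts@harbour-legal.test"},     # external law firm
}

def name_tokens(name):
    """Casefold, drop accents and punctuation, return the set of word tokens."""
    decomposed = unicodedata.normalize("NFKD", name)
    plain = "".join(c for c in decomposed if not unicodedata.combining(c))
    return set(re.findall(r"[a-z0-9]+", plain.casefold()))

def check_from(header_value):
    """Classify one From header as 'ok', 'impersonation' or 'no_match'."""
    display, address = parseaddr(header_value)
    address = address.lower()
    shown = name_tokens(display)
    for known_name, allowed in KNOWN_SENDERS.items():
        # Match when every word of the protected name appears in the display
        # name, so reordering or an added title ("CEO") does not evade it.
        if name_tokens(known_name) <= shown:
            if address in allowed:
                return "ok", known_name
            return "impersonation", known_name
    return "no_match", None

# Constructed From headers for demonstration.
SAMPLES = [
    '"Adaeze Okonkwo" <adaeze.okonkwo@example-corp.test>',
    '"Adaeze Okonkwo" <office7731@freemail.test>',
    '"OKONKWO Adaeze CEO" <pay@consult-billing.test>',
    '"Harbour Legal LLP" <harbourlegal@webmail.test>',
    '"Vendor Newsletter" <news@vendor.test>',
]

if __name__ == "__main__":
    for raw in SAMPLES:
        verdict, who = check_from(raw)
        print(f"{verdict:13} {who or '-':18} {raw}")
```

An "ok" verdict only means the displayed name and the address are a known pair; whether the address itself is authentic is a separate question answered by SPF, DKIM and DMARC results.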
The cybersecurity company urges Nigerian firms to adopt a proactive cybersecurity culture. “The sophistication of these scams shows that email security is no longer a back-office issue—it’s a boardroom priority,” Lazaricheva adds.