“Attackers exploit trust, not code”, Olawale Oladoja on fintech security

Nigerian fintech is moving fast. I mean, onboarding is frictionless, and transactions are instant. But underneath the speed, something critical is missing.

According to Olawale Oladoja, who has spent the last several years studying how digital platforms approach trust and security, most African fintech teams are building the wrong thing entirely.

“One of the biggest gaps I have observed in Nigerian fintech is that many teams speak about security primarily from a compliance perspective rather than from a trust architecture perspective,” Oladoja says.

“A lot of platforms focus heavily on passing regulatory requirements, implementing basic KYC, or adding visible security layers like OTP verification, but underneath that, many systems still lack mature behavioural security controls and proactive fraud intelligence mechanisms.”

The distinction matters. Compliance is a checkbox. Trust architecture is foundational. And the difference is already showing up in how platforms respond to real threats.

Read also: 1 phone, 1 bank app: Inside CBN’s device binding rule and what it means for Nigerian users

The security debt building quietly

The CBN’s device binding mandate, set to take effect in July, is forcing the conversation into the open. But Oladoja’s assessment is that most of the ecosystem isn’t ready.

“Larger institutions and more mature fintechs have already invested in device intelligence, fraud monitoring systems, and adaptive authentication workflows, so integrating device binding into their architecture is more of an operational transition,” he explains. “But many early-stage or fast-scaling fintechs are still carrying significant security debt.”

That debt looks specific. Weak device fingerprinting infrastructure, fragmented authentication systems, limited behavioural analytics, poor fraud telemetry visibility, and legacy onboarding architectures built entirely around speed rather than resilience.

“The real issue isn’t simply adding device binding,” Oladoja says. “It is whether organisations have the surrounding trust infrastructure necessary to make device intelligence meaningful. If a platform lacks strong anomaly detection, transaction risk scoring, or behavioural monitoring, device binding alone becomes only a partial control rather than a comprehensive fraud mitigation layer.”

The founders who have been reactive about security (implementing controls only when regulators demand them) are now facing a reckoning. The ones who built trust architecture early are simply moving to the next layer.

The invisible emerging threat

AI-assisted fraud isn’t a future problem in Nigeria. It’s already happening. What keeps it from feeling urgent is that it hasn’t scaled catastrophically yet.

“I would describe it as rapidly emerging rather than fully mature at scale but the trajectory is very clear,” Oladoja says. “We are already seeing increasingly sophisticated scam operations leveraging automation, social engineering psychology, and AI-enhanced content generation across fintech and creator ecosystems.”

In fintech specifically, the mechanics are straightforward. Attackers are getting better at creating highly convincing phishing workflows, fake customer support interactions, cloned interfaces, and impersonation campaigns. AI significantly lowers the barrier to doing this at volume.

The danger is the scalability, not the sophistication.

“Deepfake fraud in Nigeria is still in its relatively early stages compared to some global markets, but the infrastructure enabling it is becoming more accessible,” Oladoja observes. “The concern is less about isolated deepfake incidents today and more about how scalable these attacks could become over the next few years as AI tooling becomes cheaper and easier to deploy.”

Where trust actually breaks: The Creator Economy

But Oladoja’s most grounded observations come from direct engagement with creator communities, that is, the place where trust erosion happens fastest and most visibly.

Through TikTok Live discussions and fraud awareness sessions, he has watched account compromise play out at scale. What struck him most wasn’t the technical sophistication of the attacks. It was how they exploited human trust.

“I have observed situations where scammers impersonated creators or platform representatives using highly convincing social engineering tactics to gain account access or financial information from followers,” he says. “In many cases, victims trusted the interaction because the attacker understood how creator-audience relationships function psychologically.”

This is the insight that separates his observation from abstract security theory. Modern attacks don’t necessarily exploit code. They exploit behaviour.

“Many attacks were not exploiting advanced technical vulnerabilities, they were exploiting human trust patterns,” Oladoja says. “This reinforced my belief that modern security cannot rely solely on technical controls. Platforms must also design systems that account for behavioural manipulation, trust exploitation, and user psychology.”

The stakes on creator platforms are higher than most people realise. Account compromise doesn’t just affect a single profile. It extends beyond a hacked account to audience trust, monetisation opportunities, brand partnerships, and community credibility.

“Once users lose confidence in platform safety, recovery becomes extremely difficult,” Oladoja says. “That broader ecosystem impact is something many platforms still underestimate.”

What forward-ready platforms look like

The platforms that will survive the next phase of digital risk won’t be the ones that check compliance boxes fastest. They’ll be the ones that embed trust into their architecture from the beginning.

“The next phase for Nigerian fintech will involve moving from basic authentication toward contextual trust systems, where platforms continuously evaluate user behaviour, device integrity, transaction patterns, and environmental signals together in real time,” Oladoja says.

This requires three things working together:

• intelligent fraud detection,
• transparent governance, and
• community education.

None of them alone is sufficient.

“Platform resilience depends not only on infrastructure security but also on how effectively communities are educated about digital risk,” he says. “In emerging digital economies especially, this combination becomes critical.”

For creator platforms specifically, the challenge is even sharper. As AI-generated content, synthetic identities, and automated engagement systems become more sophisticated, verification can’t stop at surface-level identity indicators anymore.

“The platforms that successfully combine intelligent fraud detection, transparent governance, behavioural analytics, and community education will likely define the next generation of resilient digital ecosystems,” Oladoja says.

The founders who are moving early, that is, who are building trust architecture rather than adding security features, will be the ones whose users still trust them when the next wave of AI-assisted fraud scales. The rest will be playing catch-up to a problem that’s already in motion.