USSD remains one of Nigeria's most important financial access channels. It reaches customers without smartphones and operates on any mobile network, making it the backbone of financial inclusion for millions of Nigerians who do not use mobile apps. But USSD's accessibility is also its vulnerability. Because it operates over GSM signalling infrastructure without end-to-end encryption, it presents fraud risks that app-based channels do not face in the same way.
How USSD Works and Why That Matters for Security
USSD sessions are initiated by dialing a short code, which establishes a real-time connection between the user's handset and the bank or fintech's application server via the mobile network's signalling infrastructure. The session is text-based, interactive, and ephemeral. It does not require data connectivity, which is why it works on basic handsets in areas with limited internet coverage. Security on USSD relies primarily on the SIM card as the authenticator: if you have the SIM, you are assumed to be the account holder. This assumption is the root of most USSD fraud.
Common USSD Fraud Patterns in Nigeria
SIM swap fraud is the dominant attack vector. A fraudster obtains a victim's SIM card through a fraudulent replacement request at a mobile network operator outlet, often armed with stolen identity documents or through a compromised MNO staff member. Once they have the replacement SIM, they can initiate USSD sessions on the victim's bank accounts and transfer funds before the victim even notices their phone has lost network service. A second common pattern is social engineering: convincing a victim to dial a USSD code under the guise of receiving a payment, completing a verification, or activating a feature. The code actually initiates a transfer or grants account access. A third pattern exploits shared or public devices: in environments where a single phone is shared among multiple users, USSD session history and PIN entry may be visible or interceptable.
Detection Signals for USSD Fraud
Several signals are particularly useful for detecting USSD fraud. A recent SIM swap on the MSISDN is one of the strongest red flags available: most MNOs can confirm whether a SIM was recently replaced, and many Nigerian banks have established API integrations to check this before allowing high-value USSD transactions. Transaction velocity spikes after a SIM swap are a near-certain indicator of fraudulent activity. Geographic impossibility, where a USSD session originates from a cell tower far from the customer's typical location, is another useful signal where network data is accessible. Session pattern anomalies, such as an account that typically has no USSD activity suddenly initiating multiple transfers, also warrant automatic friction. Combining USSD session data with device fingerprinting signals from app sessions can further enrich the risk picture when the same customer uses both channels.
Prevention Measures Fintechs Can Implement
The most effective prevention measures operate at multiple layers. At the channel level, applying a mandatory cooling period of 24 to 48 hours on USSD transactions following a SIM swap prevents most SIM swap fraud from succeeding even when the attacker has the replacement SIM. Transaction limits on USSD specifically, set lower than app channel limits, reduce the damage ceiling for any successful attack. At the monitoring level, integrating SIM swap check APIs into your real-time transaction evaluation means every high-value USSD transaction triggers an automated SIM age check. Platforms like Remllo Watchtower can apply these checks automatically as part of the transaction risk scoring flow, flagging or blocking suspicious USSD sessions in supported transaction workflows.
What the Regulator Expects
The CBN has issued directives specifically addressing SIM swap fraud, requiring licensed institutions to implement controls that prevent unauthorized account access following a SIM replacement. Institutions are expected to have documented policies for USSD channel security, to monitor for SIM swap-related anomalies, and to have incident response procedures covering USSD fraud scenarios. Failure to demonstrate these controls during examination creates regulatory exposure, particularly in cases where customer losses occurred and the institution lacked documented evidence of adequate controls.
