On September 4th, 2020, one of our customers, Funmi Oyatogun, posted a tweet regarding a security incident involving her account with Cowrywise. We would like to share an update on this case and reassure our users of the security of their accounts.
First and foremost, we would like to acknowledge that we highly value our customers, to thank everyone for their immense support over the years, and to publicly apologize for the time it has taken to get this issue resolved. As of today, we are glad to report that we have come to a resolution following the completion of a thorough investigation into the reported incident. The customer now has full value for the sum, recovered from the bank accounts the funds were moved to.
On April 16 and April 23, 2020, funds were transferred out of Funmi’s Cowrywise account without her knowledge. Her correct personal credentials were used to access her account on the two different occasions. Cowrywise sends email alerts to customers for every withdrawal transaction. We also send push notifications to customers who enable this on their phones. This is why we encourage our customers to enable this feature on their phones. Because Funmi didn’t see these emails in her account, we suspect the perpetrator had access to her email account and deleted the notifications to conceal the withdrawals. On April 17th, Funmi made a withdrawal from her Cowrywise account using the same credentials and confirmed the receipt of the withdrawal notification in her email account.
When the incident was brought to our attention on April 27, 2020, we took the necessary steps to resolve it in accordance with Nigerian law. We were required to collaborate with the banks where the transfers were made, and work with the appropriate law enforcement agents to reveal the identities of the intruders before funds could be reconciled. This took a long time. Towards the end of the investigation, we discovered that the two suspects had earlier given reversal mandates for the bank to return the funds after a lien was placed on their accounts since April and May. However, the banks neither acted on nor honoured these mandates.
This investigation has now been completed and the total sum of the funds has been recovered. We have shared all the private details of the outcome with the customer to give her better clarity on what exactly happened and the suspects behind this.
We do, however, acknowledge that throughout the course of this investigation, we failed to keep the customer as informed of progress as we should have, and to address her ongoing concerns. As a result of this, we are improving our escalation process on any incident like this to ensure all parties involved are properly carried along and resolutions are reached much quicker.
We would also like to take this opportunity to further educate our users about their overall web security and the safety of their private information. To this end, we have also published a guide which outlines different methods scammers deploy to defraud innocent users on digital platforms generally and how users can avoid these scams to remain safe.
We remain highly committed to the security of our customers, their funds and their information. That commitment is reflected in the multiple security layers we have in place on Cowrywise. To all our users, we appreciate your commitment to Cowrywise, your commitment to pushing us to be a better version of who we were yesterday, and your advocacy in making Cowrywise a company you are proud of.
We empathise with Funmi for being a victim of this unfortunate experience. We thank her for being a Cowrywise advocate and for her patience during the period of resolution. We will always have the back of all our customers. We wish you well.