Why growth can become a security risk for fintechs

In Africa, the founder who doesn’t care about growth and expansion is the real unicorn — rare and almost impossible to find. Operations across multiple countries, growing headcount, and an expanded product suite are bragging rights most founders aim for.

But in many cases, the growth that founders desire also carries within it the seeds of a startup’s challenges, according to Olaoluwa Eweje, Chief Information Security Officer at Kora.

When conversations about growth and expansion are had, the focus is frequently on the opportunities they present: an ability to hedge performance and revenue, protect against macroeconomic shocks, capture a larger market share, grow revenue, and pursue other lofty ideals.

Even when challenges are recognised, the focus tends to be on regulatory risks and differences in markets. But Eweje argues that expansion also comes with a security risk that many startups fail to consider until it is too late.

In Nobody, Nigerian musician Tuface Idibia sings, “If nobody talk about you, then you are nobody.” That holds as much truth in social relations as it does in cybersecurity. Inasmuch as growth is desired and expected, it puts a target on your back.

Small businesses hold minimal interest for cybercriminals because attacking them may not yield significant results. But as you grow, that changes. Visibility becomes a signal not just to customers and investors but also to bad actors scanning for opportunity.

When Kora begins planning to expand into new markets, Eweje shares that the team also remains alert to new threats that arise.

“When a business is trying to grow, one of the things they do is increase marketing activities. That alone is a risk to us because while you are announcing yourself to prospective customers, you’re also announcing yourself to cybercriminals. And when cybercriminals see your marketing, they just assume you are doing well, and you get their attention.”

In other words, growth doesn’t just scale revenue; it scales exposure. The same signals that indicate traction — partnerships, campaigns, new market entries — can also act as indicators of value for attackers.

Beyond putting a target on your back, expansion also creates entirely new threat environments. Fraud patterns, for example, may differ from one region to another or even from one sector to another. What works in one market may expose vulnerabilities in another.

For fintechs expanding across Africa, this becomes especially pronounced. Different countries have different dominant payment behaviours, infrastructure, and user habits. In Kenya, for instance, mobile money plays a far more central role than it does in Nigeria. That difference alone can influence how fraud is executed and where vulnerabilities lie.

As a result, expansion isn’t just a business or regulatory challenge; it’s also a security challenge. Teams must first understand what threats are prevalent in a new market and then adapt their systems accordingly. This often involves refining fraud detection systems, updating internal controls, and, in some cases, redesigning parts of the product itself.

Growth means scale — more customers, more transactions, and more systems interacting at once. Each of these introduces additional entry points that attackers can exploit.

As fintechs onboard more users, the risk of account takeovers, unauthorised access, and fraudulent transactions increases. A larger customer base means a larger attack surface. And in many cases, attackers don’t need to break the system entirely; they only need to find one weak point.

This is particularly evident in the evolution of fraud. Increasingly, fraud is moving beyond onboarding — where identity verification occurs — into account-level activities such as logins and transaction authorisation. That change forces companies to rethink where and how they apply security controls.

To counter this, fintechs deploy layered security systems, including multi-factor authentication, behavioural monitoring, and location or device-based restrictions. For example, if a user logs in from Nigeria and then attempts another login from a different country within minutes, that activity can be flagged as suspicious.

But even with these controls, scale introduces complexity. Monitoring millions of transactions and behaviours in real time is significantly harder than doing the same for a few thousand users. And complexity, more often than not, is where vulnerabilities emerge.

Most startups today don’t operate in isolation. They rely on a web of integrations — payment processors, identity verification tools, banking infrastructure, and other APIs — to deliver their services.

While these integrations enable speed and scalability, they also introduce third-party risk. A fintech’s security posture is no longer defined solely by its internal systems. It is also influenced by the security standards of its partners. If a partner system is compromised, that compromise can cascade through integrations.

APIs, in particular, represent a critical point of vulnerability. They enable communication between systems, but they also create pathways that attackers can exploit if not properly secured.

“If I’m integrated with you and your system is compromised, it can affect me,” Eweje explains. “That’s why you don’t just look at your own environment; you also need to assess your partners.”

To mitigate this, companies conduct due diligence on partners, enforce strict authentication mechanisms, and implement controls like IP whitelisting, ensuring that only approved systems can communicate with theirs.

Growth and expansion are often accompanied by increased hiring as startups try to fill new roles and build new capabilities. But as teams grow, so do internal risks.

“I usually tell people it’s easier to trust 20 people than it is to trust 800,” Eweje says. “Fraud can always happen from someone out there trying to hack into your systems, but it can also come from internal fraud.”

In the early days of a startup, teams are small and tightly knit. Visibility is high, and trust often substitutes for formal controls. But as organisations scale, that dynamic changes. More employees mean more access points, more opportunities for error, and, in some cases, intentional abuse.

In Nigeria, while external actors are often blamed for fraud, insiders at financial institutions have also played significant roles in facilitating fraudulent activities. Eweje notes that managing this risk starts even before an employee is hired.

“In the financial space, you don’t just hire anyone into your team,” he says.