Inside Nigeria’s loan app spam machine: how lenders use BCC to flood your inbox

“I just got a loan offer from someone I’ve never met, never contacted, and who doesn’t know me.” This is becoming a daily experience for many Nigerians who open their inboxes to find bulk loan solicitations sent via BCC (Blind Carbon Copy) from unknown agents or fintech workers.

The messages often have no personalisation, but they are always urgent, persuasive, and oddly familiar.

Take this message from Augustine, a team leader at Rosabon Financial Services:
“You can always contact me for salary-based advance loans up to ₦10 million… No guarantor. No collateral. Just send me your bank statement, employment letter, work ID…”

The message ends with multiple contact options: email, WhatsApp, and two phone numbers, suggesting a scattergun approach to reach as many people as possible.

He isn’t alone. Other emails from reps at Renmoney, Sycamore NG, Oxygen X, and unnamed fintech organisations echo the same pattern:

• Subject lines promising pre-approved or personalised loan offers.
• Bulk emails with generic greetings like “Dear Esteemed Customer” or “Good Day.”
• Claims of instant disbursement, flexible repayment terms, and zero collateral.
• Promises to buy out your existing loan and offer you more.

These messages aren’t coming through targeted ads or app notifications. They’re slipping into inboxes uninvited, riding on blind email chains, cloaked from scrutiny, and not directed at any specific individual. Worse, most recipients have never signed up for these services.

And while it might seem harmless on the surface, this practice reveals a more worrying trend: mass data leaks or unethical data sales, leading to random Nigerians becoming targets in a massive fintech cold-calling game.

For emphasis, X and Y received nearly identical loan offers from unknown apps. Neither signed up for them. So, how did their numbers or emails end up on the radar?

A closer look at the spam messages reveals a troubling pattern. They often originate from non-official Gmail or Yahoo accounts and carry little branding, sometimes none.

Read also: Approved loan apps in Nigeria increase by 18.8% to 380 in February amidst economic palaver

Despite that, they all promise fast disbursement, zero collateral, and repayment periods of just a few months. Augustine isn’t the only one making these offers. So is Elijah from Sycamore NG, Victor from Oxygen X, and unnamed “loan teams” with no return address.

These messages do not come through official newsletters or sign-up forms. They are dropped en masse using the BCC function, meaning multiple recipients are blind copied. So, no one sees who else received the mail.

It’s a tactic that shields the sender from visibility and prevents the recipients from knowing how widespread the reach is. But it also raises questions: Where did they get your email? Who sold it to them?

“Unauthorised access to databases due to inadequate security measures can lead to personal data being exposed and subsequently misused. For example, the XpressVerify and AnyVerify debacle that caused an uproar in the public space, where data such as NIN, BVN, and phone numbers were being sold for N100 per data point to various elements. These loan companies could have obtained the information from such sources,” said Oladipupo Ige, Director, Data Privacy Lawyers Association of Nigeria (DPLAN).

According to him, most of these loan companies don’t get your number from a clean source. Instead, they piece together scraps from different channels.

Read also: Missing funds, unexplained loans and angry customers: Is GTBank still in crisis?

“Some fintech companies purchase bulk data from brokers who compile information from various sources, including online forms, contests, or other services where users may have unknowingly consented to data sharing. These data are sold and commercialised to these loan companies who utilise them for advertisement and promotional purposes.”

In other cases, the phone apps people download give permission to harvest data, often without them realising it. Some apps request access to your contact list or location in exchange for a service.

“Many mobile applications harvest data secretly,” Oladipupo explained. “The target will not know about such a breach unless quite savvy in data protection and cybersecurity.”

Sometimes, the data isn’t harvested; it leaks. In cases like the XpressVerify and AnyVerify debacle, entire user databases were sold off for as little as ₦100. Those databases included sensitive data like NIN, BVN, phone numbers and other personal information. “These loan companies could have obtained the information from such sources,” he added.

This data ends up in the hands of aggressive marketers trained to maximise conversions and who do not follow privacy rules. The result is an ecosystem where consumers receive messages from companies they’ve never heard of, selling services they never asked for.

This is not just unethical. It’s illegal. Under Nigeria’s 2023 Data Protection Act (NDPA), processing personal data, including phone numbers, for marketing purposes without prior and informed consent is prohibited.

“Sending unsolicited emails, even via BCC, without prior consent constitutes a violation of the NDPA,” Oladipupo said. “This practice infringes upon individuals’ rights to privacy and data protection as enshrined in Section 37 of the Nigerian Constitution.”

The law is very clear. Whether the data was obtained through scraping social media, leaked in a data breach, or sold via a third-party vendor, the sender must obtain specific consent to use it for marketing. And this doesn’t mean buried deep inside a user agreement either. It has to be “clear and informed,” Oladipupo stressed.

“If consent of the owner of the phone number was not obtained before the loan company sent such a message, then it is a violation of the individual’s privacy right,” he explained. “This means it is not a grey area. The law on the subject is unambiguous.”

And yet, the messages continue to come.

When consumers ask how to respond, Oladipupo suggests a three-step approach. “First is to react,” he said. “The citizen should write a letter of objection via email or whatever form to the loan company and request a stop to the messages and total erasure of the phone number from the loan company’s database.”

If the messages don’t stop, he recommends going to the Nigeria Data Protection Commission (NDPC), which has a complaint form called SNAG that can be submitted directly. And if that doesn’t yield results?

“Then the final step is seeking legal redress in a court of law,” Oladipupo said. “The best method is to approach the court using the route of infringement of privacy rights under Section 37 of the Nigerian Constitution.”

Read also: Exclusive: Personal data of over 840,000 customers allegedly leaked on loan app, iCredit

The law might be clear, but enforcement is still catching up. “The data protection sector of Nigeria is novel,” he explained. “The law regulating the processing of data was passed in 2023. This is 2025. The GAID, which is the implementation directive, was passed earlier this year. Some provisions will not be in full effect until 2026.”

That time lag has created a window where unscrupulous actors can exploit gaps in enforcement. “Some of these companies operate from outside Nigeria or use complex corporate structures, making it difficult to hold them accountable,” he added.

Even companies that operate locally sometimes view penalties as a cost of doing business. “For companies that profit significantly from aggressive marketing tactics, breaching such data laws might be a risk that is beneficial,” Oladipupo said. “They would prefer to breach these rights just to amass more financial gain while they await the possible sanctions, which might not have a significant effect on the profit made.”

As consumers become more aware of their rights, some have taken to social media to call out the companies behind these spam messages. Screenshots of unsolicited emails are being posted on X and Reddit, often with comments like “How did they even get my number?” or “This feels illegal.”

One user posted, “I’ve never used this loan app in my life, yet they keep sending me messages like we’ve been in a relationship. Who gave them my details?”

Another said, “This is harassment, not marketing. I don’t even live in Nigeria anymore.”

Digital rights groups like Paradigm Initiative and Tech Hive Advisory have also raised concerns.

This isn’t just a fintech issue. It’s a systemic data abuse problem, and until enforcement improves, it will only get worse.

Oladipupo agreed. “It’s not a matter of loopholes,” he said. “It is largely a matter of sensitisation and awareness of the Act, its prescriptions, and its violations.”

For now, the burden remains on consumers to fight back. But they’re not powerless.

“Nigerians have the right to object to messages, withdraw consent, request a stop, lodge complaints, and even sue for breach and get awarded monetary damages,” Oladipupo said. “And that’s what we’re encouraging them to do.”

The inbox has become the new battlefield. And every unsolicited loan offer is another violation waiting to be called out. The spam machine might be well-oiled, but it’s not unstoppable.