A few weeks ago, Anne, 45, came across two young men and a lady hawking SIM cards.
She was on her way to an M-Pesa agent when she was stopped by the smartly dressed group. They were offering what sounded like a great deal.
The SIM cards they had were for one of the country’s telecoms providers and came with a cheaper tariff than what she was currently on. Further, they were giving out the cards free of charge.
That was not all. Rather than her having to walk around looking for a place to register the SIM card, they would do it for her right there.
It was an easy decision to make. After all, the SIM cards were from a well-known company and the three looked nothing like fraudsters.
The lady who had taken Anne’s phone started firing questions. What were her full names? When was she born? What was her ID number? And on and on. All the while, the lady keyed the responses into Anne’s phone.
Being pursued
After she was done, they went their separate ways, with Anne looking forward to seeing a drop in her airtime expenses.
But as she got closer to the M-Pesa agent she was headed to, she got the urge to look back at the trio she had just met.
To her dismay, she noticed them moving in haste as though they were being pursued.
She stood for a moment wondering what could possibly be wrong, then quickly pulled out her phone. Her hands began to shake as she called up her M-Pesa menu.
Her worst fears were realised. The money she was going to withdraw had been deducted.
She tried calling her mobile services provider to reverse the transaction, but realised she could not make any calls. Her phone had been deactivated.
It turns out the details she was asked for had been used to key in possible password combinations. Anne used her date of birth as her M-Pesa PIN. It was a lucky guess.
Immediately the funds were transferred to an agent for withdrawal, Anne’s phone was deactivated and returned. She ended up losing Sh2,000, money she could ill afford to go without.
Anne is just one of thousands of people in Kenya who have fallen victim to a brand of cybercrime known as social engineering. It is a global phenomenon, and it has taken firm root in Kenya.
It refers to the psychological manipulation of people into performing actions or divulging confidential information.
Although the term is associated with social sciences, its usage has caught on with computer information and security professionals.
There is extensive research on social engineering, with the global police agency, Interpol, noting that in the last two years, its occurrence has increased, with reported losses in 2015 doubling from the year before to $1 billion (Sh102 billion).
Not much has been published on social engineering locally, though, despite its pervasiveness and potential to reach crisis levels.
Its impact is particularly worrying in Kenya, which is globally renowned for its mobile phone penetration (eight in 10 Kenyans own a cellphone) and the popularity of mobile money platforms.
Dignified exit
Five years ago, the three swindlers Anne had the misfortune to meet would have likely broken into a run the moment they had her phone in their possession.
Today’s swindler, however, makes a more dignified exit and goes beyond the device’s exterior value to the information it holds.
Job, 30, was recently robbed of a smartphone by two young men in Nairobi, and there was nothing violent about it. He had posted an ad at one of the city’s popular malls to sell the device at Sh30,000.
He got a call about two days later and arranged to meet the potential customer at a crowded place to be safe. Two men arrived and identified themselves as students. They said they had been sent by their cousin to purchase the phone on his behalf. He was held up in Eldoret, they said.
They then looked at the phone, said they liked it and told their cousin to send the money. As they waited, they got chatting about the latest device technologies.
It was an engaging conversation and helped while away the time. At some point, one of the young men asked to see Job’s phone, and they discussed its specifications. The two kept throwing questions at him about it. A few minutes later, he got a text. It was an M-Pesa message confirming Sh30,000 had been transferred to his account.
He gave the two students the phone and bid them goodbye.
Job walked to a nearby M-Pesa agent to withdraw the cash only to realise his mobile wallet did not have enough funds. His balance was a measly Sh12.
It turns out that the man who had his phone had saved the ‘cousin’s’ number as M-Pesa’s, so when he sent a fake transaction message, it registered as a text from Safaricom.
Job quickly ran out to find the two fraudsters, but they were nowhere in sight.
Various studies estimate about 45 per cent of Kenya’s GDP in 2014 was transacted through M-Pesa. And according to the World Bank, six in 10 Kenyans use their phones as a bank.
These statistics have seen fraudsters devise all manner of cons to steal from unsuspecting victims like Job.
Have you received the text message: “Plz nitumie hizo pesa kwa hii namba (0792801338) ile ingine imeblock pin ya mpesa tafadhali nangoja sawa”?
Lonely, rich women
Fraudsters are also targeting Kenyans through social media, email and phone calls.
There are those emails from supposedly lonely, rich women looking for love. Sample this one sent through email service Gmail: “Hey there babe. I am a single 23/f. I just moved and found your email on Facebook I thought I would say hi and see if you were interested in meeting. Anyway here is my cell feel free to call or text me.. I don’t check my email much so it may take awhile for me to get back with you. The easiest way is my cell so feel free to call or text anytime :) 1 580.440.5882 look forward to talking to you soon.”
These messages are intended to steal personal information. Mobile phones, which are in active use almost all day, have become perfect conduits for this.
Cybercriminals have also sought to infiltrate organisations’ databases by hacking into their networks. A recent survey by audit firm PricewaterhouseCoopers found 33 per cent of firms had been affected by cybercrime in the last 24 months, and a third of these suffered “significant financial impact”.
The Ministry of Information, Communication and Technology reported that in 2014, cyberattacks increased 100 per cent over the previous year.
However, organisations are getting smarter and putting in place systems to curb cyberattacks, making it more difficult for hackers to gain access.
So the fraudster’s soft spot remains the human mind.
To gain access to an organisation’s sensitive information, such as client passwords or account details, these criminals have resorted to social engineering.
Veronica, a second-year student at Kenyatta University, was conned by someone with a Coastal accent who claimed to be a business mogul dealing in the export of laptops, cars and motorbikes.
Veronica remembers the man’s voice was mature, not the kind she associated with a conman.
“If it were a young man, I would have thought he were trying to seduce or con me,” she said.
It all started with an SMS that appeared to have been mistakenly sent to her phone. According to Veronica, the message appeared official and was full of passwords and serial numbers.
Worried that someone might lose his or her money, Veronica forwarded the message back to the sender and said it had been forwarded to her erroneously.
The sender called her beseeching her not to share the text as it contained sensitive information on his multi-million businesses.
Anne assured him she would not. He told her he would only believe her once his shipment arrived safely in the evening.
“If the shipment does arrive safely, I will reward you handsomely,” he promised.
In the evening, the man, who called himself James Muraja, called back to tell her the shipment had arrived safely. He thanked her and asked God to bless her for her kind-heartedness.
Intimate relationship
He then started calling her regularly.
“In three days the guy had built an intimate relationship with me, and I had never even met him,” says Veronica.
He wanted to know how her day was going, and wished her a good night every night. At some point, he asked her if she had an account number. She had just opened one, and she shared the details with him.
He told her he would send some cash into her account in dollars that would be equivalent to about Sh150,000 to ‘thank’ her. She was elated.
Before long, someone who said he was from Dubai Bank called. He asked if she knew James Muraja. Was he her boyfriend?
Veronica thought perhaps James had lied and said she was his girlfriend. So she answered in the affirmative. The banker said James had sent her some money in dollars. He, however, had forgotten to add extra funds to exchange the dollars into shillings. He needed Sh8,000.
Veronica phoned James, and he was annoyed the bank was being so cruel to her. There was nothing he could do as he was outside the country, he said, but he would try and convince them to deduct the money for the forex transaction from the principal sum.
After a few minutes, James called back asking if she could get some money to send to the bank. She rushed to her mother and narrated the story, and was loaned Sh8,000 to sort out the mess.
But then doubts started to creep in. Was this really genuine? She decided to go and confirm with her bank. She told the story to a receptionist, who was skeptical as they had heard many such stories, but in Veronica’s case, she was not very sure it was a con.
Veronica took a while at her bank contemplating what to do. The Dubai Bank employee called again and took on a harsh tone.
“He told me he did not have all the time in the world to wait, and had other customers to attend to. This made me think that if it were a scam, the guy would not have spoken so harshly to me,” she said.
After some time, the banker turned polite again. This time round he asked how much she had with her. She said Sh2,000.
Veronica was told to just send the cash and then top up later once she received the money.
She sent the Sh2,000 and asked for the cash from James to be released.
However, the banker said he could not get out of the banking hall with money as it was against the rules. Veronica was told to just send the remaining Sh6,000 so the entire transaction could go smoothly.
As she already had the money and was getting tired of the back and forth, she sent the balance.
Once the cash was sent, she decided to call the number the money had been sent to, to ensure it was not a scam. Before she could hit redial, she got a call from the number.
The banker said he had forgotten something. James had added a zero to the money he had sent. So more money was needed for foreign exchange fees.
Veronica refused to fall for this line and it began to dawn on her that there was something fishy going on. The banker got harsh again, and that is when Veronica decided to hang up and call James.
The response was chilling. The number she was calling was out of service.
Weak spots
Someone she had never met had won her trust via her mobile phone.
“Many Kenyans generally believe that people from the Coast are honest, so I never thought of James as being a con,” Veronica said.
The fraudster, who discovered her weak spots and exploited them, now knows a lot about her, including her full name, bank details, her hobbies and that she was a self-sponsored student.
Unfortunately, most local organisations are unable to help with such incidents.
After Anne realised she had been conned, she contacted her mobile services provider to try and reverse the transaction to the banker. Unfortunately, the agent told her that at the time, he could not see any transaction. It showed up 24 hours later.
And the fact that Veronica had reached out to her bank but still ended up being swindled is unfortunate.
The CEO of Kenya Bankers Association (KBA) Habil Olaka said commercial banks have different ways of dealing with such cases, depending on their analytical capabilities.
Safaricom said it understands the enormity of social engineering, which has been eroding its “overall trust as a brand”, according to Nick Mulila, the director in charge of risk at the telecoms firm.
“We have a toll-free fraud reporting line [333], which you can call or message with information on a fraudster,” said Mr Mulila, adding that Safaricom works with regulators and law enforcement agencies to take the appropriate steps to resolve any incidents.
The steps taken include blocking lines used by fraudsters.
“Safaricom continuously commits a significant portion of its annual budget to ensuring we invest and leverage the most advanced technologies in the world to keep our network and customer data safe,” added Mulila.
Firms like Facebook and Google post warnings on their sites. For instance, Facebook temporarily removes accounts that have not been verified and are used to try and trap lonely users. Gmail flags suspicious emails with the warning: “Contains content that’s typically used to steal personal information” written in red.
Locally, a lot more needs to be done to prevent scammers from creating socially engineered cons that even the most cautious will not see coming.