It’s open season for cyber criminals

What you need to know:

  • Many Kenyans fall victim to cybercrime because of either sharing too much information online or carelessness.
  • As the Covid-19 pandemic raged in 2020, nearly 140 million cyber threat events were reported, a jump of about 40 per cent over the previous year.
  • Cybersecurity experts say that password reuse is the single biggest enabler of account hijacks.

Some customers who contact Safaricom for help on Facebook include their mobile and ID numbers in their public posts even though the telecommunication company advises people to share personal details through direct message to keep them private. This has led to many of them being defrauded or falling victim to other scams online.

A spot check by Nation Newsplex on Safaricom’s Facebook account on January 15 this year found about 30 customer comments that included phone numbers, while responding to a video post by the company. Some of them also had ID numbers. A second review of the account on April 13 found that 1 in 50 comments to a new post included phone numbers.

Cybercriminals exploit such personal details to carry out SIM swaps and then take loans on various digital lending platforms. Owners of the mobile phone numbers realise they have been victims of fraud only when it is too late.

Cybersecurity experts warn that many Kenyans fall victim to cybercrime because of either sharing too much information online or carelessness. Even though most social media networks have specific privacy settings that allow users to control what information they share publicly and privately, many people ignore the options, thereby exposing themselves to risks. 

With your mobile number, a fraudster can easily access your bank website or email account and request a password renewal. Depending on what you share on social media, the fraudster can guess the answer to your security question. “For example, if you like sharing about your favourite football team on social media and your security question is ‘what is your favourite football team?’ I can easily get the answer. Thereafter, I can change your password to access and control your account,” says Mr Oscar Okwero, a cybersecurity expert.

There is an increase in cybercrimes such as phishing, malware and exploitation of new teleworking structures. As the Covid-19 pandemic raged in 2020, nearly 140 million cyber threat events were reported, a jump of about 40 per cent over the previous year, finds the latest data from the Communication Authority. 

Mr Okwero says one should only install mobile applications from verified stores to avoid malware. “As you install applications to your computer or mobile devices, pay attention to the permissions it requests to enable it to work. If it asks for irrelevant permissions like a camera application or contact list, do not install it as it may be malware,” he says.

Recently, a link to a website mimicking the Carrefour Supermarket site that claimed the retailer was giving out free iPhone 12s made the rounds on Facebook and WhatsApp.  

The fake website asked users to complete an online survey then send the link to five groups and 20 friends before receiving the prize. It was a scam intended to prey on naive individuals.

The cost of cybercrime

Kenya lost about Sh29.5 billion to cybercrime in 2018, an almost 40 per cent increase from Sh21.4 billion in 2017, according to the 2020 Annual Report to Parliament on the State of National Security. Cybercrime damages will cost the world $6 trillion annually by this year, according to an Africa cybersecurity report by Serianu, a business and cybersecurity consultancy.

The banking sector is particularly prone to data breaches.  According to a 2019 Global Banking Fraud survey done by KPMG, the top challenges facing banks the world over are cyber and data breaches. 

Mobile money users have considerably more challenges than users of regulated financial services like banks and mobile banks. Over five million of them reported that they lost money or were defrauded, mostly through hoax SMSs or phone calls, according to a 2019 FinAccess survey, the fifth in a series of national household surveys on access and use of financial services in Kenya.

During the Covid-19 pandemic, social media has been awash with stories of Kenyans who have lost money through cybercrime. One of the victims was Ms Nyarwai Nyarwai, who one day received multiple messages on her phone informing her that transactions had taken place from her bank account.  

“I called the bank immediately and asked what was happening because I was not using my card. I was advised that the bank had sent error messages and that I had nothing to worry about. The small debit was credited later the same day,” says Ms Nyarwai.

But what happened in the next four days shocked her to the core.

“The second time round, my money was being debited in big amounts to what seemed like a United Kingdom number. I asked the bank if this was another error message. The bank employee who responded to my call told me my money had been debited. I asked her to stop the payments as I was not the one making them but she said there was nothing that could be done apart from blocking my card immediately,” she recalls. The bank official advised her to go to the bank to fill in a dispute form.

After waiting for over a month for her savings to be refunded, she was told that the case had been closed because the beneficiary of her money declined to refund it. She was told to report the matter to the police.

After she shared her story on the Facebook page Buyer Beware in March last year, the bank involved contacted her and refunded her money.

Last month, Mr Karanja Kiarie, 30, fell victim to cybercrime. According to the filmmaker, money was debited from his account to an account in Europe without his approval.

“I noticed an online transaction of Sh0.00 using my card being approved via text and I called the bank to investigate the matter. The customer care representative said the transaction was paid to an account in the Netherlands and was not really Sh0.00. Money had actually left my account,” says Mr Karanja.

While he was on the phone with a customer care staff member, six more online transactions were made from his card. By the time the card was blocked, Sh4,000 had been siphoned within the two minutes that he was on the call.

Standard Chartered Bank Head of Financial Crimes in Kenya and East Africa Mary Runana says when it comes to cyber fraud, the compromise is mostly at the client’s level. “One of the greatest challenges is that most of these frauds occur because customers are giving their personal information easily and falling prey to these social engineering schemes. Unfortunately, recovering funds that have left the banks is very difficult,” says Ms Runana.

She says one should activate two-factor authentication and possibly device-based authentication to reduce fraud possibilities. “In this situation getting that second credential requires access to something that belongs to you like your mobile phone or separate email,” explains Ms Runana.

Cybersecurity expert Mr Okwero agrees with Ms Runana that the weakest link in cybersecurity is people. “Most people are not so careful when somebody sends them a meme or a link to click on their WhatsApp or Facebook. When people click on these links, the fraudster installs a backdoor to allow them to access a mobile device at will in the future. They use the access to defraud people,” says Mr Okwero.

According to Ms Runana, having multiple bank accounts also exposes one to financial fraud. “The more accounts you have with different banks the more exposed you are. It is also very difficult to keep up with all the communication from various banks,” she says.

Data security 

Kenya’s first data protection law came into force in November 2019. The Data Protection Act No.24 of 2016 sets out restrictions on how personally identifiable data can be handled, stored and shared.

Cybersecurity experts have pointed out a number of shortcomings in the Act. However, it still provides a foundation from which a stronger legal framework on data protection can be built.

The easiest way to compromise technology has always been through a person, for instance, when using credit and debit cards for shopping. “It may be convenient to use it, but there might be unscrupulous staff that use other machines to tap your details. Use a prepaid card for online and other transactions as it is not connected to your bank account,” says Mr Okwero.

Recently, Facebook suffered a major cyber and data breach that resulted in the information of over 267 million Facebook users, including email addresses, names, Facebook IDs, dates of birth and phone numbers, being made public. The data trove was sold on the dark web for Sh63,581 last year, according to Cyble, a cyber threat intelligence firm.

This data can be used to craft a text or email phishing campaign and claim it is on behalf of Facebook, according to Mr Okwero.  “If a user clicks the link and enters their details into a fake Facebook login page, much more valuable data can be stolen from them,” he says.

Attackers can also match such information against other breaches that included passwords and then try those passwords on other sites.

Cybersecurity experts say that password reuse is the single biggest enabler of account hijacks.