In 2018, a Kenyan politician lost KSh 1,9 million while he was on an official tour out of the country after his SIM card was swapped and used to change his e-banking credentials. Following that, money was siphoned out of his bank account.

Many Kenyans have fallen prey to such scam, losing money in banks and mobile money accounts.

Mobile Phones as an enabler of crime

Since the advent of mobile money services and SMS based two-factor authentication for various websites and applications, the mobile phone has become a protected resource that if compromised, can result in huge losses. Today, people continue to fall victim to various mobile phone orchestrated scams.

The most common crime involving mobile phones is SIM jacking. This is when a SIM card is illegally swapped without the owner’s knowledge or consent. Once this is done, the person who has the new SIM card takes over the SMS messages and functions such as mobile money. With these, one can reset the M-PESA details, or even online banking credentials and take over the account.

This has been happening for a long time, however, there are new trends that leave gullible Kenyans exposed in today’s online world. These include:

Phone number spoofing

The newest scam that is happening today in Kenya is caller ID Spoofing. When someone calls a mobile phone, the identity of the caller is usually displayed, which is the mobile phone number, also known as the caller ID.

It turns out that the number can be manipulated by the caller to display a different number, and crooks take advantage of this by changing it to a familiar phone number such as one from a bank or a telecommunications company. Recently, some people have complained in Kenya that they have been called by criminals from the official number 0722000000 which Safaricom uses to contact its customers. The callers try to coerce one to reveal sensitive information such as M-PESA PIN, then proceed to swap their SIM and get access to their M-PESA account.

Safaricom is yet to comment on the matter, but since it is doable, it could be happening.

SMS sender ID scam

In one instance, several schools fell out with an individual who had sold them some School Management Software. What followed was an outright theft where the software provider sold the data including parents' contacts to third parties and also the SMS Sender IDs that he had registered on behalf of the schools.

Rogue people used the official schools’ sender IDs to send an SMS message to parents asking for money for various purposes.

The SMS Sender ID is the service that allows for the name of the sender to display on the SMS, usually a unique name such as “M-PESA” for M-PESA services. Users can register a Sender ID of their choice, especially for business purposes so as to allow for delivery of short messages that they send and build credibility with their customers.

When parents received the messages from the same sender ID that had been used to send them official communication from the school where their children are enrolled, they easily responded by sending the money they were asked to send. Unknown to them, the message had nothing to do with the school, and it was partially the ignorance of the school management that got them conned.

Phishing e-mails

Phishing attacks have been around for a long time. However, they are gaining popularity in Kenya as more people adopt online banking.

The evidence for this is an increase in the number of Kenyan domain names that are reported for phishing. Truehost Cloud which operates in both Kenya and Nigeria has often reported more cases of phishing from Nigeria, but lately, the cases from Kenya have sharply increased.

The phishing attacks usually involve emails that appear to come from an institution such as a bank requesting one to click a certain link, from where they are directed to a site where they are tricked to give their login credentials, usually thinking that they are in the right website. At the back-end, scammers get access to those credentials and use them on the real banking website.

Share this article via: