How Scammers Are Finessing Unsuspecting Mobile Money Users Of Their Monies And Laughing All The Way To The Bank

A while back, I was woken up from my deep depression sleep, caused by the raging financial struggles that are a trademark of this our Nairobi, by a sweet text message that claimed I had won Ksh.100,000 in a competition I knew nothing about, plus another Ksh.5,000 for being such a loyal customer of my phone company by never having changed my line since I bought it. I became elated. Imagine the whole of me, from having less than a hundred shillings to my name to an instant thousandaire! Finally God had seen me and come in person. Hallelujah!

In my now overjoyed and motivated state, I placed my phone back on the bed and immediately stood up, trying to see if I was asleep and dreaming, or maybe I had already ‘gone’ in my sleep, because clearly this life had taught me better than to expect such good things coming my way. Upon confirming I was truly wide awake by slapping my right cheek as hard as I could, I started seeing how my Bonyezaring a few years ago might have finally paid off. How I was to pay all my debts and finally pay for that class that has denied me peace and a degree…You know, the usual.

In my calculative bedazzlement, I heard the phone ring and immediately went over and picked it up. So I am standing there, I look at the phone and the phone says: New Number…Who the f* is this? Mostly I am not one to talk first because, man, it might be someone trying to collect a debt from me using a new number since I’ve been MIA, but eff it, I’m rich, G. I go all in and say “Hello!”, at which a voice from the other end introduces itself, very professionally addresses me by my official name and continues to inform me of how I was chosen as the winner of the 105K, and what I need to do in order to receive the said cash in my M-Pesa pronto. Finally we are talking, and it’s not even lunch.

[Image: Happy Cat]

As I continued to listen and digest the information I was receiving from the other end, I heard a process that actually required me to send money from my poverty-stricken account to a number that was being read out in a somewhat concealed manner. I lost it! This ninja was here trying to social engineer his way into my account, and all this while I thought he was a God-sent employee of Safaricom. “Gat-tin*! Tumia akili mbwa hii unajaribu ku-con nani sasa?” [“Use your brain, you dog, who are you trying to con now?”] I furiously blasted the idiot, and he in turn reciprocated with an equal dose of vulgarity on my person and hung up. SMFH...The nerve!

So what is social engineering?

Social engineering is a nontechnical method of breaking into a system or network. It is the process of deceiving the users of a system and convincing them to perform acts that are useful only to the hacker (the social engineer, or in this case the scammer), such as giving out sensitive information that can be used to defeat or bypass the system's security mechanisms. A ‘system’ here can be a building such as a bank's premises, a residential suite, a bank account, a website, or even your own personal and convenient mobile money account, e.g. M-Pesa. Social engineers exploit the human element, such as a person's natural tendency to trust what they are told, the desire to be helpful, or the fear of getting in trouble, rather than having to exploit holes in computer and system security directly.

Hackers who are able to blend in and appear to be part of the organisation are the most successful at social-engineering attacks. This ability to blend in is commonly referred to as the art of manipulation. It is generally agreed that users are the weak link in information security, which is what makes social engineering so effective and one of the hardest forms of attack to defend against: a company can't protect itself with hardware or software alone.

Social engineering can be broken into two common types: Human-based and Computer-based social engineering.

Human-based Social Engineering:

This refers to person-to-person interaction, whether by phone, text or email, in a bid to retrieve the desired information from the victim of the attack. For example, calling the support desk to try and find out a password or, you know, the classic “Nitumie kwa hii number please ile ingine imeharibika mahali pa M-Pesa…” [“Please send it to this number, the other one has a problem on the M-Pesa side…”]


This attack can further be broadly categorised as follows:

  1. Impersonating an Employee or Valid User – Here a hacker tries to gain access by pretending to be a janitor, an employee or a contractor and, once inside, gathers information from dustbins, desktops, unsecured physical files or even computer systems.
  2. Posing as an Important User – Here the hacker pretends to be an important user, such as a high-level manager who needs immediate assistance to get into a computer system or files. The hacker uses intimidation so that a lower-level employee, such as a help desk worker, assists them in gaining access, because most people won't question someone who appears to be in a position of authority.
  3. Using a Third Person – With this approach, a hacker pretends to have permission from an authorised source to use a system. The attack is especially effective when the supposed authorised source can't easily be contacted for verification.
  4. Calling Technical Support – A classic social-engineering technique: help desk and technical support staff are trained to help users, so they fall prey to these attacks easily.
  5. Shoulder Surfing – An attacker watches over a person's shoulder while they log in to the system and tries to make out the credentials being entered.
  6. Dumpster Diving – Looking through the trash for information written on pieces of paper or on computer printouts. A hacker can often find passwords, filenames or other pieces of confidential information. People who handle personal identifying data, like mobile money agents, are you with me?
  7. Reverse Social Engineering – A more advanced method of gaining confidential information in which the hacker creates a persona that appears to be in a position of authority, so that the victim asks the hacker for help rather than the other way around. For example, a hacker who already holds a good chunk of information about a user can impersonate a support employee and get the user to divulge more sensitive information, such as their password.

Computer-based Social Engineering:

This can also take a number of forms, but mostly it means using computer software to retrieve the information the hacker wants. An example is a user who clicks on a malicious link and receives a login page asking them to re-enter or confirm their password; that particular trick is commonly known as phishing.


This attack type can also be broken down into different categories:

  1. Identity Theft – Here a hacker poses as an employee or an authorised user to carry out an attack. Information gathered by dumpster diving or shoulder surfing, combined with fake ID badges or stolen legitimate user documents, can gain the hacker entry into an organisation or system. The goal of identity theft is a persona that can enter a system unchallenged and perform other illegal activities under someone else's name.
  2. Insider Attacks – Here an attacker infiltrates a system or organisation by getting hired as an employee, by bribing or coercing an employee, or by finding a disgruntled employee who is ready and willing to help with the attack.
  3. Phishing Attacks – These involve a user clicking on a seemingly legitimate but malicious link, sent by email, by DM (Twitter) or placed in a web page, that leads to a fake website asking the user to confirm or enter their details. The hacker collects those details for financial gain or to further the attack.
  4. Online Scams – An attacker sets up a seemingly legitimate website on which users register with the same username and password they use elsewhere, such as their social media accounts or their workplace systems. The attacker then tries those details against the other systems the user is registered with to see which ones work (credential stuffing). Attachments included in cleverly crafted emails entice the victim to open them, which delivers malicious code to the victim's machine and runs it automatically: keyloggers that capture passwords, viruses, trojans and worms. In the same way, pop-up windows offering special offers or free stuff can get a user to install malicious software without meaning to.
  5. URL (Uniform Resource Locator) Obfuscation – or URI obfuscation, for those who wish to exhibit their professional pedantry. A number of techniques make a malicious link look, on the surface, the same as a genuine one to an unsuspecting eye when it clearly is not: the brand's name placed as a subdomain of the attacker's own domain, a digit or look-alike character swapped into the domain name, a fake “username” before an @ sign that the browser ignores, a bare IP address in place of a host name, or link text that shows one address while the link actually points to another.
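As an added illustration of the URL tricks in the last item above, and of the “seemingly legitimate link” in the phishing item, here is a small Python checker. It is not part of the original post or of any real product. It assumes the brand the victim expects to see is safaricom.co.ke, uses a short hand-written table of second-level domains (co.ke, co.uk and the like) in place of the Public Suffix List, and runs over constructed sample links; none of the sample URLs come from the page or from any real campaign.

```python
"""Flag common URL obfuscation tricks seen in phishing links (added example)."""
import ipaddress
import re
from urllib.parse import urlsplit

# Assumption for this example: the domain the victim believes they are visiting.
EXPECTED_DOMAIN = "safaricom.co.ke"
BRAND = EXPECTED_DOMAIN.split(".")[0]

# Assumption: second-level labels that act like a TLD under two-letter ccTLDs
# (co.ke, co.uk, go.ke ...). A real tool would use the Public Suffix List.
SECOND_LEVEL = {"co", "com", "org", "net", "ac", "go", "or", "ne"}

# Cyrillic letters (as escapes) that render almost identically to Latin ones.
HOMOGLYPHS = str.maketrans({"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
                            "\u0441": "c", "\u0445": "x", "\u0456": "i", "\u0455": "s",
                            "\u0458": "j", "\u0501": "d"})

# Anchor text that itself looks like a URL or bare domain, optionally with a path.
URLISH = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:/\S*)?", re.IGNORECASE)


def registrable_domain(host: str) -> str:
    """Part of HOST that a registrant controls: 'example.net' for 'login.example.net',
    'promo-win.example' for 'safaricom.co.ke.promo-win.example'."""
    labels = host.lower().strip(".").split(".")
    if len(labels) >= 3 and labels[-2] in SECOND_LEVEL and len(labels[-1]) == 2:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one-character typo-squats like safar1com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def host_is_ip(host: str) -> bool:
    """True for dotted IPv4, IPv6 and bare-integer hosts such as http://3232235777/
    (browsers resolve that integer as 192.168.1.1)."""
    try:
        ipaddress.ip_address(int(host) if host.isdigit() else host)
        return True
    except ValueError:
        return False


def analyse_url(url: str) -> list:
    """Return the obfuscation tricks found in URL; an empty list means none found."""
    parts = urlsplit(url.strip())
    host = parts.hostname or ""
    findings = []
    if parts.scheme != "https":
        findings.append("not-https")
    # https://safaricom.co.ke@evil.example/ : the browser ignores everything before
    # the '@', but it is the first thing the victim reads.
    if parts.username is not None:
        findings.append("userinfo-before-at")
    if host_is_ip(host):
        findings.append("ip-address-host")
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode-host")
    if not host.isascii():
        findings.append("non-ascii-host")
        # Map the look-alike letters back to Latin and see if the brand appears.
        if registrable_domain(host.translate(HOMOGLYPHS)) == EXPECTED_DOMAIN:
            findings.append("homoglyph-of-" + EXPECTED_DOMAIN)
    reg = registrable_domain(host)
    if reg != EXPECTED_DOMAIN:
        # Brand used as a subdomain of the attacker's domain: safaricom.co.ke.promo-win.example
        if BRAND in host:
            findings.append("brand-in-host-but-domain-is-" + reg)
        # One or two edits away from the brand: safar1com.co.ke, safaricorn.co.ke
        if 0 < levenshtein(reg.split(".")[0], BRAND) <= 2:
            findings.append("lookalike-of-" + EXPECTED_DOMAIN)
    return findings


def analyse_link(anchor_text: str, href: str) -> list:
    """Phishing HTML shows one address and links to another: compare the host the
    victim reads in the anchor text with the host the browser will actually open."""
    findings = analyse_url(href)
    shown = URLISH.fullmatch(anchor_text.strip())
    actual = urlsplit(href).hostname or ""
    if shown and registrable_domain(shown.group(1)) != registrable_domain(actual):
        findings.append(f"shows-{shown.group(1)}-links-to-{actual}")
    return findings


# Constructed sample links for this example; none are real campaign URLs.
SAMPLES = [
    "https://www.safaricom.co.ke/personal/m-pesa",
    "https://safaricom.co.ke@promo-winner.example/claim",
    "http://3232235777/mpesa/verify",
    "https://safaricom.co.ke.promo-win.example/claim",
    "https://safar1com.co.ke/bonyeza",
    "https://s\u0430faricom.co.ke/login",  # second letter is Cyrillic 'a'
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample:50} {analyse_url(sample) or 'OK'}")
    print(analyse_link("www.safaricom.co.ke/promo", "https://promo-winner.example/claim"))
```

The checks are deliberately cheap string tests rather than a reputation lookup, so they work offline on a link pulled out of an SMS or an email. Only the first sample comes back clean; the rest each trip at least one of the tricks named in the list above.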

So, how can an organisation or its users protect themselves from these types of attacks? By having clearly documented and enforced security policies and security awareness programs.

Corporate security policies should address how and when accounts are set up and terminated, how often passwords are changed, who can access which areas or information, and how policy violations are to be handled. For example, it is necessary to know who initiated which action, why, and where the said action originated from. The destruction of paper documents and physical access restrictions on sensitive information are further areas those security policies should address. Otherwise we will keep seeing 20+ active SIM cards registered against the same ID number, none of them registered by the real owner of the ID.

[Image: Wahome Thuku]

To reiterate, the best defence against social-engineering attacks is security-awareness training for all employees and users of a system, backed by tight security procedures for securing those systems. Yes, security awareness for all.

Below is a recording we received of a phone conversation in which an amateur scammer pretending to be a Naivas supermarket employee tried to finesse an M-Pesa user out of his monies and, by the ‘hear’ of it, had already succeeded in scamming another person (or persons). It shows how effective social engineering attacks can be as long as the attacker can initiate and hold a conversation. We do apologise for the use of the N word in the conversation, but gaadamnit!



©2020 PML®

‹  Pakawa ♠ Media  ›

 All Rights Reserved