Savraj Singh Chana’s money vanished from his bank accounts on November 13, 2018.
It started with a network failure on his mobile phone a day before. However, it didn’t occur to him that this was the beginning of a well-orchestrated theft plan.
Chana told the High Court that it was not until the network to his phone returned that he found out Sh592,864 had surreptitiously been siphoned from two of his bank accounts.
The money was withdrawn through his mobile banking application.
Eight months earlier, Stephen Ouma lost Sh120,000 from his M-Shwari, a mobile lending and saving platform owned by NCBA and telecommunications provider Safaricom.
According to submissions in the High Court, the theft was carried out in a similar fashion as Chana’s.
However, unlike Chana, Ouma remembers getting a call from a man who claimed to be a Safaricom employee. The man identified himself as Antony.
Antony told Mr Ouma that his phone was interfering with that of another customer.
As a result, he needed Ouma to give him some of his personal details to fix the problem.
Ouma gave him his date of birth and the national identification number. He refused to give his M-Pesa Pin.
However, this did not stop the imposter from robbing him.
Not long after the call, Ouma’s phone suddenly went off. Fearing for the worst, he immediately contacted Safaricom. He was informed that his M-Pesa was intact.
Then he noticed that about Sh120,000 had been swindled from his M-Shwari, a mobile lending and saving platform.
The fraudsters had also taken a loan of Sh30,000 from M-Shwari, which is jointly owned by Safaricom and NCBA Bank.
Chana and Ouma were victims of a sim-swap fraud, where the culprit uses social engineering tools to mine critical personally identifiable information from a victim.
Social engineering refers to the psychological manipulation of people into performing actions or divulging confidential information.
Cases of sim-swap fraud, which often involve an employee of telecommunications firms or banks, are on the rise as Kenyans warm up to digital banking.
But experts say it is not only the adoption of digital transactions that is driving such fraud.
According to William Makatiani, the chief executive of Serianu Ltd, a cyber-security company, criminals are also exploiting the increased level of trust in these platforms by a majority of Kenyans to carry out their heinous acts.
Two years ago many people came forward with testimonies of how money had vanished from their mobile money wallets. The trend appeared to have died out, but it is now coming back.
And it is much lethal given the extent of digitisation occasioned by a pandemic that has spawned a cashless economy.
“There is a lot of social engineering going on. As opposed to previously where somebody maybe would go out and register lines on their own, now they have command centres where they are calling people,” said Mr Makatiani.
The cybersecurity expert further noted that a lot of people are falling for these scams because the culprits have gotten even better in their tactics and techniques.
Makatiani said the criminals have become good at playing with your psychology. They, for instance, like calling ladies on Sunday mornings as they prepare for church, while they target men in the evening at around five o’clock because that is when most of them like to hang out with friends over a drink.
Linda Bonyo, the chief executive and founder of the Lawyers Hub, which runs the Africa Digital Policy Institute, explained that older people are also becoming easy targets for scammers.
They also target their victims when they are not in the right senses like when they are asleep or when they are just waking up at around 7am.
“Because you are sleepy, and science proves that people lose their senses when they are sleepy, you will give information,” explained Ms Bonyo.
Even as the pandemic has pushed many people into remote working, it has left a lot of them jobless.
Sim-swapping, said Bonyo, is linked to identity theft. “How do you prove who you are in a digital environment?” she posed. The attorney noted that armed with a combination of your national identity card number and your phone number, fraudsters can easily access your bank account or M-Pesa wallet.
One such syndicate that was unearthed recently saw the scammers steal some Sh2.8 million through the various mobile apps of three of the top banks in the country.
The scammers used the mobile line of a dead person to steal from their victims after mining their personal details.
One of the biggest sim-swap heists saw a victim in the United States lose $1 million (Sh108 million) of their life savings, including their daughter’s college fund last year.
Even the founder of Twitter has been a victim of sim-swap fraud.
Following the latest wave of sim-swap fraud, local banks have mounted an aggressive campaign against the vice.
This even as the Central Bank of Kenya (CBK) in its 2021 Banking and Supervision Report noted that “there has been an increase in cyberattacks relying on weaknesses in the human element within the digital space.”
The weakest link in most cybercrimes are employees of banks or telecommunications companies.
On June 7, Safaricom got restraining orders against two of its former employees against selling or transferring confidential data for 11.5 million subscribers to a third party.
Simon Billy Kinuthia, Safaricom said in the court papers, as a senior manager, network and M-Pesa systems auditor, had access to confidential subscriber data to enable him to discharge his duties.
Safaricom alleges that Kinuthia, together with Brian Kamatu Njoroge, who was the head of regional expansion at the telco, “breached their contractual and statutory duty” to keep the data they accessed confidential and “decided to offer the data for sale to the highest bidder.”
The two are said to have enlisted the help of one Bernard Kabugi Ndung’u, who promised to organise the sale of the data to a leading sports betting company.
It is understandable why banks are issuing such warnings. Not only have the victims of sim-swap been going after them, accusing them of foul play; such attacks can also fester doubt in the entire financial system.
“There is only so much that banks can do,” said Bright Gameli, a cyber-security expert.
Even as commercial banks have inundated their customers with a barrage of texts warning them against divulging their personal details, investigators have been busy.
The Directorate of Criminal Investigation (DCI) says it arrested and detained Ahmed Said Abeid in connection with a swim swap case reported by one of the leading banks on January 7 this year.
Shared details
Mr Abeid is purported to have fraudulently received Sh2.8 million on his Bank and M-Pesa accounts from five victims.
But there have also been arrests of employees of banks or telecommunications providers who might have colluded with the hackers to defraud subscribers.
Jackson Maina Mwaniki, an employee of Equity Bank, Naivasha Branch was arrested, detained and arraigned in court for purportedly sharing account details of a victim of sim-swap fraud.
It is the same with Faith Mueni, who is a Territory Sales Executive for Airtel Kenya. She is being investigated for aiding and abetting theft from a mobile account and transfer to 35 Airtel Money Accounts amounting to Sh4.2 million.
This money, investigators say, was then cashed out by way of transfers to seven M-Pesa Accounts, bank accounts and direct withdrawals through Airtel Money agents.
“Investigations established that the suspect (Faith Mueni Mengi) received Sh100,000 on her bank account from one of 35 Airtel Money Accounts. She could not give a satisfactory account of source or purpose of the amount of money received.”
Experts say there are several areas where people leave traces of their personal details, including those given at the entrance of public buildings, M-Pesa agents, cyber-faces or even logging into a public wi-fi.
Armed with these details, somebody can convince your provider to switch your phone number to a sim card in their possession. With that, they can easily access your information, including your mobile banking, M-Shwari and M-Pesa.
Increased digitisation during the Covid-19 pandemic seems to have heightened cyberattacks.
Data from the Communications Authority of Kenya, the ICT industry regulator, shows that cyberattacks jumped by a staggering 159 per cent in the period between July and September last year.
Besides cyberbullying and internet trolling, the jump was also attributed to online fraud, which increased by close to a third.
Addressing the sim-swap scam has been derailed by, among other factors, a lack of capacity, according to Lawyer Hub’s Bonyo.
“The problem is tracing these specific criminals. You need to collaborate with different government agencies,” she said.