Why Kenyans are sitting ducks as hackers take aim at weak systems

Mercy was at home when she got an alert from her bank that a transaction has been made through her debit card.

“I was puzzled since I had my card with me at the time, and I had never used it for online shopping,” she explained. 

Mercy reported the fraud to the bank, which blocked the card immediately and promised to investigate.

But it was too late; about Sh80,000 had been stolen from her savings account.

“I still get notifications that the person is trying to make transactions on the card even as it remains blocked and any efforts of tracing or recovering the money through the bank have been fruitless,” she said. 

Mercy is just one of the many Kenyans who have fallen victim to cybercrime in the recent past, with reports indicating the Covid-19 pandemic has driven up cases to record highs. 

According to technology service provider Liquid Telecom, cases of cyberattacks and theft of personal or confidential corporate data have spiked in recent months following the outbreak of the virus.

“In the past, organisations had a server room, users were connected to the server and the company’s cybersecurity needs were confined in one place,” explained Liquid Telecom Chief Executive Nic Rudnick. 

“It was slightly reassuring for the Chief Information Officer (CIO) to lock the server room and put the key away and know that things are generally under control,” he added. 

Today, however, corporate networks have expanded to include social media apps that employees download and install in their devices, often with little oversight from the company’s IT department. 

Liquid Telecom estimates close to half of corporate data today is in the “cloud”, with both customers and employees interacting across numerous platforms and applications. 

However, only 10 per cent of applications have been sanctioned by the IT departments and 20 per cent are user-led (such as social media apps), significantly increasing the risk and exposure to cybercrime. 

In its latest quarterly analysis of global online fraud trends, credit scoring firm TransUnion found that while fraudsters had decreased their schemes against businesses, they had increased scams against consumers online during the Covid-19 pandemic.

Based on an analysis of billions of transactions and more than 40,000 websites and apps, the firm notes that the percentage of suspected fraudulent digital transactions against businesses worldwide decreased nine per cent from the beginning of the pandemic (from around March 11 to May 18) to when businesses began reopening (between May 19 and July 25).

This is in comparison to a 10 per cent increase in digital Covid-19 schemes targeted at individual consumers of financial services. The survey on consumers ranged from the early days of the pandemic (the week of April 13) in the region to the end of July.

“If we bring it home, Kenya is not spared for two reasons,” explained TransUnion Kenya Chief Executive Billy Owino. “First, it is the technology hub of the region with over 200 digital services businesses. The robust information technology infrastructure that comes with this makes the country an attractive market for cybercriminals,” he said.

“Second, Kenya has been at the forefront of digitisation with mobile money and digital financial services. As such, most consumers are digitally savvy and embrace these services much more.”

The proliferation of unregulated Internet Service Providers (ISPs) has also been cited as a catalyst, especially in estates on Thika Road and Eastlands. 

With many estates left unserved by the major broadband service providers, numerous ISPs have mushroomed, giving users eye-watering deals on high-speed Wi-Fi. According to John Gichuki, a cybersecurity expert based in Nairobi, unsafe Wi-Fi connections can be used by hackers to deploy a “man in-the-middle-attack.”

“What happens is the hacker can install a keylogger, a malicious programme that allows them to see your traffic and record keystrokes so they can follow your financial transactions and get your passwords,” he explained.  

In the past few months, several firms have fallen victim to this as the hackers target unsuspecting employees working and transacting online to plant malware in the corporate network. 

In two instances, the CEO of a major organisation in the country is reported to have paid a significant sum to hackers that were holding the firm’s corporate data for ransom.   

A recent report by Liquid Telecoms estimated that Kenya loses around $300 million (Sh30 billion) annually to cybercrime.

Owino warned things could get worse in the wake of the pandemic. 

“What we know is that Kenya’s financial services sector remains a target for cybercriminals and fraudsters due to its robust nature, especially when it comes to digital services,” he said. 

“In Kenya, 34 per cent of business moved transactions online, and overall there’s been a 24 per cent increase in the value of mobile money transactions within the financial sector since the beginning of the pandemic.”  

The company noted that 10 per cent of the disputes it handles are in relation to fraudulent loan facilities taken using identity theft.

Another report by Kaspersky showed that Kenya accounted for one in every four reported online attacks in Africa. 

As such, it’s critical that financial services providers put in place strong measures to mitigate fraud and cybercrime as they accelerate their digitisation.

“The other challenge is lack of awareness by consumers on the what and how when it comes to protecting their identity and transacting safely online. More needs to be done in this space to educate consumers,” he said.

The surge in fraud online could harm the fast adoption of online financial services as providers take caution to avoid loss of customers’ funds. This is especially the case for the “less sophisticated” players like Saccos and microfinance institutions, while the bigger players who have already adopted digital service provision will have to further invest in additional layers of protection for their customers to safely transact online.

[email protected], [email protected]