True Story: How I Was Scammed Through Social Engineering (With Illustrations)

-

Four years ago–2017–I was a victim of a well orchestrated social engineering attack that left me–and other students–a thousand shillings sorry. At this time, I was a 3rd Year student taking computer technology that would later, in hindsight, transition me to the cybersecurity profession. Now I know better and can perhaps laugh at how naïve I was, and by extension, how scammers know how to tap desperation and capitalize on the gullibility of campus students. Here is the narrative!

On Wednesday April 26, 2017, I applied for a data entry job that I had heard of by word of mouth and through social media platforms. Such opportunities were always hard to come by, and with the long holidays about to kick in, such a chance was bound to attract many students across public universities. So, as the rest of the comrades, I diligently applied for the position that had supposedly been advertised by the ministry of education seeking data entry clerks to work with.

 

Barely three hours after applying, I got a reply requiring me to download and fill a form that would include several of my personal details.


I filled the form, scanned, and sent it back promptly, awaiting further instructions. About a month later, I received a new email from the ‘ministry of education’ congratulating me for being approved as a data entry clerk. The mail further stated the terms of the contract and further instructions on training and working hours.

Further instructions from the ‘ministry of education’ were that I contact and obtain a standard data entry staff uniform from Stitch Experts Ltd. via stitchexpertske@gmail.com. I promptly wrote to the company.

For this, I would be charged 2000 shillings, 1000 deposited prior, and the rest payable on delivery. This plan sounded appealing enough for me to immediately commit 1000 shilling payable to the phone number +254703563829 (Felix Adala). The instructions also allowed for physical visits to a location along Mombasa road where measurements would be taken. But since I was far away, I opted to have my measurements done by a local tailor and sent via the same email. Meanwhile, many other comrades were also in the local campus tailor shops, getting busy with measurements to send with the hope of clinching the jobs. To make it more believable, applicants were to send evidence of payment once they paid the 1000 shillings. This was for verification purposes.


The measurement instructions were so elaborate that they had even attached an image of all the required measurements.


On sending my measurements and the required money, I was notified that my uniform was ready for collection. I was to either pick, or have it delivered via courier services. I made it known that I preferred the latter option.


Meanwhile, I had confirmed to the ‘ministry of education’ that my uniform was being made. I estimated the delivery time and asked that I be scheduled for training in line with my end of semester examinations.


Three days after stating my preferred mode of uniform delivery, I asked about the progress, but as it were, I did not receive any further replies from the stitch guys.


On the other side, the ‘ministry’ also failed to answer my queries about scheduling my training sessions, something they had promised to do soon as I stated that my uniform was ready. 


The last communication with the ‘ministry’ as it turns out, was on May 30 when they were issuing instructions to obtain uniforms from the stitch experts.

 Just over a month after my last email asking for the way forward, I got another email asking me to fill a form and send it to the email address elizabethmwaniki2011@gmail.com. This may have been the scammers' efforts to revive their campaign from another frontier, or give some sense of legitimacy to a process that had already proved dubious.

Naturally, I was angry and frustrated. So I sent my message of disapproval and forgot about the whole ordeal.


A promising engagement for a job opportunity broke down on July 15th 2017, just over two months after initial contact. By estimation, if the criminals had reached every university at the time, then they had made away with hundreds of thousands, if not millions of gullible comrades’ hard-earned money.

Looking back, the experience taught me to be suspicious of every job opportunity, more so, towards those that demanded for some kind of payment during the application process–Indeed, this has since become the number one red flag identifying scammers. What made this social engineering so sublime, however, was the conviction that the money was to be put into immediate use, i.e., making uniforms. They had even asked for only a fraction of the money as deposit. These alone would convince the younger me–plus many other unsuspecting students–that the process was legitimate. Everybody seemed to be making applications, almost in a frenzy-like manner. Whom would I blame if I stalled only to find out that it was legitimate?

Years later, having become a cybersecurity practitioner, I can confidently point out the scam since there are so many ‘red flags’ that would be hard to miss.

1.            Email headers – From early on, even without deep knowledge, the recruiters’ email addresses were suspicious. For example, there is no way a whole ministry of education would be using the email address ministryofeductaion0011@gmail.com or dataentryjobs@ministryofeducation.co.ke. These are generic addresses anybody can create and use as long as they are unique. Furthermore, the ministry’s domain would typically end with .go.ke country code top-level domain and not .co.ke which denotes a commercial entity.


2.            Communication Inconsistencies – The scammers used more than one email address for communication. Legitimate employers would typically maintain a consistent–usually one–email address for communication. The scammers used up to three email addresses– ministryofeducation0011@gmail.com, dataentryjobs@ministryofeducation.co.ke, and elizabethmwaniki2011@gmail.com–to coordinate their activities. Though well-coordinated, these should have raised early concerns over their legitimacy.

3.            Vague job titles – The scammers did not have convincing job titles. A typical recruiters’ email should be accompanied with a clear job title, e.g. John Doe, human resource manager, or head of ICT, and so on. The scammers only used their names–which were obviously fake– and generic tags for the institution they represented.


Furthermore, the scammers did not outline the specific job roles expected of the applicants, nor did they outline clear deliverables for the job, including the expected work period.  

Now, the law is very clear

The computer misuse and cybercrimes act (2018) would find the scammers guilty of computer fraud (section 26) and cybersquatting (section 28). By making unlawful gains, wrongful loss to other people, and obtaining economic benefit at the expense of other people, the scammers would be guilty of computer fraud and consequently, liable to fines not exceeding 20 million shillings and/or 10-year imprisonment. By using a name or domain that is similar, identical, or confusing (as is with the username ministryofeducation.co.ke), the scammers would also be guilty of cybersquatting and therefore, liable to a fine not exceeding 200,000 and/or a 2-year imprisonment.  

Under the Data Protection Act (2019), the scammers would be guilty of unlawful collection of personal data including names, email addresses, telephone numbers, ID, age, and kin parent/guardian details, including physical addresses. Such kind of data collection would require clear explanation including their reason for collection, intended use, storage, processing, and eventual destruction. Since the objective of the process was to scam applicants, the perpetrators would automatically fall short of lawful data collection and use.

Find more on these two Kenyan cybersecurity laws here.

Take-aways

At some point in life, we have all been faced with social engineering attacks–whether simple or sophisticated. With time, the nature of these attacks has become sophisticated enough, even for tech-savvy and IT experts to discern. It is no wonder then, as I pointed out here, that cybersecurity roles need to become deeply entrenched in every organization and institution to promote, amongst other objectives, training and awareness. Alongside this, individuals need to know how to detect phishing emails and other social engineering campaigns. This is especially necessary since email communication is the most used formal means of communication at both personal and enterprise level. 

While this social engineering incident happened a while ago, I now appreciate that I can no longer fall prey. As they do say, once bitten, twice shy.

Now that I know I was hurt; will I seek justice? What more can I unravel? stay tuned!

 







Location: Nairobi, Kenya

Comments

Post a Comment

Impressed? Leave a comment!

Was that insightful? Read more articles below

Enough with Numbers and Versions!

-
Image
It is now emerging that Apple will release iPhone 12 in the coming months, much to the delight of those able to afford and of course, to the envy of those who can't or have never owned an iPhone in their lives (me included). But that's not the point. The point is, this next release will be iPhone 12. That is about 12 years since the release of the first iPhone, iPhone 1 (iPhone 2G). That is roughly an iPhone every year. Very impressive. By 2050, assuming we go by the 'an iPhone a year' trend, we should see iPhone 42. Right?  iPhone is just one example. Other phone makers are hot on this trail. Since an emphatic re-entry into the android market, Nokia has released a whole range of flagship devices, from Nokia 1 to Nokia 9 pureview. In between, there are insane devices and versions. Number 6, for example, is taken by Nokia 6, Nokia 6.1, Nokia 6.1 plus, and Nokia 6.2. Isn't this overwhelming? This is the trend for just about any Nokia released recently.  Now consider
Read more

Password Attacks: How Much do you Know?

-
Image
source:lifars.com There are a variety of ways hackers can get hold of your passwords to compromise the confidentiality, integrity, and availability of your system/accounts. The type and severity of the attacks will depend on the willingness to get hold of your accounts and whether you present anything of value to the attacker's course. Nonetheless, everyone needs to know the methods hackers can use to get breach the integrity of their passwords. Whether you are a clueless toddler with a tablet or a tech-savvy CEO, understanding password attacks will better help you know how to protect yourself.  Non-Electronic Password Attacks Non-electronic password attacks are a common tool for attackers without any deep technical knowledge. Such malicious actors will use subtle ways to get wind of your passwords, more so without your knowledge. One such way is through social engineering , where the individual will manipulate and trick you into revealing your password. The attack might for exampl
Read more

Mobile Viruses - The Stronger Foes

-
Hi there!  You have probably heard of a plethora of antiviruses sufficient enough to keep the Corona virus at bay. One such antivirus is the Astrazeneca vaccine that is widely available, and for free. Why not get a jab at the nearest designated health facility? You may not believe it, but we need you around. For taxes.  See, when I was young, I wanted to become a doctor. So far, not so good. Here's the flipside though, I still get to talk about viruses, albeit computer viruses. A virus is a type of malicious software (malware) that upon execution, acts to harm your computer by damaging programs, compromising their functionality, and more broadly, doing anything it is designed to do by its creator. A virus may for example, delete your files, replicate and spread itself to slow down system activities and services, and disrupt the overall performance of your computer. No wonder you hear comments over the association between a slowing machine and the presence of computer viruses. There
Read more