The study, The Anatomy of the New Fraudster, published by tech company Banking Payments Context (BPC) shows apart from targeting corruptible employees, scammers are now targeting untrained personnel to share private data of top executives unknowingly and end up purloining billions of money, which is hidden in cryptocurrency form.
“Card fraud and particularly identity theft have gone rampant. Fraudsters also use cryptocurrencies to buy credit card data on the darkweb, data that has been stolen through phishing or hacking,” reveals the research.
According to Nairobi-based author of Understanding the Blockchain Benjamin Arunda, the ever rising stature of data and digital currencies like Bitcoin and Ethereum in Kenya is the key motivation for online thugs to convert stolen money into cryptos.
“Bitcoin wallets provide ‘semi-anonymity’ to individual or corporate entities, so they can stash funds in Bitcoin off the regulator’s radar. This is a very convenient way to launder money,” he told Digital Business.
Last February, German prosecutors confiscated more than Sh6 billion worth of Bitcoin from a fraudster, but police could not unlock the money because the man refused to give them the password.
In 2019, more than Sh400 billion was lost through crypto scams around the world, with Ponzi schemes being the leading form of Bitcoin fraud where huge platforms such as PlusToken drew large sums of money.
In January, 53-year-old Rossen Iossifov, the owner of a Bulgarian Bitcoin exchange, was sentenced to prison in the US for his role in a transnational multimillion-dollar online auction fraud scheme that conned people out of more than Sh700 million.
Iossifov, who owned cryptocurrency exchange RG Coins, was found guilty of knowingly and intentionally engaging in business practices designed to both assist fraudsters in laundering the proceeds of their fraud and to protect himself from any criminal liability.
“Since the inception of cryptos in 2009, criminals have been using blockchain technology to launder large sums of money to finance global crimes. With their identities being hidden, it is difficult for regulatory and anti-money laundering authorities to track their identities and sources,” says Alice Anangi, chief executive of Nairobi-based Zeden Technologies.
She adds that as much as regulatory bodies may relate blockchain technology to such illegal activities, it would be more productive for them to embrace the technology instead and make use of its distinct features such as transparency and immutability in fighting cyber criminals.
Card-not-present (CNP) ATM payment transactions remain fraudsters’ preferred target during the pandemic, for the simple reason that the buyer and seller do not meet in person.
The anonymous nature of CNP payments, the survey notes, makes it much more vulnerable, leading to unauthorised use of specific credit or debit card numbers, security codes, expiry dates and billing addresses to purchase products and services via e-commerce websites or apps.
According to Frank Molla, managing director and head of Sub-Saharan Africa for BPC, fraudsters are also pretending to be financial institutions.
“They even go as far as replicating the website of your bank, which looks exactly the same as the real one. They are obtaining huge chunks of data from Facebook and Google, leading to identity theft,” he told Digital Business.
And as millions of people continue adapting to working from home, cyber attack gangs have devised even more sophisticated software using Artificial Intelligence that is able to transact business on behalf of a company, thereby cashing in on the various cyber security loopholes.
Many organisations have ditched traditional data storage methods and moved to the cloud. However, while backing up their data offline, other virtual machines gain access to their confidential information.
These attacks come as snares in the form of file hashes, Internet Protocol links, zip files, execution files, applications. Spear phishing, botnets, malware, ransomware, Dedicated Denial of Service (DDoS) and Advanced Persistent Threat (APT) have made the cyber security space complex for many corporates.
Transaction laundering, where a merchant aggregates payment transactions on behalf of another merchant’s website, without the knowledge of the merchant acquirer, has also been soaring.
With a February Mastercard study indicating that 79 percent of Kenyan consumers are shopping online since the pandemic began, cyber criminals find Kenya, a tech savvy nation with low online security skills, an attractive target.
Instead of investing millions in cyber security plans that can thwart an attack in real-time, local companies, banks, saccos and telcos have been known to choose not to undermine the ravages of a cyber attack gang, and have ended up losing billions in the process.
A 2019 survey of more than 150 Kenyan companies by tech consultancy firm, Serianu, shows that 60 percent of firms surveyed had no real strategy in place to tackle cyber crime while 84 percent had no formal standards for IT governance at their institutions.
The report also shows that 44 percent of companies only set aside Sh100,000 or less as part of their annual cyber security budget.
A further 36 percent of firms invested between Sh100,000 and Sh500,000 in cyber security while only 6 percent spent at least Sh1 million.
“You will never hear reports of mass cyber hacking, but they occur every month, and victim companies conceal the loss as it would translate to customer mistrust and loss of business,” says Ms Anangi.
The Communications Authority of Kenya (CA) data shows that more than 56 million cyber threats were detected nationwide in 2020, in comparison to 37.1 million in 2019.
In 2017, Kenya’s digital economy lost Sh21.1 billion to cybercrime, which increased by 39.8 percent in 2018 to Sh29.5 billion according to pan-African based cyber-security consultancy firm Serianu.
“As the world continues its march into the Fourth Industrial Revolution, banks and businesses operating in the digital sphere must remain alert and prepare for more attacks. The economic and reputational risks are simply too big to ignore,” says Emmanuel Obinne, head of growth and partnerships, at BPC West Africa.