Poor precaution to blame for increase in cyber-crime

If you use a mobile phone with an internet connection, especially to carry out transactions, you are a potential victim of cyber-crime, according to a new report.

Chances are that there are cyber-criminals lurking in the shadows of the Internet waiting for you to reveal your passwords.

Once they get their hands on your password, they will use the information to skim your hard-earned cash from your account.

Experts estimate that cyber-crime cost Kenya about Sh17 billion in 2016.

“People should not look at the Sh17 billion as money lost by banks through cyber-crimes,” says Mr William Makatiani, the Managing Director of Serianu Limited, an IT services and business consulting firm.

“That is the cost of cyber-crime. That is money that could have been used to do something else.”

The Africa Cyber Security Report (2016), published this month by Serianu, said the Sh17 billion includes the costs of anticipating cyber-crime, such as antivirus software, and the consequences of cyber-crime, such as direct losses and indirect costs in response initiatives and reputation damage to victim firms.

Indeed, cyber-crime is closer to the average Kenyan than many care to admit.

“Cybercrime is a big problem in the country but the challenge is that people do not know,” says Mr Makatiani.

According to him, many fail to take precautionary measures until cyber-criminals raid their bank accounts or other forms of data banks, including sensitive business information.

In an age where banking, procurement, government services, hospitality and many other industries have been automated, cyber-criminals are now not just targeting individuals but institutions as well.

“Cyber-crime is no longer the exclusive domain of computer prodigies. Crimeware-as-a-service, a term used to describe the many ready-made services available to execute a variety of cyber-attacks, has made perpetrating cyber-crime easier and cheaper than ever,” says Raymond Isiaho, a Senior Manager at Deloitte Cyber Risk Services for East Africa.

“Any organisation with information worth stealing is a target.”


A society that is increasingly using mobile phone-based services, some of which are exposed to vulnerable ICT infrastructure, is just one of the few pointers that make Kenya susceptible to cyber-crime.

The ICT Sector Quarterly statistics for the first quarter of 2016/2017 by the Communications Authority of Kenya paint the country as an upwardly mobile society, with mobile subscriptions having hit 38.5 million.

Mobile commerce transactions stood at Sh447.3 billion as at September 2016.

With an Internet penetration of 85.3 per cent, there are an estimated 37.7 million Internet users in the country.

These statistics mean that Kenya is the perfect hunting ground for cyber-crime.

“Mobile means moving from network to network, including Wi-Fi spots that can easily be infected or offer a chance for unwanted intruders. The levels of security that are applied for traditional networks and personal computers are not applied to mobile,” says Erik van der Dussen, Deloitte East Africa Industry Leader for Technology, Media and Telecommunications.

Mr Dussen also attributes Kenya’s vulnerability to cyber-crimes to a relatively vibrant economy.

“Kenya’s loot is worth the crime. The middle class is growing and the same goes for rich individuals and companies. As burglars tend to go to the houses of the wealthy, cyber-criminals like (relatively) rich countries,” he says.

In 2016, Kenya was ranked 69th among the most vulnerable countries in the Global Threat Index, out of 127 countries.

This is an improvement from the previous year, in which it was ranked 45th.

However, Kenya still has a long way to go, with low awareness, under-investment and a talent shortage in fighting cyber-crime.

While the main targets of cyber-crime in the country are banks, public institutions, mobile money, betting sites, e-commerce and the hospitality and retail industries, the most common form of cyber-crime is attacks on individuals, where the victims’ passwords are used to commit fraud.

Phishing, email spoofing, denial of service (DoS), theft of credit or debit card data and financial scams are also common cyber-crimes targeting individuals.

Phishing is the fraudulent sending of e-mails purporting to be from reputable companies or individuals in order to have the recipient reveal sensitive information.

Theft of credit or debit card data affects digital payments where your credentials and money are stolen from your bank account.

Mr Makatiani adds that CEOs are also being targeted.

“We have heard cases of cyber-criminals sending fake e-mails to financial officers asking them to transfer money to a certain account,” he says.

Cyber-criminals are generally young, ambitious, tech-savvy individuals.

However, the cyber-criminal of today is much more shrewd than those who prowled the internet in the past.

It is worth noting that the greatest advantage that cyber-criminals enjoy is not their technical know-how but the veil of anonymity.

“To profile the cyber-criminal or indeed any other fraudster, you need to understand the driving force behind their actions,” says Moses Kiarie, a Senior Manager at Deloitte Forensic.

“With this understanding, organisations could proactively put in place systems and processes that help prevent and detect cyber-infiltration.”

Every expert in the field has their own classification of the typical cyber-crime.

What remains constant is that there are generally two types of cyber-criminals: the amateurs who are out to have some fun and prove a point, and the professionals who make a fortune from cyber-crime.

Mr Kiarie categorises cyber-criminals into two broad groups: the opportunistic and the determined criminal.

While both are typically smart and tech-savvy, the motivation behind the opportunistic cyber-criminal is simply peer recognition and a sense of accomplishment.

Like a wild animal, the opportunistic cyber-criminal is always on the move, prowling through the cyberspace for weak and vulnerable systems, especially those with public interest.

“However, penetrating a weak environment in itself may not be intellectually stimulating if it is not accompanied with recognition! For recognition, these individuals want to broadcast their accomplishment which is done through ‘de-facing’ websites and other attacks, to leave their mark,” says Kiarie.

The other kind of cyber-criminal is more ‘serious’ and is in the business for the money.

They are more aggressive and targeted, and their attacks could be for protest (hacktivism), for financial gain, or for political or espionage reasons.

The good news, however, is that Kenya is taking some steps towards legislation, in particular with the Cyber Security and Protection Bill 2016, which is yet to be passed by the Senate, pending public consultations.

The Bill, if passed, will see Kenyans protected from unauthorised access, child pornography, cyber stalking and fraudulent online transactions.
