A global cybercrime syndicate operating from Kenya is targeting enterprises nationally and beyond through phishing – specifically Business Email Compromise (BEC). Criminals hack and impersonate corporate email accounts to defraud companies into sending money or sensitive data to the attacker’s account.
Globally, 30% of such emails get opened and responded to by targeted users, and the impact of these attacks makes up a significant proportion of the US$6 trillion in cybercrime costs to organisations and their customers.
In a scheme engineered by cyber criminals from Kenya, the Fairfax County government in Washington DC was defrauded of over US$500 000 after following instructions it believed came from Dell, its Texas-based computer supplier, to reroute payment to a new account in Ohio. The money was piped from Ohio to Nairobi. This incident was just one part of a well-organised and coordinated transnational criminal BEC phishing scheme that was uncovered and disrupted by the US Federal Bureau of Investigation (FBI).
Operation reWired was a 2019 effort by the FBI in cooperation with other countries to disrupt and dismantle international BEC schemes. It resulted in the arrest of 281 people globally, including from Kenya, Nigeria and Ghana, as well as European, Asian and North American countries. In addition to the Fairfax County US$500 000, nearly US$3.7 million was seized and almost US$120m disrupted and recovered in illicit BEC wire transfers.
Kenya – regarded as the ‘Silicon Savannah’ of East Africa, the Horn of Africa and Central Africa – is home to a US$1 billion tech hub and over 230 digital service provider start-up businesses. It is home to big information technology companies and is building a US$10 billion smart city. With all this robust information technology infrastructure in place, Kenya remains an attractive market for cybercriminals.
A report by Serianu, a pan-African-based cyber-security and business consulting firm, states that Kenya lost US$295m to cybercrime in 2018, with BEC being one of the main ways used to defraud local businesses. It notes that enterprises such as savings and credit cooperative societies, banks, financial services integrators, betting firms and Kenya’s government have lost money amid the general increase in cyber-related attacks over the past three years. The report says Kenya lacks the technical manpower to provide cyber security.
Before the passing of the Computer Misuse and Cybercrimes Act in 2018, Kenya already had laws that addressed cybercrime offences, such as the Information and Communications Act and the Penal Code. In Kenya, any phishing offence such as BEC is punishable by a fine not exceeding US$3 000 and/or imprisonment not exceeding three years.
There is no authoritative data showing how many people have been fined for phishing-related crimes. Even though the 2018 act is more inward looking, with emphasis on protecting Kenya’s critical information infrastructure, the act makes provision for legal assistance and cooperation with other states, international entities and service providers in addressing cybercrimes. This is important in addressing cybercrimes that are mostly transnational.
However, phishing through BEC isn’t going away any time soon. Kenya needs a cyber-resilience strategy that will mitigate the enormous effect such threats have on its well-established internet infrastructure.
Mohamed Daghar, Researcher, ENACT project, ISS