True Story: How I Was Scammed Through Social Engineering (With Illustrations)

Four years ago–2017–I was a victim of a well orchestrated social engineering attack that left me–and other students–a thousand shillings sorry. At this time, I was a 3rd Year student taking computer technology that would later, in hindsight, transition me to the cybersecurity profession. Now I know better and can perhaps laugh at how naïve I was, and by extension, how scammers know how to tap desperation and capitalize on the gullibility of campus students. Here is the narrative!

On Wednesday April 26, 2017, I applied for a data entry job that I had heard of by word of mouth and through social media platforms. Such opportunities were always hard to come by, and with the long holidays about to kick in, such a chance was bound to attract many students across public universities. So, as the rest of the comrades, I diligently applied for the position that had supposedly been advertised by the ministry of education seeking data entry clerks to work with.

 

Barely three hours after applying, I got a reply requiring me to download and fill a form that would include several of my personal details.


I filled the form, scanned, and sent it back promptly, awaiting further instructions. About a month later, I received a new email from the ‘ministry of education’ congratulating me for being approved as a data entry clerk. The mail further stated the terms of the contract and further instructions on training and working hours.

Further instructions from the ‘ministry of education’ were that I contact and obtain a standard data entry staff uniform from Stitch Experts Ltd. via stitchexpertske@gmail.com. I promptly wrote to the company.

For this, I would be charged 2000 shillings, 1000 deposited prior, and the rest payable on delivery. This plan sounded appealing enough for me to immediately commit 1000 shilling payable to the phone number +254703563829 (Felix Adala). The instructions also allowed for physical visits to a location along Mombasa road where measurements would be taken. But since I was far away, I opted to have my measurements done by a local tailor and sent via the same email. Meanwhile, many other comrades were also in the local campus tailor shops, getting busy with measurements to send with the hope of clinching the jobs. To make it more believable, applicants were to send evidence of payment once they paid the 1000 shillings. This was for verification purposes.


The measurement instructions were so elaborate that they had even attached an image of all the required measurements.


On sending my measurements and the required money, I was notified that my uniform was ready for collection. I was to either pick, or have it delivered via courier services. I made it known that I preferred the latter option.


Meanwhile, I had confirmed to the ‘ministry of education’ that my uniform was being made. I estimated the delivery time and asked that I be scheduled for training in line with my end of semester examinations.


Three days after stating my preferred mode of uniform delivery, I asked about the progress, but as it were, I did not receive any further replies from the stitch guys.


On the other side, the ‘ministry’ also failed to answer my queries about scheduling my training sessions, something they had promised to do soon as I stated that my uniform was ready. 


The last communication with the ‘ministry’ as it turns out, was on May 30 when they were issuing instructions to obtain uniforms from the stitch experts.

 Just over a month after my last email asking for the way forward, I got another email asking me to fill a form and send it to the email address elizabethmwaniki2011@gmail.com. This may have been the scammers' efforts to revive their campaign from another frontier, or give some sense of legitimacy to a process that had already proved dubious.

Naturally, I was angry and frustrated. So I sent my message of disapproval and forgot about the whole ordeal.


A promising engagement for a job opportunity broke down on July 15th 2017, just over two months after initial contact. By estimation, if the criminals had reached every university at the time, then they had made away with hundreds of thousands, if not millions of gullible comrades’ hard-earned money.

Looking back, the experience taught me to be suspicious of every job opportunity, more so, towards those that demanded for some kind of payment during the application process–Indeed, this has since become the number one red flag identifying scammers. What made this social engineering so sublime, however, was the conviction that the money was to be put into immediate use, i.e., making uniforms. They had even asked for only a fraction of the money as deposit. These alone would convince the younger me–plus many other unsuspecting students–that the process was legitimate. Everybody seemed to be making applications, almost in a frenzy-like manner. Whom would I blame if I stalled only to find out that it was legitimate?

Years later, having become a cybersecurity practitioner, I can confidently point out the scam since there are so many ‘red flags’ that would be hard to miss.

1.            Email headers – From early on, even without deep knowledge, the recruiters’ email addresses were suspicious. For example, there is no way a whole ministry of education would be using the email address ministryofeductaion0011@gmail.com or dataentryjobs@ministryofeducation.co.ke. These are generic addresses anybody can create and use as long as they are unique. Furthermore, the ministry’s domain would typically end with .go.ke country code top-level domain and not .co.ke which denotes a commercial entity.


2.            Communication Inconsistencies – The scammers used more than one email address for communication. Legitimate employers would typically maintain a consistent–usually one–email address for communication. The scammers used up to three email addresses– ministryofeducation0011@gmail.com, dataentryjobs@ministryofeducation.co.ke, and elizabethmwaniki2011@gmail.com–to coordinate their activities. Though well-coordinated, these should have raised early concerns over their legitimacy.

3.            Vague job titles – The scammers did not have convincing job titles. A typical recruiters’ email should be accompanied with a clear job title, e.g. John Doe, human resource manager, or head of ICT, and so on. The scammers only used their names–which were obviously fake– and generic tags for the institution they represented.


Furthermore, the scammers did not outline the specific job roles expected of the applicants, nor did they outline clear deliverables for the job, including the expected work period.  

Now, the law is very clear

The computer misuse and cybercrimes act (2018) would find the scammers guilty of computer fraud (section 26) and cybersquatting (section 28). By making unlawful gains, wrongful loss to other people, and obtaining economic benefit at the expense of other people, the scammers would be guilty of computer fraud and consequently, liable to fines not exceeding 20 million shillings and/or 10-year imprisonment. By using a name or domain that is similar, identical, or confusing (as is with the username ministryofeducation.co.ke), the scammers would also be guilty of cybersquatting and therefore, liable to a fine not exceeding 200,000 and/or a 2-year imprisonment.  

Under the Data Protection Act (2019), the scammers would be guilty of unlawful collection of personal data including names, email addresses, telephone numbers, ID, age, and kin parent/guardian details, including physical addresses. Such kind of data collection would require clear explanation including their reason for collection, intended use, storage, processing, and eventual destruction. Since the objective of the process was to scam applicants, the perpetrators would automatically fall short of lawful data collection and use.

Find more on these two Kenyan cybersecurity laws here.

Take-aways

At some point in life, we have all been faced with social engineering attacks–whether simple or sophisticated. With time, the nature of these attacks has become sophisticated enough, even for tech-savvy and IT experts to discern. It is no wonder then, as I pointed out here, that cybersecurity roles need to become deeply entrenched in every organization and institution to promote, amongst other objectives, training and awareness. Alongside this, individuals need to know how to detect phishing emails and other social engineering campaigns. This is especially necessary since email communication is the most used formal means of communication at both personal and enterprise level. 

While this social engineering incident happened a while ago, I now appreciate that I can no longer fall prey. As they do say, once bitten, twice shy.

Now that I know I was hurt; will I seek justice? What more can I unravel? stay tuned!

 







Comments

Was that insightful? Read more articles below

Enough with Numbers and Versions!

Password Attacks: How Much do you Know?

Top 5 Things you are probably doing wrong with your phone - A cybersecurity perspective