IST-Africa 2020 Conference Proceedings

Miriam Cunningham and Paul Cunningham (Eds)

IST-Africa Institute and IIMC, 2020
ISBN: 978-1-905824-64-9

Social Engineering Based Cyber-Attacks in

Kenya
James OBUHUMA, Shingai ZIVUKU
Africa Nazarene University, P.O. Box 53067, Nairobi, 00200, Kenya,
Tel.: +254 710 463 258, Email: [email protected], [email protected]
Abstract: Cybersecurity is a major challenge especially as the world transitions to
the fourth industrial revolution. Cybercriminals are always perceived to be using
complex sophisticated mechanisms to launch attacks to information systems. It is
however worth exploring Social Engineering as one of the arts used to exploit the
weakest layer of information security systems, who are the users. In the recent past,
the world has witnessed a gradual gain in popularity of Social Engineering attacks
propagated through varied forms, including, phishing, vishing and smishing. Hence,
this paper presents and demonstrates an analytical approach towards Social
Engineering. The study explored the level of understanding of three forms of Social
Engineering and the prevalence of Social Engineering attacks with their
countermeasures. Qualitative and quantitative data was collected from a random
sample through an online survey and face-to-face interviews. Data analysis showed
that vishing and smishing are the most commonly used forms of Social Engineering
in Kenya with the use of authority featuring as a persuasion strategy used by
attackers striving for financial gain. The lack of user education and awareness
outstandingly came out as the main reason behind a majority of successful attacks.
The study was limited to Kenya as a representative of developing Nations in Africa.
The resulting study outcomes could form a foundation for the development of
information security policies and awareness programs. This could further translate
into National or International Laws on Social Engineering based Cyber-attacks.
Keywords: Cyber-Attack, Social Engineering, Phishing, Vishing, Smishing,
Cybercrime, Cybersecurity.

1. Introduction
The Fourth Industrial Revolution is the current and developing environment in which
disruptive technologies and trends are changing the way we live and work. These include
the Internet of Things (IoT), robotics, virtual reality (VR) and artificial intelligence (AI)
among others. The question of how cyber resilient we are with all these disruptive
technologies is a concern for relatively every organization globally. Cyber-attacks are
perceived from a complex sophisticated perspective. The commonly notable forms of
attacks that come into our minds at the mention of cybercrime include password attacks,
Denial of Service (DoS) and Distributed Denial of Service (DDOS) attacks, man-in-the-
middle attacks, phishing and spear-phishing attacks, Drive-by attacks, SQL injection
attacks, cross-site scripting (XSS) attacks, eavesdropping attacks and malware attacks. One
other form of attack that is always overlooked is Social Engineering [1]. Social Engineering
can be described as the art of exploiting the weakest layer of Information Security Systems,
the people who use the systems [2], [3]. The victims are usually deceived to release
information or perform malicious actions on behalf of the attackers. While technical
security of most critical systems is high, the systems remain vulnerable to attacks from
social engineers [1]. Social Engineering is non-technical, hence, does not require any
advanced technical tools, can be used by anyone and is cheap [1]. The technique consists of

Copyright © 2020 The authors www.IST-Africa.org/Conference2020 Page 1 of 9

using social influences to convince people that the attacker, the social engineer is whom
he/she claims or pretends to be [4].
From a layered security perspective, Information Security Systems are always viewed
from many levels, namely, perimeter, network, host, application, data and physical defence.
On the other hand, defence in depth is a multifaceted strategic plan where the layered
security could be part of the plan. Defence in depth is concerned with more than just the
immediate intrusion, but assumes a broader and more variable source of defence. The
strategy includes monitoring and alerting, emergency response, authorized personnel
activities, disaster recovery, criminal activity reporting and forensic analysis. Most
organisations and companies depend on high-tech defence systems, such as firewalls,
internet server hardening and even use of secure internal file transfers, to guard their
systems and networks against unauthorized entry, while overlooking the social aspects [5].
It is emerging that the biggest risk to information security in an organization is not
technology-related, rather it is in the inaction or action of employees and other
organisational personnel that consequently leads to security incidences [5]. A proper
strategy must be put in place to take care of end-users who are vulnerable to Social
Engineering that in return becomes a launching point for critical attacks.
Over-reliance on complex security systems that form the layered security model and
defence in depth strategies that overlook end-users’ policies and awareness creates a
vulnerability to a given Information Security System. Bullee et al.’s [4] findings support the
view that security mechanisms should include not only technical but also social
countermeasures. In the recent past, our society has become more dependent on information
technology. This has resulted in the tightening of technical prevention. Conversely, Social
Engineering has become the greatest threat to any security system.

2. Social Engineering
Social Engineering is a psychological form of attack normally targeted towards users
perceived to possess rich knowledge or access rights to sensitive information. However, due
to varied intentions by attackers, any person can still fall victim to Social Engineering.
Social Engineering could best be viewed as an indirect attack [6] aimed at having people
reveal information by using psychosomatic techniques. Social engineers have three key
tasks to undertake, namely, understanding the targeted victim, developing a perfect plan,
and launching that plan [7]. Hence, Social Engineering attacks occur in two main phases,
namely, the information-gathering phase and the exploit phase. During the information-
gathering phase, crucial information such as organization details including internal
documents, organization structure, client details and telephone directories or individual
details like date of birth, contact number, address, and marital status and so on are collected
[3]. The information is later used in the exploit phase to perform an attack. The nature of
exploit depends on the nature of information gathered from the user.
Social Engineering can be accomplished through many forms, three of which are,
phishing, vishing and smishing. Phishing is a network type of attack where the attacker
fakes something, for instance, a webpage, to fool an online user to elicit personal
information [8]. Phishing attacks are very difficult to detect because they occur in many
ways that people are unaware of [8]. These include spoofing emails, fake social network
accounts, hacking, and Trojan horses. Many tools can identify phishing websites and warn
clients about the malware present on the websites, but most of the users tend to ignore such
warnings [8]. Karakasiliotis, Furnell and Papadaki [9] investigated whether users could
identify legitimate phishing emails amongst a set of legitimate and illegitimate emails.
Findings from the study depict a need for increased security awareness. This is however a
great challenge due to the technical unfamiliarity or the behavioural traits of each
information system user. Conversely, vishing is the fraudulent practice of making phone

Copyright © 2020 The authors www.IST-Africa.org/Conference2020 Page 2 of 9

calls or leaving voice messages purporting to be from reputable companies to induce
individuals to reveal personal information, such as bank details and credit card numbers.
According to Yeboah-Boateng and Amanor [10], vishing is a voice phishing attack,
whereby a voice call received from an assailant lures the target into providing personal
information with the intention to use that information to cause harm. On the other hand,
smishing relies on the use of text messages to lure victims into revealing sensitive
information. According to Yeboah-Boateng and Amanor [10], smishing attacks could
involve text messages prompting a user to either click on a link provided, which leads to a
fraudulent website or for the attacker to get access to the user’s contacts and/or any other
confidential information.
There are six general principles of social influence, namely, authority, scarcity, liking,
reciprocation, commitment (consistency) and conformity (social proof) [11]. These
principles could be referred to as persuasion principles and are heavily relied upon by social
engineers to launch attacks. A study by Bullée et al. [4] explored the extent to which
persuasion principles are used in successful social engineering attacks. Seventy-four
scenarios were extracted from four books on Social Engineering written and analysed by
Social Engineering experts [4]. Three main findings were noted from the study [4]:
authority, conformity, reciprocity, commitment, liking and scarcity are the key persuasion
principles often used in Social Engineering attacks; Authority is used considerably more
often than others and single-principle attack steps occur more often than multiple-principle
ones. Understanding how offenders use social influences to convince their targets to
comply is a key element in dissecting Social Engineering attacks [4]. Bullee et al. [4] used
the crime script concept to dissect attacks into attack steps to better understand the nature of
attack and persuasion principle used. The dissection of crime scripts showed that the
anatomy of Social Engineering attacks consists of five elements, namely, persuasion
principles, other social influences, deception, real-time communication and telephone
operation. Approximately 80% of the crime scripts analysed consisted of one or two attack
steps with approximately 80% of the attack steps consisting of one or two persuasion
principles.
The proliferation of smart phones, tablets and hotspots is the main driver towards the
prevalence of these Social Engineering attacks on mobile devices [10]. According to
Yeboah-Boateng and Amanor [10], most mobile device users are either slightly aware or
completely unaware of Social Engineering threats against their devices. Amusingly, 55%
would occasionally examine the messages received as perceived threats, while 35% would
never or almost never scrutinize messages. Yeboah-Boateng and Amanor [10] hence
provide a taxonomy of appealing and enticing words used in phishing attacks as a
benchmark to end-users to guard against becoming victims of Social Engineering attacks.
For instance, words like click, download, message, password, account, document, please
and many more.
A Social Engineering Optimisation algorithm proposed by [6], has five key phases:
initialization of the attacker and defender; training and retraining; spotting an attack;
responding to an attack and selecting a new person as a defender. Even though the
algorithm performed well upon evaluation, more comprehensive analyses may still be
required [6]. In addition, some other real scale optimisation problems can be utilised to
evaluate the performance of the proposed algorithm [6]. According to Beckers and Pape
[1], companies rely on two options to address Social Engineering: carrying out security
awareness training and hiring of penetration testing companies that attack their clients to
identify weaknesses. Unfortunately, the two approaches may not be adapted to employees’
weaknesses or may lead to employees becoming demotivated [1]. According to Beckers
and Pape [1], security consultants are more familiar with Social Engineering, but they have
to learn about the domain to elicit relevant context-specific threats. Hence the proposed

Copyright © 2020 The authors www.IST-Africa.org/Conference2020 Page 3 of 9

card game kind of solution that employees of a company can play to elicit Social
Engineering threats, subsequent security requirements and be able to know the domain well
and learn about Social Engineering in a structured manner [1].
Classification of Social Engineering methods through a taxonomy aimed at helping
organisations to gain a better understanding of the attack methods and be vigilant is
provided by Ivaturi and Janczewski [12]. The taxonomy views Social Engineering in two
perspectives: first, Person-to-Person where it could be real person impersonation or fake
person impersonation and second, Person-to-Person via text, voice and video. Vishing was
categorised under voice while phishing and smishing fell under text. The best strategy [12]
to counter Social Engineering is to engage in activities that raise people’s awareness levels
through education. In this regard, organisations should employ a multi-layered strategy that
implements training to increase awareness and enforces policies like ‘need-to-know’
access. Social Engineering is a game and hence the goal should be to make things difficult
for the attacker and reduce or better remove the fun element so that the attacker moves on
to a different target [12]. Individuals and organisations still require support. Hence, this
study proposes an awareness model that could help reduce the chances of falling victim to
Social Engineering attacks.

3. Research Objectives
The main objective of this study was to present and demonstrate an analytical approach
towards Social Engineering in Kenya, then further develop a model for controlling Social
Engineering. To achieve this objective, the following specific objectives were put into
consideration: to explore the level of understanding of the various forms of Social
Engineering in Kenya; to determine the prevalence of Social Engineering attacks in Kenya
and to propose a model that could act as a countermeasure for Social Engineering.

4. Methodology
The study used random sampling to select 73 participants. Qualitative and quantitative data
was collected from the sample through an online survey and face to face interviews. The
data was then analysed using MS-Excel data analysis tools. Charts and descriptive
narratives were used to outline results based on the analysed data.

5. Results and Discussion

The study began with a pre-study for questionnaire validation, during which it was
determined that most respondents were unaware of the term Social Engineering and its
forms. Hence, the questionnaire was revised to include a definition of the term with a brief
explanation of each of the forms as a guide to respondents. As shown in Figure 1, 41%,
39% and 36% of main study respondents confirmed to be familiar with phishing, smishing
and vishing respectively.

Figure 1. Familiarity of Social Engineering

Copyright © 2020 The authors www.IST-Africa.org/Conference2020 Page 4 of 9

 Figure 2. Social Engineering Form Used
It should be noted that not all attempted attacks end up being successful, thus, 51% of
the study sample reported having ever fallen victims of Social Engineering. This was spread
over the three forms of Social Engineering as depicted in Figure 2, where, 47% were
propagated through vishing. It was determined that 57% of these attacks have been tried on
the same target on several occasions while 43% occurred only once.
The study revealed that out of the attacks attempted, whether successful or
unsuccessful, 78% of the attack motive was for financial gain, majorly through soliciting
victims for their mobile money transfer accounts details as evident in Figure 3. The study
further determined that identity theft was being used by attackers to pave their way to
financial gain as the overall attack motive. The data from this study shows a 22% attack
success rate with 78% unsuccessful attempts.

Figure 3. Attack Motivation

Figure 4. Persuasion Principle Used

It was worth identifying the strategies the attackers used that made the respondents not
to suspect that they were under attack. Figure 4 depicts the distribution among the various
persuasion strategies used. Authority tops at a prevalence rate of 44% as a persuasion
principle used to trick victims. This is followed by a tie at 17% between liking and social
proof, then 12% for scarcity while the remaining 7% and 2% is taken up by consistency and

Copyright © 2020 The authors www.IST-Africa.org/Conference2020 Page 5 of 9

reciprocity respectively. These findings hint that at some point, the respondents
subconsciously relied on the same persuasion principles to retaliate from attacks. Hence, the
high rate of unsuccessful attempts.
On the other hand, 49% who responded to have never fallen victims of Social
Engineering reported having ever detected suspicious phone calls, SMSes and/or emails
that could be treated as Social Engineering attempts. In this regard, 47% of the suspicious
attempts were propagated through smishing, 33% through phishing while vishing attempts
stood at 27%. 79% of these attempts have been tried on the same target repetitively.
Considering these results, it is evident that attackers make several occasional attempts
towards one target hoping to be successful at some point in time. 60% of sampled Kenyans
felt that there exist no proper laws to govern against Social Engineering acts, 11% felt that
there are proper laws while 29% felt that maybe there exist laws as shown in Figure 5.
Unfortunately, a total of 40% that felt that there exists or maybe exists laws, could not cite
any notable instances where such laws have been applied. This is a worrying factor that
may require attention.

Figure 5. Social Engineering Laws

Figure 6. Kenyan’s Vulnerability Status

The study determined that Kenyans remain vulnerable to all the three main forms of
Social Engineering with vishing on the lead, closely followed by smishing as shown in
Figure 6. The outstanding reason was pointed out to be due to illiteracy. Additionally, most
Kenyans are desperate to get certain things and would often not spend much time thinking
and considering the authenticity of messages or voice calls. Furthermore, all three forms of
Social Engineering lack the face to face element, limiting on authenticity checks. The study
established the following aspects as the main reasons behind the dominance of vishing and
smishing:
i) It is much easier to convince someone via phone conversation. Hence, vishing thrives.
ii) Vishing denies victims time to think through a conversation.
iii) Smishing is a cheaper form due to the low cost of SMS in Kenya.

Copyright © 2020 The authors www.IST-Africa.org/Conference2020 Page 6 of 9

iv) Vishing and smishing thrive due to the growth in mobile phone users and the booming
of mobile money transfer services.
v) Vishing and smishing thrive due to lots of personal data being collected by financial
institutions and mobile money transfer agents. This aids attackers to get more
information about target victims.
vi) Vishing and smishing can be used even for mobile phone users possessing feature
phones.
vii) Vishing and smishing are always associated with idle prisoners carrying out random
attempts.
Although vishing and smishing take the lead, phishing gives enough room to write long
convincing messages with clickable links to phishing sites. This factor gives phishing an
advantage over vishing and smishing.
Figure 7 shows a total of 13 possible solutions to Social Engineering suggested by study
respondents, where, user education and awareness topped. Some of the suggested options
under the innovative solutions category included: use of Artificial Intelligence (AI) systems
that can predict Social Engineering acts and use of biometrics for all identifications. Such
biometrics could extend to the use of mechanisms for voice identification of both mobile
phone users and callers. The Jitambulishe service by the leading Mobile Service Provider in
Kenya, Safaricom, featured as one of the innovative voice biometric security solutions. The
service allows users to register their voices and use the voices to access services such as
unlocking mobile money transfer accounts and getting mobile money transfer account
PINs. It was however suggested that an innovative service of this nature that could detect
voices for callers for identification purposes could help reduce vishing attacks. This could
be an enhancement to the Jitambulishe and/or truecaller services, where the truecaller
service identifies callers based on their phone numbers against online user data.

Figure 7. Suggested Solution to Curb Social Engineering

6. The Proposed Model

Considering study results with user education and awareness being the main proposed
solution, it is paramount to develop an innovative solution that could facilitate user
education and awareness on Social Engineering. Figure 8 shows the proposed Social
Engineering awareness model that takes the form of an expert system. The model was
validated by a set of randomly selected samples. The entire process takes the knowledge

Copyright © 2020 The authors www.IST-Africa.org/Conference2020 Page 7 of 9

engineering process format that encompasses the following key phases, namely, knowledge
acquisition, knowledge representation, knowledge validation, inferencing and explanation
and justification.
Acquisition, representation and validation of knowledge require a knowledge engineer
whose role is to elicit knowledge from domain experts and turn it into rules and guidelines
that less experienced people can use. They also have to play the role of validating
knowledge with the domain experts. The knowledge base should have appropriate rules that
will enable the inference engine to associate users’ actions against the persuasion
principles. The training and testing engines should have self-paced tests that link to the
knowledge in the knowledge base via the inferencing engine. The user interface should be
in the form of a chatbot that could be a web application or mobile app. This should facilitate
efficient, user-friendly interaction for any user. The model should provide a capability for
users to go through an awareness and training session with rewards in the form of badges
and/or themes based on knowledge rating.

Figure 8. Social Engineering Awareness Model

7. Industrial Significance and Eventual Benefit

Lack of awareness on cybersecurity leads to finances losses and disclosure of Personal
Identity Information (PII). The proposed innovative awareness model will lead to a
knowledgeable society that will in return reduce the rate of successful Social Engineering
attacks. This will be a benefit to both individuals and organisations that have been
recording losses attributed to Social Engineering attacks targeted at the weakest link to
information systems, who are the users. The resulting study outcomes could also form a
foundation for the development of information security policies and awareness programs.
This could further translate into National or International Laws on Social Engineering based
Cyber-attacks.

8. Conclusion
This paper examined the level of resilience by Kenyan against Social Engineering attacks.
Vishing stands out as the most commonly used form of Social Engineering, closely
followed by smishing attacks. Some of the outstanding reasons behind the prevalence of the
two forms include: the growth in mobile phone users, the blooming of mobile money
transfer, availability of massive unprotected personal data and the ease of convincing
potential victims via phone conversations. Alongside financial gain as the striking motive
behind these attacks, the success rate was noted to remain drastically minimum, although,
attack persistence is maintained at a high rate. Authority featured in the reviewed studies as
the leading persuasion principle used by social engineers to convince their target victims.

Copyright © 2020 The authors www.IST-Africa.org/Conference2020 Page 8 of 9

This study affirms the same position since authority came out as the outstanding strategy
used by attackers in Kenya too. This was followed by social proof and liking at a long
range. It was further observed that Kenyans fall victim of Social Engineering due to lack of
awareness and/or user education. This makes them vulnerable and easily submissive to
authoritative, social proof and liking kinds of persuasions.
The study yielded promising results and on a wider level, leading to a proposal of a
Social Engineering awareness model, in form of an expert system. The model could be used
by individuals and organisations to instill a secure mindset on how to avert from Social
Engineering attacks. Future work should lead to implementation and validation of the
model by a larger sample size.

References
[1] K. Beckers and S. Pape, “A Serious Game for Eliciting Social Engineering Security Requirements,”
Proc. - 2016 IEEE 24th Int. Requir. Eng. Conf. RE 2016, pp. 16–25, 2016.
[2] M. Huber, S. Kowalski, M. Nohlberg, and S. Tjoa, “Towards automating social engineering using
social networking sites,” in Proceedings - 12th IEEE International Conference on Computational
Science and Engineering, CSE 2009, 2009, vol. 3, pp. 117–124.
[3] A. Chitrey, D. Singh, and V. Singh, “A Comprehensive Study of Social Engineering Based Attacks in
India to Develop a Conceptual Model,” Int. J. Inf. Netw. Secur., vol. 1, no. 2, 2012.
[4] J. W. H. Bullée, L. Montoya, W. Pieters, M. Junger, and P. Hartel, “On the anatomy of social
engineering attacks—A literature-based dissection of successful attacks,” J. Investig. Psychol. Offender
Profiling, vol. 15, no. 1, pp. 20–45, Jan. 2018.
[5] I. Ghafir, V. Prenosil, A. Alhejailan, and M. Hammoudeh, “Social engineering attack strategies and
defence approaches,” Proc. - 2016 IEEE 4th Int. Conf. Futur. Internet Things Cloud, FiCloud 2016, pp.
145–149, 2016.
[6] A. M. Fathollahi-Fard, M. Hajiaghaei-Keshteli, and R. Tavakkoli-Moghaddam, “The Social
Engineering Optimizer (SEO) Facilities Interdiction Problem View project Metaheuristic View project
The Social Engineering Optimizer (SEO),” Eng. Appl. Artif. Intell., vol. 72, pp. 267–293, 2018.
[7] A. Algarni, Y. Xu, T. Chan, and Y. C. Tian, “Social engineering in social networking sites: Affect-
based model,” 2013 8th Int. Conf. Internet Technol. Secur. Trans. ICITST 2013, pp. 508–515, 2013.
[8] S. Gupta, A. Singhal, and A. Kapoor, “A literature survey on social engineering attacks: Phishing
attack,” Proceeding - IEEE Int. Conf. Comput. Commun. Autom. ICCCA 2016, pp. 537–540, 2017.
[9] A. Karakasiliotis, S. M. Furnell, and M. Papadaki, “Assessing end-user awareness of social engineering
and phishing,” pp. 4–5, 2006.
[10] E. O. Yeboah-Boateng and P. M. Amanor, “Phishing , SMiShing & Vishing : An Assessment of
Threats against Mobile Devices,” J. Emerg. Trends Comput. Inf. Sci., vol. 5, no. 4, pp. 297–307, 2014.
[11] W. Wosinska, R. Cialdini, D. Barrett, and J. Reykowski, The practice of social influence in multiple
cultures. 2000.
[12] K. Ivaturi and L. Janczewski, “A Taxonomy for Social Engineering attacks,” Proc. CONF-IRM, 2011.

Copyright © 2020 The authors www.IST-Africa.org/Conference2020 Page 9 of 9