Staying safe: Avoiding SIM and M-Pesa fraud

Staying safe online is quite a challenge to many and it will continue being so. After all, the online space is where some of us spend our time and can be found so… crime is inevitable.

Insecurity online, where things may not be quite as “real” as they are physically, starts, well, physically.

How?

Well, for a start, you use physical infrastructure to get online, don’t you? Before you even get to the murky waters of other dominant cyber crimes (that have, unsurprisingly, also been dominant long before the information age set in) where malicious people access your online “properties” and do whatever it is that they do, the same can happen to anyone without them ever engaging in anything that can be deemed an online activity.

Like owning a mobile phone, for instance. Simple as it is, the onboarding process, which involves the acquisition of an identification module (the SIM), has been abused and is a key player in fraudulent behaviour not just in Kenya but elsewhere as well.

Or, secondly, your phone could be stolen. And since our phones hold so much personal information and are easily a gateway to our private world, the possibilities are many.


SIM fraud is no longer a far-fetched criminal activity that Kenyans hear about from the developed world. It’s as real as real gets. With lots of cases in the news media over the last two months (June and July) about related arrests being made, the stakes are much higher in Kenya than in most other places.

This is because we are the home of mobile money. M-Pesa and the term “mobile money” almost mean one and the same thing. We use the service for just about everything. Paying court fines, paying school fees, buying groceries, paying for utilities, sending money to other people. Heck, as a result, mobile credit facilities, as well as mobile banking services, have taken root.

Simply put, when out and about, the SIM is probably the most powerful thing on you. Its loss could result in identity theft in an instant, a clean swipe of your savings whether on a mobile savings plan (like Safaricom’s M-Shwari) or on a traditional bank account since those tend to be linked to our mobile wallets these days.

As a result, how do you stay safe in the wake of all this?

Simple…

  • Avoid divulging your personal information to strangers. This scam has been going on for so long that it’s the subject of long-running jokes on social media and even in the in-person conversations we have daily: someone calls you pretending to be an employee of either a mobile telephony company or a bank and tells some lies with the aim of getting your details. Social engineering, as the practice is known in information security circles, is one of the oldest tricks in the book. While you and I may take some of these things for granted given, maybe, our level of understanding of these matters, that understanding is not common.
  • A good way of mitigating the risk of dealing with unscrupulous parties over the phone posing as representatives of your service provider, financial institution or some government agency that can require your information is to save the customer service lines of as many as possible of the organizations and companies whose services you regularly seek, more so the ones to do with money. For instance, Safaricom will only contact you through 0722 000 000. When there is an ongoing promotion, for instance, and the number used to notify winners is different, the same is usually communicated to the public; look out for such information. With how interconnected our lives have become, a fraudster doesn’t just stop at conning you of Kshs 100 or 3,000 to “process” your “win”. They go for the whole thing: they’ll use all the information you’ve willingly disclosed, as well as any that they can gather in the public domain, to get even more money by swapping your SIM on the fly.
  • While it may be rather hard to decide which calls to pick and which ones to ignore, it is best to disconnect as soon as there is the slightest hint that you are being asked to give up sensitive information over the phone. Requests for things like your PIN, date of birth etc. should make you think twice. The problem is, the chaps on the other end of the line are smart and that’s why you’re probably in line as victim number 1,067. As such, the social engineering happens in such a smooth manner that you may not notice. By the time you realize what just happened, the worst has probably happened.
  • Flag any suspicious messages. A promotional message whose origin you don’t know? Keep off it. A message from someone you’ve never contacted? Be wary as you read and, probably, respond to it. There is no template here. It is all pegged on individual judgment. It is not a good idea to ignore messages from contacts you don’t know since you may be ignoring someone you know who’s using a different number and whose communication is important (say you’re a job seeker and a recruiter is getting in touch). However, this is also the loophole that fraudsters use to nab us. The more paranoid you are when approaching such messages, the better. Paranoia could save you a great deal. While being a better judge of character is not inborn, it is something we can develop and grow to become. It is these elements that make us human, and not tech in its entirety, that will save us a lot of trouble in the short term. Of course, in the long term, the AI (Artificial Intelligence) we keep talking a lot about will be of great help.
  • Change your PIN. A while back, the trend was to use one’s year of birth as the 4-digit PIN code for both the SIM and the mobile money account. Change!
  • Changing is one thing, but never share your PIN, period. This sounds rather basic and obvious but, really, sharing one’s PIN, for whatever reason, is the genesis of a lot of avoidable problems.
  • Look out for some other not-so-obvious telltale signs like when your device is in and out of network. This could be for various reasons, most likely just coverage issues but that can only be assumed to be the case when you’re in an area that is known to have poor network coverage and not your usual spots. When it happens where you usually have good network reception, that should be cause for alarm. Instead of speculating, your service provider is mostly a call, tweet or message away. Use those avenues to seek clarification and answers. You’re better off spending 2 minutes of your time waiting for a customer service rep to pick up your call than a whole week (maybe longer) cleaning up the mess that could be created.
  • Be vigilant. Monitor any activity on your mobile money transfer services as well as others like mobile banking and even betting, if the latter is your cup of tea. Fraudsters, as has been widely reported, are usually interested in the financial returns. These are mostly direct. If one is able to take hold of your bank account through your phone then they’ll siphon your money. Same with mobile money.
  • Embrace biometrics. With biometrics, there is always the risk of physical harm or injury in the real world but in the virtual world, it’s a much-needed extra layer of security that can be a lifesaver. For instance, if someone wants to make some critical request regarding your M-Pesa line and Jitambulishe, Safaricom’s voice biometrics system, kicks in, things become a little thick.

Have you ever been a victim of SIM fraud?

Have something that you believe I need to have a look at? Hit me up: echenze [at] androidkenya.com