Zimbabweans Continue To Confuse WhatsApp And EcoCash Hacks With Social Engineering

  • Hackers get away with USD 100 million through WhatsApp and Ecocash fraud,
  • Tips for defending against social engineering and hacks,
  • How individuals can hack your WhatsApp.

According to a report by The Herald, “When the criminals hack the Ecocash and WhatsApp account, the hacked person’s phone loses network connectivity. The criminals then use that hacked number in the WhatsApp groups the hacked person belongs to, offering US dollars at lucrative rates. Others in the group, assuming the person making the offer is their trusted friend, respond and offer to buy the currency. They transfer money by Ecocash to their friend’s number, but the fraudsters now controlling that number clean out the Ecocash account and vanish. When the WhatsApp group members confront their friend, it becomes clear that the group member would be unaware of the transactions and there will be no network on their mobile phone.”

“Over the past two months, police have received several complaints totalling the equivalent of US$100 million,” said the report.

Since no one can hack either WhatsApp or Ecocash, what these tricksters are doing is using social engineering techniques to gain access to victims’ WhatsApp accounts. Once in control, the hackers offer US dollar exchange at lucrative rates in the victim’s WhatsApp groups, where they are trusted. In the hope of a good deal, group members might then send their money to a number provided by the hacker, and will attempt to get their money back to no avail.

To further their attack and make it easier to conduct, social engineers also use social media platforms like Facebook, Twitter, Instagram and LinkedIn to gather a lot of details about their victim and use that information to their advantage.

The best way to combat these criminal activities is through security awareness training and campaigns. People need to know that social engineering exists, be familiar with some of the commonly used tactics, and know how to beef up their security online.

Enable two-factor authentication for additional security where possible, e.g. on WhatsApp. The feature will send a code through a number that you will have provided, and you use it to verify that it’s you every time you log in. However, this added security feature is useless if you just go on to share the code with someone else.

Secondly, you should never share confidential information such as usernames, credit card details, OTPs, passwords and verification codes with anyone else, even with your family as they can also carry out these social engineering attacks.

Social media platform users should also be aware of the information they post while online. You should never post identifying information or information that you wish to keep private. Identifying information includes real birth dates, family members, schools attended, birthplace and close friends. As I mentioned before, social engineers can use this info to trick you and make you a cybercrime victim.

Another security recommendation is using strong passwords. Once a hacker has your email address or phone number, which they can simply find on social media platforms, they can try to log in to your accounts by pairing your email with simple passwords found in leaked data, or by trying the top 100 most common passwords. Simple and common passwords include date and year of birth, peers’ names, your own names, phone numbers, pets’ names, and others. A strong password has 12 characters that include numbers, symbols, capital letters and lowercase letters.

To easily create a very strong, hard-to-guess password, you can alternatively use a password manager such as Google’s password manager to create unique, long and difficult passwords for your accounts and store them for you, so you don’t have to remember them. Websites such as passwordgenerator.net and strongpasswordgenerator.com also generate strong passwords; however, unlike Google’s password manager, you will have to write the password down or remember it. To make it easy to remember, you can modify it in a way that you will easily remember. Change your password today.
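The password rules above as a checker, an added example that is not part of the original article: it applies the 12-character, four-character-type rule, flags passwords built from the personal details listed earlier, and generates a random password that passes. Matching look-alike swaps such as `3` for `e` goes beyond what the article states, and the sample name, year and phone number are constructed.

```python
import secrets
import string

# Look-alike swaps people use to disguise a name (an assumption of this example).
LOOKALIKES = str.maketrans("0134@$5", "oieaass")

def normalise(text):
    """Lowercase, drop spaces and undo look-alike swaps so T3nd@i matches Tendai."""
    return text.lower().replace(" ", "").translate(LOOKALIKES)

def weaknesses(password, personal_details=()):
    """Return the reasons a password fails the rule (empty list means it passes)."""
    problems = []
    if len(password) < 12:
        problems.append("shorter than 12 characters")
    classes = {
        "lowercase letter": any(c.islower() for c in password),
        "capital letter": any(c.isupper() for c in password),
        "number": any(c.isdigit() for c in password),
        "symbol": any(c in string.punctuation for c in password),
    }
    problems += [f"no {name}" for name, present in classes.items() if not present]
    flattened = normalise(password)
    for detail in personal_details:
        token = normalise(detail)
        # Ignore very short details; they would match by coincidence.
        if len(token) >= 3 and token in flattened:
            problems.append(f"contains personal detail '{detail}'")
    return problems

def generate(length=16):
    """Draw random passwords from a CSPRNG until one satisfies the rule."""
    if length < 12:
        raise ValueError("length must be at least 12")
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not weaknesses(candidate):
            return candidate

if __name__ == "__main__":
    # Constructed sample details of the kind visible on a social media profile.
    details = ["Tendai", "1990", "Simba", "0771234567"]
    for pw in ["password", "T3nd@i1990!x", generate()]:
        print(repr(pw), weaknesses(pw, details) or "ok")
```
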

To check if your email address has been compromised, you can visit HaveIBeenPwned.com. The site only needs your email address, which it cross-references against accounts that have been breached in the past to find out if your details were leaked online.

You should also stay alert for news of any other breaches.

To the business community, enrich your employees with cybersecurity awareness training that addresses social engineering and targeted cyber threats. 

Keep your employees up to date on the latest online fraud techniques. Anyone who has the authority to make wire transfers or other financial transactions should have common knowledge about how these cases occur. Many of the true stories involving fraud occur with lower-level staff who get fooled into believing an executive is asking them to conduct an urgent action, usually bypassing normal procedures in the process.

A good example of social engineering in business occurred in January, when a Steward Bank accountant was fooled into releasing ZWL$22 million that belonged to TM Supermarkets into four different accounts. The perpetrator used the email address of the retail group’s financial manager, Mr Raymond Matsetsa, to carry out the attack and trick the accountant. Hence it is of vital importance that employees get cybersecurity training frequently.