No amount of technical security can protect your organisation if your employees can be manipulated into handing over access, money, or sensitive data. Social engineering — the art of exploiting human psychology rather than technical vulnerabilities — is now the leading initial access technique in cyberattacks globally, and Kenya is no exception.
In our penetration testing and phishing simulation work, we see firsthand how effective these attacks are against Kenyan organisations. This article covers the most active social engineering threats and what you can do about them.
The Most Dangerous Current Threats
Business Email Compromise (BEC)
BEC is devastating and growing rapidly in Kenya. In a typical BEC attack, a criminal compromises or impersonates a company executive's email account and uses it to instruct finance staff to make urgent wire transfers or change payment details on outstanding invoices. The requests often involve pressure tactics: "I need this done urgently before I fly," or "Don't go through the normal process for this one."
Kenyan losses from BEC attacks run into billions of shillings annually. The targets are often finance teams, accounts payable staff, and HR departments — anyone who handles money transfers or holds sensitive employee data.
WhatsApp Vishing
Voice phishing over WhatsApp has become extremely common in Kenya. Attackers impersonate bank officials, IT support, or tax authorities (KRA) and pressure victims into revealing OTPs or account credentials, or into making immediate transfers. WhatsApp's perceived informality makes people lower their guard.
A key technique is "number spoofing" combined with a WhatsApp profile picture matching the institution being impersonated. Victims often can't distinguish these calls from legitimate ones.
Targeted Spear Phishing
Gone are the days of obvious mass-spam emails full of spelling errors. Modern spear phishing is highly targeted and researched. Attackers use LinkedIn, company websites, news articles, and social media to craft emails that reference real projects, real colleagues, and real business contexts. Our phishing simulations consistently show click rates of 20-40% on well-crafted spear phishing emails, even in organisations with some security awareness training.
IT Support Impersonation
Attackers call employees claiming to be from "IT support" and report a problem with their account. They then request remote access credentials, ask the employee to install a "security tool" (actually malware), or walk them through disabling security software. This works remarkably well when employees have no clear procedure for verifying IT contact.
Building a Human Firewall
Verification Procedures
Establish clear, mandatory verification procedures for high-risk actions. Before making any wire transfer above a threshold amount, require a callback to a known number (not a number provided in the email). Before giving any caller remote access, require a ticket number that can be verified in your IT system.
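The callback rule above, together with the dual-approval and bank-detail checks the article lists under BEC-specific defences, can be encoded as a policy check that finance systems run before a transfer is released. The following is an added example, not code from the article or from any product; the thresholds, the vendor master, the phone numbers and the request fields are constructed assumptions.

```python
"""Policy check for outbound payment requests: callback to a number on file,
bank details compared against the vendor master, dual approval above a threshold.
Example code; thresholds and vendor data are assumptions constructed for the demo."""
from dataclasses import dataclass, field
from typing import List, Optional

# Assumed policy values (constructed for the example).
CALLBACK_THRESHOLD_KES = 100_000         # callback required at or above this amount
DUAL_APPROVAL_THRESHOLD_KES = 1_000_000  # two distinct approvers required at or above this

# Constructed vendor master: the only trusted source of phone numbers and bank details.
# A phone number or account that arrives inside an email is never used for verification.
VENDOR_MASTER = {
    "acme-supplies": {"phone": "+254700000001", "account": "KE-ACC-0001"},
}


@dataclass
class TransferRequest:
    vendor_id: str
    amount_kes: int
    account: str                                  # account the request asks us to pay
    callback_number_used: Optional[str] = None    # number finance actually dialled
    callback_confirmed: bool = False              # vendor confirmed the request on that call
    approvers: List[str] = field(default_factory=list)


@dataclass
class Decision:
    approved: bool
    reasons: List[str]


def evaluate_transfer(req: TransferRequest) -> Decision:
    """Return an approval decision and the list of failed controls (empty when approved)."""
    reasons: List[str] = []
    vendor = VENDOR_MASTER.get(req.vendor_id)
    if vendor is None:
        return Decision(False, ["vendor not in vendor master; onboard through the normal process first"])

    # Red flag: payment details differ from the vendor master (invoice-redirect pattern).
    if req.account != vendor["account"]:
        reasons.append("bank details differ from vendor master; treat as a change request, not a payment")

    # Control 1: callback to the number on file, never to a number supplied in the request.
    if req.amount_kes >= CALLBACK_THRESHOLD_KES:
        if not req.callback_confirmed:
            reasons.append("callback verification not completed")
        elif req.callback_number_used != vendor["phone"]:
            reasons.append("callback went to a number not in the vendor master")

    # Control 2: dual approval above the higher threshold; the same person cannot approve twice.
    if req.amount_kes >= DUAL_APPROVAL_THRESHOLD_KES and len(set(req.approvers)) < 2:
        reasons.append("dual approval required above threshold")

    return Decision(approved=not reasons, reasons=reasons)


if __name__ == "__main__":
    # Constructed request: urgent email asking to pay a "new" account, callback made
    # to the number given in the email rather than the number on file.
    suspicious = TransferRequest("acme-supplies", 150_000, "KE-ACC-9999",
                                 callback_number_used="+254711111111",
                                 callback_confirmed=True, approvers=["jane"])
    decision = evaluate_transfer(suspicious)
    print("approved:", decision.approved)
    for reason in decision.reasons:
        print(" -", reason)
```

The important design choice is that the vendor master is the only source of truth for both the callback number and the account number, so an attacker who controls the email thread cannot supply either.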
Security Awareness Training
Annual security awareness training is insufficient. People forget. Run regular (monthly or quarterly) micro-training sessions and phishing simulations. The goal isn't to embarrass people who click — it's to build instincts and confidence to question suspicious requests.
Create a Culture of "It's OK to Verify"
Many employees comply with suspicious requests because they're afraid of appearing difficult or incompetent. Leadership must actively communicate that it's always acceptable — expected, even — to verify requests through an independent channel, regardless of who appears to be asking.
BEC-Specific Defences
- Implement DMARC, DKIM, and SPF on your email domain to make it harder to spoof your domain
- Set up alerts for emails from lookalike domains (e.g., company-ke.com vs company.co.ke)
- Require dual approval for wire transfers above a set threshold
- Train finance staff specifically on BEC patterns and red flags
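The lookalike-domain alert in the list above needs a rule for what counts as a lookalike: the example pair company-ke.com versus company.co.ke is a brand label moved under a different TLD, but homoglyph swaps (c0mpany) and typo variants (compnay) should trip the same alert. The following classifier is an added example, not code from the article or from any mail-filtering product; the protected domain, the homoglyph table and the sample sender addresses are constructed assumptions.

```python
"""Lookalike-domain detection for inbound mail: flags sender domains that embed,
homoglyph-mask or closely misspell the organisation's brand label.
Example code; the protected domain and sample addresses are constructed for the demo."""

PROTECTED_DOMAIN = "company.co.ke"   # assumed real domain of the organisation
BRAND = "company"                    # assumed organisation-identifying label

# Single-character substitutions common in lookalike registrations (assumed table).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})
# Multi-character confusables that a per-character translate() cannot fold.
CONFUSABLE_PAIRS = [("rn", "m"), ("vv", "w"), ("cl", "d")]


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch typo-style variants such as 'compnay'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize_label(label: str) -> str:
    """Fold homoglyphs so 'c0mpany' and 'cornpany' both become 'company'."""
    label = label.lower().translate(HOMOGLYPHS)
    for src, dst in CONFUSABLE_PAIRS:
        label = label.replace(src, dst)
    return label


def classify_sender_domain(domain: str) -> str:
    """Return 'legitimate', 'lookalike' or 'unrelated' for a sender domain."""
    domain = domain.lower().strip().rstrip(".")
    # Exact domain or a genuine subdomain of it.
    if domain == PROTECTED_DOMAIN or domain.endswith("." + PROTECTED_DOMAIN):
        return "legitimate"
    # Two edits for a brand this long; one edit for short brands to limit false positives.
    max_edits = 2 if len(BRAND) >= 6 else 1
    for label in domain.split("."):
        norm = normalize_label(label)
        # Brand embedded in a label (company-ke, companyke, company.co.ke.evil.com)
        # or within a small edit distance of it. Substring matching is deliberately
        # broad: a false positive here costs one analyst look, a miss costs a wire transfer.
        if BRAND in norm or levenshtein(norm, BRAND) <= max_edits:
            return "lookalike"
    return "unrelated"


def scan_senders(addresses):
    """Classify the domain part of each From: address; returns {address: verdict}."""
    return {addr: classify_sender_domain(addr.rsplit("@", 1)[-1]) for addr in addresses}


if __name__ == "__main__":
    # Constructed sample From: addresses, not real mail.
    samples = [
        "ceo@company.co.ke",
        "ceo@company-ke.com",
        "finance@c0mpany.co.ke",
        "ceo@cornpany.co.ke",
        "accounts@compnay.co.ke",
        "friend@gmail.com",
    ]
    for addr, verdict in scan_senders(samples).items():
        print(f"{verdict:10} {addr}")
```

In practice the verdict feeds an alert or a banner on the message rather than an automatic block, and legitimate partner domains that happen to contain the brand label go on an allow list checked before this function runs.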