Securing Mobile Money Payment and Transfer Applications Against Smishing and Vishing Social Engineering Attacks

Abstract

Social Engineering is the science of using social interaction as a means to persuade an individual or an organization to comply with a specific request from an attacker where either the social interaction, the persuasion, or the request involves a computer-related entity. Social engineering threats are the biggest threats facing cybersecurity because they exploit the natural human tendency to trust. Human-based social engineering requires a person-to-person interaction to achieve an objective. Mobile money users are target to most criminals. Smishing is a form of phishing where someone tries to trick a victim into giving their private information via a text message. A vishing attack is a type of criminal phone fraud that uses voice messages to obtain personal information or money from victims. Consumer-based fraud represents the most prevalent form across all stages of the mobile money services operation, where offending is enabled by a lack of system-based checks and awareness. Current mobile money transfer and payment applications design does not mitigate cybersecurity risks and specifically social engineering. This study establishes the gap and proposes a design that will mitigate these risks. The literature review describes the social engineering frameworks, defensive techniques against social engineering in mobile money, and establishes the knowledge gaps that need to be filled. A descriptive research design with a qualitative approach is employed in this study. Open-ended questionnaires were used to collect the data. Results of the analysis show that 66% of the respondents have experienced social engineering attacks either through phone or SMS. The effects of Social Engineering lead to the inability to recover money once sent. A mobile application prototype called SAFECASH that can analyze and hold unconfirmed transactions, blacklist suspected contacts and lock suspected transactions is implemented and tested.