Experience in social engineering by ecommerce platforms in Kenya

Abstract

eCommerce systems have been targeted by cyber criminals as they receive and use the money, rely on technology, outsourced services and use of payment technologies like mobile money and online banking channels to carry out their day-to-day transactions. This study sought to investigate social engineering and its mitigation in eCommerce platforms in Kenya. An existing Social Engineering Defensive Framework was adopted and its dimensions were used to create questionnaires and interview guides. The study used 30 out of the 34 pure-play eCommerce firms operating in Nairobi, Kenya. The results indicate that phishing/spear phishing as the leading threat followed by baiting/Trojan Horse, social media/fraudulent websites, search engine poisoning among others. Mitigation measures indicate organizations need to regularly check their website listing in hacking sites (such as pastebin.com and ghostbin.com) and periodically document and update new policies regarding social engineering and information security. This paper proposes social engineering mitigation best practices, emphasizing the need for organizations using the derived best practices and incorporating security culture.