Outsmarting MPESA Fraudsters

By Chris Orwa
Data Science Lab
  Published 11 Jan 2016
Share this Article

Just read a fascinating paper titled ‘Why do Nigerian Scammers Say they are from Nigeria?, authored by Cormac Herley from Microsoft Research. The paper explores strategies employed by e-mail scammers to maximize their returns from millions of spam e-mail sent around the world. The most intriguing aspect of the paper is how machine learning techniques are used to analyze the scammers’ pay-off strategies. Here is a parallel to the Kenyan MPESA scam situation.

The Game
MPESA fraudsters in Kenya unknowingly face a problem already familiar to data scientists all over the world – the problem of false positives. In the scamming world, a false positive would be someone targeted for a con but they don’t fall for it. In data science, it is categorizing a data-point as belonging to group A while it belongs to group B – a misclassification.

To create accurate prediction models, data scientists endeavor to minimize false positives. Similarly, successful con-artists have to reduce their false positives since they incur a cost, C (both time and money) in every pursuit of dishonesty. A functional approach for fraudsters involves calculating a value; let’s call it X, that reveals a user’s vulnerability thus enabling targeted cons and thereby reducing false positives.

The Jinx
Still, a conman experiences two types of problems. Sometimes he will attack a non-vulnerable user and gain nothing (thereby losing C), sometimes he will decide not to attack a vulnerable user (thereby foregoing a net gain of G). Thus, he faces a binary classification problem. Every attack result in either a true positive (vulnerable user found) or false positive (non-vulnerable user found). Ideal classification requires that the attacker knows exactly which users will repay the effort and which will not, and never makes the mistake of attacking unnecessarily or of leaving a vulnerable target alone.

The Trap
The MPESA con normally involves an initial SMS campaign, which has a cost per recipient. When potential victims respond a labor-intensive and costly effort of following up by SMS or phone call commences. The con-artist aims to separate vulnerable users from non-vulnerable ones with luring anecdotes. However a remedy exists, by baiting the con-artists into time-wasting conversations it increases their false positives and deteriorates their prospects of a successful con.

The Experiment

Armed with the facts above, I knew it wouldn’t be long before I tested the remedy. So, I received the usual spam SMS that purport an MPESA transfer. I decided to ignore it. Ten minutes later, I got a phone call inquiring if I got the message, I responded that I haven’t and he should call me back in 5 minutes – which he did. I then took him on a roller coaster ride pretending not to know how to use MPESA, and requested he takes me through the process via phone.

After 10 minutes on the phone, he gave-up, I suppose he proceeded to his next target. If the subsequent targets used a similar deceitful strategy, the con artist would be increasing his false positives thereby cost of business, and at one point the venture would not be viable. So let’s all play a game of cat and mouse with the villains.

Image by http://blogthinkbig.com




comments powered by Disqus