In December 2020, while using Instagram, Michele Iradukunda received a direct message from someone with username "Instagram”, telling her that her page had to get a blue tick (verified) given that she was an influential journalist.
In all cases of phishing, malicious actors ensure there is an incentive or sense of urgency to ensure users do not take time to reflect, but act quickly and without caution.
"The account was named Instagram and I thought Instagram itself was writing to me,” she explains. "One couldn’t tell if it was someone else’s profile.”
The account user asked Iradukunda to provide different kinds of information and later, they told her she was about to receive a code which they asked her to send to them.
"At first,” she narrated. "I sent it to them and they said I had delayed. They told me that they were doing some stuff and were going to send another code, and then asked me to send it too. I did it without thinking, not knowing that I was giving them access to my account.”
Iradukunda’s case reflects social media phishing, where a malicious actor tries to steal personal data or gain control of your social media account.
"In a few minutes,” Iradukunda continues, "I couldn’t log in into my account. When I checked it, all my pictures were deleted and my names were changed and I realized it had become someone else’s profile. It became so hard for me to bring my page back. Even today, I still see it but I don’t know who stole it in that way.”
According to tech and cyber security experts, the most prevalent cybercrimes in Rwanda involve these online scams, such as phishing, smishing and vishing, and there is a need for increased awareness of these online dangers.
From the experience, Iradukunda learned that "everything we see online is not genuine”.
"You don’t have to think that everything online is genuine, and that there aren’t some people who do not wish you any well. They stole my account, but they can also steal money,” she said.
The month of October has been designated as the global cybersecurity awareness month. In Rwanda, the National Cyber Security Authority (NCSA), in collaboration with its partners, will run a national awareness campaign to sensitize the public on cybersecurity hygiene best practices that can equip users to respond to these kinds of scenarios.
The campaign titled Tekana kuri Interineti – Be Safe online will also inform citizens of their rights to personal data protection privacy, an important subject due to the amount of personal data that is now shared online, and its need to be protected, as guaranteed by Rwanda’s law on personal data protection and privacy.
Hacked social media profiles are common cyber incidents, and amongst other cybersecurity best practices, the campaign advises users to never act out of urgency, but take time to verify. When something seems suspicious, it most likely is, and it never hurts to double-check.
"I think us, people, need to be more careful. Anytime you see something online that you don’t trust and are not sure of, first ask other people or choose to delete or ignore it because it can lead you to cyber fraud. We have to be careful of everything we see online because it is not always genuine.”
To learn more about the campaign, use the hashtags #TekanaOnline or visit www.cyber.gov.rw.