FEBRUARY 2026 · 9 MIN READ

Social engineering threats facing East African financial institutions

Technical vulnerabilities get most of the attention. Firewalls, penetration tests, patch management: these are all important. But globally, the majority of breaches involve a non-malicious human element (Verizon DBIR). In East Africa, where security awareness training is often limited and social engineering techniques are increasingly sophisticated, human manipulation is frequently the attacker’s first and most reliable entry point.

This article covers the social engineering threats most relevant to East African banks and fintechs, how we simulate these attacks during security engagements, and what effective training looks like.

What is social engineering?

Social engineering is the manipulation of people into taking actions that compromise security or divulge confidential information. Unlike technical attacks that exploit software vulnerabilities, social engineering exploits human psychology: trust, authority, urgency, fear, and helpfulness.

The key categories relevant to financial institutions:

  • Phishing: deceptive emails that impersonate legitimate entities to steal credentials or install malware
  • Spear phishing: highly targeted phishing using personal information to appear credible
  • Vishing: phone-based manipulation (voice phishing)
  • Smishing: SMS-based phishing
  • Pretexting: creating a fabricated scenario to manipulate a target
  • Physical intrusion: tailgating, impersonation of maintenance staff, posing as a regulator

Why East African banks are targeted

Several factors make East African financial institutions particularly susceptible:

  • Rapid digital transformation outpacing security culture: Staff have been asked to adopt new digital systems quickly, but security awareness training has not kept pace.
  • High-value authorisation flows: Finance teams routinely authorise large transactions. A single successful BEC attack on a payment officer can yield millions of RWF.
  • Cross-border transaction relationships: Correspondent banking and international transfers create opportunities for impersonation of foreign counterparties.
  • Regulatory impersonation: Impersonating BNR examiners or NCSA officials and requesting urgent access to information is a known tactic observed in the industry.
  • Mobile money agent networks: Agents are frequent targets for social engineering. They can process transactions, and their training is highly variable.

The anatomy of a bank phishing attack

A well-crafted phishing attack against an East African bank typically follows this pattern:

  1. Reconnaissance: The attacker researches the target: names and email addresses of finance staff from LinkedIn, organisational structure from the company website, current vendor relationships from press releases.
  2. Infrastructure setup: Registering a lookalike domain (e.g., bnr-rwanda.org instead of bnr.rw), creating a convincing email and web page.
  3. Pretext creation: Crafting a plausible scenario, such as a BNR compliance deadline, an urgent vendor invoice, or an IT system migration requiring a password reset.
  4. Delivery: Sending the phishing email at a time when the target is likely to be distracted (Monday morning, end of month, day before a public holiday).
  5. Credential harvest or malware installation: The target clicks a link, enters credentials on a fake login page, or opens an attachment that installs a keylogger.
  6. Account takeover or lateral movement: Using captured credentials to access email, authorise transactions, or establish persistent access to internal systems.
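Step 2 above is the one a defender can catch before the email is ever read: a lookalike domain has to be registered, and it can be recognised when it appears in a sender address. The following Python is an added example, not code from the original article, showing a small check a mail gateway or SOC could run on inbound sender domains. Only bnr.rw is taken from the article; example-bank.rw, the homoglyph table and the sample sender list are constructed for this illustration.

```python
"""Flag sender domains that imitate allow-listed domains.

Added example, not code from the original article. bnr.rw is taken from the
article; example-bank.rw, the homoglyph table and the sample senders are
constructed placeholders for this illustration.
"""
from __future__ import annotations
import re

# Constructed allow-list of domains the institution trusts mail from.
LEGITIMATE_DOMAINS = ["bnr.rw", "example-bank.rw"]

# Visual substitutions seen in registered lookalikes (two-letter confusables
# and digit-for-letter swaps). Multi-character keys are folded first.
HOMOGLYPHS = {"rn": "m", "vv": "w", "cl": "d", "0": "o", "1": "l", "3": "e", "5": "s"}


def normalise(text: str) -> str:
    """Lower-case and collapse confusable characters to what they imitate."""
    text = text.lower()
    for fake, real in HOMOGLYPHS.items():
        text = text.replace(fake, real)
    return text


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two short strings (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def brand_of(domain: str) -> str:
    """Registrable label of a domain, e.g. 'bnr' for bnr.rw.

    A production version would consult the public suffix list so that
    two-level TLDs (co.rw) are handled; a plain split is enough here.
    """
    return domain.lower().split(".")[-2]


def classify_sender_domain(sender_domain: str) -> tuple[str, str]:
    """Return (verdict, reason); verdict is legitimate, lookalike or unrelated."""
    sender = sender_domain.strip().lower().rstrip(".")
    for legit in LEGITIMATE_DOMAINS:
        if sender == legit:
            return "legitimate", "exact match"
        if sender.endswith("." + legit):
            return "legitimate", f"subdomain of {legit}"
    # Tokens are the dash/underscore-separated pieces of every label except the
    # TLD: bnr-rwanda.org gives {'bnr', 'rwanda'}, bnr.rw.evil.com gives
    # {'bnr', 'rw', 'evil'}. Each token is homoglyph-folded before comparison.
    tokens = {normalise(t) for lab in sender.split(".")[:-1] for t in re.split(r"[-_]", lab) if t}
    for legit in LEGITIMATE_DOMAINS:
        brand = brand_of(legit)
        if brand in tokens:
            return "lookalike", f"reuses brand label '{brand}' outside {legit}"
        if levenshtein(normalise(sender), normalise(legit)) <= 1:
            return "lookalike", f"within one edit of {legit} after homoglyph folding"
    return "unrelated", "no resemblance to an allow-listed domain"


# Constructed sample senders covering each trick: brand reuse in a new domain,
# a one-character swap, a homoglyph TLD and a digit-for-letter brand.
SAMPLE_SENDERS = ["bnr.rw", "mail.bnr.rw", "bnr-rwanda.org", "bmr.rw", "bnr.rvv",
                  "examp1e-bank.rw", "rwandapay.com"]


def screen(senders: list[str]) -> dict[str, str]:
    """Map each sender domain to its verdict, as a gateway rule or SIEM lookup would."""
    return {s: classify_sender_domain(s)[0] for s in senders}


if __name__ == "__main__":
    for s in SAMPLE_SENDERS:
        verdict, reason = classify_sender_domain(s)
        print(f"{s:18} {verdict:11} {reason}")
```

The edit-distance rule is deliberately loose for short brands such as a three-letter registrable label, so its output belongs in a review queue or a warning banner rather than an automatic block; the brand-token rule is the one that catches the bnr-rwanda.org pattern the article describes.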

Vishing (phone-based attacks) in East Africa

Vishing is particularly effective against financial institutions because it exploits the human instinct to be helpful on a phone call. Common pretexts we simulate in testing:

  • Impersonating the IT helpdesk and requesting a password reset or MFA bypass
  • Impersonating a senior executive requesting an urgent wire transfer or account detail
  • Impersonating a regulator (BNR, NCSA) requesting urgent information disclosure
  • Impersonating a vendor or correspondent bank requesting account number changes

Phone calls create time pressure and social compliance that email does not. A well-practised vishing caller can defeat many security procedures that look robust on paper.

Pretexting and physical security

Physical security testing is an underutilised component of comprehensive security assessments. We have successfully:

  • Tailgated into secure areas by following authorised staff through access-controlled doors
  • Accessed server rooms by posing as air conditioning maintenance contractors
  • Plugged rogue devices into network ports in meeting rooms left unattended
  • Left USB drives labelled “Staff Salaries Q1” in a car park. Pickup rates in our red team exercises consistently exceed 40%, consistent with University of Illinois research showing 45-98% success rates in USB drop attacks.

Physical controls (visitor management, clean desk policy, access card validation) are often inconsistently applied, creating gaps that are trivially exploitable.

How we test for social engineering resilience

Our social engineering assessments are conducted with full written authorisation and defined rules of engagement. We offer three levels:

Phishing simulation

We send simulated phishing emails to your staff and measure click rates, credential submission rates, and reporting rates. The campaign is designed to reflect real attacker techniques targeting Rwandan banks. Results are provided by department so you can target training where it is most needed.
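To show what the per-department figures from such a campaign look like as data, here is an added Python example that is not the firm's own tooling. It aggregates constructed simulation outcomes into the three rates named above (click, credential submission, reporting) for each department and ranks departments for training priority. All events, department names, weights and thresholds are constructed placeholders.

```python
"""Per-department metrics from a phishing simulation.

Added example, not the assessment firm's own tooling. Every event below is
constructed; departments, users, weights and thresholds are placeholders.
"""
from collections import defaultdict

# Constructed outcome per recipient. "clicked" means the link was followed,
# "submitted" means credentials were entered on the landing page, and
# "reported" means the recipient flagged the email through the reporting channel.
EVENTS = [
    {"user": "fin01", "dept": "Finance",    "clicked": True,  "submitted": True,  "reported": False},
    {"user": "fin02", "dept": "Finance",    "clicked": True,  "submitted": False, "reported": False},
    {"user": "fin03", "dept": "Finance",    "clicked": False, "submitted": False, "reported": True},
    {"user": "fin04", "dept": "Finance",    "clicked": True,  "submitted": True,  "reported": False},
    {"user": "it01",  "dept": "IT",         "clicked": False, "submitted": False, "reported": True},
    {"user": "it02",  "dept": "IT",         "clicked": False, "submitted": False, "reported": True},
    {"user": "it03",  "dept": "IT",         "clicked": True,  "submitted": False, "reported": True},
    {"user": "ops01", "dept": "Operations", "clicked": False, "submitted": False, "reported": False},
    {"user": "ops02", "dept": "Operations", "clicked": True,  "submitted": False, "reported": False},
]


def department_metrics(events):
    """Return {dept: {"sent", "click_rate", "submission_rate", "report_rate"}}."""
    counts = defaultdict(lambda: {"sent": 0, "clicked": 0, "submitted": 0, "reported": 0})
    for e in events:
        c = counts[e["dept"]]
        c["sent"] += 1
        c["clicked"] += int(e["clicked"])
        c["submitted"] += int(e["submitted"])
        c["reported"] += int(e["reported"])
    metrics = {}
    for dept, c in counts.items():
        sent = c["sent"]
        metrics[dept] = {
            "sent": sent,
            "click_rate": c["clicked"] / sent,
            "submission_rate": c["submitted"] / sent,
            "report_rate": c["reported"] / sent,
        }
    return metrics


def training_priority(metrics, click_threshold=0.25, report_threshold=0.5):
    """Departments needing attention first: high click or submission, low reporting.

    Score = 2 * submission_rate + click_rate - report_rate, so entering
    credentials weighs most and a healthy reporting culture offsets clicks.
    Thresholds decide who is listed at all; the score decides the order.
    """
    flagged = [
        (dept, round(2 * m["submission_rate"] + m["click_rate"] - m["report_rate"], 3))
        for dept, m in metrics.items()
        if m["click_rate"] > click_threshold or m["report_rate"] < report_threshold
    ]
    return sorted(flagged, key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    metrics = department_metrics(EVENTS)
    for dept, m in metrics.items():
        print(f"{dept:11} sent={m['sent']} click={m['click_rate']:.2f} "
              f"submit={m['submission_rate']:.2f} report={m['report_rate']:.2f}")
    print("training priority:", training_priority(metrics))
```

With the constructed data, Finance ranks first (three of four clicked, two submitted credentials, one reported), Operations second, and IT last even though one IT user clicked, because every IT recipient reported the email; the reporting rate is the metric that distinguishes a department that clicks occasionally from one that is quietly compromised.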

Combined phishing + vishing

We add phone-based follow-up calls to staff who clicked the phishing email, attempting to escalate access. This tests whether your helpdesk and finance team follow verification procedures.

Full social engineering assessment

This combines phishing, vishing, smishing, and physical intrusion testing. It is the most comprehensive assessment and is typically conducted as part of a broader penetration test engagement.

Training and awareness: the only real defence

Technology controls (email filtering, multi-factor authentication, access card readers) reduce the attack surface but cannot eliminate social engineering risk. The only reliable defence is trained, security-aware staff who know how to identify attacks, verify identities, and report suspicious activity.

Effective security awareness training for East African banks should:

  • Use realistic, locally relevant examples, not generic Western phishing scenarios
  • Cover mobile money agent fraud and vishing specifically
  • Be conducted in English and local languages where appropriate
  • Include a reporting mechanism that staff actually use
  • Be refreshed at least annually and after major incidents
  • Measure effectiveness with follow-up simulated phishing campaigns

We offer security awareness training programmes designed for East African institutions. See our security awareness training service page for details. The National Bank of Rwanda explicitly requires security awareness training for all staff of supervised institutions. This training satisfies that requirement.

How we can help

We are an OSCP-certified security firm based in Kigali. We combine phishing simulations, vishing campaigns, and hands-on training with technical penetration testing to give your institution a complete picture of its security posture. Our social engineering assessments are designed for the East African banking context, using realistic pretexts, locally relevant scenarios, and structured reporting that satisfies BNR requirements. Contact us to discuss a social engineering assessment or training programme for your institution.

Ready to secure your organisation?

We are an OSCP-certified penetration testing firm based in Kigali. We work with banks, fintechs, and enterprises across Rwanda and East Africa. Get a scoped quote within 24 hours.
