In January 2022, Peter Mwanzo, a senior Nairobi police officer, became a high-profile victim of mobile money fraud. Scammers replaced his SIM card remotely, transferred 597,100 Kenyan shillings ($4,575) from his mobile banking wallets, and took out hefty loans in his name — all while he had his phone on him.

“I could not explain how it happened as I have never shared my PIN or personal details with anyone. This is madness. It seemed easy for the third party to use my SIM card,” Mwanzo told the Kenyan high court months later while testifying against the suspected fraudster, according to local reports.

In court, Mwanzo also pointed a finger at Safaricom, his cellphone provider. He said he couldn’t understand how his SIM card had been so easily replaced and his accounts accessed remotely. “Safaricom ought to take responsibility. There are many complaints of SIM swap,” Mwanzo said.

In 2007, Safaricom, Kenya’s largest telecommunications company, collaborated with Vodafone to launch M-Pesa. The mobile money transfer service allowed users to send and receive money using only a SIM card and a phone that didn’t need to be connected to the internet. Today, over 30 million people in the country use M-Pesa regularly. The service represents Safaricom’s largest revenue stream, bringing in 107.69 billion Kenyan shillings ($818 million) in 2022 — 36% of the company’s total revenue. According to data from the Central Bank of Kenya (CBK), mobile money transactions account for over half of Kenya’s $110 billion GDP, and M-Pesa controls 99% of the market.

M-Pesa’s ubiquity has attracted many scammers. In 2021, a FinAccess survey found that nearly half of the Kenyans using mobile money had fallen victim to fraud or accidentally transferred money to the wrong recipients. That figure was 8.4% higher than the previous year. In 2022, a CBK report showed that 6.1% of mobile banking users and 25.9% of mobile money users had lost money through cybercrime.

In February 2023, Kenya’s Directorate of Criminal Investigations (DCI) arrested eight men alleged to be members of a criminal syndicate that had defrauded mobile money users of more than 500 million Kenyan shillings ($3.8 million). Some towns, such as Mulot in Bomet County, have emerged as operating hubs for the M-Pesa SIM-swap fraud syndicates.

In 2022, Abdi Zeila, a Kenyan businessman, filed a class action suit against Safaricom and the country’s communications authority for exposing him to fraud. Zeila had lost 495,651 Kenyan shillings ($3,766) to SIM swap fraudsters. The court also opened the door for him to invite more victims of SIM swap fraud to join the suit.

Agnetta Makhoha is among those who have since joined Zeila in the class action suit. Scammers had defrauded her by taking out mobile loans totaling 49,881 Kenyan shillings ($79) in her deceased husband’s name.

“The estate and my family are in complete angst and anxiety as a result of these developments,” said Makhoha, according to the court documents. She also said she was taken aback by Safaricom’s “reluctance to admit liability and take action for violations which are clearly attributable to its negligence or complicity.”

Wachira Kangaru, Safaricom’s head of corporate communications, declined Rest of World’s request for comment, stating that the company could not discuss the ongoing class action.

Other victims include Farah Bashir, a medical lab scientist who was in Johannesburg on a two-week assignment when scammers remotely swapped his Safaricom SIM card and transferred 2.6 million Kenyan shillings ($19,756) out of his Absa mobile-banking accounts. According to media reports, Bashir was stranded in a foreign country, surviving on breakfast yogurt and snacks offered by the hotel he was staying at until family members bailed him out. Despite his best efforts and the media publicity around his case, Bashir struggled to get Safaricom and Absa to shoulder responsibility for his losses.

John, a 35-year-old planning officer in a Nairobi public hospital, told Rest of World he lost around 36,000 Kenyan shillings ($274) to mobile money fraud, despite never having shared his mobile money PIN or personal details with anyone.

“My phone was stolen in a matatu [public transport],” said John, speaking under a pseudonym for privacy reasons. “Once I realized it, I used the conductor’s phone to call my number, and it went through. They said they found it and could get it to me but were lying to buy time.”

John also called Safaricom to block his number. By the time he reached his office 40 minutes later, he said the scammers had stolen around 10,000 Kenyan shillings ($76) from his M-Pesa wallet, asked for — and received — an overdraft of 16,000 Kenyan shillings from M-Pesa’s sister service Fuliza, and taken out a loan from microcredit service M-Shwari. “Safaricom told me that I was careless with my PIN,” said John. “I almost insulted them.”

A 2021 analysis by global cybersecurity company Evina found that mobile payment fraud in Africa was most prevalent in Kenya, with 51% of transactions flagged as suspicious, followed by South Africa at 30% and Cameroon at 10%.

In March, Safaricom CEO Peter Ndegwa acknowledged that fraud had grown in tandem with the fintech sector in Kenya. “The rapid growth of Kenya’s fintech sector has been accompanied by a rapidly evolving threat environment targeting both customers and fintech operators,” Ndegwa told local media. “It is therefore necessary for different players to partner around innovations that protect customers and their funds to safeguard the gains made.”

Most of the scams involve some element of social engineering. On social media, for example, hundreds of profiles pretending to be official Safaricom representatives sometimes respond to customer requests faster than the company’s verified customer care accounts. The fraud accounts copy Safaricom’s branding and language to get unsuspecting customers to disclose personal information, including ID numbers, transaction details, and PINs.

According to Kevo, a 34-year-old mobile money fraudster who spoke to Rest of World on condition of anonymity, many Kenyans are oblivious to the capabilities and security features of M-Pesa, mobile banking, and fintech apps. Meanwhile, scammers study these systems intensely to identify loopholes, said Kevo, who runs a fraud syndicate alongside his friends in Nairobi’s low-income Kibera neighborhood.

“If you black out and I take your phone in the club, for example, or even if I get it just for a few moments and put it back, without struggling, I can see your M-Pesa balance in your messages and your Fuliza [overdraft] limit,” he said. “Remember, I can also get your ID, which has your ID number. With those details, I can go to the M-Pesa USSD [unstructured supplementary service data] menu, reset the M-Pesa PIN, access the account, and transfer funds wherever I want.” He added that this also allows him to take out mobile loans while posing as the victim.

Kevo told Rest of World he also regularly uses fake messages and reversal scams to defraud people. Many mobile money scammers register multiple fake phone numbers using stolen personal information. To rein in the misuse of SIM cards for criminal activities, Kenya’s communications authority led a controversial, mandatory mass registration exercise that saw over 124,000 SIM cards deactivated as many people flagged other SIM cards registered with their details. After crackdowns by local law enforcement, it has become common to see officials parading the thousands of SIM cards found in the scammers’ possession before media cameras.

In response to the increase in fraud and related complaints, Safaricom has ramped up mass awareness campaigns to help customers identify potential scams early. Most major financial service firms in Kenya offer mobile money-linked digital banking services, and banks are also under pressure to secure customers’ funds better.

Safaricom’s anti-fraud initiatives include introducing a new code in May 2022 that enables users to block fraudulent attempts to swap their SIM cards. In March 2023, Safaricom also signed up major banks to its new SIM-Swap-Check anti-fraud service, which allows them to check when a customer’s SIM card was last swapped. With that information, banks can determine whether a customer’s transaction is fraudulent and take additional steps.
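As an added illustration (not Safaricom's or any bank's code), the sketch below shows how a bank-side check could use a "last swapped" timestamp to hold money-moving requests that closely follow a SIM swap. It goes slightly beyond the swap check by treating a PIN reset the same way; the 72-hour window, event names, account labels, and sample events are all assumptions constructed for this example.

```python
from datetime import datetime, timedelta

# Assumption: 72 hours is an illustrative cooling-off window, not a real policy value.
COOLING_OFF = timedelta(hours=72)
RESET_EVENTS = {"sim_swap", "pin_reset"}          # identity or credential changes
MONEY_EVENTS = {"transfer", "loan", "overdraft"}  # actions that move or borrow funds

# Constructed sample events (hypothetical accounts and amounts), not real data.
SAMPLE_EVENTS = [
    ("2023-03-01T09:00:00", "A", "sim_swap", 0),
    ("2023-03-01T09:20:00", "A", "transfer", 50000),
    ("2023-03-01T09:35:00", "A", "loan", 20000),
    ("2023-03-02T10:00:00", "B", "transfer", 3000),   # no swap on record
    ("2023-01-10T08:00:00", "C", "sim_swap", 0),
    ("2023-03-03T12:00:00", "C", "transfer", 1500),   # swap was weeks ago
    ("2023-03-04T14:00:00", "D", "pin_reset", 0),
    ("2023-03-04T14:05:00", "D", "overdraft", 16000),
]

def decide(event_time, last_reset):
    """Return 'allow', 'step_up' or 'hold' for one money-moving request."""
    if last_reset is None:
        return "allow"        # no swap or reset recorded for this account
    age = event_time - last_reset
    if age < timedelta(0):
        return "step_up"      # reset dated after the request: inconsistent data
    return "hold" if age <= COOLING_OFF else "allow"

def review(events):
    """Replay events in time order and decide each money-moving request."""
    last_reset = {}           # account -> time of most recent swap or PIN reset
    decisions = []
    for ts, account, kind, amount in sorted(events):
        when = datetime.fromisoformat(ts)
        if kind in RESET_EVENTS:
            last_reset[account] = when
        elif kind in MONEY_EVENTS:
            verdict = decide(when, last_reset.get(account))
            decisions.append((account, kind, amount, verdict))
    return decisions

if __name__ == "__main__":
    for row in review(SAMPLE_EVENTS):
        print(row)
```

A held request would go to additional verification rather than being rejected outright, which is the "additional steps" decision left to the bank.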

Some of the M-Pesa scams have come from within Safaricom. In the financial year ending March 2022, the company sacked 24 employees for fraud, with 10 fired in connection with SIM swap cases.

Kevo, the scammer from Nairobi, said fraud is inevitable in the current system. “You can’t escape it,” he said. “There [are] so many loopholes in the system, and a lot of Safaricom’s customers are exposed.”