
Mobile Banking Fraud Is Up 87% in Kenya — What SMEs Must Do Now

Written by Carolyne Kigathi · 17 December 2025 · 8 min read · Guide · Intermediate

In this article
  1. Kenya's mobile banking fraud is up 87% — and your M-Pesa Till is the front door
  2. What does an 87% fraud surge mean for a business doing KSh 2M–20M revenue?
  3. What are Nairobi's sharpest operators doing right now to stop mobile banking fraud?
  4. How AskBiz helps you spot mobile money anomalies before they become a KSh crisis
  5. What warning signs in the next 30 days tell you fraud risk is rising in your business?
  6. Your fraud prevention action plan for this week
Key Takeaways

Kenya's mobile banking fraud rate jumped 87% and Tanzania recorded a 317% spike in deepfake fraud — East Africa's 459 million mobile money accounts are now a primary attack target. If your business runs M-Pesa Till transactions or Pesapal payouts, your float, customer data, and KRA-linked credentials are all at risk. This week: audit your SIM-linked accounts, switch off SMS-only OTP where possible, and run a full access review on every staff member with Till or bank login rights.


Kenya's mobile banking fraud is up 87% — and your M-Pesa Till is the front door

The Smartcomply/TechCabal AI & Cyber Frontier East Africa Report 2026 puts the number plainly: Kenya recorded an 87% rise in mobile banking fraud in the past year. Mobile money transactions in Kenya now exceed 53% of GDP. That is not a statistic about banks. That is a statistic about your business — your Paybill, your Till number, the KSh 340,000 you moved last month through M-Pesa STK Push.

The attack chain is not sophisticated. Criminals buy stolen personal data — often from phishing links disguised as KRA iTax or Safaricom promotions. They walk into a Safaricom agent outlet with a fake ID and execute a SIM swap. They intercept your SMS one-time password. Your bank account or M-Pesa float is emptied before the fraud alert fires.

Kenya holds 68% of the region's total cyber attack surface — 200,980 exposed systems tracked in the same report. Tanzania is not safer: it posted the region's highest breach rate at 20%, and deepfake fraud there jumped 317% in twelve months. These are not numbers from a distant corporate world. A Kisumu-based wholesale distributor lost KSh 180,000 in a single SIM swap incident in early 2026 — her Equity Bank mobile app was the entry point, her phone number was the key.

SMS-based authentication is now a liability. Most Kenyan community banks and several tier-two lenders still use it as the primary security layer. If your business banking still sends you a six-digit code by text message and nothing else, you are one rogue Safaricom agent visit away from a serious loss.

What does an 87% fraud surge mean for a business doing KSh 2M–20M revenue?

At KSh 2M annual revenue, you are moving roughly KSh 167,000 per month. A single successful SIM swap that clears your M-Pesa float or Pesapal settlement account does not just hurt — it can wipe out a full month's working capital in under ten minutes. Recovery from CBK or Safaricom takes weeks, requires a police abstract, and is not guaranteed.

Here is what the exposure looks like for a specific type of business. A Westlands-based beauty supply shop doing KSh 650,000/month runs three income streams: M-Pesa Till collections, a Pesapal card terminal, and a WooCommerce store with monthly payouts to the owner's KCB account. She has four staff with varying levels of Till access. Her KRA iTax PIN is saved in a shared Chrome browser on the shop laptop. Her Safaricom line is registered under her personal ID. Every one of those touchpoints is an active attack surface.

The 48% share of identity attacks documented across East African mobile money infrastructure — out of 459 million accounts — means attackers are not guessing. They are using AI-driven credential stuffing to test stolen username-password combinations against banking apps at scale.

The KSh cost of a breach goes beyond the stolen float. A ransomware attack on your accounting files — Kenya healthcare ransomware incidents rose 95% last year, and retail is next — can cost KSh 50,000 to KSh 400,000 in recovery fees plus the cost of business downtime. Africa loses USD 5 billion (approx KSh 646 billion) to cybercrime annually. A growing share of that is hitting SMEs, not multinationals.

What are Nairobi's sharpest operators doing right now to stop mobile banking fraud?

Three concrete moves. Do all three before the end of this month.

**1. Kill SMS-only authentication on every account that moves money.** Log into your Equity Bank, KCB, or Co-op Bank app today. Check whether you have the option to enable app-based authentication or biometric login — most tier-one Kenyan banks now offer it. For M-Pesa business accounts, Safaricom's Biashara platform allows device-pinning. Enable it. If your bank's mobile app still only offers SMS OTP with no fallback, call your relationship manager this week and ask what their multi-factor authentication roadmap looks like. That conversation on record matters if you need to escalate a fraud claim later.

**2. Run a full access audit — names, numbers, and permissions.** Write down every person who has: your M-Pesa Till PIN, your Paybill admin login, your Pesapal dashboard credentials, your KRA iTax PIN, your Xero or QuickBooks login, and your bank app. If any former employee is on that list, change those credentials today. Safaricom's MySafaricom Business portal lets you manage Till access by user — use it. This takes forty minutes and has stopped more fraud than any software purchase.

**3. Register your business SIM under your business PIN, not your personal ID.** Many Nairobi SME operators registered their Safaricom business line under their personal national ID years ago. This makes SIM swap easier for attackers — there is only one identity to fake. Safaricom allows business line re-registration under a company PIN. For sole traders, at minimum, add a secondary contact and a SIM swap freeze request at any Safaricom shop — bring your original ID. Takes twenty minutes.

How AskBiz helps you spot mobile money anomalies before they become a KSh crisis

A Nairobi founder opens AskBiz on a Tuesday morning and types: 'Show me all M-Pesa Till transactions above KSh 15,000 in the last 30 days that happened outside business hours.' AskBiz pulls from her M-Pesa STK Push CSV export — uploaded once, refreshed weekly — and returns a flagged transaction list within seconds. Three transactions between 11pm and 2am total KSh 67,400. She did not authorise any of them. She calls her bank before 8am. That is the CFO Dashboard's anomaly detection at work. It does not replace a security audit, but it closes the gap between when fraud happens and when you notice it. Most Kenyan SME owners discover mobile money fraud three to fourteen days after the fact — usually when reconciling at month end. AskBiz's proactive daily briefing, delivered via WhatsApp each morning, flags: 'Your M-Pesa Till recorded 4 transactions between midnight and 6am totalling KSh 23,800 — this is outside your normal pattern.' For businesses on the Growth plan at KSh 3,800/month, that single alert — catching one fraud event — pays for twelve months of the subscription. Connect your M-Pesa CSV export, Pesapal, or Equity Bank statement and ask your first question in thirty seconds.

What warning signs in the next 30 days tell you fraud risk is rising in your business?

Watch for four specific signals.

  • **Your M-Pesa statement shows small 'test' transactions** — amounts like KSh 10 or KSh 50 sent to unfamiliar numbers. Attackers test accounts before executing large transfers. Pull your last 30-day Safaricom statement now.
  • **A staff member reports receiving an unexpected OTP SMS they did not request.** This is a credential-testing attempt. Do not dismiss it. Change shared account passwords immediately.
  • **Your Pesapal or bank account shows a login from an unrecognised device or location.** Both platforms log device access — check your security activity tab weekly, not monthly.
  • **You receive a Safaricom SMS confirming a SIM swap you did not initiate.** This is the 60-second window you have to call Safaricom on 100 and freeze the line. Save that number in your phone today.

Your fraud prevention action plan for this week

**Before Friday:** Log into every account that touches business money — M-Pesa, Pesapal, Equity, KCB, iTax — and enable app-based or biometric authentication where available. Remove any former staff from Till and dashboard access. Takes two hours. Do it today.

**Set up once:** Upload your M-Pesa STK Push CSV to AskBiz and set a WhatsApp alert for any transaction above KSh 10,000 outside your trading hours. Visit app.askbiz.ai to connect your data.

**Track monthly:** Your fraud exposure metric — total value of transactions that occurred outside business hours as a percentage of monthly Till revenue. If it rises above 2%, you have an active problem. Normal for a well-secured SME Till is under 0.3%.

The CBK and Safaricom both have formal fraud reporting lines. Save them: CBK consumer hotline 0800 723 151 (free), Safaricom fraud line *100*100#. You want those numbers before you need them, not after.
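The monthly exposure metric and the off-hours alert above, together with the small 'test' transaction signal from the warning-signs section, can be computed directly from a statement export. This is an added example, not AskBiz or Safaricom code; the column names, the 08:00 to 18:00 trading hours, the payee list and the sample rows are assumptions constructed for illustration.

```python
import csv
import io
from datetime import datetime, time

# Constructed sample data. Column names are assumed; map a real statement
# export to them before use.
SAMPLE_CSV = """completed_at,direction,amount,counterparty
2025-12-01 10:15,in,42000,cust-001
2025-12-01 14:40,in,61500,cust-002
2025-12-02 09:05,in,88000,cust-003
2025-12-02 23:41,out,50,unfamiliar-1
2025-12-03 01:12,out,15500,unfamiliar-1
2025-12-03 11:30,in,120000,cust-001
2025-12-03 16:20,out,30000,supplier-a
"""

OPEN, CLOSE = time(8, 0), time(18, 0)  # assumed trading hours
KNOWN_PAYEES = {"supplier-a"}          # assumed list of usual payees

def review(csv_text, alert_above=10_000, test_max=50):
    """Flag off-hours and test-sized payments; compute the exposure metric."""
    revenue = off_hours_value = 0.0
    large_off_hours, test_payments = [], []
    for row in csv.DictReader(io.StringIO(csv_text)):
        ts = datetime.strptime(row["completed_at"], "%Y-%m-%d %H:%M")
        amount = float(row["amount"])
        outgoing = row["direction"] == "out"
        if not outgoing:
            revenue += amount          # Till revenue = money received
        if not (OPEN <= ts.time() < CLOSE):
            off_hours_value += amount
            if amount > alert_above:   # the KSh 10,000 off-hours alert
                large_off_hours.append(row)
        # Small outgoing payment to a number not on the payee list:
        # the 'test' transaction pattern (KSh 10 or KSh 50).
        if outgoing and amount <= test_max and row["counterparty"] not in KNOWN_PAYEES:
            test_payments.append(row)
    exposure_pct = 100 * off_hours_value / revenue if revenue else 0.0
    return {
        "exposure_pct": round(exposure_pct, 2),
        "active_problem": exposure_pct > 2.0,  # the article's 2% threshold
        "large_off_hours": large_off_hours,
        "test_payments": test_payments,
    }

if __name__ == "__main__":
    print(review(SAMPLE_CSV))
```

A KSh 50 payment followed shortly by a large off-hours transfer to the same counterparty, as in the sample rows, is the sequence worth escalating first.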


People also ask

How do I protect my M-Pesa business Till from SIM swap fraud in Kenya?

Enable device-pinning on Safaricom Biashara, remove SMS-only OTP from your business bank account, and run a monthly access audit of everyone who holds your Till PIN. Register your business SIM under your company PIN at any Safaricom shop. Kenya's mobile banking fraud rate rose 87% in 2025 — the sharpest operators review Till access permissions every 30 days.

What is the biggest cybersecurity threat to East African SMEs in 2026?

Identity-based attacks on mobile money accounts are the top threat — 48% of all East African cyber attacks target identity credentials. With 459 million mobile money accounts across the region and Kenya alone accounting for 68% of the attack surface, SIM swap fraud combined with SMS OTP interception is the most common route into SME business accounts.

How much money do Kenyan businesses lose to mobile banking fraud?

Africa loses USD 5 billion (approx KSh 646 billion) to cybercrime annually. Kenya's mobile banking fraud incidents rose 87% in the past year. Individual SME losses from a single SIM swap event typically range from KSh 50,000 to KSh 400,000 — often wiping out one full month of working capital for businesses doing under KSh 5M annual revenue.

What is a SIM swap attack and how does it work in Kenya?

A SIM swap is when a criminal impersonates you at a Safaricom agent outlet using stolen ID details, transfers your phone number to a new SIM they control, then intercepts your SMS one-time passwords to access your M-Pesa float or bank account. It takes under ten minutes. Most Kenyan banks still rely on SMS OTP — making SIM swap the primary fraud vector for SME business accounts.

How does AskBiz help Kenyan businesses detect mobile money fraud?

AskBiz connects to your M-Pesa STK Push CSV export and flags transactions outside normal business hours via a daily WhatsApp alert. A founder can ask: 'Show me all Till transactions above KSh 15,000 that happened after midnight this month' and get an instant flagged list. The Growth plan at KSh 3,800/month pays for itself if it catches a single fraud event early.

Carolyne Kigathi
Head of Strategic Partnerships, East Africa

Carolyne Kigathi leads AskBiz's East Africa strategy, tracking regulatory shifts, mobile money trends, and SME growth signals across Kenya, Uganda, Tanzania, and Rwanda — and turning them into briefings founders can act on before their competitors notice.
