Phishing and M-Pesa: How Attackers Target Kenyan Mobile Money Users

A plain-English guide to understanding how mobile money scams work in Kenya, why even smart people fall for them, and exactly what you need to do to keep your money safe.

Kenya is widely regarded as the birthplace of mobile money. When Safaricom launched M-Pesa in 2007, it did not just create a product — it started a financial revolution (a big change) that reshaped the economic landscape of an entire continent. Today, M-Pesa processes billions of shillings in transactions daily, serving over 30 million active users in Kenya alone. It has become the backbone (the main support) of the Kenyan economy — people use it to buy groceries at a local kiosk, pay school fees, settle hospital bills, access loans, and save for the future.

But with great adoption (widespread use) comes great risk.

As M-Pesa has grown into an indispensable (necessary, cannot live without) financial tool, it has also become an irresistible target for cybercriminals (thieves who work through phones and internet). Fraudsters (cheats and liars who steal money) have developed increasingly sophisticated (cleverer and more complicated) methods to exploit (take advantage of) the trust that Kenyans place in the platform. Every year, thousands of Kenyans lose money — sometimes their entire life savings — to carefully planned phishing attacks (tricks designed to steal your information) that prey on human psychology (the way our minds work and feel).

[Image: M-Pesa mobile money logo] M-Pesa — used by over 30 million Kenyans daily

This guide takes a deep, thorough look at phishing as it relates to M-Pesa. We cover how these attacks work, the many forms they take, real-world examples, the psychology behind why they succeed, and — most importantly — exactly how you can protect yourself, your family, and your community.

⚠ The most important thing in this article

Safaricom will NEVER ask for your M-Pesa PIN. Not on a call, not by SMS, not ever. Anyone who asks for your PIN is a criminal. Hang up.

What Is Phishing? The Foundation of Mobile Money Fraud

Phishing (pronounced "fishing") is a type of attack where criminals pretend to be someone you trust — a bank, a telecom company, a government office, or even a friend — to trick you into giving them private information. This information includes passwords, PINs, account numbers, and personal details that they use to steal your money or your identity.

The word "phishing" comes from "fishing." Just like a fisherman throws a net or dangles bait hoping a fish will bite, a phishing attacker sends convincing messages hoping at least one person will fall for the trick.

How phishing has changed over the years

Phishing is not new. It started with crude (badly made, obvious) emails — things like "You have won a lottery in the UK, send us your bank details." Those were easy to spot. But today, phishing attacks are far more dangerous:

They are targeted. Attackers research their victims. They may know your name, where you work, or who your family members are.

They are technically advanced. They use fake phone numbers, cloned (copied) websites, and software that intercepts (captures) your messages.

They are psychologically manipulative. They play on your fear, your greed, your love for family, and your desire to help others.

They come from everywhere. SMS, phone calls, WhatsApp, Facebook, Instagram, and even face-to-face encounters.

In Kenya, phishing has found a perfect hunting ground in the mobile money ecosystem (the whole system of mobile money — the apps, agents, networks, and users).

Phishing vs. other types of fraud

Phishing = tricking you into giving up information willingly.
Hacking = breaking into a system by force, like breaking a door down.
SIM swapping = convincing the phone company to move your number to a new SIM card the criminal controls.
Insider fraud = a corrupt employee inside a company stealing data or money.

Phishing is the most common because it targets the weakest point in any security system — the human being.

Why M-Pesa Is a Prime Target

The sheer scale of M-Pesa

Consider the numbers:

Over 30 million active M-Pesa users in Kenya.
Over 600,000 M-Pesa agents (shops and kiosks where you deposit or withdraw) nationwide.
Billions of shillings transacted every single day.
Roughly 50% of Kenya's GDP (the total value of everything the country earns) flowing through the platform.

It is used by everyone — from office workers in Westlands to farmers in Nyeri, from boda boda riders in Kisumu to grandmothers in Machakos.

This enormous user base means attackers have millions of potential victims. Even if only one in a hundred people falls for a scam, the absolute number of victims — and the money stolen — is staggering (shocking, very large).

[Image: person holding a smartphone in the dark] A smartphone is the gateway to M-Pesa — and a gateway that criminals try to break through every day.

Why M-Pesa users are particularly vulnerable

1. Everyone uses it, regardless of education level. M-Pesa is used by people with PhDs and people who have never been to school. Many users, especially in rural areas and among older generations, may not know how digital fraud works or how to spot a fake message.

2. Safaricom and M-Pesa are deeply trusted. These are among the most recognisable (well-known) brands in Kenya. When someone receives a message appearing to come from "Safaricom," the natural instinct is to trust it. Criminals exploit (take advantage of) this trust ruthlessly.

3. Transactions happen in real time. Once money moves on M-Pesa, it can be withdrawn within seconds. Unlike a bank transfer that takes hours and can sometimes be reversed (cancelled and returned), M-Pesa's instant speed works entirely in the attacker's favour.

4. The USSD interface has no advanced security. USSD (the simple menu you see when you dial *334# — the same way you access M-Pesa on a basic phone) has no fingerprint scanning, no app-based security codes, and no visual warning signs. It is accessible on any phone, which is wonderful for inclusion (making sure everyone can use it), but leaves fewer safety layers in place.

5. SMS is easy to fake. M-Pesa communicates mainly through SMS. But SMS can be spoofed (faked — made to look like it came from a real sender like "MPESA"). A criminal can send a fake M-Pesa confirmation message that appears in the same thread as your real M-Pesa messages.

How an M-Pesa Phishing Attack Works, Step by Step

Let us walk through a typical attack so you can see exactly how it unfolds. Think of it like watching a pickpocket at work — once you know the moves, they cannot catch you off guard.

1. Research and Preparation. The attacker studies their target. They may buy databases of phone numbers, look at social media profiles, or study how Safaricom writes its official messages — copying the exact wording and format.

2. The Bait. The attacker makes contact via SMS, phone call, WhatsApp, or social media. The message is designed to appear legitimate and to trigger an emotion — excitement, fear, or urgency.

3. Engagement and Manipulation. Once you respond, the attacker keeps you talking. They build your trust, sound professional, and steer you toward revealing sensitive information or doing something specific — like pressing a code or entering your PIN.

4. Exploitation. With your PIN or personal details, they access your M-Pesa account, transfer the money out, and withdraw it — all within minutes.

5. Disappearing. The money is withdrawn through multiple agents to hide the trail. By the time you report the theft, the cash is gone and the attacker is unreachable.

The Scams Themselves — Every Trick Explained

The Fake Promotion or Lottery Scam

You receive an SMS or call saying you have won a large sum of money in a Safaricom competition. The message often copies Safaricom's real branding and language so closely that it is almost impossible to distinguish from a genuine message.

Example fake SMS (do NOT respond to messages like this)
"Congratulations! Your M-Pesa number has been selected as the winner of KSh 500,000 in the Safaricom Mega Promotion! To claim your prize, call 0700-XXX-XXX or send your M-Pesa PIN to confirm your identity."

When you call, they ask for your PIN, your ID number, or a "processing fee" (a payment supposedly required to release your prize). There is no prize. Your money is gone.

Why people believe it: Safaricom does run real promotions like Bonga Points. The promise of a large windfall (unexpected money) is exciting. And the urgency — "claim before midnight" — stops people from pausing to think.

The Fake Customer Service Call

Someone calls you, speaking professionally, claiming to be from Safaricom support. They say there is a problem with your account — suspicious activity, a needed upgrade, a security check — and ask you to verify your details.

Example fake call script
"Good morning, this is James from Safaricom M-Pesa Support. We have noticed unusual activity (strange things happening) on your account. For your security, please confirm your M-Pesa PIN so we can protect your account immediately."

Remember: Safaricom will NEVER ask for your PIN on a call. Ever. A genuine Safaricom employee does not need your PIN to help you. The moment anyone asks for your PIN on a phone call, end the call.

The "Wrong Transaction" or "Accidental Transfer" Scam

This is one of the most clever scams in Kenya. You receive what looks like a genuine M-Pesa deposit notification — someone has apparently sent you money. Almost immediately, the "sender" calls, saying it was a mistake, and begs you to return the money.

The catch: the original deposit message was fake. It was a normal SMS sent by the scammer — not a real M-Pesa transaction. No money ever entered your account. When you "return" the funds, you are sending your own money to the criminal.

A more sophisticated version: the scammer actually does send you real money (often stolen from someone else). Then they ask you to return it to a different number. Either way, your money — or someone else's — ends up in their hands.

✓ How to protect yourself

Before sending any money back to someone who claims to have sent it by mistake, dial *334# and check your actual M-Pesa balance. If your balance has not changed, no money was received. The message was fake.

The SIM Swap Scam

A SIM swap (when your phone number is moved to a new SIM card) usually begins with phishing. The attacker first collects your personal information — your ID number, date of birth, and other details — through a fake call or message. They then walk into a Safaricom shop and use that information to convince staff to transfer your number to their SIM card.

Once they control your number, they receive all your calls and SMS messages — including M-Pesa confirmation codes and one-time passwords. They reset your M-Pesa PIN and drain your account before you even realise your SIM has been deactivated.

Warning sign: If your phone suddenly shows "No service" or "SIM not registered" for no apparent reason, especially at night, contact Safaricom immediately from another phone. Do not wait until morning.

Fake M-Pesa Agent Scams

Some scammers set up fake M-Pesa agent shops, or they compromise (corrupt, work together with) real agents. You might be told the system is "slow," and the agent offers to "help" by taking your phone to "complete" the transaction — while secretly transferring your money. Or the agent gives you a fake receipt after pocketing your cash.

Always: Enter your own PIN yourself. Shield the screen with your hand. Never hand your phone to an agent for them to enter anything. Wait for the confirmation SMS before you leave.

Social Media Phishing

As more Kenyans use Facebook, WhatsApp, Instagram, and TikTok, criminals have followed. They create fake Safaricom pages that look almost identical to the real ones and offer "customer support," asking victims to send their account details. WhatsApp messages carry links to fake websites. Facebook ads promote fake promotions. Even romance scams (where someone pretends to be interested in you romantically over time) eventually end with a request for an M-Pesa transfer.

Malicious Apps and Fake Links

You receive an SMS: "Update your M-Pesa app now to avoid service disruption: [link]." You click the link. You download what looks like an M-Pesa app. In reality, the app steals your credentials (your login details) or reads your incoming SMS messages — including real M-Pesa confirmations — sending them to the attacker.

Only download the M-Pesa app from the official Google Play Store or Apple App Store. Never from a link sent by SMS, WhatsApp, or email.

Fuliza and Digital Lending Scams

Fuliza is M-Pesa's overdraft service (it lets you borrow small amounts when you do not have enough money for a transaction). Scammers send fake messages saying your Fuliza limit has been increased, or that you have been pre-approved (already selected) for a loan — but you need to "activate" it by sharing your PIN. Others access your account and take out Fuliza loans in your name, leaving you with a debt you never incurred (took on).

The "Help Me" Impersonation Scam

The attacker pretends to be someone you know — a child, a parent, a close friend — and sends an urgent message asking for money:

Example impersonation message via WhatsApp
"Hi Mum, I lost my phone and I'm using a friend's number. I'm in trouble and I need KSh 5,000 urgently. Please send to this number: 0712-XXX-XXX. I'll explain everything later."

In more advanced versions, the scammer has actually hacked your relative's WhatsApp account and is messaging you from their real account. Always call the person on their original number before sending money — do not just trust the WhatsApp message.

USSD Code Manipulation

You are told to dial a special code to "receive a promotion bonus" or "activate a feature." But the code actually sends money to the scammer, or activates call forwarding (redirecting your calls to another number) so the scammer receives your M-Pesa verification calls.

Never dial any USSD code given to you by a stranger. The only M-Pesa code you should ever need is *334#.


The Psychology Behind the Scams — Why Smart People Fall For Them

One of the hardest things for victims to accept is that being scammed does not mean you are foolish. Highly educated professionals, experienced business people, and tech-savvy individuals have all been victims. This is because these attacks are engineered (carefully designed) to exploit the way all human minds work.

Being scammed is not a sign of stupidity. These crimes are designed by professionals who study human behaviour for a living.

Authority. Humans are wired to obey authority figures. A confident caller who says "I am from Safaricom" and speaks professionally triggers a deep-seated (built into us from childhood) instinct to comply (do what they say).

Urgency. "Your account will be suspended in one hour." "Claim your prize before midnight." Urgency shuts down careful thinking. When we feel pressured by time, we act without fully considering whether something is legitimate.

Fear of Loss. People fear losing what they have more than they desire gaining something new. A message threatening account suspension is more powerful than one promising a reward. Scammers know this and lead with threats.

Greed and Hope. For many Kenyans living in genuine financial difficulty, the promise of KSh 100,000 in a "promotion" is tremendously tempting. The hope of improving one's life in an instant overrides (defeats) the suspicion that something seems too good to be true.

Reciprocity. This is the human desire to return favours. If someone (apparently) sends you money by mistake, you feel a natural obligation to give it back. You are not being greedy — you are being honest and decent. Scammers exploit your goodness against you.

Distraction and Overload. A phishing SMS that arrives while you are cooking, nursing a child, or worrying about bills does not get the careful attention it deserves. Scammers time their attacks deliberately — often when people are busiest or most stressed.

Trust in Familiar Brands. You interact with M-Pesa multiple times a day. That familiarity creates deep trust. When a message uses M-Pesa's language, format, and name, your brain categorises it as safe before you have even read the content carefully.

Real-World Impact — Stories From the Ground

The scale of M-Pesa fraud in Kenya is enormous. The Communications Authority of Kenya (CA) receives thousands of fraud complaints each year. The Central Bank of Kenya has identified mobile money fraud as a serious national concern. Safaricom itself has invested heavily in fraud detection systems. Yet the attacks continue — and real people continue to pay the price.

Here are illustrative scenarios (realistic examples based on commonly reported patterns — not real named individuals):

The Retired Teacher in Nyeri. She receives a call from someone claiming to be Safaricom support. He tells her the system is being upgraded and she needs to verify her PIN. She provides it. Within minutes, KSh 45,000 — her savings for medication — disappears. She reports to both Safaricom and police. The money is never recovered.

The University Student in Nairobi. An SMS congratulates him on winning KSh 100,000. He is asked to send KSh 1,500 as a processing fee to claim the prize. He borrows the money from a friend and sends it. No prize ever arrives. The number goes silent.

The Mama Mboga in Kisumu. A customer hands over goods after receiving what looks like an M-Pesa deposit confirmation. She does not check her actual balance. Later she discovers her balance has not moved — the message was a fake SMS. She has lost both the goods and the money.

The Professional in Mombasa. Her personal details are leaked in a data breach (when a company's stored information is stolen by hackers). Criminals use that information to perform a SIM swap. They control her number, reset her M-Pesa PIN, drain her M-Pesa account, clean out her M-Shwari savings, and take a Fuliza overdraft in her name. She loses over KSh 200,000 and inherits a debt she never took on.

How Technology Enables — and Fights — These Attacks

How technology helps criminals

SMS Spoofing. Attackers can send messages that show "MPESA" or "SAFARICOM" as the sender. This makes the fake message appear in the same SMS conversation thread as your real M-Pesa messages on your phone. This is why you cannot trust the sender name alone.

Caller ID Spoofing. Similarly, attackers can make their phone calls appear to come from Safaricom's real numbers. When you see the caller ID, it looks official.

Fake Websites. Criminals build websites that look pixel-for-pixel (identical in every detail) like Safaricom's official site. You enter your details. They capture them.

Malware. Malicious software (bad programmes installed on your phone without your knowledge) can read your incoming SMS messages, capture your keystrokes (what you type), or display a fake screen on top of the real M-Pesa app to capture your PIN.

Bulk SMS Services. For a few thousand shillings, a criminal can send phishing messages to millions of Kenyan phone numbers. If only 0.1% of people fall for it, that is still potentially thousands of victims.

How technology fights back

Safaricom uses artificial intelligence (computer systems that can learn and make decisions) to monitor all M-Pesa transactions in real time (as they happen). The system looks for suspicious patterns — like many large transfers to new numbers in quick succession (one after another), or a SIM swap followed immediately by financial transactions. When suspicious activity is detected, transactions can be flagged or blocked.

Safaricom also operates stricter SIM swap procedures now, requiring customers to visit a shop in person with their original ID. After a SIM swap, M-Pesa services are temporarily suspended to give the real owner time to report any unauthorised (not approved by you) changes.
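
The two patterns named above (many large transfers to new numbers in quick succession, and a SIM swap followed by financial transactions) can be written as simple rules over a stream of account events. This is an added illustration, not Safaricom's system and not code from the original article; the event fields, the thresholds and the sample events are assumptions constructed for the example.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Thresholds are assumptions chosen for this example, not Safaricom's values.
LARGE_KSH = 10_000                      # what counts as a "large" transfer
BURST_COUNT = 3                         # this many large transfers to new numbers...
BURST_WINDOW = timedelta(minutes=10)    # ...inside this window raises a flag
POST_SWAP_WINDOW = timedelta(hours=24)  # transfers this soon after a SIM swap are flagged


@dataclass(frozen=True)
class Event:
    ts: datetime
    account: str
    kind: str            # "sim_swap" or "transfer"
    recipient: str = ""
    amount: int = 0


def flag_events(events):
    """Return (event, reason) pairs for transfers matching either pattern."""
    last_swap = {}                # account -> time of most recent SIM swap
    known = defaultdict(set)      # account -> recipients already paid before
    recent = defaultdict(deque)   # account -> times of large transfers to new recipients
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "sim_swap":
            last_swap[ev.account] = ev.ts
            continue
        if ev.kind != "transfer":
            continue
        # Pattern 1: a SIM swap followed closely by a financial transaction.
        swap_ts = last_swap.get(ev.account)
        if swap_ts is not None and ev.ts - swap_ts <= POST_SWAP_WINDOW:
            alerts.append((ev, "transfer_after_sim_swap"))
        # Pattern 2: several large transfers to first-seen recipients in a short window.
        is_new = ev.recipient not in known[ev.account]
        known[ev.account].add(ev.recipient)
        if is_new and ev.amount >= LARGE_KSH:
            window = recent[ev.account]
            window.append(ev.ts)
            while window and ev.ts - window[0] > BURST_WINDOW:
                window.popleft()  # drop transfers that fell out of the window
            if len(window) >= BURST_COUNT:
                alerts.append((ev, "burst_to_new_recipients"))
    return alerts


def _t(text):
    return datetime.fromisoformat(text)


# Constructed sample events (not real accounts or transactions).
SAMPLE_EVENTS = [
    # Account A: ordinary use, repeat recipient, one large payment. No flags.
    Event(_t("2024-03-01T09:00:00"), "A", "transfer", "shop-1", 500),
    Event(_t("2024-03-02T09:05:00"), "A", "transfer", "shop-1", 12_000),
    Event(_t("2024-03-09T18:30:00"), "A", "transfer", "landlord", 15_000),
    # Account B: SIM swap at night, then a transfer seven minutes later.
    Event(_t("2024-03-05T02:00:00"), "B", "sim_swap"),
    Event(_t("2024-03-05T02:07:00"), "B", "transfer", "new-1", 3_000),
    # Account C: three large transfers to first-seen numbers within five minutes.
    Event(_t("2024-03-07T14:00:00"), "C", "transfer", "new-2", 20_000),
    Event(_t("2024-03-07T14:02:00"), "C", "transfer", "new-3", 25_000),
    Event(_t("2024-03-07T14:05:00"), "C", "transfer", "new-4", 18_000),
]

if __name__ == "__main__":
    for ev, reason in flag_events(SAMPLE_EVENTS):
        print(ev.ts.isoformat(), ev.account, ev.recipient, ev.amount, reason)
```

With no transaction history every recipient looks new, so a rule like the second one is only meaningful once an account has some past activity to compare against.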

The Law — What Kenya Says About This

Kenya has real laws to fight cybercrime (crime committed through computers and the internet). You should know these exist, and you should use them.

The Computer Misuse and Cybercrimes Act (2018) criminalises phishing, identity theft (stealing someone's personal details to pretend to be them), computer fraud, and cyber forgery (faking digital documents or messages). Penalties include fines of up to KSh 20 million and prison sentences of up to 10 years.

The Data Protection Act (2019) requires organisations like Safaricom to protect your personal data, report data breaches, and allow you to access and correct your own information.

The National Payment Systems Act regulates payment systems like M-Pesa, with provisions for consumer protection and fraud prevention.

Who investigates these crimes?

The Directorate of Criminal Investigations (DCI) has a dedicated cybercrime unit. The Banking Fraud Investigations Unit (BFIU) handles financial fraud specifically. The Communications Authority of Kenya (CA) regulates telecoms and can act against fraud. Despite these agencies, enforcement (actually catching and punishing criminals) remains difficult — scammers use multiple SIM cards, fake IDs, and money mules (innocent people whose accounts are used unknowingly to move stolen money) to cover their tracks. Report anyway — it contributes to investigations and intelligence gathering.

What Safaricom Is Doing About It

Safaricom has invested heavily in fighting fraud. Their AI-powered systems monitor every M-Pesa transaction in real time. Their enhanced KYC (Know Your Customer — the process of verifying who you are) procedures now include biometric verification (fingerprint or face scanning) for SIM registration. They run public campaigns like "Jichanue" (Kiswahili for "know yourself" or "verify yourself") to warn users about scams.

Safaricom provides multiple fraud reporting channels:

How to Report    Details
Call             234 (fraud reporting line) or 100 (customer care)
SMS              Send "SCAM" followed by the suspicious number to 456
In-App           Through the M-Pesa app directly
Visit            Any Safaricom shop with your ID

In some cases, Safaricom can reverse fraudulent transactions if they are reported immediately and the funds have not yet been withdrawn. The window is very small — act the moment you realise something has gone wrong.

How to Protect Yourself — The Golden Rules

1. Never share your M-Pesa PIN with anyone

Your PIN is the key to your money. No one — not Safaricom, not police, not your bank, not a family member — ever needs your PIN. Anyone who asks for it is a criminal.

2. Never share your ID number or personal details with unknown callers

Your national ID number, date of birth, and mother's name can be used to perform a SIM swap. Guard them as carefully as you guard your PIN.

3. Always verify before you act

Check your actual M-Pesa balance by dialling *334# before believing any message. If in doubt about a call from "Safaricom," hang up and call 100 yourself using the official number.

4. Never send money to claim a prize

No legitimate promotion ever requires you to pay money to receive your winnings. If someone asks for a "processing fee," "tax," or "activation charge" to release a prize, it is a scam — always.

5. Check your balance before returning "accidentally sent" money

If someone says they sent money to you by mistake and asks you to return it, dial *334# first. If your balance has not gone up, no money arrived. The message was fake.

6. Never dial USSD codes given by strangers

Unknown codes could transfer your money, forward your calls to criminals, or do other things you never intended. Only use *334# for M-Pesa.

7. Be suspicious of urgency

Whenever a message or caller pressures you to act immediately, stop. Take a breath. Verify independently. Real emergencies can wait five minutes for a verification call.
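
The golden rules above can be turned into a small message checker that reports which warning signs a text contains. This is an added example, not part of the original article and not a Safaricom tool; the flag names, the word lists and the USSD code *000*1# are assumptions made up for illustration, and the first two sample messages are the article's own examples.

```python
import re

ALLOWED_USSD = {"*334#"}  # the only M-Pesa code the article says you should need

# Word lists are assumptions for this example and are deliberately small.
PIN_REQUEST = re.compile(
    r"\b(send|share|confirm|enter|give|provide|verify)\b[^.!?]{0,60}\bpin\b", re.I)
NEGATION = re.compile(r"\b(never|do not|don't)\b", re.I)
PRIZE = re.compile(r"\b(won|winner|prize|winnings)\b", re.I)
FEE = re.compile(r"\b(processing fee|activation charge|tax|fee)\b", re.I)
USSD = re.compile(r"[*#][\d*#]*#")
LINK = re.compile(r"\b(?:https?://|www\.)\S+", re.I)
URGENCY = re.compile(
    r"\b(urgent|urgently|immediately|now|before midnight|"
    r"within (one|an|\d+) (hour|minute)s?)\b", re.I)


def red_flags(message):
    """Return the warning signs found in one message, in a fixed order."""
    flags = []
    # Rule 1: a request for the PIN. Checked per sentence so that a genuine
    # warning such as "Do not share your PIN" is not flagged.
    sentences = re.split(r"(?<=[.!?])\s+", message)
    if any(PIN_REQUEST.search(s) and not NEGATION.search(s) for s in sentences):
        flags.append("asks_for_pin")
    # Rule 4: being asked to pay in order to receive a prize.
    if PRIZE.search(message) and FEE.search(message):
        flags.append("pay_to_claim_prize")
    # Rule 6: any USSD code other than the allowed one.
    if any(code not in ALLOWED_USSD for code in USSD.findall(message)):
        flags.append("unknown_ussd_code")
    # Fake app updates arrive as links in a message.
    if LINK.search(message):
        flags.append("link_in_message")
    # Rule 7: pressure to act immediately.
    if URGENCY.search(message):
        flags.append("urgency")
    return flags


# The article's own example messages.
FAKE_PROMO = ("Congratulations! Your M-Pesa number has been selected as the winner "
              "of KSh 500,000 in the Safaricom Mega Promotion! To claim your prize, "
              "call 0700-XXX-XXX or send your M-Pesa PIN to confirm your identity.")
HELP_ME = ("Hi Mum, I lost my phone and I'm using a friend's number. I'm in trouble "
           "and I need KSh 5,000 urgently. Please send to this number: 0712-XXX-XXX. "
           "I'll explain everything later.")

# Constructed sample messages (the link and the USSD code are placeholders).
FAKE_UPDATE = ("Update your M-Pesa app now to avoid service disruption: "
               "http://update.example.invalid/mpesa")
FAKE_FEE = ("You have won KSh 100,000. Send KSh 1,500 processing fee to claim "
            "your prize before midnight.")
FAKE_CODE = "Dial *000*1# to receive your promotion bonus."
GENUINE_WARNING = ("Safaricom will never ask for your PIN. "
                   "Do not share your PIN with anyone.")
BALANCE_TIP = "To check your balance dial *334# and select My Account."

if __name__ == "__main__":
    for text in (FAKE_PROMO, HELP_ME, FAKE_UPDATE, FAKE_FEE, FAKE_CODE,
                 GENUINE_WARNING, BALANCE_TIP):
        print(red_flags(text), "<-", text[:50])
```

A message that raises no flag is not proven safe; the balance check and the call-back on the person's original number described in this guide still apply.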

Additional practical steps

Use the M-Pesa app. If you have a smartphone, download the official M-Pesa app from the Google Play Store or Apple App Store. It has better security features than USSD.

Set a strong lock screen. Use a fingerprint, face lock, or a PIN that is not your birthday. If your phone is stolen, a good lock screen protects your M-Pesa.

Change your PIN regularly. At least every few months. Do not use 1234, your birth year, or any number that others might guess.

Use a unique PIN for M-Pesa. Do not use the same PIN for your phone lock screen, your ATM card, and M-Pesa — they should all be different.

Set a SIM card PIN. Go to Settings → Security → SIM Card Lock. This means even if someone steals your SIM card, they cannot use it without the PIN.

Monitor your transactions. Regularly check your M-Pesa history. Report anything unfamiliar immediately.

Educate your family. Share what you have learned here with your parents, grandparents, and children — they are all potential targets too.

What to Do If You Have Already Been Scammed

Act immediately — every minute counts

The faster you report, the higher the chance the transaction can be reversed or the scammer's account frozen.

1. Call Safaricom immediately. Dial 234 (fraud line) or 100 (customer care). Explain what happened. Ask them to freeze the receiving account.

2. Change your M-Pesa PIN right away. Dial *334# → My Account → Change PIN. Do this even while you are on hold with Safaricom.

3. If you suspect a SIM swap — call from a different phone. Visit a Safaricom shop with your ID and request your line be blocked immediately.

4. File a police report. Go to your nearest police station. Bring your M-Pesa transaction messages, the scammer's number, and any screenshots. Get a copy of the report (called an OB number — occurrence book number) for follow-up.

5. Document everything. Screenshot every suspicious message. Write down dates, times, amounts, and numbers involved. This evidence helps with investigations.

On the emotional side

Being scammed is emotionally devastating (crushing, very painful). Victims often feel shame and embarrassment, as if they did something wrong. Please know: you are not stupid for being scammed. These attacks are engineered by people who study human psychology professionally. Thousands of Kenyans — including educated professionals — fall victim every year. There is no shame in being targeted. The shame belongs entirely to the criminal.

Everyone Has a Role to Play

Telecom companies must invest in fraud detection, educate customers, and provide responsive reporting channels.

Government and regulators must strengthen and enforce cybercrime laws, fund digital literacy education, and invest in law enforcement capacity.

Communities and civil society can spread awareness through churches, mosques, barazas, chamas (community saving groups), and neighbourhood networks.

Media can report on new scam techniques and debunk fake promotions.

Every individual — including you, right now — can share this knowledge and protect the people around them.

What Is Coming Next — Emerging Threats to Watch

AI-Powered Phishing. Artificial intelligence can now write convincing phishing messages that perfectly mimic official communication styles. Voice cloning technology (software that copies someone's voice) can fake a family member's voice on a call. These attacks will become harder to spot as the technology improves.

Deeper Social Media Attacks. As more Kenyans join social platforms, scammers follow. Fake profiles, hacked accounts, and romance scams that build over weeks before requesting money are all on the rise.

Attacks on M-Pesa Business Integrations. As more businesses connect to M-Pesa through digital APIs (programming connections that allow different systems to talk to each other), those connections become new targets.

Fuliza and Digital Lending Exploitation. As more Kenyans borrow digitally, scammers are creating fake lending apps and fake loan approval messages to steal personal information.

A Cultural Note — Building a Security Mindset

Kenya's M-Pesa fraud problem is not purely a technology problem — it is a cultural one too. Kenyan culture values trust, generosity, community, and mutual assistance (helping each other). These are beautiful qualities. But criminals exploit them ruthlessly.

When someone calls and says they are from Safaricom, the default Kenyan response is to trust them — because Kenyans are trusting people. When someone sends money "by mistake," the natural impulse is to return it — because Kenyans are honest people. When a "relative" calls in distress, love overrides (wins over) caution — because Kenyans are caring people.

Building a security-conscious culture does not mean becoming cold, suspicious, or unhelpful. It means developing a healthy habit of verifying before acting. It is like locking your door at night — not because you distrust your neighbours, but because you live in a world where not everyone has good intentions.

Digital literacy (understanding how to use and stay safe with digital technology) must become a national priority. It should be taught in schools, discussed in churches and mosques, shared at barazas, and included in adult education programmes. The more people understand these threats, the fewer victims there will be.

Important Numbers and Resources

Purpose                           Number / Action
Safaricom Customer Care           Call 100
M-Pesa Fraud Reporting            Call 234
Report a Scam Number by SMS       Send "SCAM [the suspicious number]" to 456
Check Your M-Pesa Balance         Dial *334# → My Account → Check Balance
Change Your M-Pesa PIN            Dial *334# → My Account → Change PIN
View Your M-Pesa Statement        Dial *334# → My Account → M-Pesa Statement
Police Emergency                  999 or 112
Communications Authority Kenya    www.ca.go.ke
Safaricom Official Website        www.safaricom.co.ke

Conclusion — Knowledge Is Your Greatest Weapon

The battle between M-Pesa phishing attackers and the people trying to stop them is ongoing. It is an arms race where both sides continuously adapt. As Safaricom improves its security, scammers develop new techniques. As users learn about one scam, criminals invent another.

But here is the empowering truth: the vast majority of M-Pesa phishing attacks succeed not because of a technology failure, but because of human error — error that can be prevented through awareness.

You cannot be phished if you never give your PIN to anyone, ever.

By reading this article, you have already taken an important step. You now understand what phishing is, how the specific attacks against M-Pesa users work, the psychology behind why they succeed, and exactly what to do to protect yourself and what to do if the worst happens.

Now share this knowledge. Talk to your parents. Share it with your grandmother. Discuss it at your church or mosque, at your chama meeting, with your boda boda riders' group, with your colleagues at work. Forward this page. The more people who understand these threats, the fewer victims there will be.

M-Pesa has been a force for genuine good in Kenya — lifting millions out of financial exclusion and powering economic growth that Africa watches with admiration. We cannot let criminals steal this progress. By staying informed, staying vigilant, and looking out for one another, we can protect ourselves and our communities.

Remember this always

Safaricom will NEVER ask for your PIN. If in doubt, hang up and call 100.
Stay safe. Stay alert. Protect your M-Pesa.

This article is for educational and cybersecurity awareness purposes. For specific security concerns about your account, contact Safaricom directly. If you need professional cybersecurity advice for your business, contact VUNVAULT.
