Hackers drained Sh1.59 billion from Kenyan banks last year, exploiting the very technology that has made banking more convenient. According to the Central Bank of Kenya (CBK), the criminals relied on a mix of deception, technical trickery, and digital manipulation to outsmart customers and financial institutions.
One of the most common methods was the SIM swap. In this scheme, fraudsters trick mobile phone operators into transferring a victim’s number to a new SIM card under their control. The moment the swap goes through, the victim is cut off, while the criminals start receiving all calls, text messages, and the crucial one-time passwords (OTPs) that banks send for verification. With that access, the hackers simply log in to mobile banking apps and empty the accounts.
Another favourite tactic was phishing. Customers would get convincing phone calls, text messages, or emails claiming to be from their bank. Sometimes the message warned of a “security breach” and urged the recipient to confirm their PIN, password, or even share a code sent to their phone. The moment unsuspecting clients complied, the information was used to authorise transactions and transfer money instantly.
Malware was also widely deployed. Fraudsters sent out links disguised as legitimate offers or updates. Once clicked, these links installed hidden software that quietly tracked keystrokes and login details, sending them straight to the attackers. In other cases, malware gave hackers remote access to devices, allowing them to control banking apps as if they were the account holders themselves.
The criminals also perfected the art of identity cloning. Armed with stolen ID numbers and personal details, they created digital replicas of genuine customers. With these false profiles, they opened new accounts, applied for loans, and carried out transactions while the real owners remained oblivious.
Perhaps the most unsettling trick was late-night social engineering. On Friday and Saturday nights, when many Kenyans were out socialising, fraudsters would pose as bank employees and call revelers, claiming to need urgent confirmation of account details. Distracted and unsuspecting, many handed over critical information, only to discover the next morning that their savings had vanished.
Mobile banking bore the brunt of these attacks, accounting for more than half of the losses at Sh810.68 million. Card fraud, online banking scams, and computer system breaches added hundreds of millions more. Overall, CBK data shows fraud cases more than doubled in 2024, with nearly Sh2 billion targeted before banks managed to claw back a portion of the money.
The regulator warns that Kenya’s digital finance revolution—once celebrated for driving financial inclusion—has also opened dangerous back doors for cybercriminals. For now, the thieves are moving faster than the protections, leaving both banks and customers exposed in a high-stakes digital cat-and-mouse game.
