Mobile money has become the backbone of commerce in East Africa. Kenya processes over KES 1 trillion through M-Pesa monthly, and platforms like Airtel Money, T-Kash, and Equitel are growing rapidly across the region. But with this explosion in digital finance comes a parallel surge in mobile-targeting cybercrime.
At Netcaru, we've seen a dramatic increase in mobile banking fraud attempts targeting our clients over the past 18 months. This article breaks down the most active attack vectors and what your organisation should be implementing to defend against them.
The Most Common Attack Vectors
1. SIM Swap Fraud
SIM swapping is one of the most damaging attacks targeting mobile banking users. An attacker bribes or social-engineers a telecom employee to transfer a victim's phone number to a new SIM card under the attacker's control. Once they have the number, they can intercept SMS OTPs (one-time passwords) and gain full access to any account tied to that number.
Businesses can mitigate SIM swap risk by moving away from SMS-based 2FA for financial transactions and adopting authenticator apps or hardware tokens instead.
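To make the replacement concrete, here is an added example of what "authenticator app" verification looks like on the server side: an RFC 6238 TOTP check with clock-drift tolerance and replay protection, so a code that was observed once cannot be submitted again within its validity window. This is illustrative code written for this article, not Netcaru's or any vendor's implementation; the only fixed secret in it is the published RFC 6238 test secret, used so the output can be checked against the standard's vectors.

```python
"""TOTP verification (RFC 6238) as a replacement for SMS one-time codes.

Added example; not code from Netcaru or any vendor. RFC_TEST_SECRET is the
RFC 6238 reference test secret, used only so results match the published vectors.
"""
import base64
import hashlib
import hmac
import secrets
import struct

STEP_SECONDS = 30   # time-step length used by common authenticator apps
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step."""
    return hotp(secret, unix_time // step, digits)


def new_shared_secret() -> str:
    """Generate a fresh 160-bit secret, base32-encoded as authenticator apps expect.
    The server stores it encrypted at rest; the user enrols it once (e.g. via QR code)."""
    return base64.b32encode(secrets.token_bytes(20)).decode("ascii")


class TotpVerifier:
    """Server-side verifier with clock-drift tolerance and replay protection."""

    def __init__(self, base32_secret: str, window: int = 1):
        self.secret = base64.b32decode(base32_secret, casefold=True)
        self.window = window            # accept +/- this many time steps of drift
        self.last_counter = -1          # highest time step already accepted

    def verify(self, code: str, unix_time: int) -> bool:
        counter = unix_time // STEP_SECONDS
        for drift in range(-self.window, self.window + 1):
            candidate = counter + drift
            # Never accept a time step at or before the last one used, so a code
            # that was already consumed cannot be replayed inside its window.
            if candidate <= self.last_counter:
                continue
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                self.last_counter = candidate
                return True
        return False


RFC_TEST_SECRET = b"12345678901234567890"
RFC_TEST_SECRET_B32 = base64.b32encode(RFC_TEST_SECRET).decode("ascii")

if __name__ == "__main__":
    verifier = TotpVerifier(RFC_TEST_SECRET_B32)
    print(totp(RFC_TEST_SECRET, 59))        # 287082 (RFC 6238 vector, 6 digits)
    print(verifier.verify("287082", 59))    # True
    print(verifier.verify("287082", 59))    # False: replay rejected
```

The replay check is the part most home-grown verifiers omit: without it, a code phished or shoulder-surfed seconds earlier still works until the step expires. Store `last_counter` alongside the user's secret so it survives restarts.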
2. M-Pesa API Exploits and Daraja Abuse
Safaricom's Daraja API allows businesses to integrate M-Pesa into their systems. However, poorly configured Daraja integrations are a major source of financial loss. Common issues include hardcoded API credentials in public GitHub repositories, insufficient validation of callback URLs, and lack of IP whitelisting on API endpoints.
We routinely find client systems where M-Pesa API keys are accessible in source code or exposed in server logs. An attacker who gains these credentials may be able to initiate unauthorised transactions, manipulate payment flows, or abuse B2C payout endpoints depending on how the integration is implemented.
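The three integration failures above (credentials in code or logs, unvalidated callbacks, no IP restriction) each have a small, mechanical fix. The following added example, written for this article and not taken from Netcaru or Safaricom, shows a callback receiver that loads credentials from the environment, accepts callbacks only from an allowlisted source range, and masks credential values before log lines are written. The allowlist ranges, environment variable names, payload field `TransactionId` and log lines are constructed placeholders; use the ranges and field names your provider documents.

```python
"""Hardening checks for a Daraja-style M-Pesa callback receiver.

Added example, not code from Netcaru or Safaricom. The allowlist ranges,
environment variable names, callback payload and log lines are constructed
placeholders; substitute the values your payment provider documents.
"""
import ipaddress
import os
import re

# Placeholder ranges from the RFC 5737 documentation space. Replace with the
# source ranges your payment provider publishes for its callback servers.
CALLBACK_ALLOWLIST = ("203.0.113.0/24", "198.51.100.0/24")

# Placeholder variable names; a secrets manager injects these at deploy time.
REQUIRED_CREDENTIALS = ("MPESA_CONSUMER_KEY", "MPESA_CONSUMER_SECRET")


def load_credentials(env=None):
    """Read API credentials from the process environment, never from source code.
    A missing value fails loudly instead of falling back to a hardcoded default."""
    env = os.environ if env is None else env
    creds = {}
    for name in REQUIRED_CREDENTIALS:
        value = env.get(name, "").strip()
        if not value:
            raise RuntimeError(f"missing credential {name}")
        creds[name] = value
    return creds


def is_allowed_source(client_ip, allowlist=CALLBACK_ALLOWLIST):
    """True only if the callback's source address lies inside an allowlisted range.
    Malformed addresses are rejected rather than raising."""
    try:
        ip = ipaddress.ip_address(client_ip)
    except ValueError:
        return False
    return any(ip in ipaddress.ip_network(cidr, strict=False) for cidr in allowlist)


# Credential shapes most often found leaking into server logs.
SECRET_PATTERNS = (
    re.compile(r"(?i)((?:consumer[_-]?secret|consumer[_-]?key|passkey|api[_-]?key)\s*[=:]\s*)\S+"),
    re.compile(r"(?i)(authorization:\s*(?:bearer|basic)\s+)\S+"),
)


def redact(line):
    """Mask credential values before a line reaches the log pipeline."""
    for pattern in SECRET_PATTERNS:
        line = pattern.sub(r"\1[REDACTED]", line)
    return line


def handle_callback(client_ip, payload, log):
    """Accept a payment callback only from an allowlisted source and log it with
    secrets masked. Returns (http_status, reason) for the web layer to emit."""
    if not is_allowed_source(client_ip):
        log(redact(f"rejected callback from {client_ip}"))
        return 403, "source not allowlisted"
    if not isinstance(payload, dict) or "TransactionId" not in payload:
        return 400, "malformed payload"
    log(redact(f"accepted callback {payload['TransactionId']} from {client_ip}"))
    return 200, "ok"


if __name__ == "__main__":
    # Constructed sample run: environment, addresses and payload are placeholders.
    creds = load_credentials({"MPESA_CONSUMER_KEY": "placeholder-key",
                              "MPESA_CONSUMER_SECRET": "placeholder-secret"})
    print(sorted(creds))
    print(is_allowed_source("203.0.113.7"), is_allowed_source("192.0.2.9"))
    print(redact("POST /token Authorization: Basic QUJDOjEyMw== 200"))
    print(handle_callback("203.0.113.7", {"TransactionId": "PLACEHOLDER-TXN"}, print))
```

If your callback endpoint sits behind a load balancer or CDN, derive `client_ip` from the proxy's trusted forwarding header only after confirming the proxy itself is the direct peer; otherwise the allowlist can be bypassed with a forged header.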
3. Mobile Banking App Phishing
Cybercriminals are increasingly building convincing fake versions of banking apps — complete with real logos, accurate UI clones, and even fake "security alerts" designed to panic users into entering credentials. These apps are distributed via WhatsApp messages, SMS links, and third-party APK sites targeting Android users.
4. Vishing and SMS Phishing (Smishing)
Voice phishing (vishing) campaigns impersonating bank customer service lines have become highly sophisticated. Attackers use spoofed numbers that appear identical to real bank numbers, and victims often can't tell the difference. Similarly, smishing attacks send convincing SMS messages appearing to come from M-Pesa, Equity Bank, or KCB, asking users to "verify" their accounts.
Protecting Your Business
Here are the key defences every business with mobile money integrations should implement:
- Rotate and vault API credentials — Use a secrets manager and rotate M-Pesa API keys regularly. Never commit credentials to version control.
- Implement IP whitelisting — Restrict Daraja API access to known IP ranges only.
- Move beyond SMS 2FA — Use TOTP (time-based one-time password) authenticator apps for all financial system access.
- Monitor transaction anomalies — Set automated alerts for unusual transaction patterns, off-hours activity, or high-value payouts.
- Train your finance team — Regular simulated phishing and vishing exercises dramatically reduce staff susceptibility.
- Conduct API security testing — Include your payment integrations in annual penetration testing scope.
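The monitoring item above is easy to state and easy to leave vague. As an added example, written for this article rather than taken from Netcaru or any payment provider, here is a small rule-based detector run over a constructed B2C payout feed: it flags high-value payouts, off-hours and weekend activity, payout velocity per hour, and a first-ever payout to an unseen number above a threshold. Thresholds, business hours, dates, amounts and phone numbers are all constructed placeholders to be tuned against your own baseline.

```python
"""Rule-based transaction anomaly alerts for a mobile money payout feed.

Added example, not code from Netcaru or any payment provider. Thresholds,
business hours, the feed and the phone numbers are constructed placeholders.
"""
from collections import defaultdict
from datetime import datetime, time

HIGH_VALUE_KES = 150_000                 # any single transaction at or above this
BUSINESS_HOURS = (time(8, 0), time(18, 0))
MAX_PAYOUTS_PER_HOUR = 5                 # velocity ceiling for B2C payouts
NEW_DEST_VALUE_KES = 50_000              # first payout to an unseen number at/above this


def is_off_hours(ts):
    """Weekend, or outside the configured business window (local time)."""
    return ts.weekday() >= 5 or not (BUSINESS_HOURS[0] <= ts.time() < BUSINESS_HOURS[1])


def detect_anomalies(transactions, known_destinations=frozenset()):
    """Scan a chronologically ordered feed and return (tx_id, rule) alerts.
    Rules are independent, so one transaction can raise several."""
    alerts = []
    payouts_per_hour = defaultdict(int)
    seen = set(known_destinations)
    for tx in transactions:
        ts = datetime.fromisoformat(tx["timestamp"])
        amount = tx["amount_kes"]
        if amount >= HIGH_VALUE_KES:
            alerts.append((tx["id"], "high_value"))
        if is_off_hours(ts):
            alerts.append((tx["id"], "off_hours"))
        if tx["type"] == "B2C":
            hour = ts.strftime("%Y-%m-%dT%H")
            payouts_per_hour[hour] += 1
            if payouts_per_hour[hour] > MAX_PAYOUTS_PER_HOUR:
                alerts.append((tx["id"], "payout_velocity"))
            if tx["destination"] not in seen and amount >= NEW_DEST_VALUE_KES:
                alerts.append((tx["id"], "new_destination_high_value"))
            seen.add(tx["destination"])
    return alerts


def summarise(alerts):
    """Count alerts per rule, the shape a dashboard or pager rule would consume."""
    counts = defaultdict(int)
    for _, rule in alerts:
        counts[rule] += 1
    return dict(counts)


# Constructed feed for Monday 2024-03-04; amounts in KES, placeholder phone numbers.
SAMPLE_FEED = [
    {"id": "T00", "timestamp": "2024-03-04T09:00:00", "type": "C2B", "amount_kes": 20_000, "destination": None},
    {"id": "T01", "timestamp": "2024-03-04T10:15:00", "type": "B2C", "amount_kes": 12_000, "destination": "2547000000001"},
    {"id": "T02", "timestamp": "2024-03-04T02:40:00", "type": "B2C", "amount_kes": 48_000, "destination": "2547000000001"},
    {"id": "T03", "timestamp": "2024-03-04T11:05:00", "type": "B2C", "amount_kes": 250_000, "destination": "2547000000001"},
    {"id": "T04", "timestamp": "2024-03-04T11:30:00", "type": "B2C", "amount_kes": 60_000, "destination": "2547000000099"},
] + [
    # Six small payouts inside the 14:00 hour; the sixth crosses the velocity ceiling.
    {"id": f"T{n:02d}", "timestamp": f"2024-03-04T14:{(n - 5) * 8:02d}:00",
     "type": "B2C", "amount_kes": 5_000, "destination": "2547000000001"}
    for n in range(5, 11)
]

if __name__ == "__main__":
    found = detect_anomalies(SAMPLE_FEED)
    for tx_id, rule in found:
        print(tx_id, rule)
    print(summarise(found))
```

Note that T02 is not high-value and T10 is tiny; both would pass an amount-only filter, which is why off-hours and velocity rules matter alongside value thresholds. Feed the `known_destinations` set from your historical payout records so the new-destination rule does not fire on every established payee.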
The Regulatory Angle
The Central Bank of Kenya (CBK) and the Communications Authority have both issued guidance on mobile money security. Under the Kenya Data Protection Act 2019, the Office of the Data Protection Commissioner (ODPC) requires breach notification. Proactive security isn't just good business — it's becoming a legal requirement.
As mobile banking fraud continues to evolve, so must your defences. The businesses that invest in security now will be the ones that maintain customer trust and avoid regulatory penalties tomorrow.