Thousands of M-Pesa users have lost money to SIM swap fraud in Kenya. Learn how M-Pesa fraudsters operate so you can protect yourself.
Imagine diligently saving your money for years, building up a tidy balance in your M-Pesa mobile wallet. And just when you have enough to buy that machine or car you have been saving for, you wake up to find that your M-Pesa has been wiped clean!
Not just that, you also realize that you now have Fuliza and M-shwari loans borrowed using your name. You will need to be strong to avoid falling into depression.
Unfortunately, many people in Kenya wish they had only imagined this gory circumstance. They have woken up to and lived through this nightmare.
SIM swap fraud in Kenya is real. Many people smarter than you have fallen victim. Because SIM swap fraud merchants are always devising cunning, new ways to get you to divulge your confidential information, you are not as prepared for them as you think.
The good news is there are ways to protect yourself from SIM swap fraud. We will share our top tips against SIM swap fraud in Kenya and answer questions most frequently questions about this menace that has stained our country’s proud reputation as a mobile payments pioneer and leader.
Let’s get started.
What is SIM swap fraud?
SIM swap fraud is where a criminal gains access to your mobile money wallet and bank accounts and steals your money after swapping your SIM with a new one and taking over your mobile phone’s number.
The fraudster convinces someone at your mobile carrier to move your cell number to a new SIM card, which deactivates the SIM card in your phone. The fraudster, therefore, does not need to steal your phone to swap your SIM. The swap happens remotely.
Once the SIM card hijack succeeds, you lose network connection on your phone and all the new messages will now go through the hijacker’s phone. The trouble is you may be too busy to notice that you have lost network connection on your mobile phone, which might alert you that something may be happening.
Once they have successfully hijacked your SIM, the criminal can access your M-Pesa and other mobile banking accounts with two-factor authentication. Banks and e-wallet services typically use your mobile phone number to communicate with you and to authenticate actions and transactions on your account.
Once they do that, they quickly go to work emptying your M-Pesa and even moving money from your bank to your M-Pesa for withdrawal.
In many instances they will proceed to take a Fuliza overdraft loan using your M-Pesa account. So besides emptying your savings, they will saddle you with debts from the loans they fraudulently take out in your name.
When you realize that your SIM has been hijacked, it will be too late. Your accounts will usually be empty, with the criminals on to the next victim already. They may also proceed to access your social media accounts and post lurid and salacious messages in your name to socially embarrass you.
How do fraudsters swap SIM cards?
To successfully swap your SIM card, the attacker essentially impersonates you. They use your mobile carrier’s self-care system or convince the customer care agent at your mobile network carrier that it is you, the account holder making the SIM swap request when it is them.
In Kenya, fraudsters typically swap SIM cards using social engineering techniques, which is when they deceive and manipulate you into revealing confidential personal information, like your name, ID number, M-Pesa PIN number, account balance, and last three transactions.
A common trick fraudsters use is calling you pretending to be a Safaricom customer care agent and telling you that your mobile phone line has been registered twice and that they need to deregister one.
They will then ask you to confirm your personal details to confirm if they are accurate and determine which line they should deactivate. This includes:
- Your date of birth and ID number,
- Residential address,
- M-Pesa PIN number, your last few transactions,
They will then ask you to make a payment to a specific Paybill number, convincing you that the transaction would not go through, supposedly because the account number was your SIM card’s new serial number. That payment, of course, will go through and is needed to authorize the SIM swap.
This is all the information you would need to request a SIM swap.
It’s also the type of information you are advised to never share with anyone, so the customer care agent at your carrier will assume that it is you who is requesting the SIM swap. Only in this case, it is the fraudster making the request.
After you have provided the requested information, you will be told to switch off your phone for a few minutes. When you switch on your phone, it will fail to get a network connection because the SIM card would have been swapped.
With social engineering, you are essentially talked into revealing information you should never share with anyone. Y
Other ways fraudsters can obtain your confidential information to swap your SIM.
The attacker may also gain your personal information through your social media profiles and content. Facebook profiles, for example, share too much personal information, including the high school you attended.
People also share too much personal information on social media, including their phone numbers, their own and their spouses and children’s names, birthdays, wedding anniversaries, and favourite sports teams. This is information people usually use for their passwords and PIN numbers.
So a diligent criminal will collect the information you unwittingly share on public platforms onto a file. With your phone number and all this information, they have all they need to convince even your mobile carrier's most conscientious customer care agent.
Another way attackers can gain access to your PIN numbers and other confidential information is through phishing. Phishing is when attackers send you scam links through SMS, instant messages, email, and social media.
If you click these links, you will be taken to websites that will download malware on your computer. This malware can be used for all manner of nefarious activities, including stealing your passwords and other confidential information. They can even be used to hijack your computer remotely.
What can SIM swap fraudsters get access to?
SIM swap and other M-Pesa fraudsters are only after your cell phone line, which they use to intercept one-time passwords and withdraw money from your mobile money wallets and internet banking accounts.
The fraudsters do not need to steal your phone to swap your SIM card. In fact, your SIM card, contacts, media, apps, and messages remain in your phone while the SIM swap takes place. You only lose your phone number, a fact that dawns on you when it is usually too late.
That’s because the fraudster will claim to the customer care agent that they have just lost their phone and must change the SIM to protect personal banking accounts that can be accessible through their mobile phone line.
From the example we gave above, they will ask you to switch off your phone, which is what thieves do when they steal phones. So, in this case, the fraudster paints you as the thief who has stolen their phone.
While you have the phone switched off, they will call your number multiple times, which again is what you would do when you lose your phone. This way, they will be building the story they will sell the customer care agent at Safaricom.
They will have all the information you provided them, including the last transaction on your M-Pesa they tricked you into making. They even know the number of times they called while you had the phone switched off and the number used. They know people at Safaricom will have that information and may ask for it to ascertain the authenticity of their claims.
It will not be hard to complete the SIM swap as the fraudster essentially has everything Safaricom needs to authorize a SIM swap. The SIM swap will go through without a hitch.
How do you know if you have been SIM swapped?
Your phone loses network connection once the fraudster successfully swaps your SIM with a new one. Your messages and calls will not go through. These are all tell-tale signs that your SIM may have been hijacked.
If you notice that your mobile phone has lost network service when you are in an area that usually has good reception and other phones have service, contact your carrier immediately.
Find a way to go online and freeze all your internet banking accounts and e-wallets, and change passwords on your social media accounts.
Can you protect yourself from SIM swapping?
Yes, you can protect yourself from SIM swapping. Here are several ways you can do so:
1. NEVER disclose your PIN to anyone.
It’s called a personal identification number for a reason. It is personal, which means you should never disclose it to anyone. Even the people at mobile network carriers should never know it. In fact, if you get a new SIM card, you should immediately change the PIN to what only you will know and remember.
2. Do not share confidential information over the phone
No one from Safaricom will ever call you asking for your PIN and other personal information. If you get such a request over the phone call, that person is not from Safaricom and is mostly likely a scammer. Report their number immediately by dialling so their number can be deactivated before someone falls for their tricks.
As Safaricom notes, there is no such thing as double SIM registration. It never happens. If anyone who calls you pretending to be from Safaricom and asking you to provide confidential information to ascertain which one is the correct one to keep on the network is a scam artist. Do not entertain them.
Also, take note of the numbers supposed Safaricom customer care agents use to call you. Safaricom only ever calls using the number 0722000000. If the caller claims to be from Safaricom and they are not using that number, they are out to con you. Report their phone number to 333 immediately.
3. Don’t disclose personal information on social media
Not everyone that comes on your social media timeline is looking to socialize and pass the time. Some are fraudsters looking for personal information to use for SIM-swapping activities. Personal information you disclose on Facebook and Twitter can be used to guess your passwords and hijack your digital accounts.
4. Be careful where you seek help with your SIM card and M-Pesa issues
Many of us spend a lot of time on social media, even selling and making a living there. So it’s normal that we should want to conduct all our communications there, including raising support issues with our different service providers. However, when you do that, ensure you deal with official, verified accounts.
Social media is an unregulated jungle where criminals and trolls can set up social media accounts imitating your favourite brands and government agencies right down to their logos, brand colours, and brand voice. You could unwittingly share confidential information with criminals thinking you are talking to official customer support agents.
In case you need to raise an M-Pesa-related support issue, these are the verified Safaricom social media handles to use:
- https://www.facebook.com/SafaricomPLC
- https://twitter.com/SafaricomPLC
- https://www.instagram.com/safaricomplc/
5. Use strong passwords
If you have used a personal detail about yourself on social media or another public platform, it is unwise to use the same as your password. In fact, anything that can be guessed or assumed about you makes a bad password.
For example, if you are a big Christiano Ronaldo fan and frequently share content about him, CR07 is a bad password. Your birthday, which Facebook knows and usually celebrates publicly, also makes a weak, insecure password.
Mixing letters, numbers, and special characters in your password is a good idea. Make it as hard as possible to get, but make sure you will remember it. Safaricom advises registering your voice as your password.
Mobile money wallets are not great for holding your savings
How many M-Pesa scams have you come across where people have lost their entire savings? According to this survey, nearly half of the Kenyan population has been victims of fraud or financial loss involving M-Pesa. The platform is a magnet for fraudsters and is simply not secure enough to hold your savings.
M-Pesa is great for transacting, but consider holding your savings in a secondary e-wallet like IntaSend. Less ubiquitous, thus less of a target for fraudsters, and more secure than M-Pesa due to its bank-level security features, an IntaSend e-wallet gives you multiple ways to manage your money without exposing yourself to fraudsters.
If you find it more convenient to transact with M-Pesa, you can do so without over-exposing yourself by only transferring what you need from your IntaSend wallet to your M-Pesa mobile wallet.
Transfers between IntaSend and M-Pesa are quick and easy and can be done online. So you never have to keep large amounts of money in your M-Pesa mobile money wallet and risk losing it to fraudsters. Even if the fraudster swaps your SIM and gains access to your M-Pesa, there will be nothing to steal.
IntaSend also allows you to request a Visa or Mastercard virtual card in minutes. You can use this virtual card to make payments online and access your clients' payments. Virtual cards are more secure as they don’t physically exist, so you can keep the information they hold in your head where no one can access it.
Sign up for an IntaSend account and enjoy a safer way to save, pay, and get paid from anywhere. Once your account is active, be sure to request your virtual Visa or Mastercard card to enjoy the ultimate convenience in online shopping.
