
Cyber attacks on rise as fraudsters target Christmas goodies - report

Kenya recorded cyber-related losses of Sh29.9 billion this year.

by VICTOR AMADALA

Business | 04 December 2025 - 10:42

In Summary


  • As festive-season money transfers increase, a new ESET Africa report warns of a surge in cybercrime.
  • It says phishing scams, SIM-swap fraud, and social engineering attacks—often disguised as holiday offers—will target users and put their money at risk.

ESET Africa Cybersecurity Engineer Allan Juma /LINKEDIN





Africa’s mobile money ecosystem processed an estimated $81 billion (Sh10.53 trillion) in transactions last year and is expected to match or exceed this amount, with December driving the biggest surge.

As transfers peak, with families sending money home over the festive season, a new report by ESET Africa has warned that cybercrime, mostly phishing scams, SIM-swap fraud and social engineering attacks, is set to rise.

According to the report, phishing scams disguised as holiday promotions, SIM-swap fraud targeting high-balance accounts, and social engineering attacks that exploit the urgency and goodwill of the season put millions of users at risk of financial loss.

“Trust in mobile money doesn’t happen instantly – it’s built one safe transaction at a time,” says Allan Juma, Cybersecurity Engineer at ESET Africa.

“But a single fraud incident can shatter that trust overnight. When someone gets scammed, they often stop using mobile money altogether, and warn friends and family to do the same, creating a ripple effect that stalls progress for everyone.”

According to Juma, part of the problem is that too many mobile money platforms have not kept pace with the trust users are placing in them.

“Unlike traditional banking apps, many services still lack advanced encryption and rely on simple four-to-six-digit PINs instead of stronger, multi-layered authentication.”

He adds that these vulnerabilities create openings that cybercriminals exploit, making it easier to intercept data, hijack accounts, and steadily chip away at the confidence users are trying to build in digital financial services.

The warning comes at a time when Kenya has recorded cyber-related losses of Sh29.9 billion this year, as attacks grew in frequency, sophistication and economic impact.

The report by cybersecurity firm Serianu shows that payment fraud remained the most common incident category, fuelled by real-time transfers, weak monitoring tools and rampant social-engineering attacks.

According to the report released last week, online and email fraud accounted for 40 per cent of all incidents and 32 per cent of recorded losses, underscoring persistent identity-management gaps.

The Africa Cybersecurity Report 2025, based on responses from 280 organisations, places continent-wide losses at Sh650 billion.

The report adds that threat actors are increasingly deploying coordinated, AI-enabled operations that blend phishing, credential theft and ransomware across financial and public-sector systems.

The report notes that marketplace scams, e-commerce manipulation and fake platform activity continue to rise, while supplier-invoice redirection, impersonation schemes, SIM-swap, and mobile-money fraud remain widespread despite improved controls.

Serianu CEO, William Makatiani, said the 2025 findings highlight the need for organisations to move from reactive controls to resilience-focused strategies.

“The rate at which organisations are investing is improving, but attackers are advancing even faster,” he said. “Artificial Intelligence has emerged as a central countermeasure, but it also forces us to rethink how we defend systems and data.”

Juma, on the other hand, says that consumer awareness is a crucial second layer of defense and can mean the difference between a secure festive season and disrupted holiday plans.

“Enabling two-step verification is a simple but effective way to protect money intended for holiday spending. Users should also remain alert to common red flags, such as unexpected messages requesting their PIN, calls, or texts from unknown numbers.”
