Kenya’s Digital Trust Crisis: How Criminals Are Weaponising WhatsApp to Defraud M-Pesa Users

Kenya is rightly celebrated as a global leader in mobile money innovation. But with innovation comes vulnerability, especially when the people using these technologies are not properly protected, empowered, or educated.
A new cyber threat is emerging across Kenya, and it’s taking advantage of the very platforms we trust most: WhatsApp and M-Pesa. Criminals are now using WhatsApp API links to impersonate banks, telcos, and even government programs to trick users into handing over personal data, or worse, their money. And this isn’t just theory. It’s happening every day.
Unlike traditional SMS scams or phishing emails, WhatsApp carries an illusion of legitimacy. Kenyans trust it; it’s part of our everyday life. Cybercriminals know this, and they are exploiting it ruthlessly.
The Scam That Doesn’t Look Like One
Here’s a message I recently received, forwarded by someone who genuinely believed it was real:
“Hello, my fellow members. I tried Inua Jamii Empowerment and won Ksh 95,000 into my MPesa account. Click below to claim yours.”
https://api.whatsapp.com/send?phone=254XXXXXXX07&text=REWARDS
At first glance, the message looks like a harmless referral or campaign message, maybe even exciting. It also mimics the tone of official reward programs and carries the familiar look and feel of WhatsApp’s interface. In reality, it’s a digital trap. Behind this message lies a growing digital threat, a new breed of scam exploiting Kenya’s most trusted technologies.
This is not just random noise. It’s targeted. And it’s working.
Once clicked, the link opens a pre-filled WhatsApp chat with a spoofed identity, where a scammer, often posing as a Safaricom, bank or telco agent, engages the user with scripted responses. These fraudsters are trained, fluent in Kiswahili and English, and skilled at creating urgency. Within minutes, victims are prompted to:
- Share their national ID number
- Reveal M-Pesa PINs
- Confirm recent transaction histories
- Follow malicious links that may install malware or spyware
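To make the link mechanics above concrete, here is an added example (not from the original article) of a filter that pulls WhatsApp click-to-chat links out of a message, extracts the destination number and pre-filled text, and flags the message when a reward-style lure points at a number that is not on a verified list. The lure word list, the `verified_numbers` allow-list and the placeholder phone number are assumptions made for illustration.

```python
import re
from urllib.parse import urlparse, parse_qs

# Hosts that serve WhatsApp click-to-chat links.
CHAT_HOSTS = {"api.whatsapp.com", "wa.me"}
# Constructed lure vocabulary based on the sample message; tune for real traffic.
LURE_WORDS = re.compile(r"\b(won|claim|rewards?|cashback|empowerment)\b", re.I)
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

def extract_chat_links(message):
    """Return (phone_digits, prefilled_text) for each click-to-chat link."""
    found = []
    for raw in URL_RE.findall(message):
        url = urlparse(raw.rstrip(".,)"))  # drop trailing sentence punctuation
        host = (url.hostname or "").lower()
        if host not in CHAT_HOSTS:
            continue
        query = parse_qs(url.query)
        # wa.me carries the number in the path, api.whatsapp.com in ?phone=
        if host == "wa.me":
            phone = url.path.strip("/")
        else:
            phone = query.get("phone", [""])[0]
        text = query.get("text", [""])[0]
        found.append((re.sub(r"\D", "", phone), text))
    return found

def assess(message, verified_numbers):
    """Flag a lure message whose chat link targets an unverified number.

    verified_numbers is a hypothetical allow-list of business numbers
    confirmed through official channels (digits only, with country code).
    """
    links = extract_chat_links(message)
    unverified = [phone for phone, _ in links if phone not in verified_numbers]
    lure = bool(LURE_WORDS.search(message))
    return {"links": links, "unverified": unverified,
            "lure": lure, "flag": bool(unverified) and lure}

# Constructed sample: the article's message with a placeholder number.
SAMPLE = ("Hello, my fellow members. I tried Inua Jamii Empowerment and won "
          "Ksh 95,000 into my MPesa account. Click below to claim yours. "
          "https://api.whatsapp.com/send?phone=254000000000&text=REWARDS")

if __name__ == "__main__":
    print(assess(SAMPLE, verified_numbers=set()))
```

A flag here is a triage signal for review or user warning, not proof of fraud; legitimate businesses also use click-to-chat links.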
One Click, Ksh 63,000 Gone
As you may remember, last year Safaricom offered cash back to customers following a disruption on the M-Pesa platform.
A group of criminals picked up on this and started distributing fake cash-back offers. One Nairobian entrepreneur fell for one of these fake “Safaricom Cashback” scams. When he clicked the link, it led him to a fake WhatsApp account with the Safaricom logo and a persuasive representative. Within 15 minutes of “verifying his identity,” over Ksh 63,000 had vanished from his M-Pesa account. This highlights a significant trend of cybercriminals using messaging platforms to target individuals and steal money.
The criminal used the collected information to:
- Reset his SIM credentials
- Temporarily gain access to his wallet
- Execute multiple transfers before the breach was detected
This was not a technical failure or a careless mistake. It was a well-engineered trap and a psychological hack.
Why It Works So Well
This isn’t about careless clicking or tech illiteracy. These scams work because they exploit trust, a human instinct rooted in visual cues and familiarity. Key psychological tactics used include:
- Brand impersonation
- Contextual language fluency
- Time pressure or urgency bias (“Offer expires in 30 minutes”)
- Authority bias (“You have been selected by Safaricom…”)
- The human tendency to trust visual cues (logos, names, official tones)
It’s not about poor judgment; it’s about being outmanoeuvred by criminals who understand behavioural engineering as well as, if not better than, tech vulnerabilities.
According to a recent study by KPMG, mobile banking and digital platforms are frequently mentioned as channels through which scams occur. This suggests that mobile money transactions are a prime target for fraudsters. In Kenya, specifically, this has evolved to include the use of social messaging platforms, with WhatsApp as the primary vehicle.
What Can Kenyans Do? A Three-Front Strategy
1. For the Public
- Stop trusting API links from unknown sources or forwarded messages, even if they look like a trusted brand.
- Never share personal data (ID, PINs, transaction details) over WhatsApp.
- Verify with official channels or hotlines before responding to financial claims.
- Enable multi-factor authentication (MFA) for both SIM and M-Pesa access.
- Report suspicious activity. If you receive a suspicious message or encounter a fake website, report it to your mobile network provider.
- Stay informed. Keep up to date with legitimate promotions and know what to expect from official communications.
2. For Telcos and Banks
- Launch targeted awareness campaigns on WhatsApp API scams or fraud.
- Invest in systems to flag and block suspicious numbers.
- Work with Meta (WhatsApp’s parent company) to verify business accounts and crack down on impersonators.
3. For Leaders in Business and Government
- Recognise that cybercrime today is more about manipulating behaviour than breaking through systems.
- Make human-centric security training part of organisational culture, especially for non-technical teams. NMCYBER can help.
- Push for policy frameworks that hold platforms accountable and protect citizens.
The Real Threat Is Not the Technology; It’s the Blind Spot
Finally, Kenya’s digital progress is remarkable, but it is fragile. If we fail to defend it through public education, institutional accountability, and behavioural resilience, we risk more than financial loss; we risk public distrust in mobile finance itself. We cannot afford to treat these incidents as isolated. We must understand them as signals. And we must respond, not with fear, but with awareness, empowerment, and urgency. Why? Because Kenya’s digital trust is on the line.
If we allow criminals to exploit everyday platforms like WhatsApp, we risk eroding public trust in digital finance, mobile payments, and online communication. As a cybersecurity consultant who has helped different companies across the globe build human-first cyber defence programs, I urge policymakers to act fast, businesses to lead with education, and the media to shine a brighter light on this emerging threat.
This article was written by Dr Nickson M. Karie, Founder of NMCYBER and an award-winning cybersecurity consultant who specialises in human-centric digital defence strategies. He has helped different organisations, businesses and institutions across the globe transform their teams into frontline defenders against cyber threats. He is available for expert commentary, interviews, and panels on digital trust, mobile fraud, behaviour-based security and public education campaigns.