Scale up efforts to prevent cybercrime and digital fraud

Digitalisation has revolutionised how Kenyans manage their finances and their lives, leading to a transformative shift in the continent’s progress. Yet, while such innovation has democratised access to banking and other services, it has also unveiled new vulnerabilities, with fraud attempts surging from 10 per cent in January to 17 per cent in June 2023 – making Kenya the highest-risk country for ID fraud among African countries.

This has prompted a reimagining of how to deal with digital fraud and cybersecurity, raising new questions about what Kenya should examine to control and curb the key issues. While most companies focus on controls, deterrence can also serve as an effective safeguard.

Today, more than 30 million people in Kenya regularly use M-Pesa – which dominates 99 per cent of mobile money transactions. Its popularity among consumers has made it equally popular for criminals. In 2021, data from a FinAccess survey showed that nearly half of Kenyans utilising mobile money have either been defrauded or mistakenly sent funds to unintended recipients.

In Kenya, SIM card swap and mobile money fraud schemes have grown so sophisticated that perpetrators don't even require physical access to your phone. In SIM swap fraud, the fraudster poses as the customer and requests a SIM swap, either by manipulating the mobile carrier's self-service options or by deceiving a customer service representative at the telecom provider.

To counteract SIM card swap fraud, consumers can actively contribute to their own security through these measures:

- Use a robust PIN: Avoid easily guessable codes like birth years or anniversaries, and refrain from using the same PIN for multiple purposes.

- Employ both SIM and phone locks: Ensure that your SIM and phone locks have distinct PINs and avoid using inverted versions (e.g., phone unlock 1980, SIM unlock 8019).

- Report suspicions: If you have any doubts, promptly report them to relevant authorities or your mobile network provider.

While measures against SIM swap fraud are paramount, given its rise, it is equally essential to address internal vulnerabilities within financial institutions. For proactive fraud prevention in digital banking, critical measures extend beyond embracing the right technological solutions. It is also crucial that financial institutions establish strong internal safeguards against potentially dishonest employees.

A report by the SWIFT Institute revealed that security breaches often have an inside source – be it regular employees, vendors, or even contractors. Such insider threats are not only responsible for some of the most damaging security breakdowns but are also notoriously challenging to detect, address, and bring to justice.

A systematic approach involving clearly demarcating roles and responsibilities can help prevent collusion and fraud. More specifically, access to sensitive information and systems should be limited and granted only on a need-to-know basis. Regularly scheduled checks and audits are essential to ensure these procedures are being followed and to detect any anomalies early on.

Beyond the confines of financial institutions, the broader arena of cybersecurity in Kenya faces its own set of challenges, as seen recently when the government faced a major cyber-attack on the eCitizen portal. This is a platform used by the public to access over 5,000 government services, including passport applications, e-visas, and driving licences. The disruption lasted almost a week and affected services, including train booking systems, electricity payments, and M-Pesa.

The attack mainly involved a DDoS (Distributed Denial of Service) attack, designed to flood and paralyse online systems. Kenya-based expert Bright Gameli shared with the BBC suspicions that insiders could have been involved.

It was a wake-up call demonstrating how cybersecurity cannot be taken for granted. Governments and institutions must constantly upgrade and fortify their cyber defences, ensuring that critical infrastructure remains protected. Continuous training of IT personnel, public awareness campaigns, and collaboration with international cyber experts can help build resilient systems.

Lastly, while cybersecurity threats like the eCitizen portal attack underscore the importance of digital defence, the broader financial landscape also demands rigorous attention to money laundering. The Financial Action Task Force (FATF) is an inter-governmental body that sets standards to combat money laundering and the financing of terrorism. Kenya has been working with the FATF and the Eastern and Southern Africa Anti-Money Laundering Group to strengthen its anti-money laundering (AML) frameworks.

After the release of the FATF 4th Round Review and Report for Kenya, Financial Crime News assigned Kenya a score of 46/100, indicating a Moderate to High Threat level. This is notably better than FATF member countries like China, Mexico, and India, which received scores of 34/100, 32/100, and 32/100 respectively.

However, this score still emphasises the need for Kenya to enhance its AML measures and frameworks. Money laundering not only threatens the stability and integrity of the financial system but also fuels other illicit activities, including terrorism and drug trafficking, which can have dire consequences for a nation. To improve its position, Kenya must focus on strengthening its domestic regulatory environment, improving cross-border co-operation, and fostering greater public-private partnerships.

While digitalisation has empowered Kenya, the time has come for a holistic approach to improving the detection and prevention of cybercrime and digital fraud. New progress in digitalisation brings unparalleled convenience, but it also brings the non-negotiable need for more advanced and sophisticated fraud prevention strategies. The future of Kenya’s digital services hinges on this balance.