Site icon Soko Directory

SIM Swap Fraud: How Scammers Hijack Your Line And How Safaricom Is Winning The Fight Back

insurance

There is a particular kind of dread that comes with watching your phone lose signal for no reason, only to discover minutes later that your M-Pesa balance has been drained and your bank accounts raided. This is the reality of SIM swap fraud, one of the most quietly devastating forms of digital theft in Kenya today, and one that has forced Safaricom, the country’s dominant telecom operator, into an ongoing arms race with increasingly sophisticated criminals.

How the Scam Works

SIM swap fraud is, at its heart, an exercise in impersonation rather than hacking in the technical sense. A fraudster does not need to breach a firewall or crack an encryption key. Instead, they need only convince a mobile network, or an unwitting employee, or the victim themselves, that they are the rightful owner of a phone number.

Once that number is reassigned to a SIM card, the criminal controls, they inherit everything tied to it: incoming calls, SMS messages, and crucially, the one-time passwords (OTPs) that banks and mobile money platforms use as a second layer of authentication.

Criminals typically begin with reconnaissance: harvesting a victim’s ID number, date of birth, or other personal details through phishing calls, fake SMS prompts, or social media oversharing. Armed with this information, they either present themselves at a SIM registration point posing as the customer, manipulate a customer through social engineering into dialing a malicious USSD code, or, in the more troubling cases uncovered by investigators, collude with insiders at telecom outlets. Once the swap succeeds, the victim’s line goes dead, and the clock starts ticking before they even realize what has happened.

Safaricom’s Response: From Reactive to Predictive

To its credit, Safaricom has not treated this as a public relations problem to be managed with statements alone. Under sustained pressure from customers, regulators, and high-profile fraud cases, including one incident in which a Kiambu county assembly member reportedly lost billions of shillings, the company has layered on a series of technical and procedural defenses.

The most visible of these is a temporary freeze on mobile money transactions immediately after any SIM swap, closing the narrow window fraudsters previously exploited to empty M-Pesa wallets before victims could react. Safaricom also introduced a self-service USSD code, *100*100#, that lets customers “lock” their line so that any swap attempt triggers a verification SMS from the short code 707, requiring the customer’s active confirmation before the transfer proceeds.

Perhaps more consequential has been Safaricom’s move to give banks direct visibility into swap activity. Its SIM-Swap-Check API, adopted by at least six major banks, allows lenders to query when a customer’s SIM was last swapped before approving high-risk transactions, turning what used to be a blind spot into a shared early-warning system. A companion tool, ATM Vicinity Check, cross-references a customer’s phone location against the ATM being used, adding a geographic layer of verification that is difficult for a remote fraudster to spoof.

The results are worth taking seriously. Safaricom has reported that, of the roughly 28,000 SIM swap requests it processes daily, only about 40 fraudulent swaps occur for every 750,000 transactions — a strikingly low rate given the sheer volume involved, and one the company attributes to AI-driven fraud detection and tighter identity verification at the point of registration.

Why Vigilance Still Matters

None of this makes SIM swap fraud a solved problem. Safaricom itself acknowledges that verification systems cannot always predict, with certainty, whether the person standing at a service counter is who they claim to be. As 5G adoption expands the attack surface and as criminals adapt their social engineering scripts, the burden of vigilance cannot rest on the telecom alone.

Customers remain the first and last line of defense: never share PINs or OTPs, never dial an unfamiliar USSD string on a stranger’s instruction, and treat any unexpected loss of network signal as a five-alarm signal to contact Safaricom immediately. Safaricom’s engineering has narrowed the door fraudsters once walked through, but the door is not yet fully shut, and complacency is the one vulnerability no algorithm can patch.

Read Also: Protect Your Money From The New Face Of Online Fraud In Kenya

Exit mobile version