Cybercrime Cases in Kenya Up 67% in 2026 as Scammers Target Mobile Wallets
Kenya's Communications Authority has released mid-year data revealing a 67 per cent increase in reported cybercrime incidents compared with the same period in 2025, with mobile money fraud — particularly attacks on Safaricom's M-Pesa platform and mobile banking applications — accounting for 58 per cent of all cases. The CA's Cybercrime and Computer Misuse Directorate received 14,836 formal complaints between January and June 2026, up from 8,885 in the first half of 2025.
The figures, released on Wednesday, understate the true scale of the problem: the CA estimates that fewer than one in five cybercrime victims file a formal report, meaning the actual number of incidents could exceed 70,000 nationally in the first six months of the year alone. Financial losses directly attributed to the reported cases total Sh3.2 billion.
AI-Powered Scams Driving the Surge
Investigators at the DCI's Cybercrime Unit say the most alarming trend in 2026 is the proliferation of AI-generated voice cloning scams, in which fraudsters use synthetic audio to impersonate a victim's family member, employer, or bank representative in real-time phone calls. "We are seeing cases where the fraudster calls a target, plays what sounds exactly like the target's son saying he has been arrested and needs bail money immediately," said DCI Cyber Unit head Superintendent Derrick Obuya. "The emotional pressure is immense, and people are transferring money before rational thought kicks in."
SIM-swap attacks — in which fraudsters bribe or deceive mobile network employees into reassigning a victim's phone number to a new SIM card — have also surged, with 1,240 cases reported in the first half of 2026. Once in possession of the target number, attackers bypass two-factor authentication to access M-Pesa, Equity Bank's Eazzy Banking, KCB Mobi, and other platforms. Safaricom said in a statement that it had detected and blocked over 2.1 million suspicious transaction attempts through its fraud management systems in the same period, and had suspended 47 employees for suspected collusion with fraudsters since January.
Kenya's rapid 5G rollout — now covering Nairobi, Mombasa, Kisumu, Nakuru and Eldoret — has expanded digital financial inclusion but simultaneously expanded the attack surface. "More Kenyans than ever are conducting high-value transactions on mobile devices," said CA Director-General David Mugonyi. "The infrastructure is ahead of our collective cybersecurity hygiene, and criminals are exploiting that gap."
Regulatory and Legislative Response
The CA has issued new directives requiring all licensed mobile network operators to implement enhanced identity verification protocols for SIM replacements by 1 September 2026, including mandatory in-person biometric confirmation for numbers linked to registered mobile money accounts. Non-compliance will attract fines of up to Sh5 million per breach under the Kenya Information and Communications Act.
Parliament's ICT Committee is also accelerating review of the Computer Misuse and Cybercrimes (Amendment) Bill, 2026, which proposes to increase maximum sentences for financial cybercrime from three to ten years and to establish a dedicated Cyber Court within the Milimani Commercial Courts complex. Committee Chair George Murugara said a second reading was expected before Parliament recessed in August.
KRA, facing IMF pressure to expand its tax base, has quietly begun cross-referencing DCI cybercrime databases with its taxpayer registry to identify individuals whose apparent lifestyle and M-Pesa throughput suggest unexplained income — a move that has simultaneously surfaced suspected fraudsters and put pressure on the informal economy. Three individuals flagged through this exercise have already been charged with both cybercrime and tax evasion offences.
What Citizens Can Do
The Communications Authority has partnered with Safaricom, Equity Bank and Co-operative Bank to run a Sh120 million public awareness campaign — Jilinde Mtandaoni (Protect Yourself Online) — running through September 2026 across television, radio, and social media in Swahili, English and four other local languages. The campaign focuses on SIM-swap awareness, PIN hygiene, and the importance of verifying caller identity before transferring money.
Consumer protection advocates say awareness campaigns, while welcome, are insufficient on their own. "Banks and mobile money operators need to absorb more of the liability for fraud on their platforms," said Judith Ochieng of the Consumer Federation of Kenya. "In the UK, mandatory reimbursement rules changed the incentive structure for banks overnight. We need something similar here before Sh3.2 billion becomes Sh10 billion."