While I was in a village in Kenya two weeks ago, I was woken up at night by a young man who needed help to get his SIM card properly registered. This is because an agent from Safaricom had noted an anomaly in the registration of the SIM card.
Half asleep and with only one eye open, I told him to ignore the call because that was a scammer.
He insisted that it was a serious matter and that they had asked him to find a different phone to follow the instructions they were giving on how to get the SIM card properly registered. It was then that I decided to wake up and find out what was happening.
M-PESA USSD scam
I asked him to tell the ‘Safaricom agent’ to call back after a few minutes. When I checked the phone, I realized that the young man had been tricked into sending Kshs 187 to a certain phone number.
He didn’t have money on M-PESA, so what they did was get him to enroll for FULIZA, which is an M-PESA loan facility, then went ahead to make him get a loan and send them the money.
I talked to Safaricom on Twitter and they of course gave me the standard answer: that Safaricom will only call you from 0722000000, and that the money cannot be reversed because the recipient had already utilized the money.
I went ahead to ask if Safaricom has a mechanism for protecting its vulnerable users by, for example, taking disciplinary action against the number or user that received the money, and Safaricom did not give any response. Ignored by Safaricom, I let it go but the scams did not go.
Scammer strikes back
This week, a scammer called me on my Airtel line and told me that I had won KShs 75,000. They assured me that I need not have participated in any promotion to win since this was Airtel rewarding its users for sticking to its network. They told me that they would help me receive the money through a bank or even M-PESA if I was not able to access Airtel Money where I was.
They took me through a process where they wanted me to dial *234*0*1*1# on a Safaricom line, which is a direct method of accessing M-PESA using USSD. I told them I was not able to do that, and later checked to find that the process would have enrolled me in Fuliza. They then asked me to try the M-PESA Menu where they directed me to withdraw cash using an ATM, and gave me the Agent Number 286286, the number that is used to withdraw money from M-PESA using Equity Bank ATMs.
The point was to either get me to send money to a phone number, or to make me authorize an ATM withdrawal and give them the code, which they would use to withdraw money from my M-PESA through an ATM.
Scammers have also tried several other methods to hack M-Pesa.
Other M-Pesa fraud tricks
As soon as fraudsters in Kenya learned how mobile money, especially M-PESA, worked, they went into full gear to exploit the loopholes. Telecommunications companies like Safaricom failed to educate people on how to keep off these fraudsters.
There have been some successes in arresting some of these M-PESA fraudsters and hackers. However, it is always a good idea to know their methods and be on the lookout lest you become a victim.
Here is a list of some of the methods fraudsters use.
SMS fraud - When you receive an SMS indicating that you have received money from somebody, you need to double-check the identity of the sender. Some fraudsters will send you an SMS saying you've received money, and then call you asking you to send the money back. Some people did not know that all legitimate M-PESA text messages come from the SMS sender ID M-PESA, and thus some Kenyans of goodwill would comply with the fraudsters' request and send the money back, if they had an equivalent or higher amount in their M-PESA accounts.
SIM card replacement - Since M-PESA was launched in Kenya before there was a requirement for SIM card registration, some people realized that once you were able to steal someone’s M-PESA PIN, you could replace their SIM card. Once fraudsters had a person's M-PESA PIN and their mobile SIM card, they would withdraw all the money in the victim's M-PESA account. Unfortunately, this still happens today through the co-operation of some rogue Safaricom agents who conspire to replace SIM cards.
Tuma kwa hii number (Send to this number) - With so many people using M-PESA every day, chances are high that if you surveyed a random sample of 100 people, there could be one about to send money to someone. A fraudster would broadcast messages to hundreds of people, asking them to "Send to this number." They do this in the hope that one of their targets has just been asked to send money to a contact. The victim would then interpret the broadcast message to mean that the specific contact wants the money sent to a different M-PESA account, and would proceed to send it without asking questions. As simple as it sounds, some people have fallen victim to such tricks.
ATM withdrawal - Safaricom introduced a cardless ATM service, whereby one can go to an ATM and choose to withdraw money from M-PESA via the ATM. All that one needs to do is go through a process on their phone, after which they are sent a one-time PIN (OTP) code to punch into the ATM and receive their money. Since some people do not know about the existence of the service, fraudsters realized that they could trick people into going through the process and sending them the authorization code. Minutes later, one would receive an SMS indicating that they have withdrawn money from an ATM hundreds of miles away.
Telcos are not doing enough
While most people reading this will identify such scams from a mile away, there is a big number of Kenyans who cannot, and these continue to be scammed every day.
How can they be protected?
Unfortunately, Safaricom and other telcos are simply not doing enough to protect the digitally vulnerable. Safaricom failed to comment on whether they can take action against the M-PESA users involved simply because they do not. They will only ask you to report to the police, making the whole process even more complex.
I followed up with Airtel Kenya to know what actions they take on such people but they only responded that they would inform the relevant teams for investigation. They did not respond on whether they take any action against the scammers.
If Safaricom wanted, they could verify the information and permanently block M-PESA scammers on their platforms and never allow them to register any SIM card on their platform. This way, they will help even the vulnerable people to enjoy the benefits afforded by mobile phones.
Why don’t they do it?
I do not know.
— By Jacob Mugendi