Ever since Kenyans were able to transact and access financial services via mobile devices over 16 years ago, scammers have been hard at work - constantly evolving to outsmart users and platforms alike.
From fake promotions, hoax SMSs, fake international calls, false emergencies, curiosity texts, credential harvesting, SIM swap fraud to outright extortion and impersonation, Kenyans have lost millions to savvy fraudsters whose techniques continue to grow in sophistication.
Financial institutions in Kenya, according to a 2021 report by the credit reporting agency TransUnion Africa, are losing upwards of Ksh17 billion ($121.49 million) to identity thieves annually.
And the trend has only continued to worsen with the TransUnion 2023 State of Omnichannel Fraud Report showing a worrying 309% increase in the rate of fraud attempts in the financial services sector in Kenya over the last three years.
The report further reveals that nearly half (42%) of Kenyan consumers were targeted by cybercriminals between September and December 2022.
One of the earliest scam types that Kenyans grappled with from the onset of mobile money in the late 2000s was voice phishing or vishing.
This is where a fraudster entices their victim into divulging sensitive information over the phone, which they can then use to gain access to their mobile money or bank accounts - typically by impersonation or by using sob stories/false emergencies to trick unsuspecting users into sending cash.
Telcos, the first entities to innovate mobile money services in Kenya, responded with consumer awareness campaigns that persist to date.
Incredibly, according to the TransUnion report, vishing remains the most common fraud type, at 41%.
As early as 2009, there was a stampede among African nations to register SIM cards in an attempt to curb mobile-related fraud and boost national security.
Kenya was among the first 10 countries to do so, alongside South Africa, Ivory Coast, Cameroon and Ghana - a group that at the time accounted for about 80% of mobile phone subscribers in Sub-Saharan Africa.
These efforts continued through the 2010s, including a December 31, 2012, deadline set by the then Communications Commission of Kenya (now CA) to switch off unregistered SIM cards. Neighbours Uganda, Rwanda and Tanzania had similar initiatives.
In 2013, the Kenya Information and Communications Act, 2013, was enacted, making it a criminal offence to fail to register a SIM card. It set a fine of up to Ksh100,000 and/or imprisonment of up to six months for failing to comply.
Two years later, the Kenya Information and Communications (Registration of SIM Cards) Regulations, 2015, were published by the rebranded Communications Authority of Kenya (CA) detailing the process of registering and deactivating SIM cards with a new switch off deadline set for November 2015.
Under the regulations, a higher fine of Ksh300,000 or six months imprisonment was set for anyone found guilty of using an unregistered SIM. A Ksh100,000 fine, or a similar jail term, was set for providing false information when registering a SIM card. The sale of unregistered SIMs would attract a fine of Ksh500,000 or imprisonment of up to 12 months.
The regulations further made subscribers liable for activities carried out via SIM cards registered in their names if they were unable to prove that they were not in control of the SIM cards when the said activities were carried out.
Despite these and subsequent efforts to enhance the verifiability of the identities of SIM card holders, cybercriminals continued to find ways of beating the system, prompting more innovative solutions.
In early 2022, the CA set yet another deadline (April 15, 2022) for the deactivation of unregistered SIM cards, citing loopholes in adherence to SIM card registration laws.
The authority cited findings from a survey of 22 counties that revealed, among other things, fraudulent registration of SIM cards using fictitious identity card numbers, ID cards of proxies or other documents such as student IDs and NSSF cards, as well as a general lack of verification of identity documents.
The exercise, which required subscribers to verify their SIM registration details and unregistered users to comply, was extended to October 15, 2022, and later on another 60 days were added.
It is during this 2022 process that telecommunications companies initially required subscribers to submit to having their photographs taken, processed and retained.
The CA, in a joint briefing session with heads of telcos from Safaricom, Telkom Kenya and Airtel on April 10, 2022, clarified that only a photo of a subscriber’s ID (National ID, service cards for disciplined forces, passports or birth certificate), name and address were legally required.
During the briefing, Safaricom’s Chief Corporate Security Officer, Nicholas Mulila, explained that the requirement of a subscriber's photo was an additional measure to guard against impersonation.
“What we have seen in the past is that there have been quite a number of incidents of impersonation and M-PESA fraud driven by stolen identities and we thought it was something that would make our customers much more safer than they are today,” he said.
During the session, CA Director-General Ezra Chiloba remarked that it was possible that in the near future, the requirement for biometric SIM Card registration would become mandatory.
A number of countries as documented by Privacy International have already implemented mandatory biometric SIM registration - fingerprint and face biometrics.
They include Nigeria (2011), Bangladesh (2015), Pakistan (2016), Uganda (2018), Mexico (2021), and Mozambique (2023) among others at various stages of legislation.
In fact, as far back as July 2017, Safaricom was set to introduce customer photo verification as a prerequisite for M-Pesa transactions where agents were to use photos to verify those depositing or withdrawing from the mobile money service.
Business Daily reported that the telco had, at the time, distributed about 25,000 pre-programmed smartphones to agents for SIM card registration purposes.
Agents were to conduct all transactions with company-issued mobile devices that were to eliminate the need to ask for proof of identity.
Photo evidence of the person registering a SIM was seen as a sure way of curbing the use of stolen personal identification information to commit mobile money fraud.
The growth in the popularity of app-based digital loan providers in the country especially from the second half of the 2010s would further compound the challenges of identity theft.
Identity thieves take advantage of personally identifiable information such as ID number, date of birth, full names and email address, readily available in visitor books or on stolen IDs, to create fake customer profiles that are convincing enough for digital lenders to advance loans to borrowers who are effectively ghosts.
Cases of Kenyans finding themselves negatively listed with the Credit Reference Bureau (CRB) for digital loans they didn’t take started to rise as digital loans became commonplace and cunning Kenyans easily gamed the Know Your Customer (KYC) requirements being developed by digital lenders.
Perhaps one of the most famous incidents of identity theft-related CRB listing was the 2019 suit filed by Resolution Health founder, Peter Nduati, against a digital lender that he said, in a Twitter (now X) post, had negatively listed him for apparently defaulting on a Ksh1,000 loan.
He said he learned of the listing when concluding a loan application for his company, Centric Air, where the bank initially had declined to extend credit on account of the listing that he said significantly lowered his credit score.
As more Kenyans were able to get access to near-instant credit from digital lenders, fraudsters were engaging in what has come to be known as loan stacking.
This is where after creating a fake identity with stolen data, a fraudster will quickly grow their credit limit with several loan apps, borrow the highest amount possible from them all and take off.
Since the Central Bank of Kenya (CBK) assumed a supervisory role over the activities of digital lenders regranting them access to CRBs, the app-based lenders - who have borne the brunt of impersonation - are upgrading their KYC requirements.
The Central Bank of Kenya (Digital Credit Providers) Regulations, 2022, require a digital credit provider to “satisfy itself as to the identity of its customers while performing transactions.”
In light of the challenges presented by fraudsters, some digital lenders are taking a leaf from their commercial banking counterparts and encouraging their customers to opt in and provide facial biometrics in the form of uploading a selfie at the signup stage.
Banks that have innovated digital customer onboarding services have translated the existing physical KYC process - that requires a customer to present their original ID and a passport-size photo - into a digital option of uploading a copy of ID and a selfie image.
For example, to open the Bank 24/7 Digital Account offered by the Diamond Trust Bank, a customer is required to digitally submit a copy of their National Identity Card, KRA PIN certificate, and a selfie.
A similar selfie requirement is listed for opening the fully digital Standard Chartered DigiSmart Account in lieu of submitting a passport-size photograph at a branch.
Similarly, to open the Absa Digital Savings Account - which is also fully digital - there is an “identity verification” requirement where an applicant consents to have a ‘selfie’ taken in real-time using the camera of the device they are using.
One of the digital lenders offering its customers this identity verification option is Zenka Finance. The lender, which is among the first batch of 32 Digital Credit Provider (DCP) licensees, says the selfie adds another layer of verification during the sign-up process to prevent impersonation.
The facial ID (selfie) verification system developed by the lender, whose mobile app has over 5 million downloads on the Google Play Store, is primarily meant to weed out scammers.
“Selfie identification is not only a huge step towards protecting our clients from scammers but also acts as an additional credibility and directly affects the amount of the credit limit granted,” Zenka Country Manager, Bernard Kiraithe, explains.
Just like it sounds, selfie identity verification (also called selfie authentication or selfie check) is a process that requires a user to submit a selfie for their identity to be verified.
Typically, it is paired with other verification techniques including database and document verification to ascertain - with a higher degree of accuracy - the identity of the user.
In the Zenka facial ID verification case, for example, the lender says the selfie submitted by users who have opted in is digitally matched with the image on the copy of the National ID card submitted as part of the signup process.
An Artificial Intelligence (AI) program is used to analyse the images, check for discrepancies and determine if they are a match.
“The selfie verification process happens automatically, without human intervention,” Kiraithe adds.
Depending on the service provider, a user may be required to submit multiple selfies from different angles as an additional security measure to guard against attempts to outsmart the process including the use of photo deepfakes.
With scammers stopping at nothing to get past the verification step, “liveness detection” is being employed to determine with a higher degree of certainty that the selfie submitted is of a “live” person and not a recording, picture or other spoof.
Sophisticated algorithms analyse various data points, including image data, metadata, reflexive signals and other active detection techniques, to distinguish a spoof from a real, living person.
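None of the lenders or banks named above publish their verification code, so the following is an added, simplified illustration (not Zenka's or any other provider's system) of how the layers described here fit together: a document check, a selfie-to-ID face match score (assumed to come from a separate matcher), and active liveness in the form of a server-chosen pose sequence, a capture-time window and a replay guard on the submitted images. The `SelfieSubmission` fields, thresholds and pose names are all assumptions for the example.

```python
import hashlib
import secrets
from dataclasses import dataclass

POSES = ("front", "left", "right", "up", "down")  # assumed pose vocabulary


@dataclass
class SelfieSubmission:
    images: list             # raw bytes of each selfie, one per requested pose (constructed)
    poses: list              # poses the client reports for each image, e.g. ["front", "left"]
    challenge_id: str        # id of the challenge the server issued for this attempt
    captured_at: float       # client-reported capture time (metadata), epoch seconds
    face_match_score: float  # selfie-vs-ID-photo similarity from a matcher, 0.0..1.0 (assumed)
    document_verified: bool  # result of the separate ID document / registry check


class SelfieKycVerifier:
    """Layers document check, face match and active liveness into one decision."""

    def __init__(self, match_threshold=0.85, max_age_s=120, poses_per_challenge=3):
        self.match_threshold = match_threshold
        self.max_age_s = max_age_s
        self.poses_per_challenge = poses_per_challenge
        self.challenges = {}      # challenge_id -> (required poses, issued_at)
        self.seen_images = set()  # hashes of every selfie ever submitted (replay guard)

    def issue_challenge(self, now, rng=secrets.SystemRandom()):
        # Active liveness: the server picks the pose sequence, so a static photo or a
        # pre-recorded clip cannot know in advance which angles will be demanded.
        poses = rng.sample(POSES, self.poses_per_challenge)
        cid = secrets.token_hex(8)
        self.challenges[cid] = (poses, now)
        return cid, poses

    def verify(self, sub, now):
        reasons = []
        issued = self.challenges.pop(sub.challenge_id, None)  # each challenge is single use
        if issued is None:
            reasons.append("unknown or reused challenge")
        else:
            poses, issued_at = issued
            if now - issued_at > self.max_age_s:
                reasons.append("challenge expired")
            if sub.poses != poses:
                reasons.append("pose sequence does not match challenge")
        if not (now - self.max_age_s <= sub.captured_at <= now):
            reasons.append("capture timestamp outside window")
        digests = {hashlib.sha256(img).hexdigest() for img in sub.images}
        if len(digests) < len(sub.images) or digests & self.seen_images:
            reasons.append("replayed or duplicate selfie image")
        self.seen_images |= digests
        if not sub.document_verified:
            reasons.append("ID document not verified")
        if sub.face_match_score < self.match_threshold:
            reasons.append("selfie does not match ID photo")
        return (not reasons, reasons)
```

A real deployment would replace the reported `poses` with poses estimated from the images themselves and would also key the replay guard on perceptual rather than exact hashes.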
KYC verification is a problem that several African startups have raised tens of millions of dollars to solve.
They include Smile Identity which earlier in February raised $20 million in Series B funding to expand its AI-powered ID Verification and KYC compliance service for African faces across the continent.
In the State of KYC in Africa 2022 Report, the startup reports that about 50% of fraud in all industries in the continent goes undetected with textual KYC alone.