Module 2 of 5
Password security. Recognizing scams and phishing. Protecting personal data. Social media safety.
Peter is a 38-year-old hardware dealer in Mombasa. One Tuesday morning, he received an SMS that read: 'MPESA: Ksh 12,500 has been sent to your account. To confirm, send your PIN to 0712-XXX-XXX.' Peter had been waiting for a payment from a supplier. He was relieved. He sent the PIN.
Two hours later, he discovered his M-Pesa account had been emptied — Ksh 34,000 gone. The SMS was fake. There was no payment. The number belonged to a fraudster who had spent three minutes crafting a message Peter had no framework to question.
Peter is not careless or unintelligent. He was simply operating in a digital environment without the specific knowledge that would have protected him. This module gives you that knowledge.
Understanding the mechanics of scams is the most effective defense against them. Scammers rely on three psychological levers: urgency (act now or lose something), authority (this is from Safaricom / your bank / the government), and confusion (making the situation complex enough that verification feels harder than compliance).
The most common digital scams targeting Kenyan users:
Fake M-Pesa messages (SMS spoofing): Fraudsters send SMS messages that copy Safaricom's message format: the same wording, the same layout, and a sender name that looks like the real one. They claim money has been sent to you and ask you to 'confirm' by sending your PIN, or they send a fake 'you have received' message and then call or text claiming the money went to you by mistake, asking you to 'reverse' it by sending real money to a number they give. M-Pesa will never ask for your PIN via SMS. Never. Under any circumstances. A genuine M-Pesa confirmation never asks you to do anything; it simply reports a completed transaction, and the only thing that proves money arrived is your own balance, not a message.
Phishing links: A WhatsApp message or SMS containing a link that looks like it goes to a legitimate site — 'Click here to claim your Safaricom bonus' or 'Your KCB account needs verification.' The link leads to a fake page that captures your login credentials or installs malware. Safaricom, banks, and government agencies do not send unsolicited links asking for account information.
Job scams: An online job posting or WhatsApp message offering unusually high pay for simple work — typing, clicking ads, reviewing products. Applicants are asked to pay a 'registration fee' or 'training deposit' to begin. The fee is paid; the job never materializes. In Kenya, the Communications Authority has documented thousands of job scam complaints annually.
SIM swap fraud: A fraudster contacts your mobile network with enough of your personal information to convince customer service to transfer your phone number to a new SIM they control. Once they have your number, they receive the one-time passwords sent to it by SMS and can access your mobile money, banking apps, and email. This attack often follows a period of gathering your personal information from social media or through direct contact. A phone that suddenly loses network service for no reason is a warning sign: contact your provider from another phone immediately.
Prize and lottery scams: 'Congratulations — your number was selected. You have won Ksh 50,000 / a smartphone / a trip to Dubai. To claim, pay the processing fee of Ksh 500.' No legitimate prize requires you to pay to claim it.
The Communications Authority of Kenya received over 10,000 cybercrime complaints in 2022 alone, with financial fraud via mobile money being the largest single category. Estimated losses from mobile money fraud in Kenya exceed Ksh 1 billion annually.
Source: Communications Authority of Kenya — Cybersecurity Annual Report 2022/2023
Most people use the same weak password across multiple accounts. This is understandable — remembering many complex passwords is genuinely difficult. But it is also the single most exploitable vulnerability in personal digital security.
What makes a password strong:
Length: every extra character multiplies the number of guesses an attacker has to make, so a 12-character password is tens of millions of times harder to crack by brute force than an 8-character one drawn from the same characters. Length matters more than complexity.
Unpredictability — avoid names, birthdays, and sequential numbers (1234, 0000). These are the first combinations any attacker tries.
Uniqueness — use a different password for each important account. If one password is compromised, the attacker cannot access everything else.
A practical system for remembering strong passwords: use a passphrase, three or four random words joined together. The words must be picked at random; a famous saying, a line from a song or a sentence about yourself is guessable. 'GikombaRainBlueTable' is 20 characters long, easy to remember, and far beyond brute force, and it stays strong even against an attacker who knows you used four dictionary words. Add a number and symbol to satisfy platform requirements: 'GikombaRainBlueTable7!'
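To make the three properties concrete, here is a small strength estimator that compares an 8-character and a 12-character password, scores the passphrase above both as a brute-force target and as a four-word guess, and flags the digit patterns this module warns against (sequences, repeats, dates), which is the same check that applies to a mobile money PIN. It is an added example written for this module, not a tool from Safaricom or from any of the resources listed; the 7776-word dictionary, the guess rate of ten billion per second and the 33-symbol alphabet are assumptions, and it does not try to detect names.

```python
import math
import re

SYMBOLS = 33                # printable ASCII punctuation (assumption)
DICTIONARY_WORDS = 7776     # Diceware word-list size (assumption)
GUESSES_PER_SECOND = 1e10   # assumed offline cracking rate against a leaked hash


def charset_size(pw: str) -> int:
    """Alphabet a brute-force attacker must search, judged from the
    character classes actually present in the password."""
    size = 0
    if re.search(r"[a-z]", pw):
        size += 26
    if re.search(r"[A-Z]", pw):
        size += 26
    if re.search(r"[0-9]", pw):
        size += 10
    if re.search(r"[^A-Za-z0-9]", pw):
        size += SYMBOLS
    return size


def brute_force_bits(pw: str) -> float:
    """Search space in bits if every character were chosen at random.
    Each extra character adds log2(alphabet) bits: length beats complexity."""
    return len(pw) * math.log2(charset_size(pw))


def passphrase_bits(num_words: int, dictionary_size: int = DICTIONARY_WORDS) -> float:
    """Honest estimate for a word-list passphrase: the attacker guesses whole
    words, so only the word count and the list size matter."""
    return num_words * math.log2(dictionary_size)


def years_to_crack(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Expected time to hit the secret (half the space) at the assumed rate."""
    return (2 ** bits / 2) / rate / (365 * 24 * 3600)


def looks_like_date(digits: str) -> bool:
    """Digit strings a birthday-guessing attacker tries first: a plausible
    year, or DDMM / MMDD (also the first four digits of DDMMYY / DDMMYYYY)."""
    if len(digits) not in (4, 6, 8):
        return False
    if len(digits) == 4 and 1900 <= int(digits) <= 2030:
        return True
    a, b = int(digits[:2]), int(digits[2:4])
    return (1 <= a <= 31 and 1 <= b <= 12) or (1 <= a <= 12 and 1 <= b <= 31)


def weak_patterns(secret: str, min_length: int = 12) -> list:
    """The patterns the text warns against. Use min_length=4 for a 4-digit
    mobile money PIN, where only the digit checks apply."""
    findings = []
    if len(set(secret)) == 1:
        findings.append("repeated character")
    digits = "".join(ch for ch in secret if ch.isdigit())
    for i in range(len(digits) - 3):
        run = digits[i:i + 4]
        if run in "0123456789" or run in "9876543210":
            findings.append("sequential digits " + run)
            break
    if looks_like_date(digits):
        findings.append("looks like a date")
    if len(secret) < min_length:
        findings.append("shorter than %d characters" % min_length)
    return findings


def report(pw: str, words: int = 0) -> dict:
    """Summarise one candidate; words > 0 marks a word-list passphrase, and
    the attacker is assumed to take whichever route is cheaper."""
    bits = brute_force_bits(pw)
    if words:
        bits = min(bits, passphrase_bits(words))
    return {"bits": round(bits, 1), "years": years_to_crack(bits), "weak": weak_patterns(pw)}


if __name__ == "__main__":
    candidates = [("Ab3$xY9!", 0), ("Ab3$xY9!pQ2#", 0),
                  ("GikombaRainBlueTable", 4), ("GikombaRainBlueTable7!", 4), ("1985", 0)]
    for pw, words in candidates:
        print(pw, report(pw, words))
    print("PIN 1234:", weak_patterns("1234", min_length=4))
```

The two numbers to compare are the brute-force estimate for 'GikombaRainBlueTable' (about 114 bits) and the four-word estimate (about 52 bits): the lower one is the honest figure, and it is still far above the 8-character password, which is why random words work.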
Two-factor authentication (2FA) is the single most important security upgrade available. When 2FA is enabled, logging into an account requires both your password and a second verification, typically a code sent to your phone by SMS or generated by an authenticator app. Enable 2FA on your banking apps, email, and WhatsApp immediately, and on M-Pesa and any other service wherever it is offered. Even if a scammer gets your password, they cannot access your account without the second factor. Prefer app-generated codes where the service offers them: an SMS code goes to whoever controls your phone number, which is exactly what a SIM swap attacker takes over, while an app-generated code is computed from a secret stored on your phone and the current time, so it does not move with your number.
Train yourself to pause and ask these four questions before responding to any unexpected message, call, or online offer:
Did I initiate this contact? If a message arrives that you did not ask for — a prize notification, a payment confirmation for money you were not expecting, a job offer you did not apply for — treat it as suspicious until proven otherwise.
Is there urgency or pressure? Scammers create artificial urgency: 'You have 30 minutes to respond or lose the offer.' Legitimate organizations give you time to verify. Pressure is a red flag.
Is there a request for money, a PIN, or personal information? M-Pesa and all legitimate financial services will never ask for your PIN. Your bank will never ask for your card PIN, your online banking password or a one-time code by SMS or phone call. If someone asks for these things, the answer is always no.
Can I verify this through an official channel? Before acting on any financial message, call the official customer service number (Safaricom: 0722 002 100; Airtel: 0733 100 000) and ask whether the message is real. Use the number from the provider's official website or your SIM pack, never a number given in the suspicious message itself, and never call back the number that messaged you. This takes two minutes and has prevented countless frauds.
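The four questions can be written down as a screening routine. The script below runs them over a handful of constructed messages modelled on the scams described earlier (the fake M-Pesa 'confirm with your PIN' text, a prize scam, a 'reverse my mistaken payment' request, a phishing link) and one genuine-looking confirmation. It is an added example for this module, not software from Safaricom or any bank; the word lists and the sample senders are assumptions that catch the common wording of these scams, not every scam, so a clean result still means 'verify', not 'trust'.

```python
import re

# Heuristics for the four questions (assumed word lists, not an official filter).
URGENCY = re.compile(
    r"\b(urgent(ly)?|immediately|right now|within \d+ (minutes?|hours?)|"
    r"expires?|ends today|last chance|act now)\b", re.I)
SECRET_REQUEST = re.compile(
    r"\b(pin|password|otp|one[- ]time (code|password)|verification code)\b", re.I)
MONEY_REQUEST = re.compile(
    r"\b(registration fee|processing fee|deposit|pay|send (back|ksh|money)|reverse|refund me)\b", re.I)
PRIZE = re.compile(r"\b(congratulations|won|winner|prize|bonus|selected)\b", re.I)
LINK = re.compile(r"(https?://|www\.|bit\.ly/|\b[\w-]+\.(com|co\.ke|ke|net)\b)", re.I)
# A Kenyan mobile number as the sender, as opposed to a registered sender ID like MPESA.
PERSONAL_NUMBER = re.compile(r"^(\+?254|0)7\d{8}$")
CLAIMS_OFFICIAL = re.compile(r"\b(m-?pesa|safaricom|airtel|bank|kcb|equity)\b", re.I)


def screen_message(text: str, sender: str, expected: bool = False) -> list:
    """Return the red flags raised by the four questions for one message.
    `expected` is True only when you initiated the contact or were waiting
    for exactly this transaction."""
    flags = []
    if not expected:
        flags.append("Q1: you did not initiate this")
    if URGENCY.search(text):
        flags.append("Q2: urgency or pressure")
    if SECRET_REQUEST.search(text):
        flags.append("Q3: asks for PIN or code")
    if MONEY_REQUEST.search(text):
        flags.append("Q3: asks for money")
    if PRIZE.search(text):
        flags.append("Q3: unsolicited prize or bonus")
    if LINK.search(text):
        flags.append("Q4: contains a link; open the official site yourself instead")
    number = re.sub(r"[^\d+]", "", sender)
    if PERSONAL_NUMBER.match(number) and CLAIMS_OFFICIAL.search(text):
        flags.append("Q4: claims to be official but came from a personal number")
    return flags


def verdict(flags: list) -> str:
    """Anything beyond 'unexpected' means stop; unexpected alone means verify."""
    serious = [f for f in flags if not f.startswith("Q1")]
    if serious:
        return "STOP: do not reply or send anything; call the official number from the provider's website"
    if flags:
        return "PAUSE: verify through an official channel before acting"
    return "No red flags found; if the transaction is unexpected, still check your balance yourself"


# Constructed sample messages (sender, text, expected) modelled on this module's scams.
SAMPLES = [
    ("0712000000",
     "MPESA: Ksh 12,500 has been sent to your account. To confirm, send your PIN to 0712-000-000.", False),
    ("MPESA",
     "RB12XY34Z Confirmed. You have received Ksh1,200.00 from JANE DOE 0722000000 on 5/3/24 at 9:15 AM. "
     "New M-PESA balance is Ksh3,400.00.", True),
    ("+254700000001",
     "Congratulations! Your number was selected. You have won Ksh 50,000. "
     "To claim, pay the processing fee of Ksh 500 within 30 minutes.", False),
    ("+254700000002",
     "Hi, I sent Ksh 2,000 to your number by mistake. Please reverse it to 0700000002 immediately.", False),
    ("KCB-Alert",
     "Your KCB account will be suspended. Verify at www.kcb-verify.example/login before it expires.", False),
]


def screen_all(samples=SAMPLES) -> list:
    """Screen every sample; returns (sender, flags, verdict) tuples."""
    results = []
    for sender, text, expected in samples:
        flags = screen_message(text, sender, expected)
        results.append((sender, flags, verdict(flags)))
    return results


if __name__ == "__main__":
    for sender, flags, decision in screen_all():
        print(sender, flags, "->", decision)
```

Note what the sender check does and does not prove: a message from an ordinary mobile number that calls itself MPESA is certainly fake, but a message that arrives under the MPESA sender name is not thereby genuine, since sender IDs can still be spoofed; that is why the PIN and money questions carry the decision, not the sender name.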
Safaricom processes over 60 billion Kenyan shillings in M-Pesa transactions daily — making it one of the largest mobile money platforms in the world and a significant target for fraud.
In response to rising SMS spoofing fraud, Safaricom implemented SMS sender ID registration in 2022 — requiring businesses and individuals to register the names they use to send SMS messages. This makes it harder (though not impossible) for fraudsters to send messages that appear to come from 'MPESA' or 'Safaricom.'
Safaricom also introduced M-Pesa's 'Reverse' feature — allowing users to reverse a mistaken send within a limited window — which scammers had been exploiting by convincing victims to 'reverse' non-existent payments. Safaricom revised the feature's interface to make it clear that reversals only work for genuine accidental sends, not for responding to third-party instructions.
The most important protection, however, remains user knowledge. Safaricom's own security team states publicly: M-Pesa will never ask for your PIN via any channel. If anyone asks for your PIN — by SMS, by call, or in person — they are attempting to defraud you.
Understanding how the legitimate system works is your best defense against fraud that tries to imitate it.
Social media platforms — Facebook, Instagram, TikTok, WhatsApp — are valuable tools. They are also significant sources of personal data that can be used to target you for fraud, identity theft, or manipulation.
Practical social media security steps:
Review your privacy settings now. On Facebook: Settings > Privacy > Who can see your posts, friend list, and personal information. Most users have never changed these settings from the default — which is often more public than they realize.
Do not post your full phone number publicly. Scammers harvest phone numbers from public social media profiles to build contact lists for bulk fraud attempts.
Be cautious about what your profile reveals. Your birthdate, your mother's maiden name, your secondary school, the name of your pet — these are exactly the answers to security questions that protect your accounts. Limiting this information makes you harder to impersonate.
WhatsApp privacy: Go to Settings > Privacy. Set 'Last Seen,' 'Profile Photo,' and 'About' to 'My Contacts' only. Turn off 'Read Receipts' if you prefer. Enable 'Two-Step Verification': it adds a PIN requirement when registering your WhatsApp number on a new device, so a fraudster who takes over your number through a SIM swap still cannot take over your WhatsApp account without that PIN.
Speed matters. If you believe you have been defrauded:
For M-Pesa fraud: Call Safaricom immediately on 0722 002 100 or dial 456 from your Safaricom line. Report the specific transaction and the number involved. Request a temporary account freeze. Safaricom's fraud team can sometimes recover funds if contacted quickly.
For banking fraud: Call your bank's fraud hotline immediately (KCB: 0711 087 000; Equity: 0763 000 000; Cooperative: 0703 027 000). Request a card block and account review.
For general cybercrime: Report to the Communications Authority of Kenya at ca.go.ke or call their hotline. Also file a report at your nearest police station — you will need this report for any insurance claims or bank investigations.
Change your passwords immediately for any account the fraudster may have accessed.
Tell someone — a family member, a trusted friend. Fraud works partly through shame and silence. Reporting quickly, both to authorities and to people in your network, helps others avoid the same scam.
Check and strengthen your M-Pesa PIN right now.
Dial *334# and select 'My Account' > 'Change PIN.' Choose a PIN that is not your birthday, not 1234, and not repeated digits. Memorize it. Do not write it anywhere connected to your phone. This takes 2 minutes and is the most important thing you can do today for your financial security.
Enable Two-Step Verification on WhatsApp.
Open WhatsApp > Settings > Account > Two-Step Verification > Enable. Create a 6-digit PIN you will remember, different from your M-Pesa PIN. Add a backup email address. This prevents anyone who does not know the PIN from registering your phone number on a new device, which is the core mechanic of SIM swap fraud targeting WhatsApp.
Forward this module's 'Four Questions' to 3 people in your family or community.
Copy the four questions (Did I initiate this? Is there urgency? Is there a request for money or a PIN? Can I verify through an official channel?) and send them to people you care about. Financial fraud in Kenyan communities disproportionately targets older adults and people who are new to digital financial services. Sharing this knowledge is an act of community protection.
Every scam works by creating a moment of confusion in which your judgment is suspended. The antidote is simple: pause, ask the four questions, and verify through an official channel before you do anything. That pause is worth thousands of shillings.
Want to go further? These free resources are the next step:
Communications Authority of Kenya — Cybersecurity Awareness — Official government resources on digital fraud, reporting mechanisms, and consumer protection ca.go.ke/consumers/cybersecurity
Safaricom Security Centre — Safaricom's official guidance on M-Pesa fraud, SMS scams, and account protection safaricom.co.ke/personal/security
Google Safety Centre — Free tools and guidance on password security, two-factor authentication, and online privacy safety.google
Answer this question before completing the module
Conduct a personal digital security audit. Check your three most important online accounts and answer: Does each one have a strong, unique password? Is two-factor authentication enabled? Have you reviewed what personal information is publicly visible on your profile? Write down your findings and list every specific security improvement you will make this week.
Score 2 out of 3 to complete this module
1. Grace receives a WhatsApp message from an unknown number saying she has won a prize and must click a link and enter her bank details to claim it. This is most likely:
2. Which of the following is the strongest password for an online account?
3. Two-factor authentication (2FA) makes your accounts more secure because: