Phishing scams — where fraudsters create fake websites or emails to steal your personal information — are becoming increasingly sophisticated in Kenya. Here’s how to protect yourself.
What Is Phishing?
Phishing is when criminals create websites, emails, or messages that impersonate legitimate organisations to trick you into entering your personal information, banking details, or passwords.
In Kenya, common phishing targets include:
- Fake Safaricom websites (safaricom-mpesa.com, safaricom-offers.net, etc.)
- Fake bank websites (fake Equity, KCB, Co-op bank pages)
- Fake government websites (fake eCitizen, NTSA, KRA pages)
- Fake e-commerce sites (copies of Jumia or other retailers)
- Fake lottery or prize notification websites
How to Identify a Phishing Website
Check the URL Carefully
The web address is the most important indicator. Legitimate sites have clean, official domains:
- Real Safaricom: safaricom.co.ke
- Fake: safaricom-mpesa.com or safaric0m.co.ke or safaricom.verify-account.com
Look for: extra words, numbers replacing letters (0 instead of o), added hyphens, or the real company name appearing in front of a different domain (in mpesa.fake-site.com, the actual domain is fake-site.com).
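The URL checks above can be automated. The following is an added example, not code from this article's author: the brand keyword list, the digit-for-letter map and the short list of .ke suffixes (a stand-in for the full Public Suffix List) are assumptions, and the sample links are the ones used in this article.

```python
import re
from urllib.parse import urlsplit

# Allowlist of domains you have verified yourself. Only safaricom.co.ke comes
# from the article; add your own bank's and agencies' domains.
OFFICIAL_DOMAINS = {"safaricom.co.ke"}
# Assumed brand keywords to watch for in lookalike hosts.
BRAND_KEYWORDS = ("safaricom", "mpesa")
# Simplified stand-in for the Public Suffix List (assumption): suffixes under
# which the registrable domain is three labels long.
TWO_LABEL_SUFFIXES = {"co.ke", "go.ke", "or.ke", "ac.ke", "ne.ke"}
# Assumed map of digits commonly swapped in for letters (0 for o, 1 for i, ...);
# hyphens are deleted so "safari-com" normalises to "safaricom".
LOOKALIKE_MAP = str.maketrans("01345", "oieas", "-")


def split_host(url):
    """Return (registrable_domain, subdomain_labels) for a URL or bare host."""
    if not re.match(r"[a-z][a-z0-9+.-]*://", url, re.I):
        url = "//" + url  # let urlsplit treat a bare host as the network location
    host = (urlsplit(url).hostname or "").rstrip(".")
    labels = host.split(".")
    n = 3 if ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES else 2
    return ".".join(labels[-n:]), labels[:-n]


def check_url(url):
    """Classify a link using the URL checks described in the article."""
    domain, subdomains = split_host(url)
    if domain in OFFICIAL_DOMAINS:
        return "official"
    name = domain.split(".")[0]  # first label of the registrable domain
    if any(b in name for b in BRAND_KEYWORDS):
        return "brand name on a different domain"
    if any(b in name.translate(LOOKALIKE_MAP) for b in BRAND_KEYWORDS):
        return "lookalike spelling"
    if any(b in s.translate(LOOKALIKE_MAP) for s in subdomains for b in BRAND_KEYWORDS):
        return "brand name used as a subdomain"
    return "not on allowlist"


if __name__ == "__main__":
    # Sample links taken from the article's examples.
    for link in ("https://www.safaricom.co.ke/", "safaricom-mpesa.com",
                 "safaric0m.co.ke", "safaricom.verify-account.com",
                 "mpesa.fake-site.com"):
        print(f"{link:32} -> {check_url(link)}")
```

Anything other than "official" means the link should not be trusted with credentials; "not on allowlist" only says the domain has not been verified, not that it is safe.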
Look for HTTPS and a Lock Icon
Legitimate banking and personal data sites use HTTPS (you’ll see a padlock icon in the browser address bar). However, even some phishing sites now use HTTPS — so this alone isn’t sufficient, but HTTP (no S) on a banking site is an immediate red flag.
Notice Poor Design Quality
Phishing sites are often hastily made with grammatical errors, low-quality logos, misaligned text, or broken images. Legitimate institutions maintain professional websites.
Verify Through Official Channels
If you receive a link claiming to be from Safaricom, your bank, or a government body, don’t click it. Instead, open a new browser tab and type the official website address yourself.
Common Phishing Scenarios in Kenya
"Your M-Pesa account has been suspended" — You receive an SMS or email with a link to "verify" your account. The link leads to a fake Safaricom site that harvests your credentials.
"You’ve won a Safaricom prize" — A message tells you to visit a website to claim your prize. The site collects your personal information or asks for a small "processing fee."
"Update your bank details" — An email or SMS from what appears to be your bank asks you to update your details via a link.
"Your tax returns need attention" — A fake KRA notification with a link to a phishing site.
What to Do If You’ve Clicked a Phishing Link
- Don’t enter any information on the site
- Close the page immediately
- If you already entered information: change your passwords immediately, contact your bank or Safaricom, and report to your bank’s fraud line
- Report the phishing site to the Communications Authority of Kenya
- Warn friends and family if the link came through a shared message
Frequently Asked Questions
Q: How do I report a phishing website in Kenya?
A: Report to the Communications Authority of Kenya (CA) and the organisation being impersonated (e.g., Safaricom’s fraud line at 100, your bank’s fraud department).
Q: Can Safaricom SMS messages be fake?
A: Yes, SMS spoofing allows criminals to send messages that appear to come from "SAFARICOM" or your bank’s name. Never trust a link in an SMS — visit the official website directly.
Q: What happens if I give my details to a phishing site?
A: Change all relevant passwords and PINs immediately. Contact your bank and Safaricom to flag your accounts. Monitor your accounts for unauthorised activity.
Stay safe online and verify sellers at legitcheck.co.ke.