
The Silent Cyber Threat Targeting Kenyan Phones: Smishing on the Rise
Blog By
Patrick Meki
Cybersecurity & IT Risk Analyst
South-End Tech Limited
Date: 29th May, 2025
Introduction
In Kenya’s rapidly digitising economy, mobile phones are no longer just communication tools—they’re wallets, banks, and business hubs. But as mobile use grows, so does a silent threat: Smishing—fraudulent text messages designed to steal sensitive data.
Smishing (SMS + phishing) is now one of the most dangerous social engineering tactics targeting Kenyan individuals and businesses alike. Whether it’s a fake M-PESA refund or a counterfeit KRA notice, the danger is very real.
What Exactly Is Smishing?
Smishing is when cybercriminals send deceptive SMS messages that appear to come from legitimate sources (Safaricom, NTSA, banks, logistics firms, or even KRA), tricking recipients into clicking malicious links or sharing personal data.
Recent Kenyan Examples
1. Safaricom Smishing Alert (Dec 2024): Fake texts claiming to offer M-PESA refunds were sent to thousands. The messages prompted users to “confirm account details,” leading to unauthorized access and account breaches.
2. NTSA/KRA Scam Texts (2024): Fraudsters sent SMS notifications falsely claiming unpaid traffic fines or missing PIN returns, urging users to “verify” details via malicious links.
3. Online Delivery Fraud: A rise in fake Jumia and Sendy SMS alerts asking customers to pay “clearance fees” or “confirm parcels” before delivery. Most victims lost mobile money after clicking.
Why Smishing Works So Well in Kenya
1. High Trust in SMS: Many Kenyans trust mobile texts more than email.
2. Urgency Works: “Your account is suspended,” “You owe KES 10,000,” or “Your KRA PIN is blacklisted” trigger panic.
3. Limited Digital Literacy in SMEs: Many small business staff are unaware of cybersecurity red flags.
Step-by-Step Safety Tips for Kenyan SMEs
1. Verify Before You Click: Always confirm messages with the organization directly; don’t trust numbers sent in the SMS. Be cautious of shortened URLs like bit.ly or unfamiliar domain links.
2. Train Your Team Monthly: Run monthly staff sensitization on common cyber threats. Use real Kenyan case studies (like M-PESA refund scams) to build relevance.
3. Use Business SMS Management Tools: Opt for verified bulk SMS providers to avoid spoofing. Apply SMS whitelisting where available for internal communications.
4. Install Mobile Security Apps: Recommend staff install apps like Bitdefender Mobile, Avast, or Kaspersky Mobile to scan SMS threats.
5. Report and Block Suspicious Numbers: Dial *333# (for Safaricom users) to report spam or forward smishing SMS to 333. Encourage employees to block numbers and report incidents to management.
6. Protect Your Business Numbers: Register business numbers under DND (Do Not Disturb) and ensure you’re not a target for spoofing or SIM swaps.
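For teams that collect reported messages (tip 5), the red flags from tip 1 and the urgency wording described earlier can be checked automatically. The script below is an added example, not part of the original article; the shortener list, the trusted-domain list, the phrase list and the sample messages are all constructed assumptions that should be replaced with your organisation's own verified values.

```python
import re
from urllib.parse import urlparse

# Assumed lists for illustration; replace with your own verified values.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd"}
TRUSTED_DOMAINS = {"safaricom.co.ke", "kra.go.ke", "ntsa.go.ke"}
# Pressure wording modelled on the scam texts described in this article.
URGENCY = ("suspended", "blacklisted", "verify", "confirm account",
           "clearance fee", "refund", "you owe")

# Links with a scheme or "www.", plus scheme-less links such as "bit.ly/abc".
URL_RE = re.compile(
    r"(?:https?://|www\.)[^\s]+|\b[a-z0-9-]+(?:\.[a-z0-9-]+)+/[^\s]*", re.I)

def extract_hosts(text):
    """Return the lowercase hostname of every link found in an SMS body."""
    hosts = []
    for raw in URL_RE.findall(text):
        raw = raw.rstrip(".,;:!?)")
        url = raw if "://" in raw else "http://" + raw
        try:
            host = (urlparse(url).hostname or "").lower()
        except ValueError:  # malformed link, nothing to classify
            continue
        if host.startswith("www."):
            host = host[4:]
        if host:
            hosts.append(host)
    return hosts

def is_trusted(host):
    """True only for a trusted domain or a real subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)

def triage(text):
    """Return the list of red flags found in one SMS body (empty if none)."""
    flags = []
    for host in extract_hosts(text):
        if host in SHORTENERS:
            flags.append(f"shortened-url:{host}")
        elif not is_trusted(host):
            flags.append(f"unfamiliar-domain:{host}")
    hits = [p for p in URGENCY if p in text.lower()]
    if hits:
        flags.append("urgency:" + ",".join(hits))
    return flags

if __name__ == "__main__":
    sample = "Your KRA PIN is blacklisted. Verify now: http://kra.go.ke.pin-check.example/login"
    print(triage(sample))  # constructed message, not a real incident
```

The suffix check in `is_trusted` is what catches lookalike hosts that merely begin with a trusted name, such as the constructed `kra.go.ke.pin-check.example`.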
Conclusion
In Kenya, where SMS is a critical communication and transaction tool, smishing is not just an inconvenience—it’s a threat to SME continuity and financial security. Cybercriminals are getting more localized and more deceptive.
Awareness and proactive defense are the best weapons.
Do You Need Help?
We offer Smishing Awareness Training, Mobile Security Advisory, and Policy Development for Kenyan SMEs.
📞 Call us: +254115867309 | +254740196519 | +254721864169
📧 Email: cybersecurity@southendtech.co.ke | info@southendtech.co.ke
🌐 www.southendtech.co.ke