Esther Wangiru thought she hit the jackpot. Two strangers called out of the blue, saying she’d won 200,000 shillings. She was shocked but excited – that’s about $2,200, well above her monthly $200 salary.
But there was a catch. They asked Ms. Wangiru, who works as a cleaner at the University of Nairobi, to transfer $22 in phone credit to them as a condition for receiving the prize.
She sent it with a few taps on her cellphone keyboard via M-pesa, Kenya’s mobile payment system. She then primped for the TV appearance they promised would be accompanies with the prize money, which sounded like one of the many lotteries constantly being advertised on television. The men told her she had won a sweepstakes hosted by Safaricom, Kenya's leading mobile phone network.
The men called a few minutes later to say they were delayed, but on their way — and requested Wangiru send them another $22 for facilitating the prize. She complied, perplexed but still not skeptical.
The men never showed and Wangiru never heard from them again. She was out almost $50 — a week's pay.
“I heard about [these scams] but I never thought they were serious,” says Wangiru. “Now I am more diligent.”
That was 2008, only a year after the wildly popular mobile money transfer service M-pesa launched. Today, it’s hard to find a mobile phone user in Kenya who hasn’t been on the receiving end of a similar scam – and doesn’t know someone who fell for one. Many receive their first within days of activating a new number.
M-pesa — pesa is Swahili for money — is simple to use. Customers add money to their account, which is linked to their phone number, by taking cash to an agent, often located in a store or roadside kiosk. They can then pay others by punching in the phone number or business code of the recipient. Kenyans use it to pay for everything from groceries to utility bills.
The money is stored across Kenya’s many commercial banks, but it is perhaps most valuable for the vast number of Kenyans without bank accounts, whether because of poverty or distance from the nearest brick-and-mortar bank.
Africa's mobile money boom
In nine African countries, mobile money accounts outnumber bank accounts. It’s been heralded as a financial revolution, both for its ability to provide a form of banking to the poor and for providing many of the benefits of electronic payment without the same infrastructure investment.
But it's also a harder system to regulate and protect. Scams cropped up almost as soon as M-pesa became available in 2007, and Safaricom and the police always seem to be a couple of steps behind the latest con.
There’s one that says “I’m outside your house with a contract to kill you. Send me 5,000 shillings and I’ll leave.” In rural areas, the message asking for money to help get a snake-bitten child to the hospital is more believable.
Often the person sending that type of message is sitting in a high-security prison in central Kenya, where wardens have been known to smuggle mobile phones in to prisoners. They try thousands of phone numbers, figuring one will occasionally bite. As soon as Safaricom, the mobile provider behind M-Pesa, alerts the public to a scam, another one crops up.
And yet, the money service continues to boom. It has 80,000 agents and is closing in on 20 million registered users — close to half the population of Kenya. It ranks fourth in the country for international money transfers.
Irene Kibire, who fell for scams twice as an M-Pesa agent for Safaricom, is still a devotee. Both times, someone asked her to provide an advance to their M-Pesa account and then never came back with the cash, leaving Ms. Kibire stuck with the tab.
“Even though I had these two incidents, it’s not enough for me to say no to M-Pesa,” she says. “It’s the safest and most effective option.”
Social engineering trickery
All M-Pesa SMSs are encrypted, and the database is stored overseas in Germany, Mr. Joseph says. One of the most common questions he gets is whether M-Pesa has ever been hacked. He says that it hasn’t. But Safaricom could also do more to protect users from falling victim to mobile shakedowns, perhaps with multiple authentication steps before anyone sends money.
Like with the infamous Nigerian e-mail scams, the young and digitally savvy often just laugh and ignore any of the bogus messages. It’s often older individuals or those with little exposure to technology who fall for them. The company does remind users to always check their M-Pesa balance, to never give out the PIN that protects their account, and to never let someone send the money for them.
In its early days, the company reimbursed all customers for money lost, but that practice is less common now. Sometimes the company is able to track the scammers by phone number.
But in the rural community where Kibire was an M-Pesa agent, those warnings don’t do much and opportunity for abuse is rife. “My mom and grandma don’t understand [PINs],” she says.
Among the most common and straightforward types of fraud is a getting a message that says you’ve received an unexpected deposit. A moment later, you get a frantic call from someone saying they punched in the wrong number. “Could you please send the money back?” they plead.
It can get quite detailed, says Mutua Mulanga, a business analyst with Financial Sector Deepening (FSD), an organization focused on financial inclusion. Instead of asking for the full amount back, they might ask for 5,000 shillings back and let you “keep” 2,000 as a thank you.
It’s not just text messages, either. Dodgy M-Pesa agents have been known to lie to customers about needing their PIN to complete a transaction. Once they have the PIN and phone number, they have unfettered access to the account. Agents have also been accused of overcharging unsuspecting customers. In some cases, agents and others commit fraud against Safaricom by registering fake accounts to earn commission or splitting up one large transaction into multiple ones because they receive commission on every transaction.
The scale of consumer fraud is unknown. Few people report it, says Nambuwani Wasike, a former Safaricom employee who is now a research associate at FSD.
The customer care center receives hundreds of calls a day, and less than 50 percent of them are successfully resolved. Many people don’t know that they can report it, while many of those who do end up getting shuffled back and forth between Safaricom, which can’t take any action against fraudsters, and the police, who can but don’t really understand the problem.
“People just give up,” says Mr. Wasike.
Convenience outweighs risk
And yet M-Pesa is everywhere. In the seven-story office building where FSD is located, there are three agents. In its first year, the service had three times the uptake Safaricom projected.
The most common problem it had was the system crashing from overuse, says Wasike, who joined the company only a couple months after the launch of the service. “Safaricom enjoys a lot of trust as a brand … It takes reputational risk very seriously.”
According to Vodafone's Joseph, “The amount of fraud where we have actually lost money is something like .05 percent of the total value of transactions that have gone through the system.” He says traditional banks have lost 10 times that much.
All this has made M-Pesa somewhat of a global fascination. In fact, Safaricom started an internal travel office to handle the flood of requests from financial regulators to come and observe the service.
Its success is easy to understand, Joseph says, nonchalantly: “It’s cheap, it’s efficient, it works.”