Kenyans are fending off disruption and complexity at every intersection. The economy remains fragmented with elevated risk due to debt pressures and the high cost of doing business. The upcoming elections are straining peace as intensified political competition and a tense electoral environment put pressure on people and systems. There is widespread social exhaustion, and it is creating a fertile environment for scams and threats that exploit distraction, emotion and misplaced trust.
This disruption and unrest is also sitting against the backdrop of limited user awareness around key scam tactics such as phishing and social engineering. According to the Communications Authority (CA) of Kenya’s Cybersecurity Report, these threat vectors have become increasingly personalised and targeted, using AI to create believable content, deepfakes and business email compromise attacks.
These are the conditions that fraud relies on. The most effective scams aren’t the ones that come from hours of hacking into a firewall or breaking an encryption key, but rather those that wait for people to feel tired, rushed and emotionally unprepared. An SMS while rushing in traffic, an email while dealing with yet another delay or strike, a scam arriving at an emotionally fragmented moment – these are the moments that scammers wait for because in a split second, the person takes one small action that puts them at risk. They tap the link, they return the call, they share their personal information on the wrong page, and then the door is wedged open by the attackers.
The sophistication of scams today comes down to how they are orchestrated to ripple outwards from these small actions and take advantage of human vulnerability. And in Kenya, the attack surface for this vulnerability is significantly widened because of its thriving mobile ecosystem. In 2025, the CA showed about 47.7 million active mobile money subscriptions at a penetration rate of around 91%. Mobile money has become central to the country’s payments ecosystem and critical to ongoing financial inclusion, and mobile wallets have effectively become the primary channel through which many Kenyans move money.
The risk lies in the accessibility and the speed at which mobile transactions and interactions take place. For example, in a M-PESA fraud scam, scammers were impersonating Safaricom’s customer care centre or security teams and calling customers with fake SIM registration issues, asking them for personal information to resolve them. Scammers have also pretended to be from Huduma Namba or the CA, knowing just enough personal information that people trust them to be legitimate and provide them with one-time codes or other essential information.
Everything about these interactions sounds plausible, and this is what makes them so successful and so risky.
The same pattern of vulnerability and risk repeats itself across moments that define daily life in Kenya right now. A person stops at a café and connects to the free Wi-Fi to make a payment. The football World Cup arrives alongside a strong betting culture, and people end up on fake betting sites that look exactly like the real ones. And the approaching elections have seen an increase in websites that are designed to look like part of the campaigns but are designed to harvest personal information instead. None of these situations require the victims to be reckless, just distracted, tired, or busy.
Changing these patterns and protecting users comes down to awareness and being constantly suspicious. If someone calls you from a reputable company, always ask questions and verify their identity before sharing personal information – or, better yet, offer to call them back. Check a betting or registration site’s URL before entering any personal information, as that is usually the quickest way to identify that it is not legitimate. And pair every moment of awareness with capable security tools so that when you are too tired or rushed to catch the warning signs, the protection does that for you. Awareness and security solutions are not competing choices; they are the same defence applied at two different points.
While there is not much Kenyans can do to prevent geopolitical conflict, economic complexity or election volatility, they can build protections around themselves and their mobile environments to ensure they remain secure.
By Lynette Waweru, Cybersecurity Specialist at ESET East Africa










