    How M-Pesa’s new number masking feature could stop thousands of scams
    Image source: CIO Africa

    Since the inception of Safaricom’s mobile money platform M-Pesa in 2007, every time a user sends money, pays for fuel, groceries, or a boda boda ride, they leave behind their phone number, which appears in the transaction notification sent to the receiver or merchant. That number could be saved, shared, or sold to malicious actors involved in SIM swap fraud.

    For the more than 37 million Kenyans who use the platform, that exposed number is a possible link in a chain that, in some cases, has ended with customers losing their funds to scammers.

    On Friday, the Central Bank of Kenya (CBK) approved Safaricom’s long-awaited request to hide phone numbers of users whenever they make payments. 

    The decision marks a significant shift in digital privacy for the platform’s users and a direct intervention into a fraud threat that has fueled thousands of scams in the country.

    “This is to inform you that the CBK has reviewed your application and submissions in support of the solution and approves your request to implement data minimalisation for peer-to-peer transactions,” CBK said in its letter to Safaricom.

    Under the new system, phone numbers will be partially masked in peer-to-peer transfers. If a recipient wants to see the full number, they will have to request it—and the sender can either consent or decline.

    The feature will also prevent merchants from seeing the payer’s full name or mobile number when settling bills or buying goods via the platform’s Till or Paybill numbers, cutting the visibility of personal information, which has been a point of concern for millions of users.

    Rising fraud threats 

    The consequences of easy-to-find phone numbers have been stark. In 2025, the Directorate of Criminal Investigations (DCI) arrested six cybercrime suspects in Mombasa who ran a scamming ring in the coastal city. According to DCI, the scammers used ID spoofing applications—paid for with over KES 500,000 ($3,875)—to impersonate bank and telco customer service agents.

    Using phone numbers harvested from legitimate transactions, they could convince victims they were speaking to a trusted official, coaxing out PINs and passwords.

    SIM-swap fraud has also become one of the most damaging crimes in Kenya’s mobile-first economy, exploiting the fact that a phone number doubles as a bank username and mobile money account. Fraudsters trick or bribe telecom agents into transferring a victim’s number onto a new SIM card, locking the legitimate owner out of their line.

    Once that has been done, they reset mobile banking and M-Pesa PINs, intercept one-time passwords, and drain accounts within minutes. The scale of the threat has repeatedly drawn warnings from the Communications Authority of Kenya and the Central Bank of Kenya, as well as tighter SIM registration rules and stronger customer verification requirements.

    Kenya’s High Court has also awarded damages to consumers over unwarranted contact and spamming by private companies. For instance, it is common for local businesses to send promotional messages to customers who pay via mobile money.

    Regulators are now tightening expectations around how digital financial services handle personal data. In 2024, financial and insurance companies accounted for an estimated 30% of determinations issued by the Office of the Data Protection Commissioner (ODPC), with over 5,000 complaints filed.