Mobile banking fraud surges 344% amid digital expansion; CBK intensifies ICT oversight and calls for human-centered cybersecurity frameworks.
Kenya’s banking sector is grappling with an alarming rise in cyber-enabled fraud, with total losses jumping 264% to KSh 1.5 billion ($11.1 million) in 2024, up from KSh 412 million ($3.1 million) the previous year. The spike, driven by mobile banking vulnerabilities and rapid digitalisation, has prompted the Central Bank of Kenya (CBK) to enhance its supervisory lens on ICT risk and cyber resilience.
“Cyber risks have increased due to the digitalisation of payments and transfer of money from person to person,” CBK stated in its 2024 Financial Sector Stability Report.
Reported fraud cases more than doubled to 353, while attempted fraud rose to KSh 1.9 billion ($14 million). Mobile banking was hit hardest, with losses soaring to KSh 810.6 million ($6 million), accounting for over half of the sector’s total fraud costs.
Breakdown of Fraud Losses by Channel
| Fraud Type | 2023 (KES) | 2024 (KES) | % Change |
|---|---|---|---|
| Mobile Banking Fraud | 182.41M | 810.66M | +344% |
| Computer-Based Fraud | 74.84M | 203.8M | +172% |
| Identity Theft | 32.06M | 199.1M | +521% |
| Card Fraud | 15.29M | 263.3M | +1,622% |
| Internet Scam | 797.7K | 6.07M | +661% |
| Online Banking Fraud | 106.21M | 111.8M | +5% |
CBK’s ICT Strategy: From Supervision to Cyber Resilience
In response to escalating digital threats, CBK ramped up its ICT oversight in 2024, conducting thematic inspections focused on cyber resilience, data governance, and third-party risk. The regulator now integrates ICT risk indicators, such as system downtime, incident response, and penetration testing, into its supervision model.
“The Bank conducted thematic inspections focused on ICT risk, with emphasis on cyber resilience, data governance, and third-party risk,” the Supervision Annual Report 2024 noted.
CBK also flagged emerging risks tied to cloud adoption, weak API security, and mobile app vulnerabilities; areas increasingly exploited by fraudsters targeting Kenya’s digital-first banking population.
Human-Centred Cybersecurity: Bridging Policy and Practice
Insights from the GIZ-KICTANet Study on Human-Centred Cybersecurity in Kenya’s Fintech Sector underscore the need to shift from tech-centric to user-centric security frameworks. The study maps Kenya’s cybersecurity landscape, highlighting gaps in user trust, data protection, and breach reporting.
“Cybersecurity must be about people—not just systems. A human-centred approach ensures users are equipped to detect, respond, and report threats,” the study asserts.
With mobile money and e-commerce expanding rapidly, the attack surface has widened—especially among first-time digital users.
The study calls for national assessments, stronger institutional coordination, and inclusive policy design to build cyber maturity across the financial ecosystem.
Sector Resilience Amid Economic Headwinds
Despite elevated operational risk, Kenya’s banking sector remained resilient:
- Core capital rose to KSh 989.2 billion ($7.3 billion), lifting the capital adequacy ratio to 19.6%.
- Profit before tax increased by 18.71% to KSh 260.3 billion ($1.9 billion).
- Net assets contracted by 1.6%, while net loans fell 2.7%.
CBK cited macroeconomic pressures, including high energy costs, tight financial conditions, and delayed government payments, as key constraints. The exchange rate peaked at KSh 162.7/$1, and inflation stayed within the 2.5–7.5% target range.
