By The Report Behind the Warning
Visa released its Spring 2026 Biannual Threats Report in late May 2026, drawing on intelligence gathered across its global payments network. The report tracks emerging fraud patterns, attack trends, and the shifting tactics of cybercriminals operating across digital payment systems worldwide.
The headline finding is stark: from July to December 2025, Visa identified nearly $1 billion (approximately Sh160 billion) in scam-related activity globally, making scams the single largest category of consumer payment fraud for the period tracked. What makes this finding particularly alarming is not just the scale, but the nature of the attacks. These scams, for the most part, did not require criminals to breach any technology. No servers were hacked. No databases were stolen. Instead, the attackers went after something far more difficult to patch: human trust.
"Payments at a network level continue to get safer, but threats are evolving faster than ever," said Paul Fabara, Chief Risk and Client Services Officer at Visa. "Criminals are increasingly targeting people rather than technology, using deception, urgency, and AI-enabled tools to exploit trust."
This is not the story of a failed security system. It is the story of a security system that is working well enough that criminals have been forced to abandon traditional technical attack methods entirely, and pivot to manipulating the people who use those systems.
When Security Works Too Well: How Fraud Migrates
One of the more counterintuitive insights from the Visa report is that stronger security is partly driving the surge in social engineering scams. The report notes that fraud involving device tokens, a common target for technical attackers, declined by 9.6% between July and December 2025 compared to the same period in 2024. Stronger authentication systems, biometric verification, and network-level protections are clearly having an effect.
But fraud is not disappearing. It is migrating. As technical entry points close, criminals are redirecting their efforts toward the one vulnerability that no software update can fully fix: human psychology.
This shift is being supercharged by artificial intelligence. Michael Jabbara, Senior Vice President for Payment Ecosystem Risk and Control at Visa, summarized the problem clearly: "The rapid adoption of AI has fundamentally lowered the barrier to entry for fraud." Tools that once required technical expertise and significant resources to deploy are now accessible to a much wider pool of bad actors. AI allows scammers to craft highly convincing fake messages at scale, clone voices to impersonate known contacts or institutions, generate realistic synthetic identities to pass digital onboarding checks, and simulate official customer service interactions that are nearly indistinguishable from the real thing.
The result is a fraud economy that is both more scalable and more convincing than anything that came before it.
Kenya's Specific Vulnerability
Kenya's digital payments landscape is, in many respects, a triumph of financial innovation. M-Pesa, Safaricom's mobile money platform, processes more than $50 billion annually and serves a country where 82% of adults use mobile money, the highest penetration rate on the planet. Digital banking apps, fintech lending platforms, and e-commerce have all grown rapidly, bringing millions of Kenyans into the formal financial system for the first time.
But that same openness and reach creates an enormous attack surface for fraudsters. And recent data shows they are exploiting it aggressively.
According to a Central Bank of Kenya (CBK) report, fraud cases in Kenya's banking sector more than doubled in 2024, jumping from 173 to 353 documented incidents. The financial damage was even more striking: mobile banking losses soared by 344% to Sh810.68 million. Card fraud alone leapt 16-fold to Sh263.29 million, while identity theft rose six times to Sh199.08 million. In total, hackers siphoned a record Sh1.59 billion from bank customers in 2024, a year when total losses stood at just Sh412 million in 2023.
The broader cyber threat picture is equally alarming. Between July and September 2025, Kenya's National KE-CIRT/CC (the national cybersecurity incident response body) recorded 842 million cyber threat events in just three months. Over the full 12 months ending June 2025, the Communications Authority of Kenya reported nearly 8 billion cyberattacks, more than double the previous year's figure. In the same period, Kenya lost an estimated Sh29.9 billion (about $230 million) to cybercrime.
To put that figure in context: Sh29.9 billion is more than 10% of Kenya's entire annual health ministry budget.
The Human Factor: Who Is Being Targeted and How
The fraud methods targeting Kenyans reveal a clear pattern: criminals are going where the people are, and they are using psychological pressure to extract money or information before victims realize what is happening.
A TransUnion Africa fraud analysis found that 82% of Kenyans were targeted by digital fraud attempts between August and December 2024. Of those targeted, 39% encountered smishing (fraudulent SMS messages), 36% faced phishing attempts, and 33% experienced vishing, where scammers called directly and tried to extract sensitive information. Around 9.8% of mobile money users reported a direct financial loss from fraud, according to the FinAccess 2024 Survey.
The KE-CIRT/CC has consistently flagged impersonation as one of the dominant attack methods. Criminals pose as banks, mobile network operators, government regulators, and even well-known service providers to trick users into revealing PINs, OTP codes, or account credentials. SIM-swap fraud, where attackers convince a mobile carrier to transfer a victim's number to a new SIM card, remains one of the most destructive tactics, because it allows fraudsters to intercept one-time passwords and bypass two-factor authentication entirely.
2025 also saw the emergence of a particularly insidious trend in Kenya: AI-generated voices and profiles. Cybersecurity experts described 2025 as seeing "the highest volume of digital scams targeting ordinary citizens in over a decade," with fraudsters using AI-cloned voices to impersonate trusted contacts, fabricating screenshot evidence of earnings or transactions, and running fake investment and job recruitment groups on WhatsApp and Telegram that disappeared overnight after collecting deposits.
The sophistication is escalating faster than defenses. A separate Nasdaq Verafin report from March 2026 found that AI-enabled or tech-assisted scam losses globally climbed 19.6% to $14.3 billion year-on-year, a figure that reflects just how rapidly the fraud economy is expanding its use of AI tools.
The Four Trends Reshaping Payment Security Globally
The Visa Spring 2026 Biannual Threats Report organizes the global threat landscape around four key trends, all of which have direct relevance to Kenya's situation:
1. Security is working, but fraud is migrating. As highlighted earlier, improvements in device-level security and network authentication are reducing certain categories of technical fraud. But that success is pushing criminal activity toward softer targets, primarily human behavior.
2. Scams are accelerating. Scams have now displaced all other forms of consumer payment fraud to become the dominant threat category. Unlike data breaches or card skimming, scams often result in authorized transactions, meaning the victim willingly initiates the payment under false pretenses. This makes recovery far more difficult.
3. AI is transforming fraud on both sides. Fraudsters are using AI to make scams more scalable and convincing, while defenders are deploying AI to detect suspicious patterns earlier in the transaction lifecycle. Visa itself has invested $3.3 billion in AI and data infrastructure over the past decade and introduced three new AI-powered fraud prevention tools under its Visa Protect suite in 2024 alone.
4. Ransomware is evolving, but resistance is growing. Globally, ransomware activity increased 26% in the second half of 2025, but only 23% of victims paid ransoms, the lowest rate on record. This suggests that organizations are investing in resilience and are increasingly unwilling to fund criminal networks even when data is at risk. It is a small but meaningful piece of good news in an otherwise challenging threat landscape.
What Needs to Change in Kenya
The Visa report and the broader data on Kenya's fraud landscape point to a clear conclusion: the next phase of digital payment security in Kenya cannot rely on technology alone. The human element needs equal attention.
On the institutional side, the CBK is already taking steps. The regulator is laying the groundwork for a formal fraud compensation framework within the National Financial Inclusion Strategy 2025-2028, with rollout planned for 2026. The initiative promises digital complaint channels, greater transparency, and structured redress mechanisms for fraud victims, a recognition that fraud has become a systemic issue requiring systemic responses.
Kenya's commercial banks and mobile money operators also need to accelerate investment in real-time fraud detection powered by AI. The same tools that fraudsters are using to scale their attacks can be deployed defensively to flag anomalous transaction patterns, detect voice cloning in customer service calls, and identify synthetic identities at the point of onboarding.
But technology-side defenses will only go so far if the human side remains undertrained. Consumer education needs to move beyond generic awareness campaigns and become practical, specific, and regularly updated. Kenyans need to understand exactly what an AI-cloned voice call sounds like and why a "bank representative" asking for an OTP is always, without exception, a red flag. Employers, schools, churches, and community organizations all have a role to play in spreading this knowledge to audiences that might not be reached by fintech-focused media.
Chad Pollock, VP and General Manager for Visa East Africa, put the challenge directly: "Consumer education is our best defense against fraud, and industry collaboration makes this possible. As scams grow more sophisticated, the battle for security never stops."
The Bigger Picture: Trust as Infrastructure
There is a concept in development economics that is easy to overlook when discussing fraud statistics: trust is infrastructure. Kenya's mobile money miracle did not happen because of the technology alone. It happened because millions of people trusted the system enough to put their money into it, to pay each other through it, and to build their financial lives around it.
AI-powered fraud attacks are, at their core, attacks on that trust. Every successful scam erodes confidence in digital payments, makes people more hesitant to transact electronically, and potentially pushes users back toward cash-based systems that are less transparent and harder to monitor. The damage extends well beyond individual victims.
This is why the Visa report's framing matters. It is not just cataloguing losses. It is warning that the behavioral shift from technical hacking to human manipulation represents a fundamental change in the threat model, one that requires a fundamental change in the response.
Kenya has proven, time and again, that it can lead Africa in financial innovation. The country's ability to protect that innovation, and the people who depend on it, will define whether the next decade of digital finance builds on that legacy or becomes a cautionary tale.
Comments