How criminals use SIM swap scams to access bank and M-Pesa accounts

By , July 6, 2026

A phone number is now linked to much more than calls and messages. For many people, it is connected to M-Pesa, bank accounts, email addresses, social media pages and online shopping platforms.

This is why SIM swap fraud can cause serious financial loss. The scam happens when criminals take control of a person’s mobile number and use it to receive security messages that were meant for the real owner.

The issue has drawn attention following the arrest of eight people linked to an alleged SIM swap fraud scheme in Marsabit. Detectives said the suspects allegedly used deception to obtain an M-Pesa SIM card from an operator before accessing funds connected to the line.

Although investigations into the case are ongoing, it has raised a wider question for mobile money users: how can someone access a bank or M-Pesa account simply by taking over a phone number?

How criminals take over a SIM card

The first step is usually collecting personal information. Criminals may look for a victim’s full name, phone number, identity card details, date of birth or answers to common security questions.

This information can be obtained through fake calls, phishing messages, social media posts, stolen documents or conversations where a person unknowingly gives away private details.

The confiscated SIM cards. PHOTO/@DCI_Kenya/X
The confiscated SIM cards. PHOTO/@DCI_Kenya/X

A fraudster may then visit a mobile service outlet and pretend to be the phone number owner. They may claim that the SIM card was lost, damaged or stolen and request a replacement.

If the request succeeds, the original SIM card stops working. The victim may notice that their phone has no network, cannot make calls or cannot receive messages. Meanwhile, the replacement SIM card begins receiving all calls, SMS messages and verification codes linked to that number.

How bank accounts can be accessed

Many banks use one-time passwords, often sent by SMS, to confirm logins, reset passwords or approve transfers.

Once a criminal controls the victim’s phone number, they may try to log in to the person’s mobile banking application or online banking account. If they already know the account number, password or other personal details, they can request a password reset.

The bank then sends a verification code to the registered phone number. Since the fraudster now controls the number, they receive the code and may use it to create a new password.

This can allow them to enter the account, change account details or transfer money. Some criminals may first send messages or make calls pretending to be bank staff to persuade a victim to reveal a password, PIN or verification code before the SIM swap takes place.

How M-Pesa accounts can be targeted

M-Pesa accounts are protected by a PIN, but a stolen SIM card can still create a major risk.

A person using M-PESA on a mobile phone.

A criminal with the SIM card may attempt to reset the M-Pesa PIN through official channels by using identity details linked to the line. They may also receive transaction alerts and messages that help them understand the account activity.

In cases involving M-Pesa agents, gaining access to the agent’s SIM card can be especially risky because the line may be connected to a float account used for daily customer transactions.

The DCI said the alleged Marsabit suspects posed as customers before obtaining the M-Pesa SIM card from an attendant. Investigators believe the card was later used to access a bank account linked to the M-Pesa business and withdraw more than KSh1.2 million.

Why speed matters

The longer a criminal controls a phone number, the more time they have to attempt password resets, request funds or change security settings.

A sudden loss of network should therefore be treated as urgent. Contact the mobile service provider using another phone and ask whether a SIM replacement has been processed. It is also important to call the bank and M-Pesa customer care team to block or secure accounts linked to the number.

Daily steps that reduce the risk

Never share your M-Pesa PIN, bank password or one-time verification code. Avoid clicking links in messages that claim your account has been suspended or needs urgent updating.

M-Pesa agents should keep their phones, SIM cards and transaction devices away from customers, even during busy hours. Customers should also be careful about sharing identity documents or personal details with strangers.

A mobile number may look ordinary, but it can be the key to a person’s money. Protecting it with the same care given to a bank card can help prevent a costly SIM swap scam.

More Articles