Hackers stole a record Sh1.59 billion from Kenyan banks last year in attacks that highlight the risk of cyber heists as lenders go heavy on tech and mobile banking investments.
The disclosure, in a central bank report on digital thefts in the Kenyan banking sector, shows that the theft of customer deposits has grown fourfold from Sh412 million in 2023 due to fraudulent wire-transfer requests.
Kenya built a reputation as a pioneer of financial inclusion through its early adoption of a mobile money system that enables people to transfer cash and make payments on cellphones with or without a bank account.
Mobile banking was the hardest hit, with criminals siphoning off Sh810.68 million, translating to a 344 percent rise from Sh182.41 million in the prior year.
This accounted for more than half of the amount lost to the fraudsters as bankers struggle to cope with the rising wave of late-night fraud, where unsuspecting revellers are tricked into revealing their passwords.
The thefts often happen on Friday and Saturday night, with millennials—individuals born between 1981 and 1996— being the most affected.
The CBK reckons that fraud cases more than doubled to 353 in 2024 from 173 a year earlier.
The report shows that card fraud, computer fraud, online banking scams and identity theft also surged sharply, pushing up losses to levels never disclosed before.
The overall amount exposed to fraud—money targeted by fraudsters before recovery efforts—jumped almost threefold, from Sh680.9 million in 2023 to Sh1.96 billion in 2024, showing how much larger the fraud attempts have become.
This suggests that banks managed to recover Sh368.8 million from the targeted heist, setting the stage for costly insurance as premiums surge in tandem with the theft cases.
Some banks are paying as much as Sh400 million in annual premiums to cover the rising thefts.
As lenders splash billions of shillings to upgrade the technology platforms to boost reach without extra hiring or brick and mortar expansion, cybercriminals are equally quick to exploit loopholes, deploying means such as SIM swap fraud, malware, phishing schemes, and identity cloning.
“The motivation of cyber criminals targeting financial institutions is financial gain. Cyber fraud was prevalent in the banking sector in 2024, with reported cases rising from 157 in 2023 to 353 in 2024, and the mount exposed increasing from Sh680.9 million to Sh1.9 billion,” says the CBK in the financial sector stability report.
The regulator says successful cyber-attacks on such banks lead to loss of money and denial of services, potentially impacting earnings and credibility.
“Perhaps the most significant and emerging operational risk facing the financial sector is associated with the rapid adoption of financial technologies to power the delivery of financial products and services,” says the CBK.
Acting chief operating officer at Britam General Leonard Chirchir told the Business Daily in a phone interview that premiums have surged and nearly doubled following the rising thefts.
Communication Authority of Kenya data for the year ended June 2025 showed the number of cyberattacks targeting internet users in the country more than doubled to 7.96 billion from 3.52 billion a year earlier.
System attacks contribute 97 percent of the threats—a disturbing trend to firms, notably banks.
Mr Chirchir said banks are increasingly tapping the electronic computer crime policy (ECCP), which covers banks from cash lost to hackers.
ECCP is under the Bankers Blanket Bond (BBB)—an insurance policy designed for banks and other financial institutions to cover financial losses from criminal acts such as theft, burglary and forgery.
“In terms of pricing, incidences of electronic fraud have been rising over the past three to four years and therefore the market has been hardening to reflect the level of losses that have been seen in the market. Prices of electronic computer crime and cybercrime have been on the rise,” said Mr Chirchir.
“Most of these covers are reinsured in London with the support of the likes of Lloyds due to limited local capacity. The market has also been shrinking, with many BBB insurers deciding to stop these covers and this has also contributed to the rise in prices. We are likely to see prices continue rising.”
CBK data shows card fraud cost customers Sh263.29 million, being 16.9 times the Sh15.59 million lost in the prior year.
Computer fraud, which includes hacking into systems to steal data, saw bank customers lose Sh203.39 million, a 2.7 times jump from the preceding year, while fraud through identity theft grew six times to Sh199.08 million.
The review period saw online banking fraud rise to Sh111.83 million from Sh106.2 million, while internet scams cost lenders Sh6.07 million, up from Sh797,7000 in the prior year.
Mr Chirchir said premiums for ECCP in Kenya are now averaging Sh80 million for large banks, depending on the amount of deposits, number of customers, staff size, level of investment in secure systems and the size of compensation they want insurers to absorb in case of fraud incidents.
The level of premiums rises to between Sh200 million to Sh400 million for large banks seeking cover that can compensate for losses of up to Sh5 billion and Sh10 billion, respectively, according to Mr Chirchir.
“In our proposal forms, we issue them a ransomware questionnaire, which we use to assess how strong their system controls are sufficient to avoid obvious fraud. In the market now, even for the smallest microfinance bank, it is not possible to get premiums of below Sh5 million,” he said.
Stanbic Bank Kenya recently issued a wake-up call to customers over the rising wave of late-night fraud, where unsuspecting revellers are tricked into revealing their passwords.
The lender said its data showed many of the reported cases of social engineering—where customers are deceived into giving up confidential information such as passwords—were happening at midnight as fraudsters target customers using digital wallets such as bank apps and mobile money to settle transactions at social joints.
Head of personal and private banking at Stanbic Bank Abraham Ongenge said most of the cases tend to happen on Friday and Saturday night, with millennials—individuals born between 1981 and 1996— being the most hit.
“We are seeing a lot of fraud attempted on digital channels through some form of social engineering. The consequence of that is that a lot of customers are losing money through these social engineering tactics, like people calling and posing as bank employees and asking for personal information and using it to access accounts,” said Mr Ongenge during a media engagement session in Nairobi.
The extent of banks’ losses through fraud could be higher, given the many cases that lenders opt not to report to the regulator for fear of reputational damage. Many bank executives often prefer to quietly reimburse affected customers rather than admit to large-scale breaches that could trigger panic among depositors.
For instance, a CBK cyber risk stress test conducted in May this year to assess the resilience of the banking sector to cyber losses showed that assuming a probability that five percent of cyber-attacks are successful, the banking sector would incur losses amounting to Sh2.1 billion and Sh2.9 billion under moderate and severe scenarios, respectively.
