Companies

Regulator, Safaricom face class action suit over SIM-swap fraud

sim card

Kenyans queue to register their SIM cards on April 7, 2022. PHOTO | PHOTO LUCY WANJIRU | NMG

Safaricom and the communications regulator face a class action suit over SIM-swap fraud that has seen scammers drain millions of shillings from mobile phone subscribers’ bank accounts.

Businessman Abdi Zeila has sued the telcos operator and the Communications Authority of Kenya (CA) for alleged fraud, and invited other victims through the class action suit to press for Safaricom to be cited for negligence and liable for lost cash.

He wants the CA to be found negligent of its regulatory duties by allegedly failing to ensure Safaricom is providing services that are secured from fraudsters.

The US-style class action suit is where one or several people sue on behalf of a much larger group, and if successful all consumers aggrieved stand to get compensated.

This suit emerges in a period where a growing number of mobile phone users have been targeted by scammers in which criminals gain access to their victims’ phones or accounts.

SIM swap scams occur when a criminal is able to convince a mobile operator to issue them with a replacement SIM card by claiming a false identity and pretending that their mobile phone has been either lost or stolen.

It involves cyber crooks taking control of a victim’s phone number by essentially deactivating their SIM and switching the allocated number to a SIM belonging to one of the criminal gangs.

The criminals then reset passwords on apps, giving them access to their victims’ contacts, banking details, emails and social media accounts.

Mr Zeila says he lost nearly half a million shillings through the scam in March 28 after fraudsters withdrew Sh373,000 from his bank account at NCBA -- which has been linked to his mobile phone -- took a mobile loan of Sh66,440, another Sh24,000 from KCB-MPesa and a Fuliza loan of Sh12,000.

He wants a declaration that Safaricom failed to provide secure services to its customers who have been defrauded, causing them to lose money.

“The Plaintiff avers that the suit herein is a class action brought and pleaded as of his own right and on behalf of the identifiable class of persons (subscribers) affected by the breaches and violations associated with the 1st Defendant’s mobile telecommunications network and mobile telephone-based mobile money services known as M-Pesa,” he says.

If the petition is allowed by the court, Mr Zeila will publicise the case to invite persons who have been defrauded through SIM-swap.

It means there will be strength in numbers and consumers could get their money back without lifting a finger.

According to Mr Zeila, Safaricom has published on its website safety tips and policies all which he adhered to but was still exposed to ‘needless and avoidable injuries and losses’.

The victim wants the country’s largest mobile operator to refund him the Sh495,651 which was allegedly stolen from him, and pay him damages for breaches.

Mr Zeila says in the court documents that the fraud happened on March 28, this year while he was out of the country on holiday.

The businessman says Safaricom failed to securely process and control his personal data and in the process, breached its obligations under the law, leading to financial losses.

Safaricom is yet to respond to the suit that looks set to be keenly watched in Kenya’s legal circles and in the fintechs space.

Mr Zeila says the CA failed to exercise its watchdog role and should bear the burden of the compensation that would come from the class action suit.

“A declaration that the 2nd Defendant (CA) failed to exercise its regulatory mandate in a diligent manner and failed to hold the 1st Defendant to its licence conditions and by this failure caused the Plaintiff (and members of the class) financial losses,” said the businessman in court affidavits.

He reckons his SIM-swap occurred when he was on a roaming network outside the country, arguing that Safaricom should have known he could not process the transaction while on a network outside Kenya.

The businessman reveals he was in possession of his original national identification card and passport when the fraud happened.

He says in court papers that Safaricom has a duty to ensure his personal data are kept in a secure and confidential manner.

“I am further aware that SIM-swap is not possible unless someone has access to the Safaricom system and the targeted subscriber’s personal data required for purposes of effecting SIM registration,” he says, adding that Safaricom demands that a subscriber presents themselves in person together with their original ID for a transaction to occur.

Also read: CA grants 60-day grace period for Sim card deactivation

Mr Zeila says Safaricom had sole responsibility for carrying out Know-Your-Customer (KYC) steps and verification before permitting the SIM-swap.

[email protected]