Cybercriminals are shifting from stealing passwords to targeting biometric and identity data using artificial intelligence (AI) tools, a new global cybersecurity report warns, raising concerns over rising exposure among Kenyan users and businesses.
In the report, cybersecurity firm Kaspersky says AI is transforming traditional phishing attacks into highly sophisticated operations that now seek to capture immutable personal identifiers such as faces, voices, and handwritten signatures.
The firm says it detected and blocked over 142 million phishing link clicks worldwide during the three months to June 2025, which marked a 3.3 percent rise from the previous quarter.
During the period, the report notes, Africa recorded a sharper 25.7 percent rise, driven by the spread of AI-generated scams and fake websites exploiting local trust platforms.
The findings come to the fore just weeks after a deepfake video of former Prime Minister Raila Odinga endorsing a fake cryptocurrency circulated online through his compromised X account, underscoring how AI-driven deception is gaining entry into Kenya’s digital ecosystem.
According to Kaspersky, attackers are now building fraudulent sites that mimic legitimate platforms and ask users to grant smartphone camera access under the pretext of account verification.
The sites then capture facial identifiers or signatures, which can be used for unauthorised access to sensitive portals such as financial and government accounts.
“Attackers are no longer focused on stealing passwords; they’re targeting biometric data and signatures, which cannot be changed once compromised,” Kaspersky notes in the report.
The firm warns that AI is enabling criminals to create phishing messages, emails, and websites that are virtually indistinguishable from legitimate communication.
Large language models (LLMs) are being used to eliminate grammatical and visual cues that once made scams easy to detect, while AI-driven bots on messaging apps like Telegram now impersonate real people to build trust before stealing data.
Kaspersky further highlights a growing trend of voice cloning and deepfake videos being used to impersonate officials or executives, with scammers using AI-generated voices to call victims while posing as official staff and tricking them into revealing one-time passcodes for fraudulent transactions.
In Kenya, where mobile money and digital identity systems underpin most financial activity, such attacks are poised to have a significant impact. Institutions ranging from banks and telcos to government agencies have increasingly integrated biometric verification, from fingerprints to facial recognition, into daily transactions and service access.
The use of biometric data across platforms such as M-Pesa, eCitizen, and other Huduma services means that once such identifiers are compromised, users have little recourse to recover their digital identity.
AI and cybersecurity thought leader Anthony Muiyuro says biometric data such as fingerprints, facial patterns and voiceprints are emerging as an attractive new target for threat actors due to their unique and permanent nature, meaning that, unlike passwords or PINs, they cannot be reset once compromised.
According to Mr Muiyuro, Kenya’s vibrant digital ecosystem presents a larger attack surface, especially at a time when many authentication systems are integrating facial recognition or voice verification for faster onboarding.
“The real risk lies in over-reliance on a single biometric layer without complementary controls. Cybercriminals exploiting AI can create digital twins of individuals to gain unauthorised access, execute fraudulent transactions, or compromise digital identities at scale,” he says.
“To mitigate this, local platforms must adopt AI for defense, leveraging behavioural biometrics, continuous authentication, and adaptive risk scoring to detect impersonation attempts in real time.”
Analysts have in the past singled out the country’s fast adoption of fintech services, coupled with low public awareness of AI-enabled scams, as the chief factors that would make Kenya a prime target for these new forms of phishing.
Kaspersky’s report also details how attackers are using legitimate services such as Telegram’s Telegraph publishing tool and Google Translate’s page translation feature to host or disguise phishing pages.
By using URLs resembling official domains, for example, links ending with ‘translate.goog’, criminals can evade browser and email security filters.
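For mail and web filters, the practical consequence is that a reputation check on the visible hostname sees only Google's or Telegraph's domain. The following added example (not taken from the Kaspersky report) recovers the origin host from a `translate.goog` link so a blocklist can be applied to it. It assumes the commonly observed hostname encoding, in which dots become single hyphens and literal hyphens are doubled, and `telegra.ph` as Telegraph's domain; the URLs and blocklist are constructed samples.

```python
from urllib.parse import urlsplit

PROXY_SUFFIX = ".translate.goog"
TELEGRAPH_HOSTS = {"telegra.ph"}

# Constructed sample data, not indicators from the report.
BLOCKLIST = {"login-portal.example.net"}
SAMPLE_URLS = [
    "https://login--portal-example-net.translate.goog/verify?_x_tr_sl=auto&_x_tr_tl=en",
    "https://telegra.ph/Account-Verification-01-01",
    "https://www.example.org/",
]

def decode_translate_host(host):
    """Return the origin host wrapped in a *.translate.goog name, else None."""
    host = host.lower().rstrip(".")
    if not host.endswith(PROXY_SUFFIX):
        return None
    label = host[: -len(PROXY_SUFFIX)]
    if not label or "." in label:
        return None  # not the single-label form this sketch handles
    # Assumed encoding: "--" is a literal hyphen, a single "-" is a dot.
    return label.replace("--", "\0").replace("-", ".").replace("\0", "-")

def classify(url):
    """Return (kind, effective_host) for a link found in a message."""
    host = urlsplit(url).hostname or ""
    origin = decode_translate_host(host)
    if origin is not None:
        return ("translate-proxy", origin)
    if host in TELEGRAPH_HOSTS:
        return ("telegraph-page", host)
    return ("direct", host)

def verdict(url, blocklist):
    """Apply the blocklist to the effective host, not the visible one."""
    kind, host = classify(url)
    if host in blocklist:
        return "block"
    # Wrapped or Telegraph-hosted links are routed to review even when
    # the origin is not yet listed; direct links fall through.
    return "allow" if kind == "direct" else "review"

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(verdict(u, BLOCKLIST), classify(u))
```

Internationalised or very long origin names may be encoded differently and are not handled here; treat an undecodable `translate.goog` host as a review case rather than as clean.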
AI-powered tools are further allowing scammers to automate the creation of fake websites that closely resemble corporate or government portals.
Some of these clones are capable of collecting data, generating sign-in forms, and integrating CAPTCHA technology to appear authentic, extending the lifespan of phishing campaigns before detection.
The shift from password theft to biometric and signature harvesting marks a critical turning point, as this data is considered permanent and can be reused indefinitely once leaked. Attackers are reportedly targeting platforms such as electronic document signing services and digital onboarding tools used by financial institutions, posing both reputational and financial risks.
Kaspersky attributes this shift to the increasing effectiveness of two-factor authentication (2FA), which has forced cybercriminals to seek alternative entry points. By acquiring biometric or handwritten signature data, attackers can bypass or supplement 2FA mechanisms entirely.
The report urges users to exercise caution when granting camera or microphone permissions on websites or apps and to treat unsolicited requests for verification as potential phishing attempts.
Businesses, on the other hand, are advised to limit the use of biometric authentication for low-risk processes and enhance monitoring of third-party app integrations.