Kenya’s financial system does not look the way it did a decade ago. Paying rent, settling utility bills, and even receiving government services can now happen on a phone, mostly through mobile money.
Transactions flowing through that system are equivalent to more than 53% of the country’s GDP, and over 90% of Kenyans are registered on the national digital identity platform.
Financial access, personal identity, and daily commerce have converged into a single, deeply interconnected infrastructure.
That infrastructure is now under sustained attack. That is the assessment of Smartcomply, a Nigerian-founded governance, risk, and compliance technology company that has been studying East Africa’s cyber risk landscape as part of its expansion into the region.
Their findings, published in the AI & the Cyber Frontier Report, paint a picture of a digital economy running faster than its security foundations can keep up.
Between July and September 2025, the Communications Authority of Kenya’s National KE-CIRT/CC revealed that there were 842 million cyber threat events. In the same three months, Kenya lost an estimated KES 29.9 billion (about US$230 million) to cybercrime.
Most of these were not the result of dramatic, high-profile hacks on government servers. The majority came through the mobile finance system itself: mobile banking fraud cases surged 87% in the most recent reporting period (from 2023 to 2024), driven by SIM-swap schemes, credential theft, and social engineering attacks that work precisely because people trust the platforms they are using.
The country’s greatest digital strength, anchored by a mobile-first financial ecosystem, is also its most exposed surface.
A Faster and Smarter Threat
Cybercrime has changed in character: it is no longer mainly about phishing emails landing in inboxes. Artificial intelligence is reshaping what attacks look like, how fast they move, and how hard they are to detect.
Globally, 60% of organizations believe they have faced AI-enabled attacks, but only 7% have defenses built to match, according to a Boston Consulting Group (BCG) report. The gap between offensive capability and defensive readiness is widening, and East Africa is feeling it acutely.
The Smartcomply report notes that in Tanzania, deepfake fraud attempts surged 317% in a single review period, while in Uganda, the Pegasus Technologies breach saw attackers coordinate over 2,000 SIM cards to drain UGX 11 billion from banks and telecoms simultaneously.
What makes both cases significant, over and above the losses, is the method of attack. Automation allowed a small group of attackers to operate at a scale that would have required an army of people just a few years ago.
Kenya is ranked among Africa’s strongest countries in cybersecurity by the International Telecommunication Union, and only a tiny fraction, about 0.3%, of attempted system breaches are successful.
However, maturity and exposure are now moving in the same direction. As more services move online and everything becomes connected, there is simply more to protect.
The stronger and bigger Kenya’s digital economy becomes, the bigger the target it creates for cybercriminals.
Strong on Paper but Weaker in Practice
The problem is not that companies are ignoring the threat. Over 70% of East African organizations say cyber risk is their number one concern, which is higher than the global average.
By contrast, only 29% of firms in the region have actually run drills to test what they would do if an attack happened. That means most organizations have a plan that has never been tested. When something goes wrong, that gap shows.
The report observes that the security culture in many organizations is also still largely compliance-driven. Firms build out documentation, tick the regulatory boxes, and then assume the work is done.
The result is strong audit paperwork and underprepared staff. There is also a structural blind spot that the Ugandan incident brought into sharp relief: banks are regulated, but the technology quietly connecting them to mobile wallets in the background often is not.
Attackers have learned to live in that unregulated space.
Smartcomply Enters at a Critical Moment
This is the context in which Smartcomply is arriving in Kenya. The company’s argument, sharpened by the data in its report, is that the region cannot compliance-audit its way to resilience.
Filling out the right forms and passing the right audits will not keep a system safe. Security has to be part of how something is built in the first place: in the product architecture, in procurement decisions, in how teams are trained, and in how crises are rehearsed. It cannot be added later when something goes wrong.
Gbemisola Osunrinde, CEO of Smartcomply, puts it plainly:
“Expansion tends to outpace security design in fast-scaling sectors like telecoms and healthcare. Leaders must stop treating security as a box-ticking exercise for audits and instead mandate that controls are baked into products before they scale. Resilience improves when organizations plan for failure instead of assuming stability. The shift from reactive fixes to deliberate design is what ultimately builds long-term trust.”
For platforms like M-Pesa and the wider mobile payments ecosystem, resilience is not abstract. Any sustained disruption affects businesses, salaries, remittances, and household cash flow in real time.
Kenya’s digital economy is not under threat because it is weak. It is under pressure because it is deeply integrated into everyday life.