Equity Bank Hit By $2.1M Fraud Scandal As Over 500 Accounts Involved In Sophisticated Cyber Heist

Equity Bank, one of Kenya’s largest financial institutions, recently faced a massive debit card fraud incident, where criminals made off with approximately $2.1 million.

According to a report shared with the Directorate of Criminal Investigations (DCI), the stolen funds were transferred across more than 500 bank and mobile money accounts.

In response, Equity Bank has frozen all accounts implicated in receiving the stolen money.

A detective from the DCI confirmed the fraud and revealed that 19 individuals had been arrested in connection with the case.

Although Equity Bank has not publicly commented on the matter, sources close to the investigation disclosed that the fraudsters employed a ‘card-not-present’ scheme.

Typically, such scams involve using stolen card details to make purchases online.

However, in this case, the perpetrators are suspected of setting up fake websites to receive payments from compromised cards before transferring the funds to various accounts.

A letter from Equity Bank’s general manager of security, Gerald Munyiri, detailed that the fraud took place over six days between April 9 and April 15, 2024, during which KES 179.6 million ($1.3 million) was siphoned off into 551 Equity accounts.

Additionally, KES 63 million ($478,360) was sent to Safaricom’s M-Pesa platform, while KES 39 million ($296,015) was funneled into 11 different commercial banks.

Efforts are underway to track the stolen funds, and Equity Bank is collaborating with both Safaricom and the other banks to trace the transactions and recover as much of the stolen money as possible.

The fraudulent transactions were reportedly conducted in batches, likely to bypass Kenya’s regulatory requirement that customers disclose any transaction exceeding $10,000.

Mobile wallets, such as M-Pesa, also have transaction limits, further suggesting that the fraudsters meticulously orchestrated the heist in smaller, manageable amounts.

Fraud in Kenya’s financial sector is not new, and incidents of this magnitude raise concerns.

TransUnion Africa estimates that Kenyan banks lose $130 million annually to cybercrime, with identity theft and loan fraud among the most common schemes.

The Financial Reporting Centre (FRC), which monitors the flow of funds in the country’s financial institutions, flagged over $600 million in suspicious transactions linked to fraud, corruption, and terrorism financing between 2020 and 2023.

Unfortunately, many fraud cases go unreported, with banks opting for quiet settlements to avoid damaging their reputations.

However, the latest incident at Equity Bank has raised questions about the bank’s internal security controls and brought renewed scrutiny to the Central Bank of Kenya (CBK), the sector’s regulator, for not taking stronger action against recurrent banking fraud.

In a similar case earlier this year, Equity Bank suffered another breach when hackers stole KES 179 million by targeting 155 accounts over a one-week period.

The method used in that heist, known as a “BIN attack,” involved manipulating the Bank Identification Number (BIN) of debit and credit cards to guess valid card numbers through trial-and-error on e-commerce platforms.

The hackers then used the stolen funds to make fraudulent payments.
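
A defender-side view of the trial-and-error pattern described above, as an added example that is not from the article or the bank: it flags a merchant/BIN pair when many distinct cards are attempted within a short window and most attempts are declined. The log layout, field names, thresholds and all sample values are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authorization log: (time, merchant_id, BIN, PAN token, approved).
# All values are made up; the BINs are placeholders, not real issuer ranges.
def _sample_log():
    t0 = datetime(2024, 1, 1, 12, 0, 0)
    rows = []
    # "m-shop": 30 different cards on one BIN within a minute, almost all declined
    for i in range(30):
        rows.append((t0 + timedelta(seconds=2 * i), "m-shop", "000000", f"tok{i:03d}", i == 17))
    # "m-grocer": ordinary traffic, mixed BINs, mostly approved
    for i in range(12):
        rows.append((t0 + timedelta(seconds=20 * i), "m-grocer", f"00000{i % 3 + 1}", f"g{i:03d}", i != 5))
    # "m-retry": one cardholder retrying a declined card is not enumeration
    for i in range(6):
        rows.append((t0 + timedelta(seconds=5 * i), "m-retry", "000009", "same-card", False))
    return sorted(rows)

def find_bin_enumeration(rows, window=timedelta(minutes=5), min_cards=20, min_decline_ratio=0.8):
    """Return {(merchant, bin): (distinct_cards, decline_ratio)} for flagged pairs."""
    by_key = defaultdict(list)
    for ts, merchant, bin_, token, approved in rows:
        by_key[(merchant, bin_)].append((ts, token, approved))
    flagged = {}
    for key, events in by_key.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window so it never spans more than `window` of time.
            while events[end][0] - events[start][0] > window:
                start += 1
            span = events[start:end + 1]
            cards = {tok for _, tok, _ in span}
            ratio = sum(1 for _, _, ok in span if not ok) / len(span)
            # Many distinct cards AND mostly declines: guessing, not shopping.
            if len(cards) >= min_cards and ratio >= min_decline_ratio:
                if len(cards) > flagged.get(key, (0, 0.0))[0]:
                    flagged[key] = (len(cards), round(ratio, 3))
    return flagged

if __name__ == "__main__":
    for (merchant, bin_), (cards, ratio) in find_bin_enumeration(_sample_log()).items():
        print(f"ALERT merchant={merchant} bin={bin_} cards={cards} decline_ratio={ratio}")
```

Counting distinct card tokens rather than raw attempts keeps a single customer retrying one declined card from raising an alert.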

Equity Bank’s security protocols and its ability to protect customer accounts have come under increasing scrutiny.

The bank will need to bolster its cybersecurity measures to prevent further attacks and restore confidence among its customers and investors.

Without big improvements, these incidents could have lasting consequences for the bank’s reputation and its standing in Kenya’s financial sector.
