Equity Bank, one of Kenya’s largest financial institutions, has been hit by a sophisticated debit card fraud scheme, leading to the theft of approximately $2.1 million (KES 179.6 million) from numerous accounts. The breach has sparked a major investigation by Kenyan authorities, with 19 suspects already arrested in connection with the fraud.
The fraud occurred between April 9 and April 15, 2024, and involved unauthorized transactions from the bank’s incoming MasterCard GL, affecting 551 bank accounts. Funds were transferred to various accounts across 11 commercial banks and Safaricom’s M-Pesa service, totalling KES 63 million and KES 39 million, respectively.
Gerald Munyiri, Equity Bank’s general manager of security and investigations, confirmed that the bank has detected these irregularities and is actively collaborating with the Directorate of Criminal Investigation (DCI) to trace and recover the stolen funds. The bank has also contacted Safaricom and the other affected banks to assist in these efforts.
This fraud incident has highlighted ongoing security challenges in the Kenyan banking sector. Despite increasing investment in cybersecurity measures, Kenyan banks continue to face significant threats, with the Financial Reporting Centre (FRC) flagging over $600 million linked to card fraud, corruption, and terrorism financing in recent years.
The timing of the fraud coincides with the passage of the Computer Misuse and Cybercrime (Critical Information Infrastructure and Cybercrime Management) Regulations, 2024. These regulations, known as Legal Notice No. 44 of 2024, were crafted by the National Computer and Cybercrimes Coordination Committee (NC4) to enhance cybersecurity preparedness across critical sectors, including banking.
Key provisions of the new regulations include the establishment of a National Cybersecurity Operations Center and comprehensive measures to manage cybersecurity operations and address cybercrimes such as fraud and identity theft. These measures aim to bolster the resilience of Kenya’s critical infrastructure against the growing cyber-attack threat.