Fraudsters display official-looking numbers in order to trick victims into sharing sensitive personal details, such as PINs and OTPs.
In what was described as one of the largest phone scams in UK history, a group of cybercriminals used a spoofing website to impersonate banks and financial institutions, calling at least 70,000 individuals.
The fraudsters stole tens of millions of dollars. At the height of the scam, they were making around 20 calls per minute globally, with some victims losing up to $10,000 (approximately Sh1,292,500) each.
UK's massive scam echoes in kenya
That global operation was shut down in late 2022, but troublingly, similar tactics are now surfacing in Kenya.
Earlier this week, detectives in Mombasa County arrested six individuals in the Nyali area, who are suspected of using caller ID spoofing applications to impersonate mobile service providers and banks.
Confirming the arrests, Nyali Sub-County Police Commander Moses Kirong said that officers, working alongside the Cyber Crimes Unit, apprehended the group, which had defrauded an unspecified number of victims.
“We arrested the suspects named in the police report and urge Kenyans to be extra vigilant. If you receive a call instructing you to share personal details, avoid doing so. Just be careful,” said Mr Kirong.
The suspects’ methods mirrored those of the international scammers: calling unsuspecting users while displaying official-looking numbers and convincing them to share sensitive details such as Personal Identification Numbers (PINs), national ID numbers, and one-time password (OTP) codes.
According to a police report seen by the Nation, the group had allegedly invested more than Sh500,000 in spoofing software, operated from a short-rental apartment, and used multiple phones and SIM cards. Their goal was to access mobile money wallets and bank accounts without leaving a trace.
Understanding caller ID spoofing
But what exactly happened?
Caller ID spoofing (CIS) is a technique used by scammers to make it appear as if they’re calling from a trusted source.
A phone screen might display your mobile service provider’s "Customer Care" or the name of your bank, but behind the scenes, it’s a fraudster armed with a convincing script.
Grace Irungu, a tech educator based in Mombasa, says Kenyans and people globally fall victim due to social engineering—psychological manipulation designed to quickly build trust.
“People keep getting scammed through call spoofing because of social engineering. Someone calls with what feels like an urgent issue, so you rush to give them your information. Later, you realize you’ve been scammed,” she said.
She added: “Sometimes it’s hard to tell just by looking at the number. You have to critically assess the information. Why would your bank call you at 8 p.m. when it closes at 5?”
Ms Irungu noted that fraudsters often impersonate banks or mobile service providers, citing urgent issues like compromised accounts or pending SIM deactivations. In a moment of panic, victims unknowingly reveal critical personal data—handing scammers access to their finances.
Experts warn that the problem could escalate if the government and tech companies fail to invest in public awareness about these increasingly sophisticated scams.
Despite the arrest of the suspects—who are set to be arraigned in court — concerns remain about how easily technology designed for convenience can be weaponized for fraud.
“We have low digital literacy across the country,” said Ms Irungu.
“Neighbour spoofing, where the scammer uses a number that looks familiar, is very different from the old prize scams. Even when telcos ask people to report scam numbers, it's difficult to report a legitimate-looking number back to the same provider.”
Caller ID spoofing is not illegal in some jurisdictions with some applications available for legitimate uses such as business calls or privacy protection. But in the wrong hands, they become tools for fraud.
SIM swaps
Scammers also use SIM swap attacks, where a victim's number is transferred to a new SIM card—granting criminals access to mobile money and banking apps.
Experts stress that while technology continues to evolve, the weakest link remains human trust—exactly what scammers exploit.
“It’s hard to catch every fraudster. So the best defence is awareness. If someone tries to scam you, tell a friend. Don’t stay silent about near misses,” said Ms Irungu.
To stay safe, she advises Kenyans to remember that legitimate banks and mobile service providers will never ask for your PIN or OTP over the phone.
“If you ever doubt a call, hang up and call the institution’s official number. That one action could save you thousands—or even millions,” she said.
The Directorate of Criminal Investigations (DCI) has also urged any Kenyan who suspects they may have been targeted or defrauded to report to the nearest police station or contact DCI headquarters directly.
