
Mobile Money Fraud: How Tanzanian Businesses Are Being Targeted in 2026

A practical breakdown of the fraud vectors targeting Tanzanian SMEs through mobile money platforms — BEC, SIM swap, fake payment confirmations, and insider threats — and the controls that actually work.

Mobile money has transformed how Tanzanian businesses operate. M-Pesa, Tigo Pesa, Airtel Money, and the broader ecosystem have made payments faster, more accessible, and more deeply embedded in daily commercial life. They have also created a significant attack surface that fraudsters — and increasingly, organised threat actors — are actively exploiting.

This post covers the specific fraud vectors targeting Tanzanian SMEs through mobile money channels in 2026, and the controls that actually make a difference.


The Scale of the Problem

Mobile money fraud in East Africa is not a theoretical risk. The GSMA and multiple central bank reports have documented increasing sophistication in attacks targeting mobile money platforms. In Tanzania, the BoT has raised cybersecurity requirements for licensed mobile money operators precisely because the threat is real and growing.

For SMEs, the risk profile is different from that of the platforms themselves. You are not the target of API-level attacks on the Vodacom infrastructure — you are the target because you use that infrastructure, often with weak controls on who can authorise transactions, how payments are verified, and what your reconciliation processes look like.


Attack Vector 1: Business Email Compromise + Mobile Money

Business Email Compromise (BEC) is the most financially damaging form of cyberattack globally, and it intersects with mobile money in ways that are specific to the East African context.

How it works:

A fraudster monitors or compromises an email account — often a supplier, a client, or even a senior executive. They identify a payment relationship. When the timing is right, they send an email that looks legitimate, requesting that the next payment be made to a different number or account. The email may reference real invoice numbers, use familiar language, and arrive from a domain that is nearly identical to the legitimate address (with a substituted character: hawratcybe**r**com vs hawratcyber.com).

For mobile money payments, the attack is particularly effective because:

  • The transaction happens instantly and is difficult to reverse
  • Verification is often limited to “did the confirmation arrive?”
  • Many businesses do not have formal payment authorisation controls

What actually works:

A callback verification procedure — before processing any payment instruction received via email or message, call back the sender on a known number (not one provided in the email) to verbally confirm the instruction. This single control stops BEC cold for mobile money payments.

Pair it with a payment approval threshold: any mobile money transaction above a defined amount requires dual authorisation — two people must approve before it is processed.
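One way to automate the lookalike-domain check described above, as an added example that is not part of the original post: the legitimate domain is the one the post names, and the helper names, the normalisation map and the sample addresses are constructed for illustration.

```python
# Added example (not from the original post): flag sender domains that are
# near-misses of a known supplier domain, the substituted-character trick
# described above. hawratcyber.com is the legitimate domain named in the
# post; everything else here is constructed for illustration.

KNOWN_SUPPLIER_DOMAINS = {"hawratcyber.com"}

def _normalize(domain: str) -> str:
    """Fold common look-alike substitutions so they compare as equal."""
    return (domain.lower().strip()
            .replace("rn", "m").replace("vv", "w")
            .replace("0", "o").replace("1", "l"))

def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_sender(address: str, known=KNOWN_SUPPLIER_DOMAINS, max_dist: int = 2) -> str:
    """Return 'known', 'lookalike' or 'unknown' for the sender's domain."""
    domain = address.rsplit("@", 1)[-1].lower().strip()
    if domain in known:
        return "known"
    # A domain within a couple of edits of a supplier we actually pay is the
    # BEC tell: treat it as a lookalike that needs callback verification,
    # not merely as an unknown sender.
    for legit in known:
        if levenshtein(_normalize(domain), _normalize(legit)) <= max_dist:
            return "lookalike"
    return "unknown"
```

A "lookalike" result should route the payment instruction straight to the callback procedure rather than to processing.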


Attack Vector 2: Fake Payment Confirmation Scams

This is a social engineering attack targeting your staff directly.

How it works:

A customer, contractor, or fraudster claims to have made payment via mobile money and presents a fake payment confirmation — a screenshot that looks exactly like a genuine M-Pesa or Tigo Pesa confirmation. In many businesses, the person receiving this confirmation has no way to verify whether it is genuine or has no process for doing so. Goods or services are released. The payment confirmation is fake.

Fake confirmation screenshots are disturbingly easy to produce, and the quality has improved as editing tools have become more accessible.

What actually works:

Never release goods or services based on a confirmation screenshot. Verify every payment by checking your own mobile money account directly, or by receiving the confirmation in your own account inbox. Teach every member of staff who handles payments or releases services that a screenshot from a customer is not payment verification.

For higher-value transactions, use the business-to-business payment tools provided by the mobile money platforms that include reference-based verification rather than screenshot-dependent confirmation.


Attack Vector 3: SIM Swap Attacks

SIM swaps are one of the most impactful attacks on mobile money accounts and are particularly relevant where a phone number is the primary authentication factor for financial accounts.

How it works:

An attacker gathers enough information about a target — typically name, ID number, and sometimes a recent transaction — to convince a mobile network agent to transfer the target’s number to a new SIM card. Once they control the number, they can receive OTP codes, reset account passwords, and access any account that uses that number for authentication.

SIM swaps are often facilitated by insider access at mobile network agents — a genuinely difficult control problem.

What actually works:

For your business mobile money account:

  • Register for SIM lock or number lock services where available from your mobile operator
  • Use a dedicated business SIM that is not the same number staff use for personal accounts
  • Limit who knows the business mobile money PIN and review this regularly
  • Enable transaction notifications to a secondary contact (email or secondary number) so that unauthorised activity is detected quickly

At the account level, use mobile money platform controls where available: transaction limits, PIN-required approvals, and restricted beneficiary lists.


Attack Vector 4: Insider Threats in Mobile Money Operations

This is the least discussed but frequently the most impactful fraud vector for businesses that process significant mobile money volumes.

How it works:

Staff with access to mobile money accounts — whether business wallets, float accounts, or payment processing systems — are in a position to conduct or facilitate fraud. This might be direct misappropriation (authorising payments to a personal account), leaking account credentials to external fraudsters, or facilitating fake payment confirmations.

Insider risk is not about hiring bad people — it is about designing systems that make fraud difficult even for staff who want to commit it, and easy to detect when it happens.

What actually works:

Segregation of duties: the person who creates a payment instruction should not be the same person who approves it. The person who reconciles the account should not be the person who processes transactions.

Reconciliation cadence: daily reconciliation of mobile money accounts catches discrepancies within 24 hours, when the trail is fresh and reversal may still be possible.

Access review: audit quarterly who has access to business mobile money accounts, remove access promptly when staff leave, and change PINs when any account holder departs.
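The dual-authorisation threshold from Attack Vector 1 together with the segregation-of-duties and reconciliation controls above, expressed as enforceable checks in an added example that is not part of the original post. The threshold value, the staff names, the beneficiary numbers and the ledger entries are all constructed for illustration.

```python
# Added example (not from the original post): minimal enforcement of the
# controls described above: dual authorisation above a threshold, segregation
# of duties (the creator never approves; the reconciler processes nothing),
# callback verification before paying a new beneficiary number, and a daily
# reconciliation of the internal ledger against the platform statement.
# The threshold, names and transaction data are constructed for illustration.

from dataclasses import dataclass, field

DUAL_AUTH_THRESHOLD_TZS = 500_000  # assumed threshold; set per business

@dataclass
class Payment:
    ref: str
    beneficiary: str                  # mobile money number
    amount: int                       # TZS
    created_by: str
    approvals: list = field(default_factory=list)
    callback_verified: bool = False   # confirmed on a known number, not one from the email

def check_payment(p: Payment, known_beneficiaries: set, reconciler: str) -> list:
    """Return the list of control failures; an empty list means the payment may proceed."""
    problems = []
    approvers = [a for a in p.approvals if a != p.created_by]
    if len(approvers) < len(p.approvals):
        problems.append("creator cannot approve own payment")
    if reconciler == p.created_by or reconciler in approvers:
        problems.append("reconciler must not create or approve payments")
    needed = 2 if p.amount >= DUAL_AUTH_THRESHOLD_TZS else 1
    if len(set(approvers)) < needed:
        problems.append(f"requires {needed} approver(s), has {len(set(approvers))}")
    if p.beneficiary not in known_beneficiaries and not p.callback_verified:
        problems.append("new beneficiary number without callback verification")
    return problems

def reconcile(ledger: dict, statement: dict) -> dict:
    """Compare the internal ledger {ref: amount} with the platform statement {ref: amount}.

    Returns {ref: (ledger_amount, statement_amount)} for every variance, so a
    payment missing on either side, or differing in amount, is surfaced the
    same day rather than at month end.
    """
    refs = set(ledger) | set(statement)
    return {r: (ledger.get(r), statement.get(r)) for r in refs
            if ledger.get(r) != statement.get(r)}
```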


Building Your Controls Stack

No single control eliminates mobile money fraud risk — the goal is to make fraud sufficiently difficult, easily detectable, and rarely successful. A layered approach:

Layer                | Control                                                | Priority
Payment verification | Callback procedure before processing instructions      | Critical
Approval             | Dual authorisation above defined threshold             | Critical
Reconciliation       | Daily account reconciliation with variance review      | High
Access control       | Quarterly access review, prompt removal on departure   | High
SIM protection       | SIM lock registration, business-only SIM               | High
Staff awareness      | Training on fake confirmations and BEC                 | Medium
Detection            | Transaction alerts to secondary contact                | Medium

The Regulatory Dimension

The Bank of Tanzania has issued cybersecurity guidelines for licensed mobile money operators that include requirements for transaction monitoring, fraud controls, and incident reporting. If your business is BoT-licensed, compliance with these controls is a regulatory obligation, not optional.

For businesses that are not BoT-licensed but use mobile money in commercial operations, there is no direct regulatory mandate for the controls above — but there is clear business interest. The businesses that have these controls in place recover faster from fraud attempts and suffer fewer losses.


Getting Help

If your business processes significant volumes via mobile money and you are unsure whether your controls are adequate, a Fintech & Mobile Money Security Audit or an Incident Response Readiness engagement can give you a structured assessment and tested procedures.

Mobile money fraud is not going away. The platforms are improving their controls. So are the attackers. The businesses that stay ahead of it are the ones that treat fraud risk as a managed function rather than something that happens to other people.

Book a free discovery call to discuss your specific mobile money security posture.