Mobile phones in Kenya are like bank accounts - some people keep all their savings on their phone - and fraudsters are trying to hack into them to steal the money.
Sammy Wanaina received a text message on Sunday asking him to provide the secret personal code so that his Sim card could be swapped.
He was confused, he had not asked for a new card - and just moments earlier he had terminated a call that he now realised must have been from a fraudster who had posed as a customer services adviser from the phone company.
"It was a brief call and I did not give any of my details," Mr Wanaina told the BBC.
He immediately contacted Safaricom, his mobile provider, to report that he suspected that there was an ongoing attempted fraud on his number.
Despite not giving out his details - and reporting the fraud to Safaricom - he completely lost access to his number and only getting back control after three days.
He tweeted that the whole experience had scared him.
I was completely baffled and scared.— Sammy (@sammy_ynwa) July 16, 2018
I know that a SIM swap cannot be done without:
- Myself being present at a Safaricom shop or an authorized agent,
- Without my ID card,
- Without my PIN,
- Without knowledge of my transactions details e.g last numbers called, last top up etc
Mr Wanaina says Safaricom contacted him after his complaint and issued him with a new Sim card as a precaution - without giving further details about how he lost access to his number.
The company tweeted him to say it was "committed to safeguarding customer information and... that we will follow up this matter to its conclusion".
'I lost $18,000'
His story prompted others to share their experiences - many of whom had lost money in the scam.
This Fraud is deep than what you are writing in this notice and cuts across many institutions including banks . I suffered a SIM swap without ever sharing my details. @DCI_Kenya @CA_Kenya have the power to STOP it if they wish to .— ndinya john (@jndinya) July 20, 2018
Politician Stanley Wanjiku revealed that he had been trapped by the fraudsters, losing $18.000 (£14,000).
He told the Daily Nation newspaper that his trouble started after he received a notification that he could not access his mobile wallet and had to call a certain number to reset it - which he did.
He later learned that his Pin number has been replaced and a new one regenerated, so he could not get access to his money. The paper did not say which service he had his account.
"I do not know how my mobile money Pin was regenerated and issued to strangers. I am at a loss how they identified themselves," Mr Wanjiku said, adding that a bank account not linked to his mobile phone was also hacked.
More on mobile money:
People tend to have several Sim cards from different companies - as they have different coverage and deals. This means Sim cards do get damaged, so it's not unusual for customers to want to replace them.
Kenya has the highest number of users of mobile money in the world, a major reason why the recent Sim card fraud has caused such public alarm.
Almost half of its 47 million population use the dominant M-Pesa platform to pay for services and conduct businesses.
Through partnerships, phone companies have also managed to integrate mobile money services with banks, allowing customers to seamlessly move money back and forth.
William Makatiani, from the cyber-security consulting firm Serianu, told the Daily Nation that the scam to hack into mobile phones is becoming more common.
"Sim swapping has become a big problem especially in Nigeria since 2016. It started picking up in Kenya in the last half of last year," he was quoted as saying.
How to protect yourself
It is not clear how exactly the scam is working, but this week the Communication Authority of Kenya, the body that regulates the mobile phone industry, told users to be on their guard:
- Never give out personal information
- Don't give out your Pin number
- Delete requests for financial information or passwords
- Be suspicious of unsolicited messages.
Safaricom also urged customers to safeguard their passwords, dates of birth and national identity numbers.
It also said that subscribers should be aware of its official customer care number so as not to be duped by those trying to get access their account.