
In April 2024, Kenya’s Equity Bank hit by $2.1 million debit card fraud.
Equity Bank, Kenya’s biggest bank, was the target of a debit card fraud in which the perpetrators stole $2.1 million. According to a letter sent to the Directorate of Criminal Investigation, the stolen funds were moved to over 500 bank and mobile money accounts. The bank has restricted all accounts that received those funds.
A fraud detective at the DCI confirmed the incident to us and claimed 19 persons were arrested in connection with the fraud.
Equity Bank declined to comment.
Three sources with knowledge of the investigation said the perpetrators executed a “card-not-present” scam to steal money from victims. While this type of fraud typically involves using stolen card details to shop online, fraudsters often create websites and route payments to those websites to access funds in those cards.
Those funds are then moved to other bank accounts.
“Preliminary investigations revealed that between 09/04/2024 and 15/04/2024, KES 179.6 million ($1.3 million) was paid out from the GL fraudulently to the 551 Equity Bank accounts,” a letter signed by Gerald Munyiri, Equity’s general manager security said.
“KES 63 million ($478,360) was sent to Safaricom and KES 39 million ($296,015) to eleven commercial banks. We are in touch with Safaricom and the respective banks to assist in tracing the movement and safeguarding the funds,” part of the same letter said.
One theory is that the transactions were done in batches because Kenyan banks require customers to disclose information for all transactions over $10,000. Mobile wallets also have a limit of $1,900 per transaction, with a maximum of $3,800 daily.
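The batching theory above translates into a simple monitoring rule, shown here as an added example (not code from the article or the bank): flag any source account that sends several same-day transfers each sized just under a per-transaction limit. The two limits come from the article; the 80% band, the minimum count, the account names and the ledger rows are assumptions constructed for illustration.

```python
from collections import defaultdict

# Per-transaction limits quoted in the article (USD); the matching rule is an assumption.
LIMITS = {"bank": 10_000, "wallet": 1_900}
NEAR_BAND = 0.8   # assumed: "near the limit" means 80-100% of it
MIN_SPLITS = 3    # assumed: minimum near-limit transfers per source, channel and day

# Constructed ledger rows: (date, source account, channel, recipient, amount in USD)
SAMPLE_TRANSFERS = [
    ("2024-04-09", "GL-001", "wallet", "W-01", 1850),
    ("2024-04-09", "GL-001", "wallet", "W-02", 1900),
    ("2024-04-09", "GL-001", "wallet", "W-03", 1800),
    ("2024-04-09", "GL-001", "wallet", "W-04", 1890),
    ("2024-04-09", "GL-001", "wallet", "W-05", 1875),
    ("2024-04-09", "GL-001", "bank", "B-01", 9500),
    ("2024-04-09", "GL-001", "bank", "B-02", 9900),
    ("2024-04-09", "GL-001", "bank", "B-03", 9800),
    ("2024-04-09", "GL-001", "bank", "B-01", 9700),
    ("2024-04-10", "ACC-7", "bank", "B-09", 9900),   # only two transfers: not flagged
    ("2024-04-10", "ACC-7", "bank", "B-10", 9950),
    ("2024-04-10", "ACC-9", "wallet", "W-20", 50),   # mostly small payments: not flagged
    ("2024-04-10", "ACC-9", "wallet", "W-21", 120),
    ("2024-04-10", "ACC-9", "wallet", "W-22", 30),
    ("2024-04-10", "ACC-9", "wallet", "W-23", 1900),
]

def find_split_payouts(transfers):
    """Group by (day, source, channel) and flag clusters of near-limit transfers."""
    groups = defaultdict(list)
    for day, source, channel, recipient, amount in transfers:
        groups[(day, source, channel)].append((recipient, amount))
    flagged = {}
    for key, rows in groups.items():
        limit = LIMITS[key[2]]
        near = [(r, a) for r, a in rows if NEAR_BAND * limit <= a <= limit]
        total = sum(a for _, a in near)
        # Several near-limit transfers that together exceed the limit suggest splitting.
        if len(near) >= MIN_SPLITS and total > limit:
            flagged[key] = {
                "transfers": len(near),
                "recipients": len({r for r, _ in near}),
                "total_usd": total,
            }
    return flagged

if __name__ == "__main__":
    for key, summary in find_split_payouts(SAMPLE_TRANSFERS).items():
        print(key, summary)
```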
Fraud is a growing concern in Kenya’s financial services sector. According to TransUnion Africa, a credit reporting agency, Kenyan banks lose about $130 million to cybercriminals yearly, mostly through loan stacking and identity theft.
Kenya’s Financial Reporting Centre (FRC), an agency that tracks the flow of money in financial institutions, flagged more than $600 million linked to card fraud, corruption and terrorism financing in the three years to July 2023.
Most banking fraud cases in Kenya go unreported, as most financial institutions choose to resolve them quietly, albeit with the knowledge of the Central Bank of Kenya (CBK), the sector regulator.
In July 2024, Sh1.5 billion Fraud
The recent fraud incident where Sh1.5 billion was allegedly siphoned out of Equity Bank raised serious concerns regarding the bank’s internal controls and overall financial integrity. This theft, which occurred on July 10, 2024, not only spotlighted the vulnerabilities within the bank’s operations but also highlighted broader issues related to security and trust among its clientele.
The fraudulent activities were detected by the bank’s internal control department, which noted a series of 47 suspicious withdrawals from the payroll account totaling Sh1.5 billion intended for employee salaries and benefits. These funds were quickly transferred to multiple external accounts, raising red flags due to the absence of corresponding credits, which are standard in legitimate transactions. David Machiri, the manager of the salary processing unit, has been identified as a key figure in the fraud. His credentials were reportedly used to authorise the transactions while he was on leave, leading to suspicions of collusion or gross negligence within the bank’s hierarchy.
Following the discovery, the Directorate of Criminal Investigations initiated an inquiry, which escalated due to the severity of the allegations and the involvement of armed abductions related to the case. The situation took a dramatic turn when Machiri and his father were reportedly abducted by armed individuals, further complicating the investigations.
Witnesses described a coordinated attack involving multiple armed men, suggesting a level of organisation that raises questions about the motivations behind these actions: whether they are linked to the fraud investigations or other undisclosed matters. Many questions are being raised over the increased cases of fraud at Equity Bank, with the bank’s reputation as one of Kenya’s largest financial institutions at stake.
Whether the fraud incidents are due to internal cyber security vulnerabilities, inside jobs by employees or are related to insurance claims, the bank’s stakeholders are now asking hard questions as to why the banking sector regulator, the Central Bank of Kenya, has not taken drastic measures against the bank.
It has to be remembered that this incident is not isolated as it follows another significant breach where hackers siphoned Sh179 million from 155 accounts within a week in April as explained in Case study number one above, further eroding customer confidence in the bank’s security measures.
Equity Bank, Uganda.
Additionally, reports of over US$16 million lost due to fraudulent activities related to stock loans and agent float financing in Uganda have compounded these concerns. Stakeholders including customers and investors are increasingly questioning the adequacy of Equity Bank’s financial systems and cyber security protocols. The bank’s reputation as one of Kenya’s largest financial institutions is at stake, and the ongoing investigations are likely to have long-lasting effects on its operations and customer trust. The unfolding events surrounding the Sh1.5 billion fraud at Equity Bank underscore critical vulnerabilities in the bank’s operational integrity and security frameworks. Thunder should not strike the same tree twice, but that is not the case with Equity Bank’s systems.
As investigations continue, the bank faces immense pressure to restore confidence among its stakeholders and address the systemic issues that allowed such a significant breach to occur. The outcomes of both the legal proceedings against Machiri and the broader investigations by the DCI will be pivotal in determining the future stability and reputation of Equity Bank in the Kenyan financial landscape.
The April incident was a sophisticated attack involving BIN (bank identification number) manipulation. A statement from the bank stated that between April 9-15, 2024, Sh179,677,736 was fraudulently paid out from Equity Bank’s MasterCard GL to 551 Equity accounts and an additional Sh63,023,983 was sent to Safaricom MPesa and Sh39,047,344 to 11 other banks.
However, Equity Bank managed to block some of the stolen funds by locking the recipient accounts and working with Safaricom to trace the MPesa transactions. It is suspected that the hackers likely used a “BIN attack”, which involves manipulating the first six digits of a credit card number (the BIN) to rapidly guess valid card details through trial-and-error on e-commerce sites. This was not an isolated incident.
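The trial-and-error pattern described above leaves a recognisable trace in authorisation logs: many distinct card numbers under one BIN, at one merchant, in a short window, mostly declined. The following detection sketch is an added example, not code from the article or the bank; the log format, thresholds, merchant names and card numbers are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)  # assumed look-back window
MIN_DISTINCT_PANS = 5          # assumed: distinct card numbers per BIN per merchant
MIN_DECLINE_RATIO = 0.8        # assumed: share of attempts in the window that were declined

def make_sample_log():
    """Constructed log lines: '<ISO time> <merchant> <card number> <result>'."""
    base, lines = datetime(2024, 4, 9, 10, 0, 0), []
    for i in range(8):   # shop-a: a new card number every 10 s under one BIN, mostly declined
        ts = (base + timedelta(seconds=10 * i)).isoformat()
        result = "APPROVED" if i == 6 else "DECLINED"
        lines.append(f"{ts} shop-a 999999{i:010d} {result}")
    for i in range(3):   # shop-b: ordinary approvals spread over 40 minutes
        ts = (base + timedelta(minutes=20 * i)).isoformat()
        lines.append(f"{ts} shop-b 999999{1000 + i:010d} APPROVED")
    for i in range(6):   # shop-c: one customer retrying a single card
        ts = (base + timedelta(seconds=15 * i)).isoformat()
        lines.append(f"{ts} shop-c 8888880000000001 DECLINED")
    return lines

def parse(line):
    ts, merchant, pan, result = line.split()
    return datetime.fromisoformat(ts), merchant, pan, result

def detect_bin_enumeration(lines):
    """Return {(merchant, BIN): summary} for windows that look like card-number guessing."""
    windows = defaultdict(deque)  # (merchant, BIN) -> events inside the look-back window
    alerts = {}
    for ts, merchant, pan, result in sorted(parse(l) for l in lines):
        key = (merchant, pan[:6])  # the BIN is the first six digits
        win = windows[key]
        win.append((ts, pan, result == "DECLINED"))
        while ts - win[0][0] > WINDOW:
            win.popleft()
        pans = {p for _, p, _ in win}
        decline_ratio = sum(d for _, _, d in win) / len(win)
        # Repeated declines on ONE card are a retry; many cards under one BIN are guessing.
        if len(pans) >= MIN_DISTINCT_PANS and decline_ratio >= MIN_DECLINE_RATIO:
            alert = alerts.setdefault(key, {"first_seen": ts, "distinct_pans": 0})
            alert["distinct_pans"] = max(alert["distinct_pans"], len(pans))
    return alerts

if __name__ == "__main__":
    for key, alert in detect_bin_enumeration(make_sample_log()).items():
        print(key, alert)
```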
Kenyans Jailed In Rwanda
Equity Bank has a history of being targeted by cybercriminals. In 2022, a 12-man gang including eight Kenyans was jailed in Rwanda for hacking Equity Bank accounts in Kenya and Uganda. The bank’s cyber security systems have been criticised as vulnerable, making it an easy target for sophisticated hacking tactics like BIN attacks. The latest Sh1.5 billion theft highlights the need for Equity to bolster its security measures to protect customer accounts from determined cybercriminals.
During the Sh179 million heist, the hackers were able to evade detection for an extended period by using sophisticated techniques to infiltrate Equity Bank’s systems and cover their tracks. The hackers likely exploited unpatched vulnerabilities in Equity Bank’s systems to gain initial access. Once inside the network, they could deploy advanced tools to further infiltrate and move laterally. It is suspected that the hackers used obfuscation techniques to disguise their malicious code and evade detection by antivirus and security tools. This includes renaming files, modifying code to lower detection rates, and using living-off-the-land (LOTL) tactics to blend in with legitimate processes. The hackers created persistent footholds in Equity Bank’s systems to maintain access even after restarts or reboots. This included using autorun files and other methods to create stealth backdoors that could be used to reinfect the network. Rather than using easily detectable malware, the hackers are suspected to have abused legitimate applications and processes to slip past security unnoticed. Equity Bank’s security tools may have been focused more on prevention than detection.
Without robust endpoint monitoring and threat hunting capabilities, the hackers could operate undetected for weeks or months before being discovered. The sophistication of the attack highlights the need for Equity Bank to bolster its cyber security with advanced tools, better patching processes, and a layered defence-in-depth strategy. Relying solely on prevention is no longer sufficient against determined hackers who specialise in evading detection.
Forget About Reversal Of Money Sent To Wrong account.
Digital activist Hanifa was a victim.
“Hello guys I need your help please help. Kindly. @KeEquityBank like the frauds they are refusing to revert back the money belonging to one of the bereaved families. Mike Kihuga’s mother called me over a week ago saying she never got her money and I was shocked so we went to check and it’s the bank account that was wrong and not matching her name. So I called mchanga and asked what the problem was since the money was sent over a month ago. @KeEquityBank Nakuru branch confirmed that they have the money and said it was sent back to ecobank belonging to mchanga but it’s a lie. Mama Mike has been to the bank daily, daily and I’ve asked for proof from the manager where he sent the money back but he’s still lying, we’ve been going back and forth for over a week I feel so sorry for the mum. This is the second time @KeEquityBank is doing this after the Cherengani hospital issue where they returned the money after the uproar. Please call them out to revert the money back so that we can send to the mother. @KeEquityBank SHAME ON YOU!!!!!! Frauds!!”