For nearly two decades, every M-Pesa payment in Kenya quietly exposed one critical piece of personal data: the sender’s phone number.
Whether paying for fuel, groceries, or a boda boda ride, users automatically shared their mobile numbers with recipients and merchants. That number could be stored, shared, resold — or worse, harvested for fraud.
Now, in a landmark shift approved by the Central Bank of Kenya, Safaricom will begin masking users’ phone numbers during transactions on M-Pesa.
The move could significantly disrupt SIM-swap fraud and impersonation scams that have cost Kenyans millions.
What’s Changing?
Under the new system:
• Phone numbers will be partially masked in peer-to-peer transfers
• Recipients must request access to view the full number
• The sender can approve or decline the request
• Merchants will no longer see the payer’s full name or mobile number when customers use Till or Paybill
“This is to inform you that the CBK has reviewed your application and submissions in support of the solution and approves your request to implement data minimalisation for peer-to-peer transactions,” CBK said in its letter to Safaricom.
In short: less exposed data, fewer entry points for fraudsters.
Why Phone Numbers Became a Security Risk
In Kenya’s mobile-first economy, a phone number is more than contact information.
It functions as:
• A bank username
• A mobile money account identifier
• An authentication channel
• A digital identity anchor
That visibility created a dangerous chain reaction.
Fraud rings harvested numbers from legitimate transactions, then used spoofing tools to impersonate:
• Bank officials
• Telco agents
• Customer support teams
In 2025, the Directorate of Criminal Investigations arrested six suspects in Mombasa who allegedly used ID spoofing applications—paid for with over KES 500,000 ($3,875)—to scam victims using harvested phone numbers.
SIM-swap fraud has been particularly devastating. Once criminals transfer a victim’s number to a new SIM, they can:
• Reset banking credentials
• Intercept one-time passwords
• Change PINs
• Drain accounts within minutes
Masking phone numbers directly targets the earliest vulnerability in that chain.
A Regulatory Signal, Not Just a Feature Update
This is more than a product tweak. It is regulatory intervention in digital privacy.
Kenya’s regulators — including the Central Bank and the Communications Authority — have repeatedly tightened compliance rules around SIM registration and identity verification.
The Office of the Data Protection Commissioner reported over 5,000 complaints in 2024 alone, with financial and insurance companies accounting for approximately 30% of determinations issued.
Kenya’s High Court has also awarded damages in cases involving unsolicited marketing and misuse of customer data.
M-Pesa’s masking feature aligns with a broader shift toward data minimisation — a principle increasingly enforced globally.
Why This Matters Beyond Kenya
With over 37 million users, M-Pesa is one of the most influential mobile money systems in the world.
Its architecture has inspired mobile payment systems across Africa.
If successful, number masking could:
• Become a compliance benchmark for African fintechs
• Influence digital wallet design standards
• Pressure other operators to reduce visible personal data
• Strengthen consumer trust in mobile-first finance
In a region where phone numbers double as financial identities, limiting exposure could materially reduce fraud attempts at scale.
The Bigger Infrastructure Lesson
Digital financial inclusion brought millions into formal systems.
But it also exposed millions to digital fraud.
The next phase of fintech growth may depend less on onboarding new users — and more on redesigning infrastructure to reduce systemic risk.
By masking phone numbers, M-Pesa is addressing one of the quietest yet most exploited vulnerabilities in mobile money systems.
And in Kenya’s mobile-driven economy, that small design change could stop thousands of scams before they start.
