Kenya Recorded 3.37 Billion Cyber Threat Events: What That Number and AI Deepfakes Mean for You

Cybersecurity and AI

A number as large as 3.37 billion creates instant fear. It can sound as though every Kenyan phone, bank account and government service was hacked many times. That is not what the Communications Authority report says, but the reality behind the number still deserves attention.

Between January and March 2026, the National Kenya Computer Incident Response Team Coordination Centre, known as KE-CIRT/CC, detected 3,367,113,840 cyber threat events. That was 26.1 percent lower than the 4.56 billion events recorded in the previous quarter. Most detections were classified as system vulnerabilities, with tens of millions of malware and brute-force events also recorded.

A threat event can be an automated scan, repeated login attempt, malicious request, known vulnerability or suspicious network activity. One attacker can generate thousands or millions of events. One vulnerable server can be scanned repeatedly from around the world. The figure therefore measures the volume of hostile or risky activity seen by monitoring systems, not the number of successful hacks.

3.37B: Total threat events detected from January to March 2026
3.23B: Events classified under system vulnerabilities
68.7M: Malware-related threat events detected
46.4M: Brute-force attack events, up 8.4 percent quarter to quarter

Immediate rule: No bank, mobile-money provider, government office or legitimate support agent needs you to read out your PIN or one-time password. A caller who knows your full name, ID number or recent application can still be a scammer.

Reading the report correctly

A cyber threat event is not the same as a successful breach

Internet-connected systems are constantly tested. Some of that testing is legitimate security research, but much of it is automated criminal scanning. Attackers search for an old website plugin, exposed remote desktop port, weak password, unpatched router or cloud storage bucket. They do not need to know the owner personally. Software scans large ranges of addresses and attacks anything that responds.

This explains why the numbers can reach billions. A single botnet made of infected computers and routers can repeatedly contact thousands of Kenyan systems. Monitoring tools log each attempt or vulnerability signal. The event may be blocked before any account is accessed. It may also expose a weakness that remains dangerous until the owner applies a patch.
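
The distinction drawn above, as an added example that is not part of the original article: constructed login log lines are counted three ways, so the raw event total can be compared with the number of sources and the logins that actually warrant investigation. The log format, addresses, account names and the `guess_threshold` parameter are assumptions made for illustration.

```python
from collections import Counter

# Constructed sample: "<time> <source-ip> <account> <FAIL|OK>" (documentation IP ranges).
SAMPLE_LOG = """\
09:00:01 203.0.113.7 admin FAIL
09:00:02 203.0.113.7 admin FAIL
09:00:03 203.0.113.7 admin FAIL
09:00:04 203.0.113.7 root FAIL
09:00:05 203.0.113.7 root FAIL
09:00:09 198.51.100.22 wanjiru FAIL
09:00:10 198.51.100.22 wanjiru FAIL
09:00:11 198.51.100.22 wanjiru FAIL
09:00:12 198.51.100.22 wanjiru OK
09:03:40 192.0.2.15 otieno FAIL
09:03:55 192.0.2.15 otieno OK
"""

def summarize(log_text, guess_threshold=3):
    """Separate raw event volume from sources, targets and likely compromises."""
    failures = Counter()      # (source, account) -> failed attempts so far
    per_source = Counter()    # source -> failed attempts
    suspicious_logins = []    # successes that follow a burst of failures
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue          # skip malformed lines rather than miscount them
        _, source, account, result = parts
        if result == "FAIL":
            failures[(source, account)] += 1
            per_source[source] += 1
        elif result == "OK" and failures[(source, account)] >= guess_threshold:
            suspicious_logins.append((source, account))
    return {
        "threat_events": sum(per_source.values()),      # what a headline total counts
        "unique_sources": len(per_source),              # far fewer than events
        "targeted_accounts": len({acct for _, acct in failures}),
        "suspicious_logins": suspicious_logins,         # the cases to investigate
    }

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

A single mistyped password followed by a success (the `otieno` lines) stays below the threshold, which is why it counts as an event but not as a suspicious login.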

Category | What it usually describes | What an ordinary user may notice
System vulnerabilities | Weaknesses or exposed services that attackers could exploit | Often nothing until the weakness is abused
Malware | Malicious software, infected files or harmful links | Slow device, pop-ups, unknown apps or account activity
Brute force | Repeated attempts to guess passwords or credentials | Login alerts, locked accounts or unexpected verification messages
Web application attack | Attempts to exploit a website or online service | Defaced pages, stolen customer data or service interruption
DDoS | Traffic floods intended to make a service unavailable | Website, payment portal or app becomes unreachable

The quarterly decline is welcome, especially the sharp fall in detected distributed denial-of-service activity. It should not be read as proof that Kenya is now safe. Brute-force events increased, web application attacks increased and the overall number remained enormous. More importantly, automated detections cannot measure every successful fraud that begins with a phone call, fake job advert, compromised WhatsApp account or dishonest insider.

Why human-targeted fraud is different
A firewall can block a malicious connection, but it cannot stop a person from voluntarily sending money to someone impersonating a relative. Criminals increasingly combine leaked personal details, social engineering and artificial intelligence to make the request believable.

The AI shift

A familiar voice or video is no longer proof of identity

Kenyan officials are now warning about AI-generated deepfakes, misinformation and identity manipulation ahead of the 2027 General Election. A deepfake can imitate a person's face or voice well enough to make a false statement appear genuine. The same technology can be used for political propaganda, family emergency scams, fake business instructions and blackmail.

The old scam message often had poor grammar and an unfamiliar number. AI can remove those warning signs. A criminal can collect public videos, voice notes or speeches, generate an audio clip and claim that a politician, chief executive, parent or friend is speaking. The clip may arrive through a compromised account belonging to someone the victim already trusts.

RISK 01: Family emergency scam. A cloned voice claims a relative has been arrested, injured or stranded and needs money immediately.
RISK 02: Business payment fraud. A fake executive voice or video instructs an employee to change bank details or approve an urgent transfer.
RISK 03: Political manipulation. Synthetic clips can invent inflammatory statements, false concessions, endorsements or instructions to supporters.
RISK 04: Fake evidence. Edited audio or video may be presented as proof in a dispute before journalists or investigators verify it.

Visual clues such as strange blinking, distorted fingers or unnatural lips can help, but generation tools are improving. The safest habit is not to become a deepfake detective. It is to verify the claim outside the content. Call the person through a number you already know. Ask a question an impersonator cannot answer. Check whether credible organisations have published the same statement.

Urgency is part of the attack
Scammers want the victim to act before thinking. They create a deadline, a threat or an emotional shock. A pause of two minutes to call a known number can defeat technology that took hours to prepare.

Personal protection

The highest-value security habits are still simple

People often assume cybersecurity requires expensive software. For most households, the biggest improvement comes from protecting the routes criminals use every day: reused passwords, unlocked SIM cards, unattended notifications, outdated phones and rushed mobile-money transfers.

01. Use a different strong password for email, banking, social media and work. Your email account can reset many other accounts, so protect it first.
02. Turn on two-factor authentication using an authenticator app where possible. SMS is better than no second factor, but a stolen SIM can receive SMS codes.
03. Hide message previews on the lock screen. A thief holding a locked phone may still see verification codes and financial alerts.
04. Install operating-system and application updates. Many attacks succeed because a known security weakness remains unpatched.
05. Verify payment requests through a second channel. Do not trust a voice note, video call or familiar profile picture on its own.
06. Create a family verification phrase for emergencies. It should not be posted online and should be changed if exposed.
07. Report a stolen phone and block the SIM quickly. Then change the email and financial passwords that were signed in on the device.
See the underlying numbers
The Communications Authority's January to March 2026 sector statistics report lists the threat categories and quarterly changes. The Authority also publishes cybersecurity advisories through KE-CIRT/CC.

For small businesses

One compromised account can become a payroll, customer and reputation crisis

A small Kenyan business may not think of itself as a cyber target. Attackers see something different: mobile-money collections, customer phone numbers, supplier payments, social-media accounts and one busy owner who approves everything. A criminal does not need to break into a bank if an employee can be persuaded to change a supplier account.

Businesses should separate approval from instruction. Any new payment account should be verified by calling a known supplier contact. Large transfers should require a second person. Former employees should lose access immediately. Backups should be tested, not merely assumed. Website plugins, routers and remote-access tools should be updated.

Business control | Attack it reduces | Low-cost action
Two-person payment approval | Fake executive or supplier instructions | Require independent confirmation above a chosen amount
Password manager and 2FA | Credential reuse and brute force | Protect email, cloud, social and finance accounts first
Offline or isolated backup | Ransomware and accidental deletion | Test restoration on a schedule
Access review | Former staff and excessive privileges | Remove unused accounts every month

The best defence against AI-assisted fraud is not an AI detector. It is a culture where unusual requests are verified and nobody is punished for pausing a payment.

Public information

How to handle a shocking political clip before sharing it

Deepfakes become powerful when ordinary people distribute them faster than journalists, institutions and the person shown can respond. Before forwarding a dramatic clip, find the earliest source. A video reposted by dozens of accounts can still come from one anonymous upload. Check the full speech or event, not only a short extract. Compare reporting from organisations that attended.

Look for an official statement, but do not rely on one political side to verify itself. Independent newsrooms, fact-checkers, election observers and the electoral commission should be part of the evidence. Save a copy or link if the content may be criminal, but avoid adding a confident caption before verification.

Were 3.37 billion Kenyans or devices hacked?
No. The number counts detected threat events or signals, many of which are automated and blocked. It does not equal successful breaches or unique victims.
Can I identify every deepfake by looking closely?
No. Visual defects can help, but good fakes may not show obvious errors. Verify through a known contact and independent sources.
Is a call from a familiar voice safe?
Not automatically. Voices can be cloned and accounts can be compromised. Use a family phrase or call back through a number you already trust.
What account should I secure first?
Email is usually the most important because it can reset many other accounts. Then secure mobile money, banking, cloud storage and social media.

The bottom line

The danger is not the size of one headline number

Kenya's 3.37 billion threat events show the scale of automated pressure against a rapidly growing digital economy. The decline from the previous quarter is positive, but tens of millions of malware and password attacks remain. Every new online service creates convenience and another system that must be protected.

Artificial intelligence adds a second challenge. It makes fraud more persuasive and misinformation cheaper to produce. That means cybersecurity is no longer only the work of network engineers. Families need verification habits. Businesses need payment controls. Newsrooms and public institutions need rapid, credible correction systems.

The most useful response is neither panic nor complacency. Update devices, protect email, verify unusual requests, slow down urgent payments and treat dramatic political media as a claim that needs evidence. A careful two-minute check can be more effective than the most frightening statistic on the internet.

Published July 3, 2026. Cybersecurity figures are from the Communications Authority sector statistics for January to March 2026. Threat events are automated detections or attempts, not a count of successful breaches or affected individuals. Election-related deepfake concerns are based on public statements by government and IEBC officials.