How to Protect Your Identity and CRB File from Fraud in Kenya

The Growing Threat of Identity Fraud in Kenya

Identity fraud — where someone uses your personal details (National ID, phone number, KRA PIN) to take out loans in your name — is increasing in Kenya as digital lending expands. Victims often discover they have been defrauded only when their own loan applications are declined due to defaulted accounts they never opened.

How Your Identity Can Be Compromised

• ID photocopies: Copies of your ID submitted to shops, matatus, hotels, or other services can be misused
• SIM swaps: Fraudsters convince mobile operators to transfer your number to a SIM they control, gaining access to M-Pesa and loan apps
• Phishing: Fake M-Pesa alerts or bank messages trick you into sharing OTPs or passwords
• Data breaches: Leaked databases from apps or services that stored your KYC details
• Lost or stolen ID: Someone finds or steals your ID and uses it to apply for digital loans
• Inside jobs at lenders: Rogue employees at financial institutions use customer data to open accounts

How to Protect Your National ID

• Never leave original ID documents unattended or in vehicles
• When copying your ID for submission, write the purpose across the photocopy (e.g., "For KCB Account Opening — June 2026") to prevent re-use
• If your ID is lost or stolen, report to the National Registration Bureau (NRB) and your nearest police station immediately
• Obtain a police abstract and notify your bank, SACCO, and any active lenders
• Consider placing a fraud alert with the CRBs

How to Protect Your M-Pesa and Loan Apps

• Enable SIM swap protection at your Safaricom service centre (requires in-person verification)
• Never share M-Pesa PINs, one-time passwords (OTPs), or app passwords with anyone
• Do not click links in SMS messages claiming to be from Safaricom, your bank, or a lender — visit official apps or URLs directly
• Regularly review your M-Pesa transaction history and report any unfamiliar transactions immediately
• Use strong, unique passwords on all financial apps and enable biometric authentication where available

What to Do If You Discover Fraudulent CRB Entries

1. Get your CRB report — identify the fraudulent account(s) (lender name, account number, date opened)
2. File a police report immediately — you need the OB (Occurrence Book) number for the dispute process
3. Contact the lender in writing, citing identity fraud, and attach the police report and a copy of your ID
4. File a formal dispute with the CRB — attach all evidence. Fraudulent data can be removed before the 5-year period
5. Notify CBK (020 286 0000) if the lender is unresponsive
6. File a complaint with ODPC (info@odpc.go.ke) — your data was processed without consent

Ongoing Protection Habits

• Check your CRB report at least twice per year for unfamiliar accounts
• Monitor M-Pesa transaction history monthly
• Review your bank statements regularly for unrecognised activity
• Periodically check if your KRA PIN has been used for suspicious activity at tax.go.ke