Business email compromise: the KSh 2M scam hitting Kenyan SMEs
A supplier sends you an invoice with "new bank details." Your finance person updates the record and pays. Two days later the real supplier calls asking for their money. You have just become another BEC statistic.
What BEC looks like in Kenya
Business email compromise (BEC) is when a fraudster impersonates a supplier, executive, or business partner to trick someone into sending money or sensitive data. In Kenya it usually shows up as:
- An email from a supplier with "updated" paybill or bank details.
- A WhatsApp message from "the director" asking for an urgent M-Pesa transfer.
- A fake invoice that looks identical to a real one, sent from a lookalike email address.
Why SMEs are the perfect target
Small teams move fast. One person often handles payments, procurement, and bookkeeping. Fraudsters exploit that speed and the trust you have built with long-term suppliers. They also exploit the fact that most Kenyan businesses do not verify account changes directly with the sender.
5 things you can do today
- Verify every account change by voice. Call the supplier on a known, saved number — not the one in the email or message.
- Use a second pair of eyes. Any new payment details must be confirmed by two people before money moves.
- Check the paybill or account before paying. Use Codec8 Verify to confirm the registered organisation name and any fraud reports.
- Watch for urgency. "Pay now or we stop delivery" is a classic pressure tactic.
- Train your staff. The weakest link is usually the person who sees the message first, not your firewall.
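Part of this checking can be done before an invoice reaches the person who pays it. The Python below is an added example, not code from this article or from Codec8: it holds a payment request when the sender's domain imitates a saved supplier's domain, or when the account differs from the one on file. The supplier records, domains, account numbers and function names are constructed for illustration.

```python
from difflib import SequenceMatcher

# Constructed supplier master record (hypothetical names and numbers).
SUPPLIERS = {
    "acme-supplies.example": {"name": "Acme Supplies Ltd", "account": "0110234567"},
    "rift-packaging.example": {"name": "Rift Packaging", "account": "0220987654"},
}

# Character swaps often seen in lookalike domains, folded before comparing.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "5": "s"})


def skeleton(domain: str) -> str:
    """Lower-case the domain and fold visually similar characters."""
    return domain.lower().replace("rn", "m").translate(CONFUSABLES)


def closest_supplier(domain: str, threshold: float = 0.85):
    """Return the saved supplier domain this one imitates, or None."""
    best, best_score = None, 0.0
    for known in SUPPLIERS:
        score = SequenceMatcher(None, skeleton(domain), skeleton(known)).ratio()
        if score > best_score:
            best, best_score = known, score
    return best if best_score >= threshold else None


def review_payment_request(sender: str, account: str, approvers: set) -> list:
    """Return the reasons a payment must be held; an empty list means release."""
    domain = sender.rsplit("@", 1)[-1].lower()
    holds = []
    if domain in SUPPLIERS:
        record = SUPPLIERS[domain]
    else:
        imitated = closest_supplier(domain)
        if imitated is None:
            return ["unknown sender: no supplier record for " + domain]
        holds.append(f"lookalike sender: {domain} imitates {imitated}")
        record = SUPPLIERS[imitated]
    # A changed account is held even from the genuine domain, because a
    # supplier's real mailbox may itself be compromised.
    if account != record["account"]:
        holds.append("account change: confirm by phone on the saved number")
        if len(approvers) < 2:
            holds.append("account change needs two approvers")
    return holds
```

An empty result only means none of these checks fired; the phone call to the saved number remains the control that confirms a change.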
Checking a supplier's new details takes 30 seconds.