What changed in 12 months
The attack surface of African financial institutions expanded significantly in 2025. Mobile money platforms crossed 400 million registered users continent-wide. That growth brought capital, and capital brought attackers.
Key findings
Three patterns emerged consistently across our engagements:
Credential stuffing at scale. Attackers are running automated credential stuffing campaigns against mobile money platforms using breach databases from non-African markets. The assumption that breach data from European or North American leaks won't map to African accounts is wrong.
SMS interception infrastructure. We observed a sustained increase in SS7-based SMS interception targeting OTP flows. This is not a novel attack (it has been documented since 2014), but adoption by financially motivated threat actors in the region is accelerating.
Insider threat via social engineering. The most consistent finding across all financial sector engagements: employees with privileged access are being targeted directly via WhatsApp and phone. The attack is simple. The damage is not.
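For the credential stuffing pattern above, a breach-list replay looks different in authentication logs from both single-account brute force and busy shared egress points. The sketch below is an added example, not code from the engagements; the event format, the thresholds and the sample data are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def _ev(minute, second, src, account, ok):
    return (f"2025-06-01T09:{minute:02d}:{second:02d}", src, account, ok)

# Constructed login events (documentation IP ranges, made-up account ids):
# (ISO timestamp, source IP, account id, login succeeded)
EVENTS = (
    # One source, 8 different accounts, one try each, a single hit.
    [_ev(i // 2, 30 * (i % 2), "203.0.113.7", f"acct-{i}", i == 5) for i in range(8)]
    # One source hammering a single account: brute force, a different signature.
    + [_ev(1, i * 5, "198.51.100.20", "acct-99", False) for i in range(10)]
    # Shared egress with many legitimate users: many accounts, all succeed.
    + [_ev(i, 0, "192.0.2.50", f"cust-{i}", True) for i in range(6)]
)

# Threshold defaults are illustrative assumptions; tune them on real traffic.
def detect_stuffing(events, window=timedelta(minutes=10), min_accounts=5,
                    max_success_ratio=0.2, max_attempts_per_account=2.0):
    """Flag sources whose logins in any sliding window look like a breach-list
    replay: many distinct accounts, few tries per account, mostly failures."""
    by_source = defaultdict(list)
    for ts, src, account, ok in events:
        by_source[src].append((datetime.fromisoformat(ts), account, ok))
    flagged = {}
    for src, rows in by_source.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] > window:
                start += 1  # slide the left edge forward
            win = rows[start:end + 1]
            accounts = {a for _, a, _ in win}
            successes = sum(1 for _, _, ok in win if ok)
            if (len(accounts) >= min_accounts
                    and successes / len(win) <= max_success_ratio
                    and len(win) / len(accounts) <= max_attempts_per_account
                    and len(accounts) > flagged.get(src, {}).get("accounts", 0)):
                # Keep the widest matching window as the evidence for this source.
                flagged[src] = {"accounts": len(accounts), "attempts": len(win),
                                "successes": successes}
    return flagged

if __name__ == "__main__":
    for src, stats in detect_stuffing(EVENTS).items():
        print(src, stats)
```

The successes counted inside a flagged window are the accounts whose reused credentials worked, so they are the ones to lock and reset first. Campaigns spread across many source addresses need the same test keyed on another dimension, such as device fingerprint or ASN.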
What this means for defenders
Institutions that moved authentication to app-based TOTP or passkeys saw materially lower incident rates. The migration cost is real. The cost of not migrating is higher.