East Africa has one of the fastest-growing digital financial sectors in the world. Mobile money, USSD banking, and fintech innovation have outpaced infrastructure maturity. That gap is exactly what cybercriminals exploit. Understanding the threat landscape and the regulatory environment is the first step to building a defensible organisation.
The East African cybersecurity landscape
East Africa’s rapid digital adoption, particularly in mobile money and internet banking, has made the region a priority target for both local and international cyber threat actors. The attack surface has expanded dramatically. A community bank in Kigali now has the same digital exposure as a bank anywhere in the world, but often with fewer security resources.
According to regional CERT data and incident reports, East Africa sees significant volumes of:
- Banking trojans and credential-stealing malware
- Business email compromise (BEC) targeting finance teams
- Mobile money fraud exploiting USSD session vulnerabilities
- Phishing campaigns impersonating banks, telcos, and government agencies
- Ransomware attacks on hospitals, government, and financial institutions
Key threats facing East African organisations
Business email compromise (BEC)
BEC attacks, where fraudsters impersonate executives or suppliers to redirect payments, cause the largest financial losses of any cybercrime category globally. East African banks and corporates are heavily targeted. In a typical case, a finance officer receives an email that appears to come from the CFO, authorising an urgent wire transfer to a new account. The losses can be in the hundreds of thousands of dollars.
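The scenario above leaves traces in the message headers that a mail filter can check before the request reaches the finance team. The following is an added example, not part of the original article; the executive directory, domains, term list and sample messages are hypothetical.

```python
from email import message_from_string
from email.utils import parseaddr

# Hypothetical values for illustration; none of these come from the article.
EXECUTIVES = {"grace uwase": "grace.uwase@examplebank.example"}  # display name -> real address
PAYMENT_TERMS = ("wire transfer", "new account", "bank details", "urgent")

def bec_signals(raw):
    """Return the BEC indicators present in one RFC 5322 message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    signals = []
    real = EXECUTIVES.get(name.strip().lower())
    if real and addr.lower() != real:
        signals.append("display_name_spoof")   # executive's name, someone else's mailbox
    if reply_to and reply_to.lower().rsplit("@", 1)[-1] != addr.lower().rsplit("@", 1)[-1]:
        signals.append("reply_to_mismatch")    # answers are routed away from the sender
    auth = msg.get("Authentication-Results", "").lower()
    if "dmarc=fail" in auth or "spf=fail" in auth:
        signals.append("auth_fail")            # receiving server could not authenticate the sender
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = (msg.get("Subject", "") + " " + body).lower()
    if sum(term in text for term in PAYMENT_TERMS) >= 2:
        signals.append("payment_language")
    return signals

def hold_for_callback(raw):
    # Hold the request when payment language coincides with any identity signal.
    found = bec_signals(raw)
    return "payment_language" in found and len(found) > 1

# Constructed sample messages (not real traffic).
SPOOFED = """\
From: "Grace Uwase" <grace.uwase@examplebank-payments.example>
Reply-To: cfo.office@mailbox.example
Subject: Urgent wire transfer
Authentication-Results: mx.examplebank.example; spf=pass; dmarc=fail

Please send the wire transfer today to the new account below.
"""
GENUINE = """\
From: "Grace Uwase" <grace.uwase@examplebank.example>
Subject: Board pack

The board pack for Thursday is attached.
"""
```

A message sent from a genuinely compromised executive mailbox raises none of the identity signals, so an out-of-band callback on any change of beneficiary account is still needed alongside a filter like this.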
Mobile money fraud
MTN MoMo, Airtel Money, and M-Pesa collectively process billions of dollars of transactions annually across East Africa. The attack vectors are numerous: SIM swap fraud, USSD session hijacking, agent network compromise, and social engineering of customer service representatives. The speed of mobile money transactions means losses can be irreversible within minutes.
Banking application vulnerabilities
Many banks and fintechs in the region have built and deployed digital products faster than they have secured them. Insecure APIs, missing authentication controls, and business logic flaws in mobile banking apps allow attackers to access other customers’ accounts, manipulate transaction amounts, or bypass payment authorisation. We find critical vulnerabilities in the majority of banking applications we test for the first time.
Ransomware
Ransomware attacks have hit hospitals, government agencies, and at least one major bank in East Africa in recent years. Attackers encrypt critical data and demand payment in cryptocurrency. The operational impact (inability to process transactions, access customer records, or run core systems) can last weeks.
Insider threats
With relatively high staff turnover in some sectors and competitive salary markets for tech talent, insider threats, both deliberate and negligent, are a significant concern. A disgruntled employee with access to core banking systems or customer data can cause serious damage.
Country-by-country regulatory overview
Rwanda
Rwanda has the most developed regulatory cybersecurity framework in East Africa. The National Bank of Rwanda (BNR) mandates regular VAPT for all supervised financial institutions. The National Cyber Security Authority (NCSA) oversees national cybersecurity strategy and coordinates incident response. Rwanda’s data protection law aligns with international standards including GDPR principles. See our detailed guide: BNR cybersecurity requirements for banks in Rwanda.
Kenya
The Central Bank of Kenya (CBK) issued its Guidance Note on Cybersecurity (CBK/PG/23) in 2017, requiring all banks to conduct risk assessments and security testing. The Communications Authority of Kenya oversees cybersecurity for the broader ICT sector. Kenya also has the Computer Misuse and Cybercrimes Act (2018), which criminalises a wide range of cyber offences and establishes incident reporting requirements.
Uganda
The Bank of Uganda (BoU) has issued guidelines requiring supervised institutions to conduct regular security assessments. Uganda’s National Information Technology Authority (NITA-U) coordinates national cybersecurity. The Computer Misuse Act (2011) was amended in 2022 to address modern threats.
Tanzania
The Bank of Tanzania (BoT) has requirements for cybersecurity programmes within its licensing and supervision framework. Tanzania’s TCRA (Tanzania Communications Regulatory Authority) manages cyber incident reporting for the ICT sector. The Electronic and Postal Communications Act provides the legislative framework.
The financial sector: the primary target
Banks, fintechs, insurance companies, and payment processors are disproportionately targeted for an obvious reason: that is where the money is. Beyond direct financial fraud, attackers target:
- Customer data: sold on dark web marketplaces for identity fraud
- Transaction systems: for fraudulent transfers or transaction manipulation
- SWIFT connections: the most lucrative target for sophisticated attackers. The 2016 Bangladesh Bank heist ($81M stolen via SWIFT) directly led to the mandatory SWIFT Customer Security Programme that all SWIFT-connected banks in East Africa must comply with today.
- Core banking systems: for long-term persistence and data exfiltration
Mobile money and USSD: a growing attack surface
East Africa’s reliance on USSD-based financial services creates attack surfaces that do not exist in Western banking markets. USSD sessions can be vulnerable to session hijacking, man-in-the-middle attacks on 2G networks, SIM swap fraud, and enumeration of customer accounts via sequential transaction queries. See our deep dives: “USSD security testing: how we assess mobile money platforms” and “Mobile money security testing: MoMo, M-Pesa and USSD platforms”.
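Of the weaknesses listed above, account enumeration via sequential queries is the one most directly visible in gateway logs. The following detection sketch is an added example, not part of the original article; the log layout, thresholds, MSISDNs and account numbers are all assumed and constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log layout and thresholds; hypothetical, not taken from any real gateway.
LINE = re.compile(r"(\S+) msisdn=(\d+) session=\S+ op=\w+ account=(\d+)")
WINDOW = timedelta(minutes=5)   # look-back window per subscriber
MIN_RUN = 4                     # consecutive account numbers that trigger an alert

def longest_run(numbers):
    """Length of the longest run of consecutive integers in the input."""
    seen, best = set(numbers), 0
    for n in seen:
        if n - 1 not in seen:               # n is the start of a run
            length = 1
            while n + length in seen:
                length += 1
            best = max(best, length)
    return best

def find_enumeration(lines):
    """Map each MSISDN that queried >= MIN_RUN consecutive accounts within WINDOW to its longest run."""
    events = defaultdict(list)
    for line in lines:
        m = LINE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            events[m.group(2)].append((ts, int(m.group(3))))
    alerts = {}
    for msisdn, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > WINDOW:
                start += 1                  # slide the window forward
            run = longest_run(acct for _, acct in evs[start:end + 1])
            if run >= MIN_RUN:
                alerts[msisdn] = max(alerts.get(msisdn, 0), run)
    return alerts

# Constructed sample log lines (not real traffic).
FMT = "2024-05-01T10:{:02d}:{:02d}Z msisdn={} session=s{} op=BALANCE account={}"
SAMPLE = [FMT.format(0, 2 * i, "250700000001", i, 100200301 + i) for i in range(6)]  # rapid sequence
SAMPLE += [FMT.format(m, 0, "250700000002", m, 500 + i) for i, m in enumerate((0, 10, 20, 30))]
SAMPLE += [FMT.format(1, 0, "250700000003", 9, 100777123)] * 3  # repeated own-account checks
```

The second subscriber in the sample queries four consecutive accounts ten minutes apart and is not flagged by the five-minute window, so a daily count of distinct accounts per MSISDN is a useful companion rule.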
Building a regional cybersecurity programme
For organisations operating across multiple East African countries, the key is to build a programme that meets the most stringent applicable regulation (currently Rwanda BNR) as a baseline, then layer country-specific requirements on top. Key elements:
- Annual penetration testing across all material digital assets
- Continuous vulnerability management, not just annual scans
- Security awareness training for all staff, in relevant local languages where possible
- Incident response plan with clear escalation and regulatory notification procedures per country
- Third-party risk management: assess your cloud providers, payment processors, and software vendors
- SWIFT CSP compliance if you process SWIFT transactions. See our guide: SWIFT CSP compliance guide for Rwandan banks.
Choosing a security partner in East Africa
The most important factor is practical expertise, not just certifications on paper. Look for a provider with OSCP-certified testers, documented experience with East African financial institutions, physical presence in the region for on-site testing, and the ability to produce reports that satisfy BNR and regional regulatory requirements.
How we can help
We are an OSCP-certified penetration testing firm based in Kigali. Our lead consultant comes from threat-led red team operations at European banks and brings that expertise to the East African market. We work with banks, fintechs, telecom operators, and regulated institutions across Rwanda, Kenya, Uganda, and Tanzania.
For details on our assessment methodology, see our security assessments service page. For penetration testing engagements, see our penetration testing service page. If your organisation needs a security partner who understands both the threat landscape and the regulatory requirements of the region, contact us to start a conversation.