When Goma and Bukavu fell to the M23 rebels in January and February 2025, the Democratic Republic of the Congo (DRC) closed banks in both cities, causing a liquidity crisis. Mobile money transfers became essential for conducting personal business, exposing cellphone users to SIM card swapping scams.
The DRC is no stranger to such cybercrimes. In 2022, international grant-issuing organisation GiveDirectly reportedly lost US$1.2 million in a SIM-swapping scandal. In this instance, staff colluded with fraudsters to divert resources, depriving over 1 700 needy families of expected support.
SIM card swapping, or SIM hijacking, occurs when fraudsters impersonate a phone owner and transfer the latter’s number to a new SIM card. This is often achieved through manipulation, where the victim, at the request of a fake official, opens access to their personal information through data breaches, social media, or phishing schemes. The information is used to deceive telecom employees into doing the SIM swap.
The fraudster gains access to the victim’s text messages, calls, and two-factor authentication codes sent via SMS. Criminals can then get into the victim’s bank accounts, email, social media profiles, and cryptocurrency wallets, resulting in massive financial loss.
Identity theft, privacy breaches, and emotional distress are just some of the negative consequences. SIM swappers can use the phone line for criminal purposes, and victims are held liable. It can even facilitate broader crimes like money laundering or corporate espionage. Globally, SIM swap fraud has surged with the rise of mobile banking and digital payments.
The DRC has registered rapid growth in cellphone use over the past 12 years, with over 56 million mobile subscribers in a population of about 100 million. In a cash-strapped economy, mobile money services are a lifeline for millions. Service providers like Vodacom, Airtel, and Orange dominate daily transactions, particularly in urban centres like Goma in North Kivu. In this context, SIM card swapping is a major digital organised fraud and extortion racket.
Goma residents told ENACT that hackers called or messaged unsuspecting victims with various offers. One of the most common is where people receive messages telling them they’ve won cash. The text will ask the recipient to respond to the message with the word ‘ok’, which will prompt the attackers’ systems to grant access to personal information.
Scammers also lure people with attractive employment opportunities that require only basic competency skills, such as being able to speak French or Swahili – which are commonly spoken.
One victim told ENACT that his Airtel SIM card had been swapped twice in three years. ‘The first time, the scammer, posing as an Airtel customer care agent, asked me to give them five numbers that I could call for free over the weekend. He then used those to swap my card and began demanding sums of money from my contacts, some as high as US$10 000.’
The second time, he noticed a mobile network failure – but realised this was another swap when some of his contacts called or texted him to verify his cash requests.
Weak regulation of and by street SIM card vendors, who operate on a small scale on behalf of telecommunications providers to market their SIM cards and other services, exacerbates the problem.
Fraudsters swap SIM cards through vendors under the pretext that their phone was stolen. To circumvent the need for identification, the perpetrator says their ID documents were taken too. Sympathetic vendors, further persuaded by the easy payment of 3 000 FC in a struggling economy, do the swap. The criminals avoid established telecommunication dealers who insist on customers producing identification.
The fraudsters then re-register the number on online messaging platforms such as WhatsApp and Telegram, and engage the victim’s contacts through chats and borrowing money. One victim said: ‘They even contacted my friends who are as far as Kenya, demanding money to offset my three months’ rent arrears. It was a narrow escape as [my friend] did not have cash on his mobile money app.’
Both the government and telecom operators have taken decisive steps to counter the threat. At the national level, the Autorité de Régulation de la Poste et des Télécommunications du Congo introduced stricter SIM registration requirements, mandating biometric identification such as fingerprints and photographs for all new SIM activations and replacements.
In Goma, where risk of fraud is heightened due to dense population and cross-border activity, local telecom providers have implemented multi-factor authentication methods. These range from PIN codes to ID verification and security questions to ensure only legitimate users can authorise SIM swaps. Companies like Vodacom have deployed fraud detection systems that monitor unusual activity, while tools like the ‘@first’ anti-fraud roaming system help secure international and cross-border mobile communications.
To bolster user protection, public awareness campaigns were launched across various media, including radio broadcasts, SMS alerts, and community engagement sessions, with a focus on educating people in rural and semi-urban areas about how to recognise phishing attempts and other forms of social engineering.
Telecom staff have received specialised training to identify suspicious behaviour and follow strict identity verification procedures before processing SIM replacements. Vodacom has been noted as the company with the most stringent security measures, making it impossible to register a user without an ID.
Still, significant challenges remain. Infrastructural constraints mean many service centres in Goma still lack essential biometric equipment. Weak enforcement mechanisms, often hampered by corruption and insider collusion, undermine security protocol effectiveness. Digital illiteracy and limited connectivity in remote areas also make it hard for users to understand and protect themselves against cyberthreats.
Public education campaigns in local languages like Swahili, Lingala and Kikongo focused specifically on SIM swapping would be an important step to help bridge the knowledge gap on this cybercrime in the DRC.
This would help consumers protect themselves – for example, by making them aware of the risks of responding to calls or messages announcing prizes without first checking with a registered dealer, or of fulfilling cash requests from friends before calling back to verify the person’s identity.
But the government also has a role to play. Implementing enforcement and accountability mechanisms to ensure that all SIM card vendors comply with the law and uphold security measures during SIM registration or swapping would help to strengthen regulation.
Keeping statistics on this form of cybercrime would enable the government to gauge the effectiveness of its current interventions, and determine if more targeted regulatory, accountability or criminal justice approaches are necessary.
Mugah Michael Sitawa (PhD), Researcher, Central Africa Observatory on Organised Crime and Violence Project, Institute for Security Studies, and Major Beautah Mwanza Suba, Kenya Defence Forces, Peace and Security Consultant
Image: Pexels/David Barber
