Cyber phishing threatens privacy


In an increasingly digital Kenya, cyber phishing has emerged as one of the fastest-growing threats to individual privacy and national data security. 

As more Kenyans embrace online platforms for banking, communication, and commerce, cybercriminals have found new avenues to exploit unsuspecting users—particularly through fraudulent links shared via email, SMS, WhatsApp, and social media.

Phishing is the deceptive practice of tricking individuals into revealing personal or financial information by impersonating legitimate institutions.

Victims are often lured into clicking on what appear to be harmless links, only to be redirected to fake websites designed to harvest sensitive data such as passwords, identification numbers, and mobile money PINs.

Once this information is captured, it may be used to commit identity theft, drain bank accounts, or perpetrate fraud across multiple platforms.

In more advanced cases, clicking such links can install malware that grants criminals remote access to devices—resulting in massive data breaches and long-term exposure of personal information.

Phishing is not just a digital nuisance; it is a crime under Kenyan law.

The Computer Misuse and Cybercrimes Act, 2018 expressly criminalises phishing under Section 17, prescribing penalties that include fines of up to Sh5 million, imprisonment for up to 3 years, or both.

The Act also addresses unauthorised access, system interference, and identity theft, all of which are typically associated with phishing activities.

Moreover, cyber phishing infringes on Article 31 of the Constitution of Kenya, which guarantees every person the right to privacy—including the right not to have personal information unnecessarily required, revealed, or misused.

When a phishing attack results in the unlawful access or disclosure of personal data, the constitutional right to privacy is directly violated.

The Data Protection Act 2019 reinforces these protections by outlining the responsibilities of entities that collect and process personal data.

It mandates strict safeguards against unauthorised access and imposes compliance obligations on public and private entities.

In the event of a breach, affected individuals have the right to seek legal redress or report the incident to the Office of the Data Protection Commissioner.

Kenyans must remain vigilant. It is critical to avoid clicking on unfamiliar or suspicious links, especially those originating from foreign domains. Always verify the source of any message requesting personal data or login credentials.

Equally, institutions must invest in cybersecurity awareness, data encryption, and incident response protocols to protect both themselves and their clients.

Cybercrime is evolving rapidly, but so is our legal framework. The law is clear: phishing is a punishable offence. And while technology may be the battleground, the ultimate defence lies in public awareness, personal caution, and institutional accountability.

The writer is an Advocate of the High Court of Kenya and the Managing Partner at Susan Mute & Company Advocates
 
