The verdict in three sentences
Mobile money fraud in Senegal and Côte d'Ivoire is almost never a stolen card: it is social engineering (fake confirmation SMS, fake screenshot, reversal scam). Rule number one: never validate an order on a screenshot, only on an operator-confirmed webhook. With 6 simple controls, an observed fraud rate drops from 1.5% and above to 0.2-0.7%.
The 6 essential anti-fraud rules
| Rule | What it blocks | Expected effect |
|---|---|---|
| 1. Confirm via signed webhook | Fake payment screenshot | Removes ~80% of fake payments |
| 2. Lock out after 3 PIN failures | Wallet brute force | Reduces PIN testing |
| 3. Velocity check (>5 attempts/10 min) | Bot / mobile carding | Cuts bursts |
| 4. Unusual amount alert | Large-basket hijack | Targeted manual review |
| 5. Verify number == payer account | Reversal / impersonation | Payer consistency |
| 6. Grey-list repeat IP/device | Multi-account recidivism | Blocks serial fraudsters |
These rules stack: none is enough alone, but together they form a low-cost safety net.
Webhook vs screenshot: the golden rule
| Validation method | Forgeable? | Use it? |
|---|---|---|
| Screenshot sent by the customer | Yes, trivially | NEVER |
| "Operator" SMS forwarded | Yes (fake SMS) | NEVER |
| Signed operator webhook -> server | No (verified signature) | ALWAYS |
| Status verification API call | No | YES (as a complement) |
The classic reversal scam: the fraudster pays, you ship, then he "cancels"/disputes the transfer. Countermeasure: ship only on final status confirmed by webhook, never on a pending status.
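A server-side gate for the golden rule and the reversal countermeasure, as an added example (not code from Kolonell or from any operator). The signature scheme, field names, status values and sample events are assumptions; use the header and format your operator documents.

```python
import hashlib
import hmac
import json
import time

# Assumed scheme (not any operator's documented format): the signature is
# hex HMAC-SHA256(secret, "<timestamp>.<raw body>"). Field names and status
# values below are hypothetical.
FINAL_STATUSES = {"succeeded"}
MAX_AGE_SECONDS = 300


def sign(secret: bytes, timestamp: str, raw_body: bytes) -> str:
    msg = timestamp.encode() + b"." + raw_body
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def should_ship(secret, timestamp, signature, raw_body, expected_amount,
                shipped_ids, now=None):
    """Return (ship, reason); ship only on an authentic, fresh, final event."""
    now = time.time() if now is None else now
    # 1. Authenticity: MAC over the raw bytes, constant-time comparison.
    expected = sign(secret, timestamp, raw_body)
    if not hmac.compare_digest(expected.encode(), signature.encode()):
        return False, "bad_signature"
    # 2. Freshness: a captured event replayed later is rejected.
    if not timestamp.isdecimal() or abs(now - int(timestamp)) > MAX_AGE_SECONDS:
        return False, "stale"
    event = json.loads(raw_body)
    # 3. Reversal-scam guard: "pending" is not a payment.
    if event.get("status") not in FINAL_STATUSES:
        return False, "not_final"
    # 4. The paid amount must match the order total stored server-side.
    if event.get("amount") != expected_amount:
        return False, "amount_mismatch"
    # 5. Idempotency: one shipment per transaction id.
    tx_id = event.get("id")
    if tx_id is None or tx_id in shipped_ids:
        return False, "duplicate"
    shipped_ids.add(tx_id)
    return True, "ok"


# Constructed sample data, not real operator traffic.
SECRET = b"constructed-test-secret"
NOW = 1_700_000_000
PAID = json.dumps({"id": "tx-1001", "status": "succeeded", "amount": 25000}).encode()
PENDING = json.dumps({"id": "tx-1002", "status": "pending", "amount": 25000}).encode()
```

Verify the signature over the raw request bytes before parsing the JSON, and keep `shipped_ids` in durable storage rather than in memory.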
Quantified impact of controls
| Scenario | Observed fraud rate | Losses per 10M FCFA of sales |
|---|---|---|
| No control (screenshot) | 1.5% to 3% | 150,000 - 300,000 FCFA |
| Webhook only | ~0.8% | ~80,000 FCFA |
| Webhook + velocity + PIN lockout | 0.4% | ~40,000 FCFA |
| Full stack (6 rules) | 0.2% to 0.7% | 20,000 - 70,000 FCFA |
Moving from screenshot to webhook alone halves fraud or more.
Mini case study
Moussa, who runs a phone shop in Dakar, validated orders on Wave screenshots. On 8,000,000 FCFA of sales/month, he lost about 2% to fake payments, i.e. 160,000 FCFA/month. After switching to signed webhooks + velocity check + lockout after 3 PIN failures, his rate fell to 0.5%, i.e. 40,000 FCFA/month. Net gain: 120,000 FCFA/month, for a one-time setup.
FAQ
Why never trust a payment screenshot?
A screenshot is trivially forgeable (edits, fake SMS). Only an operator-signed webhook, verified server-side, proves a payment actually succeeded.
What is a reversal scam?
The fraudster pays then has the transfer cancelled or disputed after delivery. The countermeasure: ship only on confirmed final status, never on a "pending" status.
What is a velocity check for?
It blocks automated bursts: for example more than 5 payment attempts in 10 minutes from the same device or IP. This cuts bots and carding.
What fraud rate is realistic with controls?
2026 ballpark: 0.2 to 0.7% with a full stack, versus 1.5% and above with no control. The webhook alone already halves the rate.
Is mobile money subject to PCI-DSS?
No, PCI-DSS is a card standard. Mobile money falls under BCEAO compliance and its own anti-fraud rules, not PCI.
Let's talk about your project. We integrate Wave/Orange Money payments validated only by signed webhook, with velocity checks and anti-fraud rules. WhatsApp +221 77 596 93 33.
Mohamed Bah
Founder, Kolonell
Passionate about digital and entrepreneurship in Africa, Mohamed has been helping Senegalese businesses with their digital transformation since 2020. Founder of Kolonell, he believes every SME deserves a professional and accessible online presence.
