The verdict in three sentences
A SIM swap hijacks your phone number so that the attacker receives your OTP codes and empties your mobile money balance. Protection is not a single setting but a chain: a wallet PIN distinct from your SIM code, a SIM-change alert, and dual approval for large withdrawals. For a merchant account moving several million FCFA per month, the cost of one incident far exceeds the cost of prevention.
How the attack works, step by step
The fraudster first collects your data (number, name, sometimes ID via phishing), then impersonates you to the operator to obtain a new SIM card. Once the SIM is active, your phone loses the network and every OTP arrives at the attacker's device. Within minutes, they reset the wallet PIN and start withdrawals.
| Step | Fraudster action | Victim-side signal | Reaction window |
|---|---|---|---|
| 1. Collection | Phishing, data leak, social engineering | None | Days/weeks |
| 2. SIM request | Fake documents at the operator | None | Hours |
| 3. SIM activation | New SIM takes the network | Total loss of signal | 5-30 minutes |
| 4. PIN reset | Hijacked OTPs received | Unsolicited reset SMS | 2-10 minutes |
| 5. Withdrawals | Balance and limits drained | Debit notifications | Immediate |
The critical point is step 3: a sudden, prolonged loss of network with no reason is warning sign number one. In a market where outages are common, many victims ignore it until the debit lands.
The protections that truly cut the risk
Not all measures are equal. Here is their estimated effectiveness and cost for a merchant in 2026.
| Protection | Cost | Effort | Risk reduction (estimate) |
|---|---|---|---|
| Wallet PIN distinct from SIM code | 0 FCFA | 5 min | High |
| SMS/email SIM-change alert | 0 FCFA (often free) | 10 min | High |
| Dual approval on withdrawals > 500,000 FCFA | 0 FCFA (setting) | 15 min | Very high |
| Dedicated, non-public merchant number | 0 FCFA | 1 h | Medium |
| Lowered daily withdrawal limit | 0 FCFA | 10 min | Medium-high |
| Verified merchant account (full KYC) | Variable | 24 h-5 d | Medium |
| Second signer for large amounts | Organization | Ongoing | Very high |
The most cost-effective combination: distinct PIN + SIM-change alert + dual approval above 500,000 FCFA. These three measures cost zero francs and block most automated attack scenarios.
Mini case study
Awa, who runs a cosmetics shop in Dakar, collects about 4,500,000 FCFA/month on her merchant wallet. One Sunday, her phone loses the network for 40 minutes. Because she had enabled the email SIM-change alert, she gets a notification on her computer, calls the operator immediately and has the account suspended. The fraudster had already attempted an 800,000 FCFA withdrawal, blocked by the dual approval she had set above 500,000 FCFA. Cost of the incident: 0 FCFA instead of a potential 1-2 million loss. The only investment: 25 minutes of setup a month earlier.
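The controls from the case study expressed as a withdrawal policy check, as an added example that is not code from this article or from Kolonell. The `Wallet` class, its method names, the 1,000,000 FCFA daily limit and the freeze-on-alert hook are assumptions made for illustration; only the 500,000 FCFA threshold and the sequence of events come from the text.

```python
from dataclasses import dataclass, field

DUAL_APPROVAL_THRESHOLD = 500_000   # FCFA, threshold used in the article
DAILY_LIMIT = 1_000_000             # FCFA, constructed value for this example


@dataclass
class Wallet:
    owner: str
    signers: set                      # identities allowed to approve withdrawals
    withdrawn_today: int = 0
    suspended: bool = False           # set when a SIM-change alert fires
    alerts: list = field(default_factory=list)

    def on_sim_change_alert(self, channel: str) -> None:
        """Assumed hook: the operator's alert freezes the wallet until reviewed."""
        self.suspended = True
        self.alerts.append(f"SIM change reported via {channel}")

    def request_withdrawal(self, amount: int, approvals: set) -> str:
        """Return 'approved', 'pending_second_approval' or 'rejected:<reason>'."""
        if amount <= 0:
            return "rejected:invalid_amount"
        if self.suspended:
            return "rejected:account_suspended"
        valid = approvals & self.signers      # ignore approvals from non-signers
        if not valid:
            return "rejected:no_valid_approval"
        if self.withdrawn_today + amount > DAILY_LIMIT:
            return "rejected:daily_limit"
        if amount > DUAL_APPROVAL_THRESHOLD and len(valid) < 2:
            return "pending_second_approval"  # money does not move yet
        self.withdrawn_today += amount
        return "approved"


def replay_case_study() -> list:
    """Constructed replay of the mini case study's sequence of events."""
    w = Wallet(owner="awa", signers={"awa", "second_signer"})
    results = []
    # Everyday payout below the threshold: one approval is enough.
    results.append(w.request_withdrawal(80_000, {"awa"}))
    # Whoever controls the hijacked number holds one identity only.
    results.append(w.request_withdrawal(800_000, {"awa"}))
    # The email alert arrives and the wallet is frozen.
    w.on_sim_change_alert("email")
    results.append(w.request_withdrawal(100_000, {"awa"}))
    return results
```

The daily limit check complements the dual-approval rule, which on its own does not cover a series of withdrawals that each stay below the threshold.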
FAQ
How do I know I'm being SIM swapped? The main sign is a sudden, lasting loss of network (more than 15-20 minutes) with no general outage in your area, followed by reset SMS messages you didn't request. Check with the operator at once.
What should I do in the first minutes? Call the operator from another phone to block the SIM and wallet, then change your credentials. Every minute counts: withdrawals often happen within 10 minutes of activation.
Does dual approval slow down my sales? No, if you limit it to large amounts (above 500,000 FCFA). Everyday customer collections, usually below 100,000 FCFA, are not affected.
What is the average loss in a fraud case? In 2026, the observed order of magnitude runs from 200,000 to 2,000,000 FCFA per case, depending on the available balance and account limits at the time of the attack.
Is a verified merchant account safer? It offers better control tools (alerts, multi-user, history) but does not replace good practice. KYC verification is one layer among others, not an absolute guarantee.
Let's talk about your project. We build secure mobile money payments, alerts and dual approval directly into your site or app. WhatsApp +221 77 596 93 33.
Mohamed Bah
Founder, Kolonell
Passionate about digital and entrepreneurship in Africa, Mohamed has been helping Senegalese businesses with their digital transformation since 2020. Founder of Kolonell, he believes every SME deserves a professional and accessible online presence.
