PINched: Inside Ghana’s Mobile Money Fraud Economy and the Legal Fight Back

A Wallet and a Trap
Mobile money services have revolutionised financial inclusion in Ghana. From the commercial enclaves of Kumasi to the fishing communities in Elmina, mobile wallets have become indispensable for transactions ranging from utility payments and remittances to small-scale trade. But with this innovation has emerged an evolving threat—fraud. In particular, social engineering-driven mobile money fraud has grown both in sophistication and scale, raising important questions about user protection, legal remedies, and institutional accountability. This article examines the full lifecycle of mobile money fraud in Ghana, dissecting its modus operandi while balancing the narrative with Ghana’s legal and regulatory frameworks.
Stage One – How Fraudsters Build Their Target Lists
Mobile money fraud typically follows a structured path comprising data harvesting, psychological manipulation, and the eventual takeover of a victim’s account. The initial stage is often inconspicuous. Fraudsters begin by building data profiles, sometimes through random dialling and cold calls. In other cases, public information such as names and numbers harvested from social media platforms, WhatsApp groups, and business advertisements forms the raw data pool. These tactics, while seemingly trivial, set the stage for precision attacks.
More alarmingly, insider threats have become a major vector for mobile money fraud. Rogue mobile money agents or employees in urban centres are sometimes reported to sell verified user data to organised networks. Using enhanced technologies and backend plugins, fraudsters register merchant aliases that carry low KYC (Know Your Customer) requirements and closely resemble legitimate businesses, thereby masking fraudulent prompts as ordinary transactions. One such name that recently surfaced was “PAY Baatsona Shell”—a fake merchant profile disguised as a familiar fuel station.
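A provider-side check against the lookalike aliases described above, as an added example that is not part of the original article or any operator's code: it flags a requested merchant alias that resembles an already verified merchant so the registration can be held for enhanced KYC. The registry contents, filler-word list, substitution table, threshold and function names are assumptions made for illustration.

```python
import difflib
import re
import unicodedata

# Constructed sample registry of verified merchants (hypothetical data).
VERIFIED_MERCHANTS = ["Baatsona Shell", "Kasoa Pharmacy", "Elmina Cold Store"]

# Words added around a real business name to make an alias read like a prompt.
FILLER = {"pay", "payment", "to", "ltd", "limited", "gh", "ghana", "ent"}

# Digit and symbol swaps used to get past exact-match name checks.
LOOKALIKES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s",
                            "@": "a", "$": "s"})


def normalise(name: str) -> str:
    """Lower-case, strip accents and punctuation, undo swaps, drop filler."""
    text = unicodedata.normalize("NFKD", name)
    text = "".join(c for c in text if not unicodedata.combining(c))
    text = text.lower().translate(LOOKALIKES)
    tokens = re.findall(r"[a-z]+", text)
    return " ".join(t for t in tokens if t not in FILLER)


def review_alias(alias: str, threshold: float = 0.85):
    """Return (decision, matched_merchant, score) for a requested alias.

    Intended for new low-KYC alias requests from applicants who are not the
    verified owner of the matched merchant (assumption of this example).
    """
    candidate = normalise(alias)
    best_name, best_score = None, 0.0
    for merchant in VERIFIED_MERCHANTS:
        score = difflib.SequenceMatcher(
            None, candidate, normalise(merchant)).ratio()
        if score > best_score:
            best_name, best_score = merchant, score
    if best_score >= threshold:
        return ("hold_for_enhanced_kyc", best_name, round(best_score, 2))
    return ("allow", None, round(best_score, 2))


if __name__ == "__main__":
    for requested in ["PAY Baatsona Shell", "Baats0na She11 Ltd",
                      "Tamale Hardware"]:
        print(requested, "->", review_alias(requested))
```

The threshold trades false holds against missed lookalikes and would need tuning against a real merchant registry.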
Stage Two – The Psychology of the Scam
Armed with data, the fraudsters deploy the second phase: psychological manipulation or social engineering. This is where fraud becomes less about technology and more about human behaviour. For example, a trader in Kasoa may receive a call from someone posing as a telco representative warning of impending account suspension. Urged to act fast, the victim is tricked into sharing an OTP or approving a USSD prompt. In another case, a school teacher in Ho might receive a fabricated message from a supposed relative requesting urgent money. The emotional appeal then overpowers caution.
Stage Three – Prompting Fraud, Draining Accounts
The final stage is the attack proper. In one scenario, a fraudster exploits OTP disclosure to reset a victim’s mobile money PIN, then swiftly drains the account. In another, the fraudster only has the victim’s number but sends a merchant-style prompt requesting payment. If the victim authorises the transaction—confused or distracted—the money is gone. These scams often rely on the lack of contextual information provided in transaction prompts. Vague descriptions such as “XYZ Merchant requests GHS 220” offer little clarity, making it easier for users to authorise malicious transactions.
A March 2024 report by the GSMA on Fraud Typologies and Mitigations highlights that account takeover (ATO) frauds now constitute one of the fastest-growing threats to mobile network operators and fintech platforms. The report indicates that social engineering and subscription fraud tactics—especially those involving impersonation or unauthorised prompt authorisations—are responsible for a significant percentage of global mobile wallet losses. With mobile money penetration exceeding 55% across sub-Saharan Africa, the scale of potential victimhood is vast. In Ghana, anecdotal evidence and operator-level data suggest that at least 8 in 10 reported fraud complaints in 2023 were linked to some form of prompt manipulation or OTP compromise.
Legal Breaches and Systemic Gaps
What makes these fraud schemes legally significant is that they intersect with multiple breaches of Ghanaian law. The Electronic Transactions Act, 2008 (Act 772) criminalises unauthorised access (Section 115), electronic fraud (Section 121), and unlawful interception (Section 117). These apply squarely to fraudsters who harvest, manipulate, or intercept data to compromise mobile wallets. Moreover, service providers who fail to protect user data may be in breach of Section 43 of the same Act, which mandates the protection of personal data against unauthorised access or disclosure, similar to the Section 28 data security safeguard provisions under the Data Protection Act, 2012 (Act 843).
Complementing this is Section 44 of the Payment Systems and Services Act, 2019 (Act 987), which outlines principles of consumer protection. These include data confidentiality, transparency in service provision, and effective dispute resolution mechanisms. Any telco or fintech entity that allows fraudulent prompts to be transmitted without sufficient authentication mechanisms may be falling short of its statutory obligations.
Case law in Ghana has yet to fully evolve in this area, but comparative analysis suggests that courts are likely to adopt a hybrid approach, balancing consumer due diligence with service provider responsibilities. While users are expected to exercise reasonable caution, service providers bear a heightened duty of care given their technological advantage and control over platforms. A legal regime that considers shared responsibility would offer a balanced framework for redress.
Who Bears the Risk? Balancing User Duty and Provider Accountability
Regulatory bodies like the Fintech and Innovation Office of the Bank of Ghana and the Data Protection Commission also play a central role. Yet enforcement remains fragmented. The lack of a real-time fraud intelligence exchange between banks, telcos, fintechs and law enforcement undermines systemic prevention. A national fraud registry and cross-sector alert system could significantly reduce repeat offences.
To strengthen legal protection and public awareness, mobile money interfaces must evolve. Prompts should include merchant verification indicators, transaction purpose, and biometric confirmation options. Legal mandates may be necessary to compel providers to meet such standards and to emphasise consumer rights to accurate service information—an area where implementation has been weak.
Conclusion
Public education is vital: legal literacy campaigns must explain not just how fraud occurs but what rights consumers have under Ghanaian law. For example, a user who unknowingly authorises a fraudulent transaction under coercion may have a basis to sue for restitution if negligence can be shown on the part of the provider. Community forums, church announcements, and local radio broadcasts in languages like Twi, Ga, Ewe, and Dagbani can deliver these lessons effectively.
Ultimately, tackling mobile money fraud in Ghana requires a multi-dimensional approach: legal reform, technological safeguards, regulatory alignment, and cultural education. Fraud may begin in the shadows of data harvesting and deception, but it thrives where systems are opaque and users uninformed. By embedding legal accountability into technological innovation, Ghana can protect its mobile money future while building user trust.
In the fight against mobile money fraud, it is not enough to warn people to “be careful.” They must be empowered—legally and technologically—to defend their rights, understand their remedies, and trust the platforms they depend on. The law is not just a shield after harm—it must be a fence that prevents it.