It started with a voice note circulating on WhatsApp warning people not to use EcoCash, and especially not to keep money in their wallets, because the service “had been hacked.”
In the audio, a woman claims she woke up to find money transferred out of her EcoCash wallet without her authorisation. She says EcoCash advised her to open a police report, and that police officers told her they had handled thousands of similar cases.
It was a massive claim: that EcoCash had been hacked and that thousands of wallets were being drained. Unsurprisingly, the message spread fast. And then many other people added that they, too, had had their wallets drained.
The fear and confusion that followed forced Econet to issue a public response insisting that EcoCash remains “safe, secure and convenient”, while warning customers not to share their PINs or one-time passwords (OTPs).
So what is actually going on?
No Evidence of a System Hack, but People ARE Losing Money
We asked Econet/EcoCash directly, and they said they were not hacked: “The EcoCash platform was absolutely NOT hacked.”
However, that does not mean customers are imagining their losses or lying about what happened. People are genuinely losing money. The main issue is how they are losing it.
There are plenty of scammers doing their thing right now. In some of the scams, they trick people into handing over the information needed to take full control of their EcoCash wallets.
How the Scam Works
Scammers are setting up fake websites and promotions, advertising deals that are, as with most scams, simply too good to be true. Some of the examples shared with us by Econet include:
- Extremely cheap data bundles, many using Starlink’s name
- Instant loans claiming to be EcoCash loan products, such as Kashagi

Some of these websites use Econet branding and claim to be “Powered by Econet”, offering deals like 15GB for under US$1 or unlimited data for around US$4. Others promise instant loans ranging from US$50 to US$5,000, claiming that everyone automatically qualifies.
To access these offers, users are asked to:
- Enter their mobile number
- Enter their EcoCash PIN
- Enter a one-time password (OTP) sent to their phone

At that point, the scam is complete. They have everything they need to send money, cash out or pay for stuff using your account.
A scenario to explain what’s happening here
So in this case, the scammers are not really “hacking EcoCash,” they’re hacking people. Here’s a simple way to think about it.
Imagine you and ten other people all work at the same salon or barbershop. Each of you has your own chair, and each of you has a small cabinet where you lock up your combs, hair food, chemicals, clippers, and all your stuff at the end of the day.
Now, imagine someone approaches you selling hair gel at a very low price. To make the delivery easier, you give them the keys to the salon and the keys to your cabinet.
Instead of delivering the gel, they open your cabinet and steal everything inside.
You can’t then go to the other people in the building and say, “This place isn’t secure, thieves are breaking into cabinets.” The problem wasn’t the building. The problem is that you gave someone the keys.
In this analogy, EcoCash is the building.
Your EcoCash wallet is your cabinet.
And giving out your PIN and OTP is handing over the keys.
Why the OTP Matters So Much
An OTP is just some random numbers sent to the phone number registered on an EcoCash account.
That OTP is sent to your phone to prove you have the SIM card.
When you give someone that OTP, EcoCash thinks:
“This person has the SIM. This must be the account owner.”
So now the scammer can log into your EcoCash and move the money or cash out.
That’s how wallets are being taken over. And this is why sharing an OTP is so dangerous.
As Econet explained, once a customer submits their mobile number and PIN on a fake site, the scammer attempts to register or log into the EcoCash app using those details. EcoCash then sends an OTP to confirm access to the phone number. When the customer is tricked into sharing that OTP as well, full control of the wallet is handed over.
From there, funds can be transferred out and withdrawn very quickly.
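The takeover described above leaves a recognisable trail on the provider's side: a new device is verified with PIN and OTP, and money leaves from that device minutes later. As an added illustration (not code from Econet, EcoCash or this article), here is a sketch of how a provider could flag that pattern; the event names, log layout and 30-minute window are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample events (time, wallet, event, device). The field layout
# and event names are assumptions, not EcoCash's real log format.
EVENTS = [
    ("2025-01-10 08:00", "wallet-001", "login", "dev-A"),
    ("2025-01-10 08:05", "wallet-001", "merchant_payment", "dev-A"),
    ("2025-01-10 09:00", "wallet-002", "otp_verified_new_device", "dev-X"),
    ("2025-01-10 09:03", "wallet-002", "transfer_out", "dev-X"),
    ("2025-01-10 09:04", "wallet-002", "cash_out", "dev-X"),
    ("2025-01-10 10:00", "wallet-003", "otp_verified_new_device", "dev-B"),
    ("2025-01-11 12:00", "wallet-003", "transfer_out", "dev-B"),
]

MONEY_OUT = {"transfer_out", "cash_out"}


def flag_takeovers(events, window=timedelta(minutes=30)):
    """Return {wallet: [(time, event), ...]} for money leaving from a device
    that was verified with PIN + OTP no more than `window` earlier."""
    registered = {}  # (wallet, device) -> time the device was verified
    flagged = {}
    # Timestamps are in YYYY-MM-DD HH:MM form, so sorting the tuples
    # puts the events in chronological order.
    for ts, wallet, kind, device in sorted(events):
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M")
        if kind == "otp_verified_new_device":
            registered[(wallet, device)] = when
        elif kind in MONEY_OUT:
            verified_at = registered.get((wallet, device))
            if verified_at is not None and when - verified_at <= window:
                flagged.setdefault(wallet, []).append((ts, kind))
    return flagged


if __name__ == "__main__":
    for wallet, hits in flag_takeovers(EVENTS).items():
        print(wallet, "needs review:", hits)
```

A wallet flagged this way could have its outgoing transfers held until the owner confirms them through a channel the new device does not control.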
Why “Don’t Share Your PIN or OTP” Is Not Enough

EcoCash has repeatedly warned customers never to share their PIN or OTP. While this advice is correct, it assumes people have some basic understanding of these things, which obviously many do not, if they’re falling for these scams.
The problem is that EcoCash legitimately asks for your PIN in some situations, including:
- When paying in supermarkets or shops
- When paying merchants, paying for stuff like airtime, Nyaradzo or ZESA
- When using the official EcoCash app

To many users, seeing EcoCash branding and being asked for a PIN does not raise any suspicion. The difference between a legitimate payment prompt and a fake website requesting login details is not always obvious, especially for users who are still learning how smartphones and the internet work.
This is why some people may be better off sticking to *151# instead of trying to identify fake websites or verify whether an app is genuine.
How to Stay Safe
There are two simple rules that can help clear things up, and I’m talking to regular EcoCash users here, not merchants or business accounts.
1. EcoCash never asks for your PIN or OTP on a website
If you open something in a browser and can see any website address (for example, ending in .com, .net, .co.zw or .app), close it immediately. That is not EcoCash.

2. An OTP is for logging in, not for buying things
When paying for goods or services, you should never be asked for an OTP. So, whatever you’re trying to pay for, whether it’s data bundles or Starlink or some physical thing, the message that pops up on your phone should only tell you what you’re about to pay for, and then ask for your PIN.
If anything asks for an OTP, stop and find someone you trust who has a better understanding of these things. Or better yet, get in touch with EcoCash directly.
In legitimate shop payments, the merchant sends a payment request to your phone, and you enter your PIN on your device. You do not type your PIN into a website or share it with anyone.
In all this, the chances that you are trying to log into your account are low, so this rule will keep you safe: If something asks for an OTP, stop and ask EcoCash.
What EcoCash and Econet Say They Are Doing
Econet has been running awareness campaigns warning customers not to enter their details on unverified sites or share PINs and OTPs over WhatsApp, SMS or phone calls.
The company has also shared examples of scam websites with us and says it is working on ways to flag or blacklist such links on its network.
EcoCash has also issued a more detailed public warning acknowledging the scams, explaining how they work, and reminding customers that they should never share their security details.
The Bigger Issue
This situation shows us where the real problem is. Almost everyone in Zimbabwe uses mobile money, but many users still have a limited understanding of how the internet, websites and apps work.
Security messages that rely on users recognising fake websites, inspecting URLs or understanding how apps work may not help in a market where smartphones are often shared, where people still hand over their phones to strangers so that they can install WhatsApp or ShareIt for them, and other stuff like that.
So, the scale of these scams makes one wonder about what’s needed to protect users who are not yet ready to be on the internet safely.
We will be digging into just how widespread this whole scam thing is over the next few weeks and months because we now understand it’s much bigger than we realised.
For now, the safest advice remains simple. If an offer looks too good to be true, asks for your PIN or OTP, or directs you to a website, stop. When in doubt, use *151#, ask someone you trust, or contact EcoCash directly before proceeding.
Too good to be true
Do note that most of these kinds of scams would not succeed if we were all a little more sceptical. The excitement of finding what you think is a good deal clouds your judgment. And if you don’t know how much something should cost, then you should not be ashamed to ask someone to verify that the price range is reasonable.
Like, if I saw a sewing machine going for $200, I would have no idea if it’s overpriced or so much lower than it should be, so I would not be suspicious of anything. But if I saw a loaf of bread going for 5 cents, I would pretty much tell everyone not to buy, even if I hadn’t tested it out myself. Because I know that bread should cost more than that and so it’s too good to be true.
That’s exactly what happens with offers for unlimited data for $3.99 for a whole month. Someone who knows how much it should cost will tell you to run, even if they haven’t seen where or who you got the offer from.
So, there might be safety in numbers. Before getting any good deal on the internet, ask someone you trust what they think about it. Now back to EcoCash.







Comments
3 responses
I would not advise people to have those eye-popping balances in the bank accounts or wallets used for everyday banking. Those wallets and accounts with fantastic balances should never be used for day-to-day transactions such as grocery shopping or buying airtime.
Reserve separate and independent accounts and wallets for those huge amounts of cash.
Wallets for day-to-day transactions, if you can set a rule for like maximum daily purchases or maximum amount for a purchase; do by all means set those limits. The total amount in these accounts or wallets should never be such as to put you into huge financial or mental distress if scammed.
Keep safe.
There is no antidote for stupidity. Ecocash could stand on the tallest mountain and shout as loud as they can, it will not help.
Ecocash and Econet are at fault.
Their Ecocash App platform and Virtual MasterCards are being used by hackers to carry out the phishing attacks.
The Ecocash platform has been compromised.
Vulnerabilities
1) The scammers have access to personal details, numbers and wallet balances (how else would they know you’re on Ecocash and have money in your wallet?)
2) The scammers are using the PINs and OTPs remotely. (A serious Ecocash system vulnerability)
3) Econet failing to identify or break the ring of scammers
4) Econet’s Virtual MasterCards – if I am a scammer and can command the Econet platform remotely I can open a Virtual Card and withdraw from the Ecocash platform.
5) Phishing messages being sent via Econet’s SMS platform
Econet’s team is overlooking the fatal vulnerabilities and blaming victims for not being careful against organized crime.