M-PESA Number Masking: How Safaricom is Ending Transactional Spam

In a massive win for digital rights, the High Court of Kenya has officially ruled that registered mobile phone numbers are not just communication tools—they are digital identifiers that constitute sensitive personal data. The landmark judgment places phone numbers in the same protected category as ID and passport numbers under Article 31 of the Constitution. This ruling has immediate, far-reaching implications for how telecommunication companies and businesses handle your information.

The court case was sparked by a petition that challenged the industry practice of reassigning dormant SIM cards to new users. The court found that recycling numbers without strict safeguards creates a “real and immediate risk” of privacy breaches, as new owners could gain access to the previous user’s mobile banking, M-PESA history, and social media accounts.

Telcos are now prohibited from automatically reallocating inactive numbers without the original owner’s verifiable consent. The Attorney General has been given six months to develop a robust regulatory framework that includes mandatory notifications and technical safeguards to ensure a “digital death” of the previous owner’s data before a number changes hands.

Coinciding with this legal shift, Safaricom has officially launched its data minimization feature for M-PESA. Designed to combat the rampant “harvesting” of phone numbers for spam and social engineering scams, the update ensures that your full 10-digit number is no longer visible in transaction notifications.

Instead, recipients of “Send Money” (P2P) transactions and SME merchants (Buy Goods/Paybill) will see a partially hidden format, such as 0722***000. Additionally, the sender’s name is now trimmed to just two identifiers. This move effectively breaks the link that scammers used to collect contact details from transaction alerts to launch cold-calling campaigns or fraudulent “reversal” requests.

For the average user, this means a significant reduction in unsolicited marketing messages and a higher level of security during everyday payments. However, for small businesses that rely on phone numbers to reconcile sales or follow up with customers, the change introduces a bit of “productive friction.”

If a merchant genuinely needs a sender’s full details—for instance, to resolve a payment dispute—Safaricom has introduced a consent-based lookup system. By forwarding the transaction SMS to 334, a request is sent to the original sender. The sender then has a window to either approve or decline the sharing of their full name and number, keeping the power of data disclosure firmly in the hands of the user.

This double-layered shift—judicial recognition and corporate technical implementation—signals that Kenya is moving toward a “Privacy by Design” ecosystem. While the convenience of M-PESA remains, the “hidden trade-off” of exposing your identity with every cup of coffee or bus fare is finally coming to an end. As Safaricom looks to extend this masking to bank-to-M-PESA transfers by the end of the year, your phone number is evolving from a public-facing label to a secure, private backend credential.