Imagine this: You're sitting in a daladala on your way home from work. Your phone buzzes. It's a message from "M-Pesa" saying your account has been locked and you need to "verify your details immediately" by clicking a link. You're tired, it's been a long day, and the message sounds urgent so you click.
That click could cost you everything in your account.
This is not a made-up story. It is happening every single day in Dar es Salaam, in Nairobi, in Kampala, to real people just like you and me. According to a World Bank survey, Tanzania ranks as the most exposed country in Sub-Saharan Africa for mobile phone fraud, with more than half of all users reporting they have received scam messages. Kenya comes in at number two, with 49% of phone owners targeted.
These attacks have a name: phishing (pronounced "fishing") because, just like fishing, the criminals throw out a hook and wait for someone to bite.
The good news? Once you know what to look for, you can always spot the hook before it catches you.
What Even Is Phishing?
Think of phishing like a thief disguised as a postman. The thief knocks on your door wearing a uniform and holding a package that looks real. But once you open the door and hand over your ID, they disappear with your identity.
Online, phishing works the same way. Cybercriminals pretend to be reputable companies, friends, or acquaintances in fake messages that contain links to websites designed to steal your personal information like passwords, bank PINs, and M-Pesa credentials.
These fake messages can arrive via:
- SMS/WhatsApp: the most common route in East Africa
- Email: especially targeting workers and business owners
- Social media: Facebook, Instagram, TikTok DMs
- Phone calls: where someone pretends to be from your bank or telco
And the stakes are massive. Mobile money social engineering attacks, including phishing, cost Africa $1.5 billion in fraud losses in 2022 alone, across countries including Tanzania, Kenya, Uganda, and Rwanda. More recently, INTERPOL's Operation Serengeti in 2025 dismantled over 11,000 malicious digital systems and arrested 1,209 suspects across 18 African countries, including Tanzania. The criminals are organised. But so can you be.
The 7 Red Flags of a Phishing Link
Red Flag #1: The Message Is Screaming "URGENT!"
Picture Mama Aisha. She gets a message: "Your Airtel account will be DELETED in 2 hours unless you verify NOW!"
She panics. She clicks. She loses money.
This is the oldest trick in the phishing playbook. Criminals create artificial urgency to bypass your critical thinking because the more panicked you are, the less likely you are to stop and question things. Legitimate companies like your bank or M-Pesa will never demand you act within hours or face permanent consequences through a text message.
The rule: When a message makes you feel panicked, slow down. That panic is the weapon. The moment you pause, you've already won half the battle.
Red Flag #2: The Link Looks "Almost Right" - But Not Quite
This is where it gets tricky, and where most people fall. Scammers are clever enough to create website addresses that look almost identical to the real thing. Let's play a game. Can you spot the fake?
- www.vodacom.co.tz (Real)
- www.vodacom-verify.co.tz (Fake)
- www.nbc.co.tz (Real)
- www.nbc-bank-secure.com (Fake)
In early 2025, scammers ran a campaign imitating Microsoft Teams using the domain micros0ft-teams.net, replacing the letter "o" with the number "0", and successfully tricked many users into entering their login credentials. One character difference. That's all it takes.
What to look for:
- Extra words added: nbcbank-secure-login.com
- Numbers replacing letters: m0biteI.co.tz
- Wrong domain endings: .com instead of .co.tz
- Hyphens where there should be none: equity-bank.co.tz
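For readers who want to automate these checks, here is an added example (not part of the original article) that applies the patterns above to the article's own sample links. The allowlist and the function name `check_link` are assumptions for illustration; `microsoft.com` is assumed as the real domain behind the `micros0ft-teams.net` lookalike.

```python
from urllib.parse import urlsplit

# Assumed allowlist of official domains (illustrative, not a complete list).
OFFICIAL = {"vodacom.co.tz", "nbc.co.tz", "microsoft.com"}
# Undo common digit-for-letter swaps such as "0" standing in for "o".
DIGIT_SWAPS = str.maketrans("0135", "oles")


def check_link(url):
    """Return (verdict, reasons); verdict is official, lookalike or unknown."""
    host = (urlsplit(url if "//" in url else "//" + url).hostname or "").lower()
    host = host.removeprefix("www.")
    # Exact match or a true subdomain of an official domain.
    if any(host == d or host.endswith("." + d) for d in OFFICIAL):
        return "official", []
    no_hyphens = host.replace("-", "")
    squashed = no_hyphens.translate(DIGIT_SWAPS)
    for domain in sorted(OFFICIAL):
        brand, _, ending = domain.partition(".")
        if brand not in squashed:
            continue  # this brand is not being imitated
        reasons = []
        if brand not in no_hyphens:
            # The brand only appears once the digit swaps are undone.
            reasons.append("numbers replacing letters")
        if "-" in host:
            reasons.append("hyphens or extra words added")
        if not host.endswith("." + ending):
            reasons.append("wrong domain ending")
        return "lookalike", reasons or ["brand name inside an unofficial domain"]
    return "unknown", []


if __name__ == "__main__":
    # Sample links taken from the article text above.
    samples = [
        "www.vodacom.co.tz",
        "www.vodacom-verify.co.tz",
        "www.nbc-bank-secure.com",
        "https://micros0ft-teams.net/login",
    ]
    for link in samples:
        print(link, "->", check_link(link))
```

An "unknown" verdict only means the link does not resemble a domain on the allowlist; it says nothing about whether the site is safe.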
Red Flag #3: The Sender's Address Doesn't Match
You receive an email claiming to be from NMB Bank. But when you look closely at the "From" address, it says nmbbank-support@gmail.com.
Real. Red. Flag.
If an email claims to be from a reputable company but is being sent from a Gmail, Yahoo, or other generic address (or a domain that doesn't match the real company), it is almost certainly a scam. The real NMB Bank would email you from @nmbtz.com, not Gmail.
The same applies to WhatsApp and SMS. If your bank is texting you from a random mobile number (+255 7XX XXX XXX) instead of a registered short code, something is very wrong.
How to check on your phone: On WhatsApp, tap the sender's name at the top of the chat to see their full number and profile. On email, tap the sender's name; the real address will usually appear underneath.
Red Flag #4: "You Have Won!" - The Too-Good-To-Be-True Trap
"Congratulations! You have been selected to receive TZS 500,000 from our promotion. Click here to claim your prize."
If you didn't enter any competition, you didn't win anything.
Subject lines and messages with unexpected words like "Free," "Your funds," "Casino," or "You have won" should immediately set off alarm bells. Scammers exploit our natural excitement and curiosity. When something sounds too good to be true, it always is.
This trick is especially common in East Africa. In Kenya, fraudsters lured victims into fake investment schemes by promising high returns on initial deposits as low as $50, showing them fake account dashboards and blocking all withdrawal requests. INTERPOL eventually arrested 27 people in that operation alone.
Red Flag #5: The Website Doesn't Have a Padlock - Or Has a Strange One
When you open any website on your phone or computer, look at the very top of your screen where the web address is. Safe websites start with https:// and usually show a small padlock icon 🔒.
The "s" in https stands for secure, meaning your information is encrypted when you send it.
However, and this is important, having HTTPS doesn't automatically mean a site is safe. Hackers can also obtain security certificates, and about 20% of phishing sites actually use HTTPS. So the padlock is a starting point, not a final answer. Always combine this check with looking at the domain name carefully.
If a site has no padlock at all and asks for your PIN or password, close it immediately.
Red Flag #6: They're Asking You to Download Something You Didn't Request
You get a WhatsApp message: "Your salary slip for this month. Download to view."
You weren't expecting any salary slip. You open it anyway.
The rule is simple: If you weren't expecting a file, don't open it. Even if the message appears to come from someone you know - their account may have been hacked.
Red Flag #7: The Message Greets You Generically
When your actual bank or mobile operator contacts you, they know your name. They will say "Dear Amina Msafiri" or "Hello John."
Phishing messages almost always start with vague greetings like:
- "Dear Customer"
- "Dear Sir/Madam"
- "Dear Valued User"
Before You Click: A Simple Safety Checklist
Think of this as your ngao (shield) against phishing attacks:
| Question to Ask | What to Do If "Yes" |
|---|---|
| Is this message asking me to act urgently? | Pause. Take a breath. Do NOT click yet. |
| Does the link look slightly misspelled? | Do not click. Report and delete. |
| Is the sender using a Gmail for a bank? | It's fake. Report and delete. |
| Was I promised money I never applied for? | It's a scam. Ignore it. |
| Did the site ask for my PIN or password? | Close it immediately. |
| Was I asked to download something unexpected? | Do not open it. |
How to Check a Link Without Clicking It
Here's a trick most people don't know: you can preview a link before clicking it.
On a computer: Hover your mouse cursor over the link (don't click!). The real web address will appear at the very bottom of your screen. If it looks strange, don't click.
On a phone: Press and hold the link for a second or two. A small menu will appear showing the real URL destination. Read it carefully before opening.
Use a free safety checker: If you're not sure, copy the link (without clicking) and paste it into free tools like:
- Google Safe Browsing: trusted worldwide
- Bitdefender Link Checker: analyzes URLs for phishing threats in seconds, for free
- F-Secure Link Checker: checks the link's reputation against millions of analyzed websites
These tools cross-reference URLs against real-time databases of known malicious websites and give you a clear safety result. They are free and easy to use, even on a slow internet connection.
What If You Already Clicked?
Don't panic. Here's what to do, fast:
- Do NOT enter any personal information on the page that opened
- Close the website immediately
- Turn off your internet/WiFi temporarily to prevent further data from being sent
- Change your passwords for M-Pesa, your email, and any banking apps immediately, from a different device if possible
- Call your bank directly using the number on the back of your card or their official website
- Run a security scan on your phone using a free antivirus app like Avast or Bitdefender
- Tell someone: your family, your workplace, your church group. Warn them so they don't fall for the same attack
A Word to Parents, Grandparents, and Elders
If you are reading this for someone in your family who is not comfortable with technology, please share these three simple rules with them - in Swahili, in your local language, in whatever way they understand best:
1. Usipoombwa, usiamini haraka. (If you didn't apply, don't believe it quickly.)
2. Jibu la haraka ni jibu baya. (A rushed response is a bad response: always slow down.)
3. Shaka, uliza mtu unayemwamini kwanza. (When in doubt, ask someone you trust first.)
Technology should serve us, not be used against us. By teaching our elders, our children, and our neighbours to recognise these signs, we protect the whole community.
The Bigger Picture: Why This Matters So Much for Tanzania
We are living through a digital revolution. M-Pesa, Tigo Pesa, Airtel Money: these tools have changed millions of lives across East Africa. But that same revolution has brought new criminals who have moved online.
East Africa now records the continent's highest digital fraud rejection rate at 27%, and Tanzania specifically experiences significantly higher failure rates than most regional peers. The scale of attacks is accelerating, with Africa losing an estimated $5 billion to cybercrime every year.
But numbers don't change behaviour. Stories do. The next time you receive a suspicious message, remember Mama Aisha in the daladala. Remember that the feeling of panic is the attacker's most powerful weapon. And remember: the moment you pause and ask "Is this real?", you've already outsmarted them.
One careful moment is all it takes.
Quick Summary: Your Phishing Defence Kit
- Slow down when a message feels urgent
- Check the sender's email or phone number carefully
- Hover or long-press links to preview before clicking
- Look for spelling errors in website addresses
- Use free tools like Bitdefender or F-Secure to scan suspicious links
- Never share your PIN, password, or OTP with anyone, ever
- When in doubt, call the company directly using their official number
- Share this knowledge with your family and friends
Stay safe online. The internet is a powerful tool, and so are you.



