There is a gap in digital literacy now being weaponized by scammers. A wave of panic recently swept through Zimbabwe’s digital platforms following a circulating voice note. In the recording, a woman tearfully recounts how her EcoCash wallet was emptied, claiming that police are overwhelmed by thousands of similar cases. People thought EcoCash had been hacked.
However, investigations and official statements from Econet paint a different, more complex picture. The platform itself remains unbreached. Instead of a technical system hack, Zimbabweans are falling victim to a human hack, a sophisticated wave of social engineering that is draining life savings in minutes.
The bait is an obviously too-good-to-be-true offer. The scam rarely starts with a direct threat; instead, it begins with an irresistible offer. Scammers are flooding WhatsApp and social media with fake websites that mimic official branding.

These sites target current consumer needs, such as:

- Starlink special data: offers of 15GB for under US$1 or unlimited monthly data for $4
- Instant Kashagi loans: promises of loans up to US$5,000 with automatic approval for everyone
- EcoCash promotions: fake giveaways claiming to be powered by Econet

To the untrained eye, these websites look legitimate, often featuring the familiar official logos. But the moment a user clicks, they are entering a digital trap.
Unlike a traditional payment where you enter your PIN on your own phone’s pop-up menu, these fraudulent sites ask you to type sensitive information directly into the browser:

1. Your Mobile Number
2. Your EcoCash PIN
3. The One-Time Password (OTP) sent to your phone
This is the critical moment of failure. When you enter these details on a website, you aren’t paying for a service; you are giving a criminal the credentials to log into your account from their own device. The OTP is the final safeguard: it’s the code EcoCash sends to verify that the person logging in actually holds the physical SIM card. By sharing it, you effectively hand the thief your digital keys.
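For defenders who triage reported links, the tell described above (a web form asking for mobile number, PIN and OTP) can be checked mechanically. The sketch below is an added example, not code from Econet or EcoCash; the field-name patterns, verdict labels and sample pages are constructed assumptions.

```python
import re
from html.parser import HTMLParser

# Constructed patterns for the three values the fake sites ask for (assumptions).
PATTERNS = {
    "mobile": re.compile(r"\b(mobile|phone|msisdn)\b"),
    "pin": re.compile(r"\b(pin|passcode)\b"),
    "otp": re.compile(r"\botp\b|one time (password|pin|code)"),
}
ATTRS = ("name", "id", "placeholder", "aria-label")

class FieldCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hints, self.in_label = [], False
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        self.in_label = self.in_label or tag == "label"
        # Only fields the user types into; hidden inputs and buttons are ignored.
        if tag == "input" and (a.get("type") or "text").lower() not in ("hidden", "submit", "button"):
            self.hints.append(" ".join(a.get(k) or "" for k in ATTRS))
    def handle_endtag(self, tag):
        if tag == "label":
            self.in_label = False
    def handle_data(self, data):
        if self.in_label:
            self.hints.append(data)

def requested_secrets(html):
    """Return which of mobile / pin / otp the page's form fields ask for."""
    collector = FieldCollector()
    collector.feed(html)
    found = set()
    for hint in collector.hints:
        text = re.sub(r"[^a-z0-9]+", " ", hint.lower())  # ecocash_pin -> "ecocash pin"
        found |= {kind for kind, pat in PATTERNS.items() if pat.search(text)}
    return found

def verdict(html):
    found = requested_secrets(html)
    if {"pin", "otp"} <= found:
        return "credential-harvest"  # PIN and OTP together: enough to take over a wallet
    if "pin" in found:
        return "pin-on-web"          # a web page asking for a PIN
    return "otp-request" if "otp" in found else "ok"  # OTP alone: confirm it is a real login

# Constructed sample pages, not captured from any real site.
PHISH = ('<form><label>Mobile Number</label><input name="msisdn" type="tel">'
         '<label>EcoCash PIN</label><input name="ecocash_pin" type="password">'
         '<label>OTP sent to your phone</label><input name="otp_code"></form>')
BENIGN = '<form><label>Phone</label><input name="phone"><input name="q" placeholder="Search"></form>'
```

This is a triage heuristic for static HTML only; pages that build their forms with scripts need rendering first, and a clean result does not prove a link is safe.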
Econet’s standard advice, “Never share your PIN”, is becoming less effective because the lines between secure and scam have blurred.

Many users are accustomed to entering their PIN at supermarkets or when buying ZESA tokens. To a user who doesn’t understand how URLs work, typing a PIN into a website feels no different than typing it into a merchant’s terminal.
There are two golden rules to protect your hard-earned money, and both are non-negotiable:
- EcoCash NEVER asks for a PIN on a website: If you see a web address (anything ending in .com, .net, or .co.zw) asking for your PIN, it is a scam.
- OTPs are for LOGGING IN, not BUYING. You should never need an OTP to pay for bread, data, or electricity. If a payment screen asks for an OTP, someone is trying to hijack your account.
While EcoCash is working to blacklist malicious links, the ultimate defense is skepticism: in which world will 15GB worth of data in Zimbabwe cost $4?
If a deal looks too good to be true, it almost certainly is. Before entering your details anywhere, stop and ask a trusted friend or contact EcoCash directly. In an era of human hacking, your caution is your only true firewall.









