How Omundo stole money using ATM cards that were not his

This case is about a man who tricked the banking system and stole Kshs. 732,033 (USD 5,700) from Kenya government cash transfer accounts. The money was meant for elderly and vulnerable people under the Inua Jamii program, a financial aid initiative in Kenya.

Between 2018 and 2022, Omundo illegally obtained multiple ATM cards that did not belong to him. Instead of using the real owners’ fingerprints, he registered his fingerprint on these accounts and withdrew the money over time.

His scheme was exposed when a banking agent noticed suspicious withdrawals and reported him. When the police investigated, they found he had 10 ATM cards from different beneficiaries.

How he executed the fraud

Getting ATM cards that were not his

1. The suspect somehow gained access to multiple Inua Jamii ATM cards.
2. He may have worked with insiders at the bank or the registration offices to get these cards.
3. The real ownrs of the cards were unaware that someone else was withdrawing their money.

Using his fingerprint to access accounts

1. The banking system required only an ATM card and a fingerprint to withdraw money.
2. Instead of using the real beneficiaries’ fingerprints, he registered his fingerprint on their accounts.
3. This allowed him to withdraw money as if he were the real owner of the account.

Making multiple withdrawals at banking agents

1. He visited different KCB agent banking shops to withdraw money.
2. On May 10, 2022, he withdrew money from three different ATM cards at the same shop.
3. The banking agent became suspicious because the system allowed only one card per person in the Inua Jamii 

Returning the next day and getting caught

1. On May 11, 2022, he returned to the same banking agent with seven more ATM cards.
2. The agent had already reported the suspicious transactions to the police.
3. As soon as he tried to withdraw money, the police arrested him on the spot.

The investigation –how he was caught

Checking his bag and finding ATM cards

1. The police searched his bag and found 10 ATM cards that belonged to different people.
2. None of the cards were in his name.

Reviewing bank records

1. The bank provided transaction statements that showed money had been withdrawn from these cards between 2018 and 2022.
2. The withdrawals happened across different locations, meaning he moved around frequently to avoid suspicion.

Testimony from a victim

1. One of the victims went to withdraw money but found that someone else had already taken it using his card and ID.
2. He reported the case, saying he had never shared his ATM card or PIN with anyone.

Suspect’s weak defense

1. The accused claimed that a bank official named Julius had asked him to help register elderly people for the cash transfer program.
2. He said the official would then use his fingerprint to approve transactions.
3. The court dismissed this as an excuse to cover up his fraud.

The punishment – what the court decided

The suspect was charged with three crimes under the Computer Misuse and Cyber Crimes Act.

1. Identity theft and impersonation. He fraudulently used other people’s ATM cards and identities to steal money.
2. Unauthorized access to computer systems. He accessed bank systems without permission using his fingerprint on stolen ATM cards.
3. Accessing systems with intent to commit a crime. He withdrew money knowing that he was not the rightful owner of the accounts.

The sentence

The court found him guilty on all counts and sentenced him to:

1. 2 years in prison for identity theft and impersonation.
2. 2 years in prison for unauthorized access.
3. 5 years in prison for accessing systems to commit fraud.
4. A fine of Kshs. 200,000 (USD 1,560) for identity theft.
5. A fine of Kshs. 3,000,000 (USD 23,400) for fraud-related crimes.

At first, the court said the sentences should run one after the other (consecutively), meaning he would serve a total of 9 years. However, on appeal, the judge ruled that the sentences should run at the same time (concurrently), reducing his total prison time to 5 years.

Lessons – how to prevent such fraud

Stronger verification methods

1. Banks should use multi-factor authentication (MFA) instead of relying only on fingerprints.
2. Adding PINs or ID verification would have stopped the fraud.

Better monitoring of transactions

1. If the bank had been checking withdrawal patterns, they would have noticed one person using many different cards.
2. Real-time fraud detection systems should flag suspicious activity.

Training for banking agents

1. The banking agent in this case noticed something was wrong and reported it.
2. All banking agents should be trained to detect fraud and report it early.

Public awareness for vulnerable people

1. Elderly and vulnerable people must be educated about financial fraud.
2. They should be encouraged to check their account balances regularly and rep0rt missing funds.

Tighter laws and enforcement

1. Cybercrime laws should not only punish fraudsters but also protect victims.
2. Banks should be required to refund stolen funds if fraud happens due to system weaknesses.

This case proves that fraud is not always about hacking into systems. Sometimes, criminals find loopholes and exploit them. If banks and government programs do not strengthen security, fraudsters will keep stealing from the most vulnerable people in society.

It is time for banks, government agencies, and individuals to work together and stop identity theft before it happens.

Case reference: Omundo v Republic (Criminal Appeal 94 of 2023) [2024] KEHC 4579 (KLR)

I remain Mr Strategy.