The rise of invisible theft
It doesn’t start with a gun. It starts with a click. A wrong link. A fake email. A too-good-to-be-true job offer. Online fraud is no longer the exception, it’s the rule. And in Uganda, cases reported to the CID’s Cybercrime Division have quadrupled in the last two years. From Kampala to Kabale, cybercriminals are no longer hiding in the shadows. They’re hiding in your inbox.
The con in convenience
We investigated a recent case in Mbarara involving a school bursar who lost UGX 38 million to a fake supplier portal. The fraud started with a well-crafted email mimicking the Ministry of Education’s supplier payment platform. Everything looked authentic: logos, language, and layout. All it took was one click.
Once she logged in, the fake site harvested her credentials. Within two hours, the fraudsters had logged into the real platform, changed the payment details of three contractors, and diverted the funds to mobile money accounts registered under fake national IDs.
How the red flags were spotted
It wasn’t the police who spotted it. It was the school’s internal auditor. During routine review, he noticed discrepancies in contractor payment confirmations; payment vouchers existed, but no contractor acknowledged receipt. He called one of them directly. That call saved the school millions more.
He froze all pending transfers and initiated a forensic review. When our team from Summit Consulting was brought in, we traced the IP addresses to a rented office space in Kikuubo where a cybercrime ring was using VPNs and rented laptops to coordinate the attacks. These weren’t just unemployed youths; two of them were IT interns from a local university.
The money trail
The UGX 38 million was broken down and split into 19 different mobile money accounts, each capped below UGX 2 million to avoid triggering suspicious transaction alerts. The withdrawals happened across three districts within hours. This was not amateur fraud. This was industrialized deception.
What you must do now
If you’re a CEO, audit head, or accountant, stop thinking cybercrime is an IT problem. It’s a leadership problem. It’s a culture problem. And it’s a systems problem. You must invest in continuous fraud risk assessments, mandatory staff leave, dual approvals, and penetration testing. Do not wait for URA or NITA to tell you. Act.
Because online fraud doesn’t just steal your money. It erodes trust. And when trust goes, your business dies next.
