Cyber risk is business risk: Time to treat it that way

At 10:42 a.m. on Thursday, 18th January 2024, the operations manager of a large regional logistics company opened an email that appeared to come from their insurance partner. The subject line read: “Renewal Quotation for 2024 Coverage – Urgent Action Required.”

It looked legitimate: company logo, polite language, even the signature of a contact he had dealt with before. He clicked the PDF attachment. Nothing opened. He shrugged and moved on with his day.

What he didn’t know was that in that single click, he had just given a group of cybercriminals full access to his company’s internal systems.

By 3:00 p.m., their accounts payable ledger was being silently altered. Payment instructions for three major suppliers had been replaced with bank details controlled by the attackers. By 6:00 p.m., UGX 640 million had been approved for payment to accounts that had nothing to do with their suppliers.

This wasn’t a case of a “clever hacker in a hoodie” somewhere abroad. This was a calculated cyber-enabled fraud with local fingerprints all over it.

When the breach was discovered two days later, the boardroom turned into a war zone. The IT manager insisted this was an unavoidable “zero-day” cyberattack, a once-in-a-lifetime breach that no one could have prevented. The finance director wasn’t buying it. She believed the problem was weak internal processes and careless staff, not sophisticated hackers.

Tensions rose because the company had spent over UGX 500 million in the past two years on “cybersecurity upgrades.” Now, they were facing a multimillion-shilling loss and public embarrassment.

Summit Consulting Ltd’s iShield360 Cybersecurity was called in with one instruction: find out exactly how the breach happened, who was involved, and whether it could have been prevented.

How the scheme was engineered

a) Reconnaissance

Suspect 1, a disgruntled former IT officer, had left the company the previous year after a bitter dispute over unpaid overtime. He knew exactly which systems were vulnerable, who approved payments, and how poorly the staff were trained on phishing threats.

Suspect 2, an outsider posing as a “cyber consultant”, was the connector. He had relationships in both the hacking underground and Uganda’s informal financial channels. He set up a fake email domain almost identical to the company’s insurance partner and created an email thread that looked like an ongoing conversation.

b) The phishing hook

The email to the operations manager was crafted with details only an insider could know: supplier names, past invoice numbers, and even the exact insurance renewal date. All this came from internal documents that Suspect 1 had downloaded before leaving.

The PDF wasn’t a PDF at all; it was a malicious file that installed a remote access tool (RAT) on the operations manager’s computer, giving the attackers control over his email and access to the accounts payable system.

c) The payment diversion

Once inside, the attackers didn’t rush. They monitored email traffic for weeks, studying the payment cycles. On the third Friday of January, they struck.

They replaced bank details in three high-value supplier payment instructions. These new accounts were opened in the names of shell companies, registered in Kampala just weeks earlier, with directors who were paid street vendors, people who would never be questioned if they disappeared.

The bank accounts were in three different banks to avoid triggering automated fraud detection. Once the money hit, it was withdrawn in cash in amounts just under UGX 20 million per transaction, spread across multiple branches and ATMs.

Mobile money then came into play. The cash was deposited into dozens of SIM cards registered to boda boda riders and market vendors in Kisekka Market. From there, it was either withdrawn in rural districts or converted into USD on Kampala’s informal forex circuit.

The red flags that were missed

The finance team failed to notice that the supplier bank details had changed, a classic red flag. The payment approval system didn’t require a callback to the supplier to confirm new account numbers.
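The callback control described above, written as an added example (not the company's system or Summit Consulting's code): every payment instruction is compared against the vetted supplier master, and any instruction whose bank details differ is held until a named staff member records a callback on the supplier's known number. Supplier IDs, banks and account numbers are constructed.

```python
"""Payment-release check: hold instructions whose bank details differ from
the supplier master until a callback verification is recorded."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class BankDetails:
    bank: str
    account: str

    def normalised(self) -> "BankDetails":
        # Spaces, dashes and case changes must not let a changed record slip past the comparison.
        return BankDetails(self.bank.strip().lower(),
                           self.account.replace(" ", "").replace("-", ""))


@dataclass
class PaymentInstruction:
    supplier_id: str
    amount_ugx: int
    bank: BankDetails
    callback_verified_by: Optional[str] = None  # staff member who phoned the supplier on a known number


# Constructed supplier master: the vetted, on-file bank details.
SUPPLIER_MASTER: Dict[str, BankDetails] = {
    "SUP-001": BankDetails("Stanbic", "9030001234567"),
    "SUP-002": BankDetails("Centenary", "3100045678901"),
    "SUP-003": BankDetails("DFCU", "0122003456789"),
}


def review_payment(instr: PaymentInstruction, master: Dict[str, BankDetails]) -> Tuple[str, str]:
    """Return (decision, reason); decision is RELEASE, HOLD_CALLBACK or REJECT."""
    on_file = master.get(instr.supplier_id)
    if on_file is None:
        return "REJECT", "unknown supplier id"
    if instr.bank.normalised() == on_file.normalised():
        return "RELEASE", "bank details match supplier master"
    # Details differ from the master record: the classic red flag in this case.
    if instr.callback_verified_by:
        return "RELEASE", f"changed details confirmed by callback ({instr.callback_verified_by})"
    return "HOLD_CALLBACK", (f"bank details changed for {instr.supplier_id}: "
                            f"{on_file.bank}/{on_file.account} -> {instr.bank.bank}/{instr.bank.account}")


def review_payment_run(run: List[PaymentInstruction],
                       master: Dict[str, BankDetails] = SUPPLIER_MASTER) -> Dict[str, str]:
    """Decision per supplier for a whole payment run, e.g. a Friday batch."""
    return {p.supplier_id: review_payment(p, master)[0] for p in run}
```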

The IT department never disabled the ex-employee accounts in all systems. Even worse, password policies were so weak that some accounts still used variations of “CompanyName@2022” as their login credentials.

Staff had undergone a “cybersecurity awareness” training the year before, but it was a two-hour PowerPoint session with no simulations or follow-up.

How the auditor connected the dots

The breach only came to light because the company’s external auditor spotted an anomaly during their quarterly review. They noticed that three supplier accounts showed zero activity since the payments were made: no goods received, no follow-up invoices, nothing.

They called one of the suppliers directly. The supplier confirmed they had not received payment for the January invoices and were on the verge of halting deliveries. That phone call triggered the emergency board meeting and our investigation.

Summit Consulting’s forensic team began by isolating the infected workstation. We found the RAT still active, connecting to a command-and-control server in Nairobi. That server, when traced, led to an IP address linked to a small cybercafé, one that had been closed for months. It was a relay.

We then analyzed email metadata. The phishing email had been sent from a domain differing from the genuine supplier’s by just one character. Cross-referencing registration details with company records revealed that the domain was purchased using an email address previously used by Suspect 1.
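The one-character domain difference found in the email metadata is something a mail gateway or a finance team's inbox rule can flag before the click. The following is an added example, not the investigators' tooling: it parses the From header and reports any sender domain within one edit (insertion, deletion or substitution) of a trusted partner domain. The partner domains and headers are constructed.

```python
"""Flag sender domains that are one edit away from a trusted partner domain."""
from email.utils import parseaddr
from typing import Set, Tuple

# Constructed list of partner domains the company actually deals with.
TRUSTED_DOMAINS: Set[str] = {"example-insurance.co.ug", "example-logistics.co.ug"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance using the two-row dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def sender_domain(from_header: str) -> str:
    """Domain of the real address, ignoring any display name in front of it."""
    _, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower().rstrip(".")


def classify_sender(from_header: str, trusted: Set[str] = TRUSTED_DOMAINS,
                    max_dist: int = 1) -> Tuple[str, str]:
    """Return ("trusted"|"lookalike"|"unknown", matched or actual domain)."""
    domain = sender_domain(from_header)
    if domain in trusted:
        return "trusted", domain
    closest = min(trusted, key=lambda t: edit_distance(domain, t))
    if edit_distance(domain, closest) <= max_dist:
        # Close enough to be mistaken for a partner but not on the list: hold for review.
        return "lookalike", closest
    return "unknown", domain
```

A swapped pair of letters counts as two edits in plain Levenshtein distance, so raise `max_dist` or add transposition handling if that pattern matters to you.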

The real breakthrough came from following the money. While most withdrawals were in cash, one shell company account made a UGX 9.8 million mobile money transfer to a number registered to Suspect 2’s cousin. That cousin claimed he “was just asked to keep the money for a friend.”

From there, the mobile money transaction history gave us a spider web of payments, all leading back to Suspect 1’s known associates.

Which controls lapsed?

This case was not just about a clever cyberattack. It was about leadership failing to treat cyber risk as a business risk.

  • Access controls were weak. Former employees could still log into critical systems.
  • Supplier payment verification was nonexistent.
  • Cyber awareness was box-ticking, not culture-changing.
  • Incident detection relied entirely on external auditors, not real-time monitoring.

The confirmed loss stood at UGX 640 million. Insurance coverage was denied because the company had failed to follow its IT security policy, a clause buried in the fine print.

The board has since overhauled its cybersecurity governance, with Summit Consulting leading the redesign of controls. Measures now include multi-factor authentication for all systems, mandatory supplier callback verification, quarterly phishing simulations, and automated account deactivation for staff exits.

But the scars remain. One senior manager told me privately, “We thought cybersecurity was an IT cost. Now we know it’s a survival cost.”

Cyber risk is not about firewalls, software, or clever jargon. It’s about understanding that your data, payment systems, and operational continuity are now as critical as your physical assets.

The attackers in this case didn’t break into the company’s servers by force; they walked in through a single click, armed with insider knowledge, and exploited processes that were never designed for today’s threats.

In Uganda’s corporate landscape, this is not an outlier. This is the new normal. If your board still treats cyber risk as a quarterly “IT update” instead of a standing agenda item, you’re already one breach away from your own January morning disaster.

© 2025 All rights reserved Institute of Forensics and ICT Security | IFIS is the training arm of Summit Consulting Ltd