Let me begin with a simple truth that many parents in Uganda still underestimate. Your child is already living in a world you barely understand. Their friendships are digital. Their assignments are digital. Their identity is digital. Their future wealth will be digital. And their biggest risks? Also, digital. Pretending cybersecurity is an “adult issue” is the fastest way to raise a vulnerable child in a dangerous world. This holiday, while everyone else is preparing to teach children new dances, cooking lessons, or driving skills, I want us to think differently. Your child does not need more entertainment. They need digital self-defence. And the earlier they learn it, the safer their future. The moment a harmless game became an investigation Two weeks ago, during a cybersecurity training session, a mother approached me worried about her son, let us call him Peter, a slender boy, always wearing bright T-shirts and moving with the restless attention of someone raised on screens. He had clicked on a “free upgrade” link inside a mobile game. Within hours, his phone, the one he borrowed, started sending strange notifications. Data got consumed at an alarming rate. Contacts synced to unknown servers. That is how easily a child can compromise an entire family. This is not a theoretical risk. Children are now the softest entry point for cybercriminals into homes, offices and top security places. They trust too quickly. They click too fast. They share too openly. And they rarely tell their parents until it is too late. That is why cybersecurity is no longer an optional talent. It is a survival skill. Why your child is the new target Children are now the easiest way for criminals to enter your household. And they do it quietly. Children trust screens more than people they know. They do not evaluate risk, they follow excitement. Their digital footprints outlive childhood. Criminals design attacks specifically for young users’ behaviour. Every online profile your child creates today builds a lifelong digital identity. Mistakes made at age 10 can haunt them at 25 in job applications. If you are with your child, ask them to Google their own name and see how much of their identity is already public. The shock alone begins the learning. A case of a simple school assignment gone wrong Subject B, a tall girl around 11, usually wearing her school uniform even during holidays, downloaded a “free PDF converter” for her homework. Hidden inside was spyware. It captured keystrokes, screen activity, and camera access. Her father did not believe it until we replayed a log showing screenshots of their living room taken without permission. Let us think differently. Children are not careless. They are untrained. Free tools often carry malicious add-ons. Children rarely read permission requests. Household devices become compromised silently. Attackers exploit educational habits, downloading, searching, sharing. Try it now. Ask your child to explain what each app on their phone does, what permissions it uses, and why. The gaps will reveal their vulnerabilities. The digital world your child walks into blindly We must stop pretending children are safe because they are “just on TikTok” or “only chatting with classmates.” Digital danger is not dramatic. It is quiet, gradual, and psychological. Social engineering now targets children first. Identity theft begins with small personal details. Cyberbullying leaves long-term behavioural scars. Strangers disguise themselves as peers effortlessly. What else to know? A child’s first online trauma shapes their confidence for life. I got a shock of my life when I did a simple online test at home. You too can try it. Run a mock phishing test at home. Send your child a harmless but deceptive link. Discuss why they clicked or didn’t click. This is the most practical lesson you can give. Why the holiday is the perfect time to train them Children learn best when routines are broken. Holidays give you uninterrupted time to build digital discipline without school pressure. Holidays expose children to longer screen time. Boredom pushes them into riskier digital spaces. Peer challenges increase unsafe behaviours. Supervision reduces; curiosity increases. Let us think differently. Cybersecurity is not about fear. It is about empowerment. Spend one hour daily teaching them simple tasks, checking browser history, identifying fake URLs, and turning on two-factor authentication. Or you can enrol them at the Institute of Forensics & ICT Security holiday program. This small routine builds lifelong digital instincts. The skills every child must have by the New Year If you want your child to thrive in a future driven by AI, automation, and digital identity, these baseline skills are non-negotiable. How to identify suspicious links and apps. How to create strong, memorable passwords. How to configure privacy settings on every platform they use. How to recognise manipulation—emotional, social, and digital. What else to know? These are the same skills required of cybersecurity professionals. Your child is building a career foundation without even realising it. Activity: Ask your child to “teach you” how to protect your phone. When they teach, they learn twice. We must face a hard truth. The school system is not built for the digital age. The curriculum is slow, the risks are fast. Teachers are overwhelmed; children are overexposed. Keep in mind that Most schools lack cybersecurity programs. Teachers often do not understand modern threats. ICT lessons focus on typing, not self-defence. Parents wrongly assume schools provide safety. Parental leadership is the new frontline of cyber protection. I encourage parents to create a weekly “digital briefing” with their child. Review their digital week the same way CEOs review operations. A deeper look at Subject A and Subject B Remember our two cases? Subject A’s curiosity led to malware infiltration that compromised household contacts. Subject B’s homework tool gave a stranger silent access to her home. The lesson? Cybersecurity failure rarely looks dangerous at first. It looks innocent. It looks harmless. It looks like “something small.” Children do not understand digital consequences. Small digital mistakes have a real-world impact and leave lifelong pain Attackers

If there is one truth I have learned from decades of digital forensics and fraud investigations, it is that you never win an investigation in the field. You win it in the report. Courtrooms do not see your sleepless nights, your reconstructed log files, your digital breadcrumbs, or the clever trap you set at 3:07 a.m. They see your report. A weak report frees the guilty. A persuasive, fact-driven one convicts without drama. Let me share an experience to drive the point home. I will use generic descriptions to keep it professional, but I want you to feel the tension as if you were seated next to me in the digital lab. It began with a procurement refund. Nothing dramatic. A routine payment flagged by a junior auditor who had sharp eyes and a habit of taking notes on sticky papers. The staff member responsible, Subject 1, a short man in his late 30s with thick eyebrows and a soft-spoken demeanour, claimed it was a simple mistake. Mistakes rarely leave trails. But this one did. His device logged into the system at 11:48 p.m., long after the office had closed. The login came through a residential IP outside Kampala. The VPN he used had the unmistakable signature of a free-tier application. And the approval timestamp on the refund matched the exact minute his device connected. This was no mistake. This was a story waiting to be written, structured, and presented in a way that convinces without accusing. Why investigators lose cases Many investigators collect evidence like people collect souvenirs. Random, scattered, emotional. But persuasive report writing requires discipline. A good report does three things: It tells the truth plainly. It links events logically. It leads the reader to a conclusion without dragging them there. During log reconstruction, another unusual pattern emerged. Someone with customer support credentials had system access far above their role. That someone was Subject 2, a tall woman in her early 30s, always wearing oversized headphones and walking with a confident stride that made her presence felt before she spoke. Her role did not require approval rights, yet she had them. Quietly added. Quietly used. In a poorly written report, this would appear as a vague statement: “Subject 2 had unnecessary access.” That is not persuasive. A good report states: “Subject 2 held administrator privileges for Module X from 14 March to 22 June. System records show these privileges were not authorised by IT, HR, or management.” Facts speak. Your job is to present them without dramatising. Reconstructing the fraud pattern When we mapped six months of server interactions, a sequence emerged Subject 1 initiated small refund transactions outside working hours. Subject 2 approved them within minutes. The funds consistently landed in two mobile money accounts linked to a dormant sim recently reactivated. Withdrawals occurred within 15 minutes of deposit, at locations far from the main office. Notice the structure. Actions. Timing. Correlation. Behaviour. A persuasive report writes like a silent camera, not like a prosecutor. The power of digital breadcrumbs In digital forensics, nothing truly disappears. A careless tap on a phone. A forgotten location setting. A reused password. These are not mistakes; they are signatures. In this case, Subject 1 forgot to disable location sharing. One of the approvals placed him near a small food joint in Najjera. The GPS placed him there at the exact minute an unauthorised login occurred. Your report does not need to accuse him. It only needs to say: “Geolocation metadata from Device A (IMEI xxxx) places Subject 1 at Coordinates (xx, yy) at 21:42. This timestamp coincides with the approval action recorded under Username Z.” There is no need for adjectives. Evidence is its own witness. The technique: write to convict, not to entertain Courts and disciplinary committees operate on clarity, not emotion. A persuasive report uses four principles. Sequence – events arranged chronologically Correlation – linking logs, actions, and outcomes Neutral language – no adjectives, no passion Evidence anchoring – every assertion tied to a source When you master these, you no longer write a report. You build a conviction pathway. Let us return to the case. Building the narrative that stands in court Your report should walk the reader through the fraud as if they are discovering it themselves. For example: “On 11 April at 23:48, an unauthorised login occurred via IP xxx. The credentials belonged to Subject 1. Two minutes later, an approval for Refund Code 0098 was entered through Subject 2’s credentials. Both actions originated from devices not registered under the organisation’s asset list.” There is no accusation. There is only fact, timing, and source. That is what persuades. Most organisations write investigative reports like internal memos: short, vague, loaded with assumptions, and designed to please management. That is why most cases collapse. The winning investigator does not write to please; they write to prove. The secret is to structure the report so that the conclusion is irresistible. You do not need bold statements such as “Subject 1 committed fraud.” Instead, your evidence leads the reader to that conclusion gently, firmly, and logically. If your narrative is clear enough, the reader will convince themselves. To understand persuasive reporting, try this exercise with your team. Take a simple event, such as a lost office key. Collect every observable fact without opinion. Reconstruct the timeline from these facts. Write a one-page report stating only what is provable. Read it aloud. If no one can dispute your sequence, you have written persuasively. This exercise exposes how much noise investigators add unnecessarily.  What else should you know A persuasive forensic report has five components. Introduction: What triggered the investigation Methodology: how the evidence was collected Findings, facts arranged logically Analysis, connecting patterns and evidence Conclusion, a measured statement based strictly on facts The conclusion must never accuse. It must recommend. Accusation belongs to disciplinary or legal authorities. Investigators present truth, not judgment. A good conclusion reads like this, “Based on the evidence presented, the activities of Subjects 1

I have spent more than two decades in digital forensics, and one truth keeps confronting me: fraudsters do not vanish into thin air. They leave trails, subtle, scattered, and often arrogant trails. The tragedy is that organisations rarely look in the right place, at the right time, with the right discipline. That is why so many cases in Uganda, from banks to insurance firms to government agencies, quietly die in boardrooms, not due to lack of evidence, but due to lack of proper forensic pursuit. Let us walk through a real scenario. I will use generic descriptions to keep it professional. Visualise it as if I am taking you into a live investigation room. The unusual transfer It began with a single suspicious payment. An internal auditor noticed a strange mobile money transaction tagged to a procurement refund. The staff member responsible, let us call him Subject 1, a soft-spoken man in his early 30s, always in oversized shirts that made him look smaller than he was insisted it was an error. Errors do not repeat. And in this case, it was not the transaction, but the digital trail around it, that raised my eyebrows. The device he used was logged into the system after office hours. The IP address did not match the organisation’s network. A VPN with free-tier characteristics was hiding the location. And the timing aligned perfectly with the moment the payment left the organisation’s account. When you investigate long enough, you learn not to chase drama. You chase patterns. Drama is for television. In forensics, patterns tell the truth. Where breadcrumbs start to speak Fraud today is rarely analogous. Even cash-based fraud begins with a digital footprint. A password typed too fast. A login attempts from a phone the user “forgot.” A deleted message that was backed up somewhere else. Fraudsters underestimate the permanence of their own behaviour. While following Subject 1’s activities, I noticed a second actor Subject 2, a tall woman with sharp features and a habit of wearing large headsets even when not listening to anything. She worked in customer support. And yet, somehow, her workstation had administrator-level access for a module she never used. That is not a red flag. That is a red billboard. When organisations allow privilege creep where employees quietly accumulate system access, they should not have, you no longer require sophisticated hackers. You create them internally. Following the trail deeper We isolated three key breadcrumbs: The IP address mismatch The out-of-role system access Mobile money deposits repeatedly landing on a number linked to an unregistered sim card   When you see three digital anomalies within the same window of time, the odds of coincidence become statistically insulting. But instead of jumping to conclusions, a mature forensic investigator builds a hypothesis, tests it, and breaks it. I always tell boards: the worst investigators are the ones who rush to “the culprit.” The best ones rush to evidence. We pulled the server logs, network metadata, and mobile phone records. Then we mapped every transaction over six months. This is where many organisations panic: the fear of what they might find. Truth is expensive. But ignorance is catastrophic. How the scheme worked Subject 1 initiated payments disguised as supplier refunds. Subject 2 escalated system privileges to approve them. The digital movement was subtle, small amounts, spread across different dates, routed through two mobile money accounts and a dormant bank account belonging to a distant acquaintance. Here is the interesting part. The amounts were too small to trigger internal alarms but large enough to accumulate significantly over time. That is the new face of fraud in Uganda, slow, patient theft. It thrives in organisations where leadership only reacts to large explosions and ignores small smoke. Most organisations believe fraud is caught by “strong controls.” I disagree. Controls only detect predictable fraud. It is behavioural analysis, cross-matching logs, and understanding human patterns that expose the real schemes. Technology does not commit fraud; human motive does. And motives echo loudly through digital behaviour. Once we analysed login times, data entry patterns, device identifiers, and mobile money flows, the scheme became embarrassingly clear. You could predict the next attempted transfer before it happened. In one of the logs, Subject 1 forgot to disable location sharing on his phone. That single oversight placed him at a small local restaurant at the exact moment the irregular approval was logged. Digital breadcrumbs do not lie. Human beings do. What the board must understand Digital forensics is not about recovering deleted files. It is about reconstructing truth. In this case, we mapped the fraud from origin to execution: Access escalation Transaction manipulation Digital concealment attempts Proceeds routing Withdrawal behaviour When you show this trail to leaders, they often ask, “How did we miss this?” The honest answer is simple. It is because no one was looking for it. Ugandan firms still treat cybersecurity and digital forensics as IT support. Yet most fraud is authorised using legitimate credentials and insider access. This requires governance, not gadgets. What else you should know Digital forensics is not magic. It is meticulous discipline. If your organisation. does not centralise logs does not restrict privilege escalation does not segment networks does not review after-hours activity …you are not running a secure enterprise. You are running a house without doors, hoping no one walks in. When I train teams, I run a simple exercise. I ask them to check their personal email accounts and view their login history. Almost every time, someone discovers a login from a device or location they do not recognise. The real shock comes when they see how long that device has had access. The same shock awaits many organisations. Fraud will evolve. Human beings will not. Greed will remain constant. But so will digital footprints. The only question is whether your organisation is disciplined enough to follow them. Digital breadcrumbs do not disappear. They simply wait for the right investigator. And in a world where every action, login, tap,

Every company loves the idea of having strong investigators. Few appreciate what that means. They imagine trench-coat detectives with sharp instincts and thicker files, things they have watched on the Investigation Discovery (ID) channel. But in the real corporate world, the most powerful tool an investigator wields is not instinct, not authority, not software. It is the pen. And contrary to popular belief, the investigator’s pen does not record events. It reveals culture. Habits and red flags. I learnt this early in my career. I walked into an organization where every complaint began with the same refrain. “I reported this before, but nothing happened.” That line told me the investigation was already compromised. Where staff feel unheard, fraud flourishes by default. Not because people are inherently dishonest, but because silence becomes policy. And any investigator who ignores these frustrations is merely tracing shadows. A good investigator begins by reading the organization, not the evidence. In one bank, I advised, junior staff avoided eye contact. Not out of guilt, but fatigue. They had seen countless investigations launched, only to be quietly buried when the names involved were too politically expensive. Their behaviour, slow responses, guarded language, and selective memory were not an obstruction. It was survival. The investigator’s pen must capture these cultural fractures. If the culture is broken, the evidence will lie. Boards rarely hear this truth. Weak report writing destroys more cases than poor investigation technique. I have reviewed hundreds of internal investigation reports. Most are written like diary entries. Long paragraphs, emotional statements, shortcuts, and assumptions. They read like the investigator wanted to prove they were busy. But effective report writing demands the opposite. It requires discipline, neutrality, and precision. A case can be airtight, yet one ambiguous sentence can collapse it. A regulator asked me to review a report on licensing fraud. The officer had written, Subject 1 manipulated the system to benefit an external party. On the surface, the statement looked clear. In reality, it was useless. What system? Which part? What action constituted manipulation? And what control deficiency made it possible? When I pressed the investigator, he simply said, “Everyone here knows what happened.” That casual comment exposed the real failure: an organization where shared assumptions replace documented facts. When assumptions enter an investigation, the truth bleeds out silently. The investigator’s pen exists to prevent such bleeding. Good investigators write as if every sentence must withstand courtroom pressure, opposing counsel scrutiny and boardroom fatigue. They know leaders are busy. They know executives skim. They know the legal department will interrogate every comma. So, they write with surgical restraint: fact, source, analysis. No gossip. No drama. No decorative English. Just the story the evidence tells. The quality of an investigator’s report is a reflection of the organization’s integrity. Poor reporting always signals deeper cultural rot. One time, I engaged with an insurance company where staff kept saying, “We do not want trouble.” They avoided giving statements. They avoided details. They avoided involvement. Their fear was not of the fraudster, it was of management retaliation. When investigators operate in such environments, their pens become timid. Reports become vague. Findings become diluted. And boards wonder why accountability never sticks. Investigators thrive where leadership is courageous. In one manufacturing firm, the CEO made a bold declaration before an investigation began, “No name is too big to be examined.” Staff relaxed. Evidence flowed. Interviews became honest. The final report was crisp, factual, and unambiguous. Why? Because the investigator’s pen could move without fear. And that is what most organizations lack: freedom for truth to breathe. Another example. A procurement officer in a public agency kept repeating, “I did what I was told.” That phrase became the skeleton key that unlocked a multi-layered collusion scheme. On paper, his actions were procedural. In practice, he was the perfect pawn. His repeated phrase was not a defence; it was a symptom. Good investigators hear these symptoms. They know behaviour talks long before evidence does. They follow discomfort. They pursue inconsistencies. They extract accountability from patterns ordinary investigators dismiss as staff attitude. The investigator’s pen, therefore, does more than write. It diagnoses. It exposes managerial hypocrisy. It highlights resource gaps. It reveals when a department is overworked, when employees feel unsafe, when leadership is absent, and when controls exist only on paper. Investigators who treat reporting as the final step misunderstand the craft. Report writing is the actual investigation. It forces clarity. It eliminates bias. It holds a mirror to leadership. If the culture is rotten, the report will smell. Good investigators understand that their job is not to punish. Their job is to illuminate. They know the goal is not naming and shaming, but strengthening the organization’s immune system. Fraud is merely a symptom. Culture is the disease. And the investigator’s pen is the diagnostic tool. Boards and executives must therefore stop celebrating fast investigations. Fast usually means superficial. Effective investigations require diligent listening, thorough documentation, and precise writing. They demand investigators who are humble enough to doubt themselves and brave enough to document uncomfortable truths. They demand leadership that welcomes those truths without flinching. So here is the uncomfortable conclusion. A good investigator is not judged by how many fraudsters they catch. They are judged by how well they help the organization confront itself. Their pen must restore trust, not theatrics. It must cut through politics, not dance around it. It must protect the evidence, preserve the process, and safeguard the organization’s integrity. If boards want real accountability, they must empower investigators to write without fear, review without bias, and report without interference. In the end, the investigator’s pen is the most honest voice an organization has, if leadership allows it to speak.

Dear colleague, Every week, I meet professionals who quietly admit a painful truth: the investigation was strong, but the report was weak. In boardrooms, HR offices, police stations, and compliance desks across Uganda, cases collapse not because the wrongdoer was innocent, but because the report could not stand up to scrutiny. In my work advising CEOs, auditors, investigators, and regulators, I have seen internal cases that read like audit summaries, not investigative reports. One company literally begged a fraudster to resign because their report could not withstand the questions of opposing counsel. Another lost a multi-million-dollar wrongful termination case because the report was built on hearsay instead of structured evidence. In the 2026 cycles, those who master investigative writing will stand apart. Not because they speak louder, but because their reports are clear, defensible, and impossible to ignore. I invite you to join a hands-on training session designed for professionals who cannot afford to have weak documentation. You will work on real-world cases. You will write. You will revise. You will learn how to transform raw facts into a report that wins. Why this session matters Because in the real world, a poorly written report can let a guilty party walk free or ruin an innocent person’s life. A strong report, however, protects your organisation, strengthens your decisions, and gives you the confidence to stand before any tribunal, board, or court. What you will gain A full suite of tools and templates, including an investigation report template Practical techniques for gathering, structuring, and presenting evidence Skills to write reports that survive scrutiny from lawyers, regulators, and senior decision-makers Hands-on exercises from real cases we have handled Clarity on legal, ethical, and procedural risks in investigative writing Available training dates Third week of January 2026 (Hybrid) Second week of February 2026 (Hybrid) Delivery options Attend our training institute, or bring us in-house for a customised session at your premises. Fee: UGX 500,000 per person (in-house arrangements negotiable) If you lead investigations, supervise them, depend on them, or are held accountable for them, you cannot afford to miss this. Secure your seat today. Strengthen your team. Protect your organisation. Reply to us: https://forensicsinstitute.org/contact/ or call us to register: +256 784 270586/ +256783373637 Your investigation is only as good as your report. Make it count.

At IFIS, our mission has always gone beyond technical excellence. While we are known for shaping professionals in digital forensics, cybersecurity, risk management, and ICT governance, our core belief remains unchanged: a nation only grows when its people grow together. Community is the heart of sustainable progress. It is where families are formed, values are nurtured, and hope is restored. And for many Ugandans, faith spaces, especially churches, have long stood as pillars of strength, comfort, and unity. They are places where people run to in times of joy and in times of need. Places where spirits are lifted, relationships are strengthened, and futures are rebuilt. It is in recognition of this deep cultural and spiritual foundation that IFIS is honoured to support the construction of the new church at St. Balikuddembe Catholic Sub-Parish, Kisaasi–Kyanja. This church is not just a physical structure but a sanctuary that will stand for decades, shaping lives and nurturing faith. It will host baptisms, weddings, confirmations, and community gatherings. It will become a center for prayer, renewal, and direction, especially for young people seeking identity and families seeking peace. The new building will offer a dignified, welcoming environment for worship, free of the limitations that have challenged the parish for years. It will allow the church to expand its ministries, empower youth groups, strengthen family fellowships, and grow community outreach programs. Faith Meets Purpose: IFIS CSR in Action Our CSR vision is rooted in giving back to the communities that nurture the very professionals we serve. Supporting the construction of a church aligns with our values of integrity, service, and nation-building. When a community’s spiritual foundation is strong, its people are stronger—and this strength radiates into schools, workplaces, and society at large. By contributing to this project, we are not just funding construction materials. But we are investing in: Community unity and resilience Youth moral development and mentorship Family support systems Strengthening social fabric and shared identity A legacy of faith that will outlive all of us This is development that begins in the heart and spreads outward. An Invitation to Join Hands Great community projects succeed when many hearts pull in the same direction. We therefore extend a warm invitation to our partners, alumni, clients, friends, and well-wishers to join us in supporting the completion of this sacred space. Every contribution, big or small, adds a brick to a legacy that will stand for generations. Donate here: https://app.twezimbe.com/crowd-funding/campaigns/9f318a1b-44d2-48a6-9f2f-5a57b78c17db Your generosity helps transform faith into action and intention into impact. As IFIS continues to empower professionals with knowledge and skills for the digital future, we remain committed to strengthening the moral and spiritual foundations that keep our communities whole.  

Every scam begins long before the money moves. It begins with a story; one written for you, rehearsed by someone else, and perfected to make you believe you’re in control. Whether it’s a phone call, an email, a text message, or even a well-dressed stranger at your office reception, every scam follows a predictable script. And the sad truth? It works because people stick to theirs; polite, trusting, distracted, and afraid to offend. Fraudsters don’t steal your money. They borrow your confidence and make you hand it over. Scams are not random. They are performances, each with a cast, a plot, and an audience: you. The actor (the fraudster) studies your habits, your tone, and your weaknesses. The script is tested and refined on thousands of victims before it reaches you. And the stage is wherever you feel safe: your phone, your office, your inbox, or your church WhatsApp group. The moment you engage, the scene begins. “Good morning, this is the bank. We’ve detected unusual activity on your account…” Or, Congratulations! You’ve been shortlisted for an interview; please confirm by paying a processing fee.” Each line is rehearsed to trigger emotion, fear, greed, curiosity, or guilt. And once you respond, the scam doesn’t need force; it has your trust. Why smart people fall for scams “Intelligence doesn’t prevent fraud. Ego enables it.” Executives, bankers, and engineers; they all get conned. Not because they are naïve, but because they believe they can’t be deceived. That’s exactly what scammers count on. In one investigation Summit Consulting handled, Subject 1, a senior procurement officer, received an email “from a supplier” offering a bulk discount. The email signature matched the real vendor. The only difference? A single letter in the domain name. He approved the transfer. UGX 86 million gone in a day. When interviewed, he said, “It looked real.” Of course, it did. It was designed to. Fraudsters don’t need to hack your system; they hack your assumptions. Every scammer studies one thing religiously: human behaviour. They understand how we respond to urgency, authority, and validation. They use simple tactics: Fear: “Your account will be closed if you don’t act now.” Greed: “You’ve won a prize but need to pay a processing fee.” Flattery: “We’ve selected you for an exclusive opportunity.” Guilt: “I’m in trouble, please help; you’re my only hope.” Each message triggers a reflex, not reflection. The moment emotion replaces reason, the script wins. You don’t need to be foolish to fall for a scam; you just need to be human. The new frontier: corporate scams Fraudsters have upgraded. They no longer target individuals alone; they target systems through people. They impersonate CEOs through email spoofing, requesting “urgent wire transfers.” They infiltrate board communication channels with fake attachments. They pose as vendors seeking “payment verification.” In one Ugandan firm, Suspect 2 impersonated a regulator and sent “compliance forms” to the finance team. The forms carried malware that captured passwords. By the time IT noticed, the company’s vendor accounts had been drained. Every scam has a script. The question is: why do organizations keep playing along? Because culture rewards compliance, not curiosity. Staff are trained to respond quickly, not wisely. When professionalism becomes vulnerability In many organizations, employees are taught to be polite; to respond immediately, to trust hierarchy, to avoid questioning authority. That’s precisely what fraudsters exploit. They impersonate bosses because they know subordinates won’t verify. They rush requests because they know no one wants to delay “urgent” matters. They use an official tone because we equate professionalism with legitimacy. “The same obedience that makes you efficient can make you a victim.” Good governance requires courage to question, not just competence to act. How to break the script The only way to beat a scam is to step off the stage. Pause before you respond. Fraud relies on urgency. Every scam begins with “now.” Delay is your best defence. Verify the source. Call the organization using official contacts, not the ones provided in the message. Normalize scepticism. Doubt is not rudeness; it’s due diligence. Report and educate. Every scam you report protects someone else. Scammers lose when people share their stories. Silence sustains the script. Case study: the deepfake deception In 2024, a multinational firm nearly wired $1.1 million after its CFO received a video call from the “CEO.” The call was perfect: voice, face, gestures; all AI-generated. The scam failed only because the finance officer noticed the CEO’s background was slightly blurred and called to confirm. Technology is no longer the threat. Trust is. As AI advances, fraudsters no longer need access; they need believability. Boards must prepare for a future where seeing is no longer believing, and verification becomes a moral duty, not a bureaucratic step. The greatest threat to your organization is not external fraud; it’s internal compliance without critical thinking. Fraudsters don’t always need your password; they need your cooperation. They script the lines. You deliver them faithfully. Risk management, therefore, is not just about controls; it’s about consciousness. Train your people to think, not just to follow. To question, not just to act. Because when everyone performs their role perfectly, the scam runs smoothly. Scams succeed when leadership underestimates human vulnerability. Boards must demand cyber awareness that’s continuous, not ceremonial. Ask management: How often do we test staff with simulated phishing attempts? How quickly are fraud reports escalated? Who owns the culture of verification here? Make fraud awareness part of board oversight, not IT housekeeping. Leadership is not about trusting less; it’s about verifying more intelligently. Every scam has a script. It’s predictable, emotional, and always urgent. But every leader has a choice: to play along or to rewrite it. Fraud prevention begins the moment you stop being an actor and start being an author of your own vigilance, your own decisions, your own awareness. Because in the theatre of deception, the smartest person is not the one who knows the lines; it’s the one who walks off stage.

Fraud never walks through the front door. It slips in quietly, wearing a company ID, armed with trust, and fluent in your internal processes. It doesn’t shout; it whispers. It doesn’t rush; it waits. Every fraud I’ve ever investigated began with something ordinary, a trusted staff member, a small exception, a delayed reconciliation. And yet, months later, it always ends with executives asking the same question: “How did we miss it?” The answer is simple. Fraud hides best in places where everyone believes it cannot exist. The illusion of loyalty The first mistake leaders make is confusing loyalty with integrity. In many organizations, loyalty is the highest currency. “He has been here for ten years,” they say proudly, as if tenure guarantees honesty. But long service doesn’t create integrity; it creates access. Fraud thrives not in chaos but in routine. The longer someone works within your systems, the more invisible their actions become. When Suspect 1, a mid-level accountant, started approving vendor payments without secondary review, it was not because he was cunning. It was because no one imagined he could be deceitful. He was “family.” He had signed the visitors’ condolence book, led morning prayers, and even chaired the welfare committee. By the time Summit Consulting Ltd was brought in, he had siphoned over UGX 420 million in small, unremarkable transfers; all within approved thresholds. The anatomy of invisible fraud “Fraud is not a storm. It’s a slow leak you mistake for humidity.” Most frauds begin as an opportunity disguised as a necessity. An employee feels underpaid, overworked, or overlooked. They see a loophole and convince themselves it’s temporary. Fraud follows a predictable lifecycle: Rationalization: “They owe me this.” Opportunity: Weak oversight, manual controls, or predictable approvals. Capability: Knowledge of how the system works and how to exploit it. By the time external auditors arrive, the fraudster has already perfected the cover-up. They understand your audit cycles, your risk appetite, and your blind spots. They operate beneath thresholds and within policies, using your own procedures as camouflage. When systems become accomplices In one government agency, Subject 2, a systems administrator, used dormant supplier accounts to authorize “system test” payments. Each was below the internal approval limit, so no red flags appeared. When questioned, he said, “It was just a test transaction.” It was for the first six months. By month twelve, he was testing his retirement plan. Fraudsters love predictable systems. When every control operates the same way every time, they know exactly when to strike. Static controls create dynamic vulnerabilities. That’s why your internal control manual isn’t enough. Fraud doesn’t need to break your system; it only needs to understand it better than you do. The culture that nurtures fraud Fraud doesn’t start with accounting entries; it starts with organizational silence. In one case, a junior staff member suspected that cashiers were “rounding off” daily collections. But when she raised the issue, her supervisor told her, “Stop being paranoid.” Six months later, the company discovered UGX 90 million in unaccounted cash. The red flag wasn’t missed; it was dismissed. When staff stop speaking up because no one listens, you create the perfect ecosystem for deception. Culture, not control, is your first line of defence. You can install the best fraud detection software in the world, but if people fear being labelled “troublemakers,” fraud will continue to thrive, politely, quietly, and profitably. The problem with traditional audits Boards often say, “Our auditors will catch it.” They won’t. Not because they’re incompetent, but because audits are designed to confirm accuracy, not detect intent. Fraud operates between transactions, in timing, relationships, and subtle behavioural changes. Auditors test samples; fraudsters manipulate exceptions. In one bank, a teller consistently reversed customer transactions after hours, claiming “system errors.” Because reversals matched entries, the system showed no loss. Only when Summit conducted a forensic data analysis did patterns emerge; reversals clustered around end-of-month reconciliation dates. The insight? Fraud lives in patterns people stop noticing. The key to early detection is not more data; it’s sharper interpretation. Here’s what I teach boards: Look for behavioural anomalies. Fraudsters change before systems do. Sudden defensiveness, reluctance to take leave, or late-night logins are red flags. Follow the flow of exceptions. Fraud often hides in “temporary” approvals, “manual adjustments,” or “test accounts.” Watch your culture metrics. When staff turnover spikes in finance or IT, fraud risk rises. Good people don’t leave strong cultures. Fraud detection is not a forensic task; it’s a leadership discipline. Fraud is not about bad people. It’s about good people making bad choices in environments that allow it. When leaders treat fraud as an external enemy, they miss the point. Fraud doesn’t invade; it emerges. It grows in cultures where success is celebrated but process is tolerated, where speed trumps scrutiny, and where leaders mistake charisma for credibility. “You don’t prevent fraud by locking doors. You prevent it by unlocking conversations.” If you want to spot fraud before it strikes, build an organization that sees everything twice: once through data, and again through human judgment. This means: Rotating responsibilities: No one should handle end-to-end processes for too long. Rewarding transparency: Make it safer to report anomalies than to ignore them. Modernizing detection: Deploy continuous monitoring tools that flag unusual trends in payments, vendors, or access logs. And most importantly, train leadership to see silence as a symptom. When staff stop raising issues, don’t celebrate; investigate. The board’s responsibility Boards must move beyond the comfort of audit reports. They should demand behavioural dashboards, not just financial ones. Ask management: What percentage of staff are overdue for mandatory leave? How many system access rights exceed job responsibilities? When was the last time whistle-blower data was analysed for patterns? Fraud awareness should be a standing board agenda item, not a post-crisis topic. Because the true measure of governance is not how you respond to fraud, but how you prevent it from becoming a headline. Fraud in the shadows is like a termite in wood: quiet, patient, and

In every boardroom I visit, there is one phrase that signals danger: “Let us not overreact.” It sounds rational, even mature. But in the world of risk in which we live, those four words have birthed more crises than any cyberattack, audit failure, or fraud scheme combined. Because risk ignored is not risk removed. It is risk deferred, and deferred risk always returns with interest. Human beings crave stability. When everything looks fine, leaders convince themselves that it is fine. The dashboard is green, sales are steady, and compliance is “under control.” But green does not mean safe; it often means blind. Every crisis you have read about, from failed banks to corporate collapses, began as a small, ignored signal. A delayed report. A whistleblower dismissed. A vendor anomaly is buried in “reconciliation issues.” No catastrophe arrives unannounced. It is preceded by ignored emails, unreviewed minutes, and board papers full of polite silence. In one investigation Summit Consulting Ltd handled, a medium-sized institution experienced a massive data breach. The root cause was not the hackers; it was complacency. Months earlier, IT had flagged unpatched servers. The CIO promised to “look into it next quarter.” The quarter passed. Then the hackers came. By the time management reacted, the system was already compromised. Risk did not act suddenly; it simply waited for them to stop paying attention. When comfort becomes culture The most dangerous risk in any organization is not external, it is internal comfort. Success makes leaders lazy. When profits rise, risk reports become ceremonial. Meetings are filled with optimism bias, an invisible belief that “it cannot happen here.” Leaders love predictable numbers and smooth dashboards, but predictability is the first enemy of vigilance. The paradox is this. The more successful an organization becomes, the less it questions itself. Executives stop challenging assumptions. Teams stop reporting bad news. And soon, everyone is playing defence against the truth. A weak control is ignored because “it has never failed before.” An over-reliant supplier is tolerated because “they have always delivered.” A minor policy breach is excused because “he is a good performer.” Risk management becomes reactive, not preventive. “What you ignore in good times will define your headlines in bad times.” Crises are simply risks that have grown tired of waiting. Look at any recent corporate scandal and trace it backward, and you will find ignored red flags dressed as “normal.” In one organization, a junior internal auditor noticed that supplier invoices always ended with sequential numbers. She raised it. Her manager laughed it off. Six months later, the company discovered a UGX 513 million procurement fraud; all through fake vendors created by an insider. The first alert had come, but no one listened. Leaders don’t get blindsided by risk; they get seduced by routine. You can’t predict every threat, but you can guarantee one thing: denial multiplies damage. The leadership blind spot Most boards talk about “risk appetite,” but few truly define it. They discuss risk in financial terms: losses, exposure, and capital buffers, but rarely in cultural terms. Yet every financial failure starts as a cultural one. When staff fear speaking up, risks mutate unseen. When senior management rewards obedience over curiosity, no one challenges weak controls. That is how organizations build quiet pipelines of disaster. A “yes culture” is a risk culture. The absence of dissent is not unity; it is suppression. Leaders must create an environment where uncomfortable truths are welcomed early, not celebrated post-mortem. Ask your team: What risk are we pretending does not exist? Which issue have we normalized because it is inconvenient to fix? Who benefits from us staying silent? Those questions do more for resilience than any quarterly audit report. The fraud connection, when risk meets rationalization Fraud is not a financial problem. It is a risk management failure. In nearly every fraud Summit Consulting investigates, there was a prior control weakness that someone had already documented. It was in an internal audit report, a management letter, or a risk register, but it was “low priority.” The fraudster simply acted on what leadership ignored. When Suspect 1, a senior accountant, embezzled over UGX 300 million, it was not because he was clever. It was because risk management was passive. Segregation of duties had been waived “temporarily.” Reconciliations were delayed “due to staff shortage.” Audit recommendations were marked “ongoing.” In other words, leadership left the door open, and someone walked through. Ignored risks invite betrayal. It is a fact of life that risk is not necessarily bad. Let me say what most executives will not: risk is not the enemy. The absence of risk means the absence of ambition. The goal is not to eliminate risk; it is to domesticate it. Successful leaders do not fear uncertainty; they shape it. That begins by reframing risk conversations from “compliance” to “competitive advantage.” Strategic risk tells you where your blind spots are. Operational risk tells you how resilient your systems are. Reputational risk tells you how authentic your culture is. Risk management, when done well, is not bureaucracy; it is strategy. It helps you act early while others react late. Building a culture of foresight Boards must evolve from passive oversight to active foresight. That means embedding four disciplines: Curiosity over comfort. Reward those who ask “what if,” not just those who deliver results. Data-driven vigilance. Use predictive analytics to detect weak signals before they become losses. Decentralized ownership. Make every employee a risk owner, not a risk reporter. Real-time learning. After every incident, update controls and culture, not just procedures. The best organizations do not just survive uncertainty; they anticipate it. They treat early warning signs as gifts, not nuisances. Risk is everyone’s job. The board’s role is to ensure that risk awareness is institutional, not departmental. Risk cannot be managed in a spreadsheet maintained by one person in the corner office. Every department must translate the concept of “risk” into its own everyday language. Finance must think about liquidity and credit exposures. IT must think

“Every fraud I have ever investigated began with trust. Not fake trust, genuine trust.” In every boardroom, trust is praised like a virtue. “We are like a family here,” someone says, and heads nod approvingly. But after two decades in fraud investigation, I now know that statement is often the prelude to scandal. Because families forgive. Families look away. Families assume good intentions even when the numbers tell a different story. And that precisely is where fraud begins. Fraud does not start in dark alleys. It starts in bright offices, between colleagues who know each other too well. The paradox of trust Trust is the oxygen of collaboration. It allows organizations to move fast and innovate. But when unguarded, it becomes poison. I have seen many executives confuse loyalty and integrity. “He has been with us for ten years,” they say, as if tenure immunizes one from temptation. It does not. It only expands access and knowledge of control weaknesses. Fraud thrives where trust is absolute and oversight is absent. When Summit Consulting Ltd was called to investigate a mid-sized firm, the main suspect was not a stranger. It was Suspect 1, a veteran accountant everyone called “uncle.” He was diligent, faithful, and even prayerful. He also created fake suppliers with nearly identical names to legitimate vendors. Over 18 months, he quietly siphoned UGX 371.8 million through mobile money transfers. No breaking in. No hacking. Just comfort, routine, and trust. Fraud is not theft. It is a conversation gone wrong. “It begins as a story people tell themselves to justify small compromises.”  “I will just borrow and pay it back.” “They don’t value me anyway.” “Everyone does it.” Those are the real beginnings of corporate fraud, not elaborate schemes, but emotional rationalizations. Fraudsters rarely start as criminals; they start as disappointed employees seeking fairness their own way. The danger is psychological. When someone feels invisible, they construct private systems of justice. And once the first theft succeeds without consequence, it evolves from an act into a habit. The myth of the small fraud Boards often comfort themselves by saying, “It’s only a small loss.” But small frauds are not harmless; they are rehearsals. The first UGX 100,000 stolen is never about the money; it is about testing the system. When nothing happens, the next theft becomes UGX 2 million. Then UGX 10 million. Fraud is behavioural conditioning. When wrongdoing has no cost, it becomes culture. Many organizations in Uganda and the region at large do not lack systems; they lack courage. Employees see anomalies but hesitate to speak up. Fear of labelling, fear of job loss, fear of being called “difficult.” That silence is where fraud flourishes. The courage to distrust; intelligently High-trust cultures are not naïve. They practice structured scepticism. “Do not distrust people. Distrust blind systems.” Fraud prevention is not paranoia; it is professional hygiene. Here is the formula Summit teaches: The Circle of Intelligent Distrust: Segregate duties: No one should initiate, approve, and reconcile the same transaction. Automate analytics: Let systems flag anomalies in real time. Protect whistleblowers: Make honesty safe, not heroic. It is not about suspicion: it is about design. The best control systems make fraud difficult even for good people tempted by bad moments. Peter Drucker’s timeless phrase rings true in fraud management. Culture does not just eat strategy for breakfast; it eats controls for lunch. You cannot enforce integrity with policies alone. When leaders bend rules “because time is short,” they model deviance as efficiency. When a board ignores a conflict of interest “for now,” they signal that ethics is negotiable. As Mr Strategy loves to say: “Fraud prevention is not an audit function; it is a leadership function.” Culture flows from tone, and tone flows from example. You cannot demand compliance from a staff you publicly undermine. Boards must stop delegating integrity Fraud is not an accounting issue. It is a governance issue. Too many boards outsource ethics to audit committees as if integrity were a department. It is not. It is a discipline that starts in the boardroom itself. A winning board does not wait for forensic audits; it anticipates fraud through sharp questioning: Who reviews the reviewer? Which red flags are being ignored because they involve “trusted” people? How are we rewarding ethical courage, not just performance metrics? Boards must remember: when fraud breaks, the public does not blame the accountant; they blame the brand. From awareness to architecture Every November, the world marks Fraud Awareness Week. But awareness without architecture is time wastage. Do not just print posters saying, “Stop Fraud.” Build systems that make fraud unattractive. Below are the recommended practical steps for this month: Simulate fraud response. Run live scenarios. Audit the audit. Review who validates reconciliations and supplier approvals. Incentivize honesty. Publicly recognize employees who report control lapses early. Fraud awareness isn’t a campaign. It’s an ongoing redesign of trust. The digital frontier: new trust, new risks Uganda’s financial landscape is digitalizing at breakneck speed; mobile money integrations, fintech wallets, and instant payments. But technology amplifies whatever culture it finds. A dishonest employee with system credentials is more dangerous than any hacker. Boards must treat cybersecurity as an extension of fraud management. That means embedding behavioural analytics, systems that detect anomalies in user activity, not just system breaches. One lesson I have learned over the years is that “You don’t fight digital fraud with firewalls. You fight it with foresight.” The final lesson: leadership defines the temperature of integrity In one case, Suspect 2, a procurement officer, confessed: “I didn’t think they’d find out. Even the bosses do it.” That is the ultimate audit finding: hypocrisy at the top. Integrity is not enforced through slogans; it is modelled through decisions. When leaders compromise once, they license everyone else to compromise repeatedly. Fraud risk, therefore, is a mirror. It reflects the character of leadership more than the cleverness of employees. As we mark Fraud Awareness Week, every board and executive must face one question: How is