At 7:42 a.m. on a Tuesday in Kampala, the finance manager of a mid-sized logistics company received a WhatsApp message from the managing director. “Release the supplier balance before 10 a.m. We shall regularise the documents later.” The instruction looked normal, the profile photo was familiar, the tone was familiar, and the urgency was familiar. That was the problem. Fraud usually wears the clothes of routine. By 9:18 a.m., UGX 86 million had moved from the company account to a supplier the finance team had dealt with twice before. By 11:30 a.m., the real managing director walked into the office and asked why the supplier had called him to thank him for a payment he had not approved. The first person to panic was not the accountant who processed the payment, it was the IT officer. He ran to the finance manager’s laptop, opened WhatsApp Web, took screenshots, exported a chat, restarted the machine, checked the email inbox, and then proudly announced, “We have the evidence.” No, they had the remains of evidence. That distinction ruins cases. The legal issue was not whether the screenshot showed the instruction, it did. The investigative issue was not whether the payment was suspicious. It was. The real issue was whether the organisation could prove, with defensible evidence, who sent the instruction, from what device, using what account, through what channel, at what time, received by whom, acted upon under what authority, and preserved in what condition. That is where many investigations die quietly. Most practitioners confuse visibility with proof. A screenshot is visible. It may even be persuasive in a boardroom. But in a contested matter, visibility is not enough. A screenshot can be cropped, altered, misdated, staged, forwarded, retyped, or taken after the device state has changed. It may show content without source. It may show words without context. 
It may show a message but not the sender’s device, account session, IP trail, authentication event, deletion history, linked media, or companion records. A screenshot is a witness with poor memory. Useful, but not enough. The evidence trail that matters is usually wider than the document everyone is staring at. In this case, the WhatsApp message was only one tile in the floor. The real trail sat across the finance manager’s phone, WhatsApp Web sessions, browser history, device notifications, operating system logs, bank portal access records, payment approval timestamps, email correspondence, supplier master file changes, user access rights, call records, mobile money activity, CCTV footage near the finance desk, and the supplier’s bank account movement after receipt. If the company had preserved the finance manager’s phone properly, it might have captured the original message database, local timestamps, contact identifiers, attachments, deletion artefacts, and session details. If it had preserved the laptop properly, it might have captured browser session data, cache, clipboard artefacts, downloads, web tokens, synced devices, and recent access logs. If it had preserved the bank portal records, it might have shown whether the payment was made from the usual workstation, during normal hours, using a normal approval path, or under abnormal login behaviour. Instead, the IT officer touched everything because he wanted to help. Helpful people are dangerous in the first hour of an investigation. They click, open, forward, export, rename, restart, call suspects, ask witnesses what happened in a group meeting, and create new facts while trying to preserve old ones. Evidence can be technically present and legally weak. That is the uncomfortable truth. You may have the chat, but not the device state. You may have the email, but not the header. You may have the document, but not its metadata. You may have the file, but not the version history. 
You may have the approval, but not the access log. You may have the recording, but not proof of source. You may have a confession, but after an unfair process. You may have the truth, but in a form the other side can attack. A lawyer thinks in admissibility, relevance, authenticity, completeness, proportionality, privilege, and prejudice. An investigator thinks in sequence, custody, source, alteration, corroboration, motive, access, and opportunity. A good digital evidence examiner thinks in systems. The record is not just the thing on screen. The record is the thing, the system that made it, the user who touched it, the device that stored it, the network that carried it, the account that authenticated it, and the process that preserved it. That is why the first field method matters. When a suspicious instruction, transaction, deleted message or disputed document is discovered, do not start with interviews. Start with preservation. Interviews change stories. Preservation captures states. Freeze the relevant accounts. Do not disable them blindly if doing so destroys session data or alerts suspects too early. Preserve the mailbox, not just selected emails. Preserve the phone, not just exported chats. Preserve the laptop, not just screenshots. Preserve logs before retention periods expire. Preserve bank portal records before they are overwritten. Preserve CCTV before the system loops over itself. Preserve supplier master data before someone edits the record to look clean. Then document every action. Who touched the device? At what time? For what purpose? Was it powered on or off? Was it connected to the internet? Was it placed in airplane mode? Was it imaged? Was a hash value created? Was the original isolated? Was the working copy used for analysis? Who had access? Where was it stored? What tool was used? What was collected and what was excluded? This sounds tedious, that is why it works. The investigator must also ask better questions. 
Not “Who sent the message?” That is too narrow. Ask, which channel carried the instruction? Which accounts were active? Which devices were linked? Which users had authority to approve? Was the supplier record recently changed? Was the payment consistent with prior dealings? Who benefited from urgency? Who knew the managing director was unavailable? Who had access to his photo, style, travel schedule, and approval habits? Who bypassed the normal control and who accepted
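The preservation and documentation steps above (hash the original, isolate it, analyse a working copy, record who did what and why), sketched as an added example that is not part of the original article. The file names, the handler name and the JSON-lines log layout are assumptions, and the exported chat text is constructed sample content.

```python
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

GENESIS = "0" * 64  # "previous entry" value used for the first line of a log


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so a large export or image need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def _read_lines(log_path):
    if not os.path.exists(log_path):
        return []
    with open(log_path, encoding="utf-8") as handle:
        return [line for line in handle.read().splitlines() if line]


def append_entry(log_path, **fields):
    """Append one custody entry chained to the SHA-256 of the previous line."""
    lines = _read_lines(log_path)
    prev = hashlib.sha256(lines[-1].encode("utf-8")).hexdigest() if lines else GENESIS
    record = dict(fields, prev_entry_sha256=prev,
                  recorded_utc=datetime.now(timezone.utc).isoformat())
    with open(log_path, "a", encoding="utf-8") as handle:
        handle.write(json.dumps(record, sort_keys=True) + "\n")
    return record


def acquire(original, working_dir, log_path, handler, purpose, tool):
    """Hash the original, make a verified working copy, record who, why and how."""
    original_hash = sha256_file(original)
    working_copy = os.path.join(working_dir, os.path.basename(original))
    shutil.copy2(original, working_copy)
    if sha256_file(working_copy) != original_hash:
        raise RuntimeError("working copy differs from original")
    os.chmod(original, 0o444)  # original is set aside read-only; analysis uses the copy
    append_entry(log_path, action="acquire", item=os.path.basename(original),
                 sha256=original_hash, handler=handler, purpose=purpose, tool=tool)
    return working_copy


def log_is_intact(log_path):
    """Recompute the chain; an edited or removed earlier line breaks it."""
    prev = GENESIS
    for line in _read_lines(log_path):
        if json.loads(line)["prev_entry_sha256"] != prev:
            return False
        prev = hashlib.sha256(line.encode("utf-8")).hexdigest()
    return True


def matches_acquisition(path, log_path):
    """True only if the file still has the hash recorded when it was acquired."""
    name = os.path.basename(path)
    for line in _read_lines(log_path):
        entry = json.loads(line)
        if entry.get("action") == "acquire" and entry.get("item") == name:
            return sha256_file(path) == entry["sha256"]
    return False


def demo():
    with tempfile.TemporaryDirectory() as root:
        originals = os.path.join(root, "originals")
        working = os.path.join(root, "working")
        os.makedirs(originals)
        os.makedirs(working)
        export = os.path.join(originals, "chat_export.txt")
        with open(export, "w", encoding="utf-8") as handle:  # constructed sample content
            handle.write("07:42 MD: Release the supplier balance before 10 a.m.\n")
        log = os.path.join(root, "custody.jsonl")

        copy = acquire(export, working, log, handler="Examiner A",
                       purpose="preserve disputed instruction", tool="python hashlib")
        append_entry(log, action="analysis_started", item="chat_export.txt",
                     handler="Examiner A", purpose="timeline reconstruction")
        result = {"log_intact": log_is_intact(log),
                  "copy_matches": matches_acquisition(copy, log)}

        with open(copy, "a", encoding="utf-8") as handle:  # a well-meaning edit
            handle.write("note added by helper\n")
        result["altered_copy_detected"] = not matches_acquisition(copy, log)

        lines = _read_lines(log)  # someone rewrites who handled the item
        lines[0] = lines[0].replace("Examiner A", "Examiner B")
        with open(log, "w", encoding="utf-8") as handle:
            handle.write("\n".join(lines) + "\n")
        result["log_edit_detected"] = not log_is_intact(log)
        return result


if __name__ == "__main__":
    print(demo())
```

The chain only protects earlier entries, so the hash of the newest log line should itself be recorded somewhere the log's custodian cannot edit.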
Internal investigations, the lonely battle few executives understand
In 2016, I ran an investigation support program for one of the financial institutions. After the training on fraud investigations, from inception to disposition, Summit Consulting Ltd was retained to support the in-house investigations team with case management work as on-the-job training. We worked closely with the internal team to guide their investigations from inception through case strategy (fraud hypothesis and testing), statement taking, field investigations, digital evidence and chain of custody, and dealing with police officers and other agencies. It was a great experience.
The fraud investigation team occupied the smallest office on the floor. It had no fancy branding, no applause at staff town halls, and very few visitors except when something had gone terribly wrong. The people inside that office lived with an unusual burden. They were expected to uncover the truth in environments where people concealed it, protect the institution while remaining independent, and gather evidence strong enough to withstand scrutiny from senior management, lawyers, regulators, and courts. Yet the greatest challenge they faced was not technology, nor sophisticated fraudsters, but loneliness.
I remember a case where I was invited to investigate a matter at a large institution after rumours began circulating quietly through corridors. The organisation was performing well, revenue targets had been achieved, the board was satisfied, and the executive team was confident. Then small anomalies began appearing. Supplier payments that looked ordinary at first glance started raising questions; a few invoices had similar descriptions but slightly different vendors; some approvals happened unusually fast, and a supplier that had never existed a few years earlier was suddenly receiving significant contracts. The internal investigations unit noticed the pattern, but the challenge was that nobody wanted to believe it.
The head of investigations, a reserved gentleman with greying hair and sharp eyes, had raised concerns before. This time, however, the issue touched influential individuals. Suddenly the investigators found themselves isolated; people avoided them in corridors, requests for documents slowed down, witnesses became hesitant, and every question they asked was interpreted as an accusation.
This is the lonely reality of internal investigations. Investigators are expected to protect the organisation, but they often become unpopular when they do. The irony is painful. An organisation readily celebrates the sales team for bringing money in. It praises operations for efficiency and rewards innovation, but the investigators who quietly prevent losses, recover stolen assets and expose control failures often work in silence. In the same way, defenders who work hard to prevent conceding goals never get celebrated like those who score. A shepherd dog rarely receives applause while guarding sheep. It only gets attention when a wolf enters the flock. That is the life of an internal investigations team.
How fraud hides behind normal business
The investigation began with data. Most investigators start by interviewing people, but top investigators start by understanding systems. We obtained payment records, procurement logs, approval workflows, emails and access logs. The fraud did not reveal itself immediately, as everything appeared legitimate. That is precisely how sophisticated fraud works. Fraudsters rarely create transactions that look suspicious. They create transactions that look ordinary. The suppliers had valid registration documents, contracts existed, approvals were properly signed, payments were supported by invoices, and the control environment appeared functional. But forensic work is not about examining what is present; it is about noticing what should have been present but is absent.
The investigators noticed that supplier onboarding documents contained unusual similarities, phone numbers overlapped, email recovery accounts pointed to related individuals, IP addresses used during supplier registration appeared linked, the timing of approvals was remarkably consistent, and several contracts were approved shortly after budget reallocations. Tiny details destroy large lies. A forged signature may escape attention, a manipulated invoice may appear convincing. But digital footprints are stubborn witnesses. Technology remembers but people forget.
How investigators become isolated
The most difficult stage of any investigation is not collecting evidence; it is managing relationships. As suspicions grew stronger, pressure began mounting on the investigations team. Why are you investigating this supplier? Why are you asking about this executive? Are you certain your conclusions are correct? Could there be another explanation? Those questions are reasonable. Good investigators welcome scepticism, but organised resistance feels different. Documents disappear, emails are deleted, witnesses suddenly forget, people become defensive, and some executives begin treating investigators as adversaries rather than protectors.
This creates emotional isolation. Investigators cannot openly discuss their suspicions; they must remain objective. They carry confidential information and see the darker side of human behaviour more frequently than most professionals. The psychological burden is immense. An executive once told me something I never forgot. “When people see us entering a room, conversations stop. Yet when the organisation suffers losses, everyone asks where the investigator was.” That statement captures the paradox perfectly. The better investigators perform, the more worried they make dishonest people.
Why ExCo matters more than it thinks
The executive committee shapes the success or failure of internal investigations more than any technology.
An unsupported investigations team becomes reactive while a trusted investigations team becomes transformational. ExCo must provide four things. Investigators should never fear consequences for pursuing facts. Digital investigations require specialised software, forensic expertise and continuous training. Tone from the top. Employees must understand that investigations protect the institution rather than target individuals. Investigators often uncover tough truths; hence they need assurance that integrity will be rewarded rather than punished. An organisation that weakens investigations weakens itself. A castle does not become safer by dismissing the guards.
How digital evidence changed the case
The turning point came unexpectedly. One investigator requested access to historical system logs, not summaries nor raw logs. The records showed unusual access patterns. A procurement officer’s account accessed supplier records outside normal working hours, changes were made shortly before approvals, several supplier details were edited repeatedly, and the logs were preserved carefully. This is where many investigations fail. Investigators focus on discovering evidence. Elite investigators focus equally on preserving it. Every action was documented, original files remained untouched, hash
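The three access patterns named above (supplier records touched outside working hours, changes shortly before approvals, repeated edits to the same supplier), expressed as checks over an audit export. This is an added example, not taken from the case; the CSV layout, user names, office hours, 24-hour window and repeat threshold are all assumptions, and the log rows are constructed.

```python
import csv
import io
from collections import Counter
from datetime import datetime, time, timedelta

# Constructed sample audit export; the column layout is an assumption.
# Timestamps are treated as local server time; establish the log's time zone first.
SAMPLE_LOG = """\
timestamp,user,action,supplier_id,field
2024-03-04T10:15:00,proc.a,VIEW,S-1001,
2024-03-05T22:47:00,proc.a,EDIT,S-2040,bank_account
2024-03-05T22:51:00,proc.a,EDIT,S-2040,phone
2024-03-06T09:05:00,fin.b,APPROVE_PAYMENT,S-2040,
2024-03-09T14:00:00,proc.a,EDIT,S-2040,email
2024-03-11T11:00:00,proc.c,EDIT,S-1001,address
2024-03-20T15:00:00,fin.b,APPROVE_PAYMENT,S-1001,
"""

WORK_START, WORK_END = time(8, 0), time(18, 0)  # assumed office hours, Mon-Fri
APPROVAL_WINDOW = timedelta(hours=24)           # assumed meaning of "shortly before"
REPEAT_THRESHOLD = 3                            # assumed meaning of "repeatedly"


def parse_events(text):
    """Read the export and return events in time order."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        row["timestamp"] = datetime.fromisoformat(row["timestamp"])
        events.append(row)
    return sorted(events, key=lambda e: e["timestamp"])


def is_out_of_hours(ts):
    return ts.weekday() >= 5 or not (WORK_START <= ts.time() < WORK_END)


def out_of_hours_access(events):
    """Views or edits of supplier records at night or on a weekend."""
    return [(e["timestamp"].isoformat(), e["user"], e["supplier_id"])
            for e in events
            if e["action"] in ("VIEW", "EDIT") and is_out_of_hours(e["timestamp"])]


def edits_before_approval(events):
    """Supplier edits that fall inside the window before a payment approval."""
    findings = []
    edits = [e for e in events if e["action"] == "EDIT"]
    for approval in (e for e in events if e["action"] == "APPROVE_PAYMENT"):
        for edit in edits:
            gap = approval["timestamp"] - edit["timestamp"]
            same_supplier = edit["supplier_id"] == approval["supplier_id"]
            if same_supplier and timedelta(0) <= gap <= APPROVAL_WINDOW:
                findings.append((edit["supplier_id"], edit["field"], edit["user"],
                                 approval["user"], int(gap.total_seconds() // 60)))
    return findings


def repeated_edits(events):
    """(user, supplier) pairs with at least REPEAT_THRESHOLD edits."""
    counts = Counter((e["user"], e["supplier_id"])
                     for e in events if e["action"] == "EDIT")
    return {key: n for key, n in counts.items() if n >= REPEAT_THRESHOLD}


def report(text):
    events = parse_events(text)
    return {"out_of_hours": out_of_hours_access(events),
            "edits_before_approval": edits_before_approval(events),
            "repeated_edits": repeated_edits(events)}


if __name__ == "__main__":
    for name, value in report(SAMPLE_LOG).items():
        print(name, value)
```

Each hit is a lead to corroborate against other records, not a finding on its own.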
The rise of synthetic trust
It is 7:42 a.m. on a wet Monday morning. The finance team of a regional financial institution is already tense because payroll is due, suppliers are calling, and the board pack must be closed before midday. A softly spoken finance officer, the kind who keeps two pens in his shirt pocket and avoids office politics, receives a message that appears to come from a senior executive. The tone, greeting and pressure are correct. The message says a strategic partner must be paid urgently because the CEO is joining a regulatory meeting and cannot be disturbed.
Then comes the video call. On the screen is a senior-looking man with a clean-shaven face, slightly tired eyes and the controlled impatience of someone used to being obeyed. He says, “Please handle this discreetly. We discussed it last week, send confirmation to the team.” The officer hesitates for three seconds. That hesitation later becomes the most important evidence in the case. Because in fraud, the truth often hides inside the smallest pause.
The payment was processed in two tranches. The first went through a bank transfer to a local account that appeared to belong to a legitimate vendor. The second moved through mobile money wallets linked to field facilitators, allegedly for urgent mobilisation costs. The approvals looked clean, the email trail looked normal, the invoice carried the right logo, the payment narration matched previous transactions, and even the phone number used for confirmation had once appeared in an earlier supplier communication.
That is synthetic trust. It is not merely a deepfake video or a fake email. It is the construction of a believable trust environment using fragments of truth stolen from ordinary work life. The attackers did not need to break every control; they only needed to imitate enough reality for busy people to stop thinking. In court, that distinction matters. A weak investigator calls it a cyberattack.
A serious investigator calls it a trust manipulation scheme supported by digital impersonation, payment diversion, internal process weakness and human pressure.
The fraud did not start on Monday. It started weeks earlier, quietly. The attackers studied the organisation’s rhythm. They knew when payroll pressure peaked, which suppliers were frequently paid, which executive travelled often, that approvals were commonly chased through WhatsApp after documents were uploaded into the system, and that one department treated urgency as authority. One junior staff member later told the investigation team, “Sir, the instruction looked strange, but not strange enough.” That sentence should be written on every boardroom wall. Most fraud does not look abnormal, only slightly faster than usual.
The attackers used four layers. They created a credible email chain by copying old language from genuine correspondence. They used a cloned voice note to reinforce urgency. They arranged a short video call in which the “executive” spoke briefly and avoided long interaction. They pushed payment into a mixed channel, part bank transfer and part mobile money, to create speed and fragmentation.
This is where average investigators miss the case. They chase the face on the screen and forget the payment behaviour. They admire the technology and ignore the control failure. They focus on the fake executive and forget the real question: who inside the organisation knew the payment habits, approval weaknesses and pressure points?
Take note that:
Synthetic trust feeds on predictable behaviour. If your organisation always pays urgent invoices on Friday, if senior people always bypass normal channels, if finance fears upsetting power more than breaking controls, then attackers do not need magic. They need observation.
Authenticity is no longer proof. A voice can be copied, a face can be generated, an email can be spoofed, and a familiar writing style can be imitated. The question is no longer, “Does this look like the executive?” The better question is, “Can this instruction survive independent verification?”
Mixed payment channels are a red flag when urgency is used to defeat normal review. A genuine emergency may exist, but genuine emergencies still leave disciplined evidence.
Internal culture determines whether technology becomes protection or decoration. If staff are punished for asking questions, they will obey fraud politely.
Take your last five urgent payments and reconstruct the evidence trail. Ask your team, “If this transaction were challenged in court, would we prove authority, purpose, beneficiary legitimacy and independent verification without relying on memory?” If the answer is no, you do not have a payment process. You have a trust ritual.
How it was noticed
The fraud was not discovered by a genius system. It was noticed by a stubborn internal auditor with the irritating habit of reading narrations slowly. She was a quiet woman, always carrying a small notebook, the kind of professional people underestimate because she does not perform intelligence loudly.
She saw three things. The supplier invoice had the correct logo, but the spacing around the tax number was different from previous invoices. The email requesting payment had a familiar sign-off, but the punctuation was slightly cleaner than the executive’s usual messages. The mobile money schedule carried names that appeared unrelated to the vendor’s known field operations. Individually, none of these proved fraud. Together, they created what investigators call a pattern of discomfort. That is frontline skill. Good investigators do not start by accusing people. They start by preserving doubt.
The auditor did not shout. She froze the next payment batch, requested the original supplier contract, obtained the vendor master change history, asked ICT for email header details, and requested call logs from the approving officers.
She also did something many investigators forget. She wrote down the exact time she first noticed the anomaly. That timestamp later protected the integrity of the investigation.
Fraud detection begins with disciplined curiosity, not suspicion. Suspicion makes people defensive while curiosity makes evidence speak.
Small formatting changes are not small when money has moved. Courts respect consistency, and fraud often disturbs consistency before it exposes itself.
A payment file must be read like a witness statement. Who created it? Who touched it? Who approved it? Who benefited?
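What the email header details requested from ICT can show for a payment instruction, as an added example that is not part of the original article. The message, every domain and address in it, and the `trusted_mx` host name are constructed; the result keywords follow the standard Authentication-Results header format.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message; every name, domain and address is illustrative.
SAMPLE_MESSAGE = """\
Return-Path: <bounce@mail-relay.example.net>
Received: from mx.company.example (mx.company.example [192.0.2.10])
  by mailstore.company.example with ESMTPS; Mon, 03 Jun 2024 07:41:12 +0300
Received: from mail-relay.example.net (unknown [198.51.100.23])
  by mx.company.example with ESMTP; Mon, 03 Jun 2024 07:41:10 +0300
Authentication-Results: mx.company.example;
  spf=pass smtp.mailfrom=mail-relay.example.net;
  dkim=none; dmarc=fail header.from=company.example
Authentication-Results: mail-relay.example.net; spf=pass; dkim=pass; dmarc=pass
From: "Managing Director" <md@company.example>
Reply-To: "Managing Director" <md.company@freemail.example>
To: finance@company.example
Subject: Urgent supplier payment
Date: Mon, 03 Jun 2024 07:40:55 +0300
Message-ID: <constructed-0001@mail-relay.example.net>

Please release the supplier balance before 10 a.m.
"""

HOP = re.compile(r"from\s+(\S+)\s+\([^)]*\[([^\]]+)\][^)]*\)\s+by\s+(\S+)")
RESULT = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")


def domain_of(header_value):
    """Domain part of the address in a header, or '' if the header is absent."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()


def analyse_headers(raw, trusted_mx):
    """Compare what the message displays with what the receiving server recorded."""
    msg = message_from_string(raw)
    findings = []
    from_domain = domain_of(msg["From"])

    # Replies or bounces going to another domain are leads, not proof:
    # legitimate bulk senders also use a different Return-Path.
    reply_domain = domain_of(msg["Reply-To"])
    if reply_domain and reply_domain != from_domain:
        findings.append("reply-to-domain-differs")
    return_domain = domain_of(msg["Return-Path"])
    if return_domain and return_domain != from_domain:
        findings.append("return-path-domain-differs")

    # Only the Authentication-Results header stamped by our own MX counts;
    # a sender can insert any header it likes, including one that says "pass".
    auth = {}
    for value in msg.get_all("Authentication-Results", []):
        parts = value.split(";", 1)[0].split()
        if parts and parts[0].lower() == trusted_mx:
            auth.update(RESULT.findall(value))
    # SPF only vouches for the envelope domain, so DKIM and DMARC decide
    # whether the visible From domain was authenticated.
    for mechanism in ("dkim", "dmarc"):
        result = auth.get(mechanism, "missing")
        if result != "pass":
            findings.append(f"{mechanism}-{result}")

    # The Received line written by our own MX names the host that handed the
    # message over; hops below it were written by the sender's side.
    handoff = None
    for value in msg.get_all("Received", []):
        match = HOP.search(value)
        if match and match.group(3).lower() == trusted_mx:
            handoff = (match.group(1).lower(), match.group(2))
            break

    return {"from_domain": from_domain, "auth": auth,
            "findings": findings, "external_handoff": handoff}


if __name__ == "__main__":
    print(analyse_headers(SAMPLE_MESSAGE, "mx.company.example"))
```

This only works on the message preserved in its original form with full headers; a forwarded copy or a screenshot carries none of these fields.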
Cybersecurity in the Age of Autonomous Agents
Who is really running your organisation today: your leaders, your systems, or the habits that nobody dares to confront? That is the question I ask Boards and CEOs whenever they tell me their biggest risk is cyberattacks, artificial intelligence, or digital disruption. Most of the time, it is not. The real risk is execution decay.
I am facilitating a leadership retreat for one of the region’s largest institutions. The room is full. The CEO sits quietly at the front and the executives have just spent two hours discussing digital transformation, AI adoption and cybersecurity investments. Everyone sounds optimistic, the slides are beautiful, and the ambitions are grand. I ask a question. “What is the one thing keeping you awake at night?” The room goes silent. Then a middle manager at the back raises his hand. “Sir,” he says, “we do not have a technology problem; we have an honesty problem.” Everyone laughs nervously. He continues. “We buy systems but ignore reports, we have dashboards nobody opens, people arrive late and leave early, some managers protect poor performers because they are loyal, resources disappear slowly, not dramatically, and good employees stop trying because excellence and mediocrity receive the same rewards.”
The room heats up. I love it, because then I have their attention. Our biggest fear is not hackers entering our systems; it is people who have emotionally exited the organisation but continue occupying offices. I watch the CEO lean back because he knows it is true. The organisation looks modern from outside, but inside, execution leaks from a thousand small behaviours nobody measures and nobody confronts. And then another executive speaks. “We have been trying to solve this with policies.” I smile. Policies do not change culture, technology does not create accountability and AI certainly does not fix leadership. The problem is the absence of disciplined execution. That afternoon, we do something unusual.
Instead of discussing strategy, we list every recurring frustration. Delayed approvals, meetings without decisions, managers who escalate everything, teams that wait for instructions, cybersecurity incidents caused by shortcuts, projects launched enthusiastically and abandoned quietly. The patterns are astonishing. Most of the losses are not financial fraud, but execution fraud. People pretending to work, managers pretending to supervise, committees pretending to govern and everyone pretending the organisation is moving faster than it actually is. That is when the CEO says something profound. “We keep investing in better cars while ignoring the quality of our drivers.” Exactly. And that is where the conversation about autonomous agents must begin. The truth about AI and autonomous systems is this. They do not remove organisational weaknesses but amplify them. If your organisation rewards shortcuts, AI will accelerate shortcuts. If employees ignore controls, autonomous agents will scale those failures. If accountability is weak, technology simply makes mistakes happen faster and at greater scale. Many executives imagine cybersecurity in the age of autonomous agents as a technical war between defenders and hackers. That is yesterday’s battle. The new war is about execution. Imagine an autonomous purchasing agent authorised to negotiate contracts. What happens if procurement controls are weak? Imagine an AI agent approving expenses; what happens if fraud monitoring is poor? Imagine customer service agents operating independently; what happens if employees themselves ignore ethical standards? Technology does not create risk; it reveals the risks leaders have tolerated for years. That is why the Board’s most important cybersecurity question is changing. 
It is no longer: “Are our systems secure?” The more strategic question is, “Are our people, incentives, culture and governance mature enough to supervise intelligent machines?” Because autonomous agents do not get tired, they do not take leave. They do not wait for instructions but learn. They decide and act. And if they inherit a broken culture, they scale its weaknesses with frightening efficiency.
I tell executives something that often surprises them. The organisations most vulnerable to AI-related cybersecurity risks are not necessarily those with outdated technology, but those where performance management is weak, accountability is inconsistent, managers avoid difficult conversations, and poor performers face no consequences. Leaders confuse activity with results because intelligent machines thrive on clarity, and clarity begins with leadership.
I have seen organisations spend millions on cybersecurity tools while ignoring basic execution disciplines. People share passwords casually, critical alerts remain unread, risk registers are copied from previous years, meetings produce minutes but no action, everyone is busy; few are accountable. And then leaders wonder why transformation stalls.
The age of autonomous agents will punish this behaviour ruthlessly because the future belongs to organisations where execution becomes a strategic capability. Where leaders ask difficult questions, performance is transparent, trust is earned continuously, and cybersecurity is not an IT responsibility but a leadership discipline. The most secure organisation in the age of AI will not necessarily be the one with the most advanced technology but one where people do what they say, managers confront reality, accountability is immediate and autonomous agents operate under leaders who understand that technology is never the hero; leadership is. That is the challenge before today’s CEOs and Boards. It is not whether AI will change the organisation; it already has.
The real question is whether the organisation has the courage to change itself before autonomous agents expose the execution weaknesses leaders have been postponing for years. Because in the future, the greatest cybersecurity breach may not come from an external attacker, it may come from an organisation that automated its processes before it disciplined its culture.
The Deepfake CEO Is Calling
The call came late in the afternoon. The voice sounded calm, measured, and familiar. The Managing Director was travelling and he needed an urgent transfer to secure a confidential acquisition. The Chief Finance Officer was unavailable and the Board was not to be informed yet. Confidentiality was critical. The Finance Manager hesitated for a few seconds. The voice on the other end laughed softly and referred to a recent Board discussion that only senior executives knew. The transaction details followed on email, the signature looked right, the language matched previous communications and the urgency felt real. Money moved. A few hours later, the real CEO switched on his phone. He had never made the call. The organisation had just spoken to a machine. That is the new crime scene. Deepfakes are no longer amusing videos circulating on social media. They are becoming precision weapons aimed at trust itself. A criminal no longer needs to hack your systems if he can hack your judgment. He does not need to steal passwords if he can imitate the people you obey. This is what makes deepfakes dangerous. Cybersecurity professionals spend years building digital walls. Deepfakes simply walk through the front gate carrying the face and voice of someone trusted. The numbers are sobering. The global financial sector has already reported cases where artificial intelligence generated voices impersonated executives to authorize fraudulent transactions worth millions of dollars. One well documented incident involved a multinational company where employees transferred substantial funds after receiving what they believed was a call from their parent company’s executive. The voice had been cloned using artificial intelligence. The fraud succeeded because the attackers understood human behavior better than technology. The criminals start quietly with a speech uploaded on YouTube, an interview shared on LinkedIn, a podcast appearance, a webinar recording, or a graduation speech. 
Thirty seconds of clear audio is often enough to clone a person’s voice with remarkable accuracy. Public photographs help build facial models while public information provides the vocabulary, the habits of speech, and the context. The criminal builds a digital twin then waits. Like a fisherman who studies the river before casting his net, he learns who approves payments, who fears missing deadlines, who hesitates to challenge authority, and who is eager to impress. The attack itself is usually simple. A video call arrives with the CEO appearing anxious. Background noise makes the image imperfect, which ironically increases credibility. Humans associate poor video quality with authenticity because real internet connections are rarely perfect. The CEO requests an urgent transaction. There is pressure, secrecy, and artificial urgency. The target stops thinking critically. Money disappears. The tragedy is that many organisations still prepare for yesterday’s crimes. They invest heavily in firewalls, conduct penetration tests, buy endpoint protection, yet the greatest vulnerability remains the human instinct to trust familiar faces. Trust, once the glue of organisations, is becoming an attack surface. I recently reviewed an incident involving executive impersonation where the criminals did not exploit a single software weakness, no malware, no hacking and no broken encryption. They exploited hierarchy. Junior employees feared asking questions, senior managers assumed others had verified the request. So, everyone trusted the apparent authority of the caller and no one wanted to be the person who delayed an urgent executive instruction. The organisation had cybersecurity controls but lacked courage controls. That distinction is critical. The future of cybercrime will not revolve around breaking systems. It will revolve around manufacturing reality. Artificial intelligence now generates voices that mimic emotions. It recreates facial expressions. 
It synchronises lip movements. It adapts accents. The result is not a fake person. It is a believable lie and believable lies are extraordinarily dangerous. The legal consequences are equally serious. In Uganda, electronic fraud, impersonation, unauthorized access to computer systems, and computer misuse attract criminal sanctions under the amended computer misuse laws and related cybercrime legislation. Courts have increasingly emphasized the importance of preserving digital evidence, proving authenticity of electronic records, and establishing clear chains of custody during investigations. Electronic evidence that is poorly preserved can become worthless during litigation. That is why the response to a deepfake incident must begin with evidence preservation. Save the call recordings, preserve server logs, capture metadata, retain emails in their original form, secure mobile devices, and document every action taken. The difference between suspicion and conviction often lies inside tiny digital traces invisible to ordinary users. A deleted message leaves footprints, an edited video carries fingerprints, an AI generated voice contains artifacts that forensic experts can detect. Modern investigations examine waveform anomalies, compression signatures, source metadata, timestamp inconsistencies, network routes, and behavioural patterns. Sometimes the smallest clue becomes decisive, a background sound repeating unnaturally, a blinking pattern that does not match human physiology, a mismatch between device location and claimed location, an email routed through suspicious servers, tiny fractures in a carefully built illusion. The best investigators approach deepfakes like examining a forged land title. At first glance, everything appears genuine, the signatures look right, the stamps seem authentic, the language feels official but the truth hides in details. 
The spacing of letters, the order of approvals, the history of amendments and the invisible layers beneath the visible document. Technology has changed but human deception has not.
That is why boards must rethink governance. The traditional approval matrix is becoming obsolete. Large transactions should require independent verification through separate communication channels. Voice instructions alone should never authorize financial transactions, video calls should not override policy, and executive authority should not defeat internal controls. The truth is that some of the biggest cyber losses occur because employees obey instructions they should question.
After investigating several cases in Uganda, I have come to understand that a good employee follows procedures. A great employee protects the institution, even from what appears to be the CEO. This requires culture, training and psychological safety. People must know they will not be punished for saying, “I need to verify this request,” because one day that hesitation may save billions.
Risk is no longer a department
When the next major fraud happens in your organisation, the ransomware message appears on every screen, a customer record is leaked, a regulator asks difficult questions, or a whistleblower reveals a scheme that has been running for three years, who owns the risk? Most organisations instinctively point to the Head of Risk. That answer is precisely the problem. The most dangerous risk in modern organisations is the belief that risk belongs to somebody else.

I learned this lesson during an investigation involving a mid-sized company in Kenya sometime in 2015. The company had a Risk Manager, policies, committees, quarterly reports, and colourful risk heat maps displayed during management meetings, yet it lost hundreds of millions of shillings through a fraud scheme that unfolded in plain sight. The strange thing was that nobody believed risk management was their responsibility. Everyone assumed somebody else was watching. The court would later care less about the existence of policies and more about whether people actually followed them. That distinction is critical. Lawyers, judges and investigators understand it, but many executives do not. A policy is like a lock on a door, and the court wants to know whether anyone actually locked the door. That is where our story begins.

The company that had risk reports but not a risk culture

Picture the scene. A slightly overweight finance manager sat comfortably in his office. A tall operations supervisor managed field activities, a young IT administrator monitored systems, and a confident procurement officer approved suppliers. All were competent, experienced and hardworking, and yet collectively they created the perfect environment for a control failure. Nobody intended to commit fraud. Instead, they created something more dangerous. They normalised risk. Small exceptions became routine, minor policy breaches became accepted practice, and controls became administrative inconveniences.
Soon nobody could distinguish between operational efficiency and control circumvention. That is exactly how most major losses begin, not with criminal genius but with organisational convenience.

Four lessons executives often miss

Fraud rarely begins with theft but with tolerance of exceptions.
Cyber incidents rarely begin with hackers. They usually begin with ignored warnings.
Compliance failures rarely begin with bad people but with unclear accountability.
Risk failures rarely originate in the Risk Department. They originate in everyday business decisions.

Imagine your organisation lost internet connectivity tomorrow morning. Ask every department to write down who would be responsible. Now compare the answers. The confusion you discover is your first risk assessment.

The invisible chain nobody investigated

During the investigation, something interesting emerged. The finance manager believed procurement performed supplier verification, procurement believed finance validated supplier legitimacy, IT believed finance reviewed transaction patterns, finance believed internal audit would identify anomalies, and internal audit believed management owned operational controls. Everyone had delegated responsibility; nobody had accepted ownership. As investigators, we often call this the accountability vacuum. It is one of the most reliable predictors of organisational failure.

Think about a road accident. The court does not simply ask who was driving. The court reconstructs the entire chain. Who maintained the vehicle? Who authorised its use? Who ignored warning signs? Who knew something was wrong? Who should have acted? The same principle applies in governance. Risk travels through chains of decisions, and losses occur when nobody examines the chain.

Four lessons from the accountability vacuum

Risk ownership cannot be delegated completely.
Every critical process requires a named owner.
Controls without accountability are decorations.
Risk registers become meaningless if managers never discuss them.

Activity

Draw one critical business process. Use a flip chart. Identify every handoff point. Mark where assumptions replace evidence. Those points represent future incidents waiting to happen.

The cyber lesson nobody saw coming

The company’s fraud investigation eventually uncovered a cybersecurity weakness. A seemingly harmless shared password had existed for years. Several employees knew it. Nobody documented its use, reviewed access logs, or challenged the arrangement. One day a suspicious transaction occurred. The organisation wanted to know who performed it. Nobody could prove anything. The digital evidence was contaminated before the investigation even started.

This is where digital forensics becomes important. Courts love evidence that is reliable, preserved, and attributable. Courts dislike speculation. A shared password destroys attribution. Once multiple people use one account, proving who performed an action becomes extremely difficult. That is a detail many organisations overlook. The incident itself may be recoverable but the evidence may not.

Four digital risk realities

Convenience often defeats security.
Shared accounts destroy accountability.
Logs become critical evidence after incidents occur.
Evidence preservation starts before investigations begin.

Why risk training changes everything

Many organisations train people on procedures. Very few train people on judgement. That difference matters. During interviews, the tall operations supervisor made a revealing statement. “I thought somebody else was checking.” That sentence explained the entire failure. Risk culture training teaches people to think differently. Instead of asking, “Is this my job?” people begin asking, “What could go wrong?” Instead of asking, “Who approved this?” people begin asking, “What evidence supports this?” That shift appears small. It transforms organisations.
The best risk cultures create thousands of human sensors. Employees become active participants in protection rather than passive observers.

Outcomes of effective risk culture training

Employees recognise warning signs earlier.
Managers escalate concerns faster.
Teams challenge unusual activity constructively.
Accountability becomes part of daily operations.

Why spreadsheets cannot win this battle

Now let us address an uncomfortable truth. Most organisations still manage risk using spreadsheets, emails, and disconnected reports. That approach worked twenty years ago but it struggles today. Modern organisations generate too much complexity. Too many systems, too many regulations, stakeholders, and threats. Risk information becomes fragmented. A procurement issue sits in one spreadsheet, a cyber issue sits in another, an audit finding sits in a PDF, and a whistleblower report sits in an email. Nobody sees the complete picture. This is precisely why technology matters, not because technology eliminates risk, but because technology democratizes risk management.

How MelaGRC changes the conversation

One of the strongest lessons from investigations is that visibility
Rationalization: The hidden driver of fraud
The issue was not the missing money, which came later. The real issue was a sentence repeated quietly by a trusted staff member in a medium-sized Ugandan organisation: “After all I have done for this place, this small facilitation is not theft.” That sentence was the crime scene before the crime scene. By the time Summit Consulting was called in, the organisation had already lost money through irregular payments, inflated supplier invoices, split procurements, cash advances that never retired properly, and mobile money transactions disguised as field facilitation. On paper, everything looked normal, the vouchers had signatures, suppliers existed. The approvals appeared complete. The finance files were neat enough to impress a casual reviewer. But fraud does not always enter the building wearing a mask. Sometimes it enters wearing loyalty, long service, family pressure, delayed promotion, unpaid allowances, and the dangerous belief that management also eats. That is rationalization, the inner lawyer that defends a wrong action before the first shilling is taken. In this case, the main actor was Suspect 1, a calm middle-aged officer with a tired face, an old laptop, and the confidence of someone who knew the organisation’s weak points better than the policy manual. Suspect 2 was a field supervisor, energetic, always moving, always on calls, the kind of person people trusted because he looked busy. Suspect 3 was a supplier representative, soft-spoken, patient, and unusually available whenever urgent paperwork was needed. The scheme was simple because most successful frauds are simple. Suspect 2 would initiate field activity requests for work that was partly genuine, partly exaggerated, and sometimes entirely recycled from previous assignments. Suspect 1 would process the payments using familiar descriptions such as transport refund, urgent community mobilisation, emergency supplies, field meals, airtime facilitation, and temporary labour support. 
These descriptions were not dramatic. That was the genius of it. Nobody steals loudly when the system rewards quiet paperwork. Money moved in small amounts first, UGX 450,000 here, UGX 780,000 there, UGX 1.2 million for field facilitation, UGX 2.4 million for supplier support. Some funds went through mobile money numbers registered in names that looked unrelated to staff, but the investigation later showed links through family members, former casual workers, and contacts saved in phones under innocent labels. Some money was withdrawn in cash and shared. Some was paid to Suspect 3’s small supply business, which issued invoices for items delivered in lower quantities than stated. Some transactions were reversed in practice but not in records, meaning the field activity closed administratively while value leaked quietly.

The fraud was noticed not because the controls were strong, but because one auditor refused to accept a beautiful file as proof of reality. That is a lesson many leaders must hear. A complete file is not the same as a true transaction. The auditor noticed four things.

The same wording appeared repeatedly across different payment requests, as if several activities had been copied from one old template and only dates and amounts changed.
Field activities seemed to attract similar costs even when the locations, number of participants, and duration differed.
Some mobile money numbers kept appearing around different activities, not as official beneficiaries, but as informal recipients of facilitation.
Supplier invoices had the same formatting errors, the same spelling habits, and the same rushed signatures, even though they were supposedly from different business days.

That is how fraud begins to cough, not loudly, just enough for a trained ear to hear. When Summit Consulting entered, we did not start by accusing people. That is amateur work. We started by rebuilding the transaction story.
Every payment was treated like a witness, every voucher had to explain itself, every mobile money number had to find its owner, every supplier invoice had to meet delivery evidence, and every approval had to be matched against authority, budget, activity reports, and actual field confirmation. The breakthrough came when the team compared activity dates with vehicle movement records, staff attendance, mobile money withdrawals, and supplier delivery notes. One activity claimed to have taken place in a field location, yet the vehicle assigned to that work was recorded elsewhere. Another payment claimed support for community mobilisation, yet the listed participants could not confirm attendance. A third transaction showed supplier delivery of materials, yet the store records carried no matching goods received note. The file was speaking in fragments, so the investigator’s work is to make fragments testify. In interviews, Suspect 1 did not begin with denial. He began with justification. He spoke about years of service, poor pay, pressure from home, unfair promotions, and how senior people wasted more money through bad decisions. Suspect 2 said field work was difficult and sometimes required flexibility. Suspect 3 said he only supplied what he was asked to supply and assumed internal people had obtained the right approvals. That is the anatomy of rationalization. The fraudster does not always say, I stole. He instead says, I compensated myself, I was only borrowing, the organisation owed me, everyone does it. They say, no one was hurt, but the organisation is always hurt, trust is hurt, cash flow is hurt, staff morale is hurt, strategy is hurt, and the board is hurt because it made decisions based on numbers that were quietly bleeding underneath. In law, motive does not clean dirty hands. A person may have pressure, frustration, family obligations, or resentment, but those circumstances do not convert unauthorised benefit into lawful entitlement. 
A hungry man may explain why he entered the garden, but the court will still ask who owned the cassava, who harvested it, who carried it away, and whether permission existed. That is why evidence matters. The investigation closed the matter by showing the pattern, not just the isolated transactions. One payment could be explained away, two could be coincidence, ten with the same behaviour became a scheme. The team prepared a loss schedule, linked payments to beneficiaries, identified control failures, preserved the supporting records, documented interview explanations, and separated confirmed loss from suspected exposure.
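Two of the four patterns the auditor noticed, recycled wording where only dates and amounts change and the same mobile money numbers recurring across unrelated activities, can be tested over a payment register. This is an added example, not the method used in the engagement described; the voucher ids, activity codes, recipient labels and narrations are constructed.

```python
import re
from collections import defaultdict

# Constructed sample payment requests. Recipients are placeholder labels,
# not real mobile money numbers.
REQUESTS = [
    {"id": "PV-101", "activity": "ACT-01", "recipient": "MM-A",
     "text": "Transport refund for community mobilisation on 03/02/2024, "
             "40 participants, UGX 450,000"},
    {"id": "PV-117", "activity": "ACT-02", "recipient": "MM-B",
     "text": "Transport refund for community mobilisation on 17/02/2024, "
             "25 participants, UGX 780,000"},
    {"id": "PV-130", "activity": "ACT-03", "recipient": "MM-A",
     "text": "Transport  refund for community mobilisation on 09/03/2024, "
             "60 participants, UGX 1,200,000"},
    {"id": "PV-131", "activity": "ACT-03", "recipient": "MM-C",
     "text": "Emergency supplies for field team, UGX 2,400,000"},
    {"id": "PV-140", "activity": "ACT-04", "recipient": "MM-A",
     "text": "Airtime facilitation for supervisors, UGX 300,000"},
]

DATE = re.compile(r"\d{1,2}/\d{1,2}/\d{2,4}")
NUMBER = re.compile(r"\d+(?:[.,]\d+)*")


def template_of(text):
    """Reduce a narration to its template by masking dates and numbers."""
    masked = DATE.sub("<date>", text.lower())
    masked = NUMBER.sub("<num>", masked)
    return re.sub(r"\s+", " ", masked).strip()


def repeated_templates(requests, min_count=2):
    """Map each template used by at least min_count requests to their ids."""
    groups = defaultdict(list)
    for request in requests:
        groups[template_of(request["text"])].append(request["id"])
    return {tpl: ids for tpl, ids in groups.items() if len(ids) >= min_count}


def recurring_recipients(requests, min_activities=2):
    """Map each recipient paid under several distinct activities to them."""
    seen = defaultdict(set)
    for request in requests:
        seen[request["recipient"]].add(request["activity"])
    return {who: sorted(acts) for who, acts in seen.items()
            if len(acts) >= min_activities}


if __name__ == "__main__":
    for template, ids in repeated_templates(REQUESTS).items():
        print("recycled wording:", ids, "->", template)
    for who, activities in recurring_recipients(REQUESTS).items():
        print("recurring recipient:", who, activities)
```

A hit is a lead for the reconstruction work described above, not a finding: each flagged voucher still has to be matched against delivery, attendance and authority records.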
Why fraud examiners and investigators tend to be lonely
The case fell apart in the final stretch, not because the facts were weak, but because a witness who had sounded confident in the interview room suddenly became selective in memory, a senior executive who had privately demanded decisive action began speaking the language of caution, and a colleague who had praised the rigor of the investigation quietly asked whether the matter could be “handled internally for the good of the institution.” That is when younger investigators learn the profession. Fraud examination is not lonely because investigators dislike people, but because truth has poor social skills. The organisation in question looked healthy from the outside. Clean offices, good branding, public confidence, and a digital transformation programme everyone was proud of. Inside, something was bleeding through vendor payments linked to a technology modernization initiative. Small amounts at first, too small to trigger panic, then patterns emerged, duplicate invoices with minor alterations, banking details changing without credible escalation, supporting documents that looked legitimate until someone examined metadata, font substitutions, creation timestamps, and document revision traces. The internal auditor, a composed woman with sharp observational skills, noticed something that ordinary people often ignore. Three invoices from supposedly different vendors had identical PDF production signatures, same document generator, embedded author tag, and compression pattern. That was the hairline crack. A digital forensics review expanded the picture. Email header analysis showed routing inconsistencies, reply paths differed from visible sender identities, login telemetry suggested one compromised mailbox had been accessed through anomalous authentication behavior inconsistent with the staff member’s normal usage pattern. Vendor onboarding records showed suspicious timing. 
Approval sequencing was unusually compressed, and a staff member who usually asked questions had approved without challenge. Then the social weather changed. The moment suspicion moves from theory to human beings, loneliness enters because fraud investigation is not accounting but structured disappointment. Courts continue to place value on evidential discipline, authenticity, and procedural integrity, particularly where electronic evidence is concerned, which means investigators who contaminate digital trails, rely on screenshots without provenance, or fail to preserve original records damage their own case before defence counsel says a word. That legal reality shapes investigator behavior. You become careful with words, assumptions, friendship, internal politics, and people interpret caution as distance. That is how the isolation begins.

People stop speaking freely around you

Put yourself in the office canteen. Conversation changes when you arrive, the joke pauses, the side glance appears, someone lowers their voice, not because you are dangerous in a dramatic sense, but because investigators change the emotional economics of casual conversation. Most professionals live by relational shortcuts, trust, familiarity, and shared assumptions. Investigators are trained to test narratives, verify records, examine inconsistencies, and separate what was said from what can be proven. That habit does not switch off neatly.

A good fraud examiner listens differently. When someone says, “I always follow procedure,” the investigator quietly translates that into a testable statement. When someone says, “Everyone knew,” the investigator asks who exactly. When someone says, “It was obvious,” the investigator asks obvious to whom. That mental posture is useful professionally and awkward socially. A locksmith eventually notices weak doors everywhere, a surgeon notices poor hygiene in restaurants, an investigator notices story gaps. Learn disciplined compartmentalization.
Professional skepticism is a tool, not a permanent personality.

Truth rarely makes you popular

The board may request an investigation, management may authorize the review, legal may approve the scope, and HR may support the process. Then evidence starts pointing toward someone influential. Watch the room change. The executive who demanded speed asks for balance. The manager who praised rigor asks whether reputational considerations should be weighed. A stakeholder suddenly raises procedural fairness concerns after ignoring them for months. That does not mean the concerns are invalid. Fairness matters deeply, but seasoned investigators learn something difficult. Many people love investigation as an abstract principle until evidence becomes expensive.

This creates professional loneliness because investigators are often standing between institutional convenience and evidential reality. A barrister testing your work will not care that leadership felt uncomfortable. The court will care whether your evidence is authentic, preserved, attributable, and fairly obtained. That is why experienced investigators sometimes seem emotionally detached. They are not detached; they are protecting the case.

You see what others miss, and that changes you

The average employee reads an email. An investigator reads the sender path, linguistic style, urgency framing, timing, recipient structure, and attachment behavior. The average manager sees a payment approval, an investigator sees control bypass, authority exploitation, and evidence generation points. The average executive sees a missing laptop, a digital investigator sees credential exposure, cached tokens, cloud synchronization risk, remote persistence, browser artifacts, and potential lateral movement. Technology has made this sharper.
A deleted WhatsApp thread may still leave cloud artifacts, a USB insertion event can leave operating system traces, PDF metadata can expose authorship patterns, email transport headers can reveal routing anomalies, browser history reconstruction can expose access chronology, and mobile device logs may show application interaction timing. Even absence can be evidence. A suspect claiming not to have opened a document while endpoint telemetry suggests interaction is not a philosophical disagreement. It is a factual contradiction. This knowledge changes how you experience ordinary life as you stop trusting surface narratives. That can be isolating unless balanced with emotional maturity.

Confidentiality creates distance

A priest carries confessions, investigators carry institutional secrets. That difference matters. You may know why someone resigned, why a cyber breach was worse than publicly stated, why an internal theft narrative is incomplete, why an executive narrowly escaped a fraud event. You often cannot discuss it. That silence creates social separation. Friends interpret discretion as coldness, colleagues interpret non-disclosure as arrogance, and family members wonder why you seem mentally elsewhere.

Confidentiality is not merely professional etiquette, it is often a legal and evidential necessity. Loose conversation can taint witness recollection. Premature disclosure can prejudice proceedings. Careless commentary can create defamation exposure. Evidence handling failures can undermine admissibility. So investigators become quieter, not because
The difference between internal audit and investigations
The problem started with fuel. Not millions disappearing overnight. Real fraud rarely behaves like a dramatic movie. It moves carefully, almost politely, through weak controls until somebody notices a detail that does not fit the rhythm of normal operations. A regional services company with field vehicles had approved unusually high fuel expenditure for several months. Management blamed operational expansion. The transport officer, a broad-shouldered man who spoke confidently and liked using operational jargon, explained that field activity had increased. The finance department accepted the explanation because revenue had also grown. Nobody wanted to slow the momentum. Then an internal auditor noticed something irritatingly small. One vehicle had consumed more fuel during a weekend when GPS logs showed limited movement. Not impossible, just not making sense. That single observation eventually exposed duplicate fuel claims, manipulated mileage reporting, unauthorised fuel card use, weak supervision, and collusion between an internal officer and an external station attendant. The internal auditor did not conduct the matter like a criminal investigation initially. And that distinction matters more than many organisations understand. Internal audit and investigations are cousins, not twins. Confusing them damages cases, destroys evidence, weakens disciplinary actions, and sometimes collapses matters in court because the organisation approached a potential evidential issue as if it were merely a routine compliance review. That is where experienced investigators become careful. Because the moment fraud suspicion emerges, the terrain changes legally, operationally, emotionally, and technically. Courts continue to emphasize procedural fairness, evidential reliability, authenticity of records, and proper handling of electronic evidence, especially where allegations carry employment, criminal, or reputational consequences. 
That means one careless interview, contaminated laptop, improperly extracted WhatsApp screenshot, or one rushed accusation can poison an otherwise strong matter. A butcher and a surgeon both use sharp instruments. The difference is intent, method, precision, and evidential consequence. That is the difference between internal audit and investigations.

Internal audit looks for control weaknesses

The internal auditor in this case started where auditors are supposed to start. Risk, controls, process reliability, policy compliance, and data consistency. The auditor was not trying to prove theft. She was testing whether operational controls produced reliable outcomes. That distinction protects objectivity. She reviewed fuel trends, compared mileage against consumption, sampled approval records, checked weekend usage patterns, and compared fuel station invoices against operational schedules. She noticed inconsistent handwriting patterns on supporting documents and approvals occurring unusually late at night.

An internal audit asks questions like these. Are controls designed properly? Are they operating consistently? Are approvals functioning? Are reconciliations effective? Is segregation of duties working? Can management rely on the process? The purpose is organisational assurance, not criminal attribution. That is why auditors normally operate using sampling, materiality thresholds, process reviews, trend analysis, and control testing.

Internal audit is fundamentally preventive and advisory, even when uncomfortable findings emerge. Internal audit examines systems before individuals. Investigations often move toward individuals because attribution matters. Auditors work with reasonable assurance, not absolute certainty. Investigators pursue factual reconstruction. Audit documentation must remain disciplined because working papers can later become part of litigation or disciplinary review.

The practical activity I give teams is simple.
I ask one group to act as internal auditors reviewing a fuel management process. Another group acts as investigators examining suspected fraud in the same process. Within minutes, the room sees the difference. Auditors ask whether controls failed. Investigators ask who exploited the failure, how, when, and whether evidence supports attribution.

Investigations begin when suspicion hardens

The shift happened quietly. The auditor expanded sample testing and discovered multiple fuel slips linked to impossible mileage patterns. One vehicle appeared to travel farther than mechanically realistic, based on fuel tank capacity and route history. Then the GPS data conflicted with manual logs. At that moment, the matter stopped being merely operational. It became evidential. That transition is where many organisations fail badly. Management often says something careless like, “The audit should just continue and finalise.” Dangerous instruction. An investigation has different objectives, standards, evidence requirements, legal sensitivities, and procedural risks.

Once suspicion of fraud emerges, evidence preservation becomes critical. Devices may need isolation, access logs may require retention, witness contamination becomes a risk, and document integrity matters. Chain of custody begins to matter. The standard changes from operational assurance toward factual proof.

The investigator in this matter requested fuel card records, GPS telemetry, mobile money traces, and CCTV retrieval from selected fuel stations. One fuel station attendant appeared repeatedly during irregular transactions. Transaction timestamps showed clustering during periods with weak supervision. Then another detail emerged. Some fuel transactions occurred within minutes of each other at geographically impossible locations. That is where digital evidence becomes powerful. Technology does not merely create fraud risk. It creates reconstruction opportunities.
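The two checks described above, fuel purchases minutes apart at locations too far apart to drive between and fills that exceed what the tank can hold, reduce to a pairwise pass over each card's transactions. This is an added example, not the investigator's tooling; the card ids, station names, coordinates, speed limit and tank capacity are constructed assumptions.

```python
import math
from datetime import datetime

# Constructed sample: (card_id, ISO timestamp, station, lat, lon, litres)
TRANSACTIONS = [
    ("CARD-01", "2024-03-02T08:14:00", "Station A", 0.3476, 32.5825, 48.0),
    ("CARD-01", "2024-03-02T08:39:00", "Station B", 0.4244, 33.2041, 45.0),
    ("CARD-01", "2024-03-02T17:05:00", "Station A", 0.3476, 32.5825, 30.0),
    ("CARD-02", "2024-03-02T09:00:00", "Station C", 0.0512, 32.4637, 40.0),
    ("CARD-02", "2024-03-02T12:30:00", "Station A", 0.3476, 32.5825, 35.0),
    ("CARD-03", "2024-03-02T10:00:00", "Station A", 0.3476, 32.5825, 20.0),
    ("CARD-03", "2024-03-02T10:00:00", "Station B", 0.4244, 33.2041, 20.0),
]

MAX_SPEED_KMH = 110.0   # assumption: fastest plausible average road speed
MIN_DISTANCE_KM = 1.0   # ignore same-station repeats and coordinate jitter
TANK_LITRES = 60.0      # assumption: tank capacity of the vehicle class
REFILL_WINDOW_MIN = 60  # fills this close together must share one tank


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance; a lower bound on any road distance."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dlat, dlon = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dlat / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlon / 2) ** 2
    return 2 * 6371.0088 * math.asin(math.sqrt(a))


def analyse(transactions):
    """Compare consecutive transactions per card and return findings."""
    by_card = {}
    for card, stamp, station, lat, lon, litres in transactions:
        row = (datetime.fromisoformat(stamp), station, lat, lon, litres)
        by_card.setdefault(card, []).append(row)

    findings = []
    for card in sorted(by_card):
        rows = sorted(by_card[card])
        for prev, cur in zip(rows, rows[1:]):
            minutes = (cur[0] - prev[0]).total_seconds() / 60
            km = haversine_km(prev[2], prev[3], cur[2], cur[3])
            if km >= MIN_DISTANCE_KM:
                # Simultaneous use at two sites means infinite implied speed.
                speed = math.inf if minutes == 0 else km / (minutes / 60)
                if speed > MAX_SPEED_KMH:
                    findings.append({
                        "card": card, "rule": "impossible_travel",
                        "from": prev[1], "to": cur[1], "minutes": minutes,
                        "km": round(km, 1), "speed_kmh": speed,
                    })
            if minutes <= REFILL_WINDOW_MIN and prev[4] + cur[4] > TANK_LITRES:
                findings.append({
                    "card": card, "rule": "over_capacity",
                    "from": prev[1], "to": cur[1], "minutes": minutes,
                    "litres": prev[4] + cur[4],
                })
    return findings


if __name__ == "__main__":
    for finding in analyse(TRANSACTIONS):
        print(finding)
```

Because straight-line distance understates road distance, the implied speed is conservative: a pair flagged here would look worse, not better, once the actual route is considered.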
Investigations pursue factual reconstruction, not process commentary alone. Evidence preservation must begin early because digital artefacts degrade, overwrite, or disappear quickly. Investigations require procedural fairness because conclusions may affect employment, liberty, licensing, and reputation. Investigators must distinguish suspicion from proof carefully. A control weakness alone does not prove criminal intent.

The practical activity is revealing. Ask participants to examine the same set of records twice. First, as auditors. Second, as investigators. The auditor asks whether the policy was followed; the investigator asks whether evidence can survive cross-examination. That difference changes everything.

Internal auditors sample. Investigators reconstruct

The transport officer eventually claimed the irregularities were clerical errors caused by field pressure and delayed submissions. A weak investigator stops there emotionally, while a disciplined investigator reconstructs events: vehicle movements, GPS records, fuel card logs, authorization trails, mobile communications, station CCTV, device access history, operational schedules, witness statements, and digital timestamps. Investigators build chronology because chronology destroys imagination. Defence counsel loves ambiguity. The moment facts become sequential, verified, and independently corroborated, explanations become narrower.

One investigator reconstructed a suspicious Saturday in detail. Fuel purchase at 8:14 a.m. GPS location inconsistent with claimed route. Another fuel purchase at 8:39 a.m. Vehicle engine inactivity during the claimed operational period. Mobile tower records placing the driver near the fuel station for an extended
Strategy without security is risk
The issue began with a strategy meeting that looked successful from a distance. A financial services company had approved a new digital growth plan. More customers would be onboarded through mobile channels. Loan approvals would be faster. Field officers would use tablets. Agents would collect client information in the field. Management would receive dashboards every morning. The board wanted growth, efficiency, and better customer reach. You know, in this era of generative AI, ideas are plentiful, and those who execute well win. The mobile app plan was great. Nothing was wrong with that ambition. Security was treated as something to be added after the strategy had already been approved. In my experience as a cybersecurity practitioner, I know that is how risk enters the room politely. The chief operations officer was a tall man with a calm voice and tired eyes. He was respected because he got things done. The finance manager was sharp, careful, and slightly impatient with paperwork that slowed business. The IT officer was young, technically strong, but not yet senior enough to challenge executives with confidence. The internal auditor was soft-spoken, observant, and dangerous in the best way because she noticed what others dismissed. Three months after the digital rollout, a payment went out to a new technology support vendor. The invoice looked clean, the approval trail looked normal, and the email instruction appeared to come from the operations office. The payment was not large enough to shock the board, but it was large enough to matter. What raised suspicion was not the amount but the language. The email said, “Kindly expedite as per our strategic priority and urgency”. The internal auditor paused. The operations officer never used that phrase. He normally wrote short instructions, usually with one line and one attachment. This email had three polished paragraphs, a bank account change, and pressure to move faster. That is where the case started. 
The issue

Strategy creates movement while security controls the quality of that movement. In this case, the company had digitised approvals without redesigning authority, verification, evidence retention, and exception handling. Everyone believed the new system was efficient because approvals moved faster. The attacker saw something different. Faster approvals meant fewer questions, weaker pauses, and more room for impersonation. The fraudster did not attack the firewall first; he attacked the operating rhythm. He studied who approved payments, who feared delaying strategy, who handled vendor onboarding, and who could be pressured with the language of growth. That is modern cyber risk. It does not always arrive as a noisy breach. Sometimes it arrives as a normal request wearing the clothes of strategy.

The Computer Misuse Act, 2011, recognises offences related to unauthorised access, unauthorised use, interception, obstruction, disclosure, and electronic fraud, while Uganda’s Electronic Transactions Act recognises electronic records and gives them evidentiary value when properly authenticated and preserved. That means an organisation must think like a business and like a future witness simultaneously. If the matter reaches court, the question will not be whether people felt deceived. The question will be whether the evidence proves what happened, who did it, how the data moved, and whether the record is reliable.

The first insight is that security is not the enemy of speed. Poorly designed security is the enemy of speed. Good security removes confusion before pressure arrives. Cyber risk follows strategy. When you launch a new channel, migrate to the cloud, automate approvals, onboard vendors, or expose APIs, you also create new doors. Attackers prefer business processes with authority and urgency. Procurement, finance, HR, legal, customer support, and executive offices are attractive because people there can move money, data, or decisions.
Digital evidence must be protected from the first hour. A forwarded screenshot, a deleted email, or a casually handled laptop can weaken an otherwise strong matter.
The activity I would give the room is simple. Take your current strategy and circle every place where money, customer data, authority, or decisions move without face-to-face confirmation. Then ask one question for each point: “What must be true for this step to be trusted?” That answer is your security requirement.
How it happened
The attack began before the payment. The attacker had collected public information. Company brochures showed the digital transformation programme, social media showed the operations officer speaking at a stakeholder breakfast, a staff post showed the finance team celebrating a system launch, a procurement notice revealed the kind of vendors the company used, and a leaked email thread from an old supplier dispute gave the attacker the company’s writing style, approval language, and internal signature format. That is the first lesson investigators must teach executives. Criminals do not need to know everything; they need enough truth to make the lie feel familiar.
The attacker created a lookalike email domain with one letter changed. He sent a vendor onboarding request to a junior staff member, copying what appeared to be a senior manager. The junior officer did not notice the domain difference because the name displayed correctly. The request came at 5:46 p.m., when people were closing the day and preparing to leave. The attached documents included a certificate, a tax identification reference, a bank letter, and a quotation. They were not perfect documents, but they were good enough for a tired organisation that had confused urgency with performance.
The finance manager approved the payment because the invoice matched the strategic project line. The operations officer later denied sending the instruction. At that point, the room did what many organisations do badly.
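A one-letter lookalike domain hiding behind a correctly displayed name is something a mail gateway or an investigator can check mechanically from the message headers. The sketch below is an added example, not part of the original article; the trusted domain, the approver name, the finding labels and the sample message are all constructed placeholders.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumed values for illustration: the organisation's real mail domain and
# the display names of staff who can authorise payments.
TRUSTED_DOMAINS = {"finance.example"}
APPROVER_NAMES = {"jane doe"}
MAX_EDITS = 1  # "one letter changed"

def edit_distance(a, b):
    """OSA distance: insert, delete, substitute or adjacent swap = 1 edit."""
    d = [[max(i, j) if 0 in (i, j) else 0 for j in range(len(b) + 1)]
         for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = a[i - 1] != b[j - 1]
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]

def domain_of(header_value):
    """Lower-cased domain part of an address header, or '' if absent."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def triage(raw_message):
    """Return findings for one raw message exported with full headers."""
    msg = message_from_string(raw_message)
    name = parseaddr(msg.get("From", ""))[0].strip().lower()
    sender = domain_of(msg.get("From"))
    findings = []
    if sender not in TRUSTED_DOMAINS:
        for good in sorted(TRUSTED_DOMAINS):
            if 0 < edit_distance(sender, good) <= MAX_EDITS:
                findings.append(f"lookalike-domain:{sender}~{good}")
        if name in APPROVER_NAMES:
            findings.append("approver-name-on-untrusted-domain")
    for header in ("Reply-To", "Return-Path"):
        other = domain_of(msg.get(header))
        if other and other != sender:
            findings.append(f"{header.lower()}-mismatch:{other}")
    return findings

# Constructed sample, not taken from the case described above.
SAMPLE = (
    "From: Jane Doe <jane.doe@flnance.example>\n"
    "Reply-To: accounts@mailbox.example\n"
    "Subject: Vendor onboarding\n\nKindly expedite.\n"
)
```

Run it against a copy of the exported message, never the live mailbox, so the check itself does not alter the evidence.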
People started arguing before preserving evidence, which nearly damaged the case. A good investigator slows the room down, procedurally, not emotionally. The mailbox must be preserved, and the laptop must be isolated. The payment trail must be requested, email headers must be extracted, domain registration must be checked, and vendor documents must be compared against independent sources. The approval workflow logs must be exported, and user access logs must be retained. The mobile messages must be captured properly, and witness accounts must