The first clue was not a missing file. It was a smile. A senior procurement officer at a well-known NGO, let’s call her Suspect 1, walked into work every day with disarming calm. She spoke softly, prayed before meetings, and was everyone’s go-to person for “urgent payments.” When auditors came, she baked muffins. For three years, she processed clean transactions until one junior accountant noticed something strange: three supplier invoices, printed on different letterheads, but sharing the same email domain. That single inconsistency unravelled a fraud web worth UGX 2.7 billion; money meant for maternal health projects in Gulu and Soroti. By the time the dust settled, the NGO’s reputation was shredded. The donors were furious. And the board, stunned, asked the same question every Ugandan institution eventually does: “How did this happen under our watch?” The answer was simple: no one in the room could think like a fraud examiner. The invisible crime wave Fraud is not loud. It’s quiet. It doesn’t kick down your door. It whispers through your payroll system. It hides in a decimal point. It wears a smile. Every year, Ugandan companies lose billions to what accountants politely call “irregularities.” But behind that polite term are real betrayals; finance managers approving ghost payments, internal auditors signing what they never reviewed, and system admins deleting evidence just before resigning. You don’t read about most of these cases because they’re buried in board minutes and NDAs. But if you sat in one of Summit Consulting Ltd’s investigations, you’d see the real movie. A CEO stunned by evidence he never imagined. A driver-turned-middleman ferrying cash to mobile money agents. And a junior staffer trembling as forensic analysts pull up the logs that tell the story his mouth cannot. That is the world of Certified Fraud Examiners (CFEs); the world behind the spreadsheets. The mind of a CFE. A Certified Fraud Examiner is not a detective with a magnifying glass. They are a strategist with a microscope. They see what others miss: the way a payment is approved at 8:17 p.m., always by the same person. The supplier who always wins tenders by one decimal point. The staff member who never takes leave because their fraud would unravel in their absence. To a CFE, every inconsistency is a clue, every anomaly a confession. And this November, Uganda’s next generation of CFEs will gather at the Institute of Forensics and ICT Security (IFIS) for the country’s most rigorous fraud investigation program, powered by Summit Consulting Ltd and certified by the Association of Certified Fraud Examiners (ACFE, USA). It’s not a workshop. It’s a battlefield simulation. Inside the training room. Day one begins with a sealed envelope marked Case 004 – The Ghost in Accounts. Inside: photocopies of supplier invoices, a list of suspicious transactions, and an anonymous whistleblower email. Participants work in teams. They cross-reference bank statements. They map out shell companies. They examine phone records. By the second hour, one team notices that the “supplier” shares an address with the agency’s own office. Another connects WhatsApp screenshots showing a procurement officer asking, “Have you received the fuel refund?” By day three, they’ve cracked it. They’ve reconstructed an entire fraud ring from fragments. Then Summit’s lead investigator walks in and says, “Congratulations. That was a real case we investigated. Everything you uncovered actually happened in Uganda.” The room goes silent. Some laugh nervously. Others stare. Because suddenly, theory has turned into truth. The crimes no one talks about. Fraud in Uganda has evolved from forged cheques to digital deception. In one 2024 case, a telecom engineer created “test SIM cards” for internal network trials, but later activated them for personal use. Each line was loaded with airtime and data meant for customers. Over 11 months, the scheme siphoned UGX 600 million. In another, a microfinance manager colluded with a mobile money agent to register ghost borrowers. The repayment system showed “active loans,” but the cash was being cashed out in Kyengera every Friday morning. And perhaps the most chilling, an insurance company’s data officer who altered claim details using stolen logins from a deceased colleague. Each case had one thing in common: the organization lacked a trained fraud examiner who could see the pattern early enough. Why November matters The November CFE intake is not just another course. It’s a national necessity. Uganda’s corporate world is entering a dangerous phase, with more systems, more data, and more vulnerability. Boards are approving digital transformation projects faster than they can understand them. Risk managers are drowning in compliance checklists while fraudsters automate their crimes. “The next big corporate scandal won’t start in IT,” said one panellist at the Cybersecurity Conference. “It will start in Finance and end in Forensics.” This is why IFIS, in partnership with Summit Consulting, designed the November CFE training as an investigative laboratory. Every lesson comes with a local case: How an insider diverted donor funds using payroll ghosting scripts. How Summit traced embezzled money through mobile wallets. How a forensic trail led investigators to a café in Ntinda, where the suspect logged in on public Wi-Fi. This is not an imported theory. It’s Uganda’s corporate underworld; decoded. From accountant to investigator. The CFE program transforms ordinary professionals into strategic fraud defenders. You will master four domains: Financial Transactions & Fraud Schemes – Learn how money moves in the shadows. Law – Understand evidence so airtight it survives court cross-examination. Investigation – Conduct interviews that extract truth without intimidation. Fraud Prevention & Deterrence – Design systems that make fraud unattractive. And when you pass, you join a global elite; over 90,000 Certified Fraud Examiners across 180 countries; trusted by banks, regulators, and governments to detect deception before it becomes a disaster. The Uganda story behind the credential In Uganda, CFEs are the unsung heroes behind high-profile recoveries. They’re the ones who sit behind the “management decision” headlines. It was a CFE who traced UGX 1.2 billion siphoned from a donor-funded project through a chain of boda riders’

October is still on, the cybersecurity awareness month. Across Uganda, thousands of employees will walk into offices, open emails, and click without thinking. One careless click is all it takes. That is why Cybersecurity Awareness Month is not just another “theme month.” It is a survival drill. Cybercrime is no longer a distant story from America or Europe. It is a Ugandan reality. From SACCOs in Masaka losing millions via mobile money SIM swaps, to hospitals in Kampala locked out of patient records by ransomware, to government agencies paying ransom quietly, cyber risk is here. It is local. It is expensive. And it is growing. Why awareness matters The biggest myth in cybersecurity is that technology alone will protect you. Firewalls, antiviruses, and fancy dashboards mean nothing if your people are blind to threats. Eight out of ten breaches in Uganda begin with human error: a staff member reusing passwords, downloading fake invoices, or sharing sensitive data on WhatsApp. Cybersecurity Awareness Month exists to break that ignorance. To remind every staff member that they are the first firewall. The cost of ignorance A Tier 2 bank lost UGX 1.4 billion in a single phishing campaign. A private school had its entire website defaced, leaving parents questioning its credibility. An NGO donor froze funding after hackers exposed project data. None of these began with a “major hack.” They began with an ignored awareness. What must leaders do this October? Make cybersecurity cultural, not seasonal – One month of slogans is not enough. Embed cyber habits into daily work. Invest in drills, not posters – Staff remember simulated phishing tests, not motivational banners. Hold EXCO accountable – Cyber risk is a governance issue. Boards must demand evidence of preparedness, not promises. At Summit Consulting Ltd, we say: “Cybersecurity is not IT. It is a survival strategy.” This month, we are running free awareness trainings for organizations that dare to take risk seriously. One hour with us could save your organization billions. The question is not whether hackers will strike. It is whether your team will recognize the attack when it happens. Stay aware. Stay protected. Visit https://forensicsinstitute.org/ to access free resources. Be safe online. Cybersecurity Month 2025: Stay aware. Stay protected. One careless click. That’s all it takes to lose millions. Cybercrime is no longer a foreign headline; it is Ugandan. A SACCO in Masaka was wiped out via SIM swaps. A Kampala hospital was locked out of patient records by ransomware. A Tier 2 bank is losing UGX 1.4 billion to phishing. None of these started with “big hacks.” They started with ignorance. The truth? Technology won’t save you if your people are blind. Eight out of ten breaches in Uganda begin with human error, weak passwords, fake invoices, or sharing data on WhatsApp. This October, the Institute of Forensics & ICT Security, a technical training arm of Summit Consulting, is leading Cybersecurity Awareness Month. We are offering free awareness training to organizations ready to treat cyber risk as a governance issue, not an IT problem. Boards, EXCOs, and CEOs: stop asking “What if hackers strike?” Start asking: “Will my team recognize the attack when it comes?” Register your team today. Save your reputation tomorrow. events.forensicsinstitute.org. Stay aware. Stay protected.

When Uganda’s first mobile money platform launched in 2009, few could imagine it would one day carry the country’s economy. By 2025, over 33 million Ugandans will transact daily using their phones, buying food, paying fees, and even funding campaigns. The phone has become the bank, the ID, and the ballot box of modern life. But with every innovation comes a shadow. Beneath Uganda’s digital revolution lies a quiet war; one not fought with guns or politics, but with passwords, deception, and misplaced trust. And as the nation edges toward a more connected, election-season future, the question is no longer if we can go digital, but how securely we can stay that way. Tomorrow’s Uganda depends not on bandwidth, but on cybersecurity. The invisible economy of trust Every phone in Uganda is now a node in a massive digital network; a web of trust linking citizens, telecoms, banks, hospitals, and government services. Each transaction carries identity, intent, and value. The moment that trust falters, the entire ecosystem trembles. “Fraud today is not about hacking systems,” says a senior investigator at Summit Consulting Ltd, Uganda’s leading forensics and risk advisory firm. “It’s about hacking people.” Consider a recent case. At a hospital in Kampala, Suspect 1, posing as a telecom technician, convinced a nurse to read out a “verification code” she had just received on her phone. Within minutes, her WhatsApp and mobile wallet were hijacked. No malware. No brute-force attack. Just persuasion. This is what cybersecurity experts call social engineering: the weaponization of trust. It’s low-tech, fast, and devastating. The rise of such schemes marks a turning point. The old assumption that cybersecurity belongs to “IT departments” no longer holds. In 2025, everyone with a phone is part of the national security infrastructure. Identity: the new battlefield In the connected economy, identity has become currency. And whoever controls identity, controls trust. Telecom fraud no longer stops at SIM swaps. Criminal networks now reconstruct full digital identities, linking stolen ID photos, leaked phone numbers, and scraped social media data to create near-perfect clones of real users. In one investigation, Suspect 2, an insider at a mobile money aggregator, leaked subscriber data to an external ring that used the information to open “ghost accounts.” These accounts mimicked real users, same names, same dates of birth, and same photos. By the time anomalies were detected, a lot of money had moved through the network, all appearing legitimate. What makes identity fraud dangerous isn’t just financial loss; it’s systemic confusion. When fake and real identities overlap, accountability collapses. Who sent that money? Who posted that message? Who owns that number? In a politically sensitive season, such questions blur the line between cybersecurity and democracy itself. Future security, therefore, won’t rely on stronger passwords but on verified digital identities; encrypted, biometric, and traceable across systems. Uganda’s telecoms are beginning to explore blockchain-backed KYC (Know Your Customer) models, where identity verification becomes both private and auditable. But adoption remains slow. The insider problem Technology evolves faster than ethics. The most advanced system can still fail if the wrong person has the right access. According to Summit Consulting’s Project Frontline 2025 analysis, insider collusion accounts for over 65% of telecom-related fraud in East Africa. The typical case involves a mid-level employee, customer care, field operations, or data entry, who bypasses security protocols under the guise of “helping a customer.” In one case study, Suspect 3, a call centre agent, approved over 40 SIM swaps for “VIP customers” in a single week. Each transaction followed the procedure, was logged correctly, and passed internal checks. The fraud was only discovered when multiple clients reported losing access simultaneously. How did this happen? The answer wasn’t technical. It was cultural. Local telecom and financial industries, like many across Africa, are built on hierarchical trust; a culture where questioning authority can be mistaken for insubordination. Fraudsters thrive in such environments because silence is predictable. As the iShield Project 2025 notes, “Fraud doesn’t hide from systems. It hides in courtesy.” The future-ready solution is not more controls; it’s distributed accountability. Systems where no individual can both initiate and approve a high-value transaction. Where anomaly detection flags not just numbers, but behavioural deviations; logins at odd hours, unusual keystroke rhythms, sudden access to restricted modules. When data whispers, leaders must listen. The irony of modern fraud is that it’s often invisible, not because it’s hidden, but because it’s ignored. Every fraudulent transaction leaves a trail: timestamps, device IDs, and IMEIs that tell a story for those patients enough to listen. Yet most organizations drown in data but starve for insight. At Summit Consulting’s Digital Forensics Lab, investigators use AI-driven visualization to detect what the human eye misses: clusters of mobile transactions that occur at the same time, from the same device, across multiple accounts. The resulting heat maps are stunning: patterns that look ordinary on paper suddenly glow red with intent. In one such case, a telecom’s internal analytics flagged nothing unusual. Summit’s visualization revealed that all “routine” midnight transactions came from a single IP range, an employee dormitory near the data centre. The breach was not technical. It was behavioural. Future-ready risk management will depend on behavioural analytics; systems that don’t just secure data but learn from it. In an era where AI can detect emotional tone and typing speed, predicting insider risk is no longer science fiction. It’s a leadership necessity. From firewalls to digital immunity Uganda’s cybersecurity challenge isn’t about firewalls; it’s about mindset. In a country where most users think antivirus software is “for computers only,” building a cyber-resilient culture requires a shift from fear to literacy. Every citizen, from boda rider to banker, needs to understand that protecting their PIN is not paranoia; it’s patriotism. Telecoms are beginning to introduce “digital immunity” programs; training their agents to recognize social engineering, enforce transaction limits, and use biometrics for high-value approvals. Some banks now run internal “red team” exercises, where ethical hackers simulate real attacks to test employee readiness. Summit

When the fraud finally unravelled, it wasn’t through a sophisticated cyberattack or a shadowy hacker operating from a foreign server. It began, as many local fraud stories now do, with a six-digit code: 123456; typed casually into a phone. It was like a usual Thursday morning at a hospital when “Suspect 1,” a man dressed in a faded telecom-branded jacket, approached a nurse outside the outpatient wing. He spoke softly, like someone used to fixing problems others didn’t understand. “Madam, your SIM card needs verification. The system shows an update error. Please read me the code that just came to your phone.” She did. Within minutes, her WhatsApp was gone, her mobile money emptied, and her reputation compromised. No malware. No brute force. Just a human voice, a believable story, and six innocent digits. The illusion of safety Ugandans have come to see their phones as symbols of progress. Inside a single device lives the wallet, the ID, and the business ledger. Yet, in a country where over 30 million people rely on mobile money daily, the phone remains the least protected asset they own. Telecom fraud has become more human than technical. It no longer happens in dark server rooms but in bright daylight, through cloned SIMs, insider approvals, and misplaced trust. In one recent case, Summit Consulting Ltd, the firm called in to investigate a suspected data breach at a leading telecom agent, discovered that the root cause wasn’t software failure. It was a supervisor’s compassion. “Suspect 2,” a well-rated back-office employee, had approved a SIM swap for what she believed was a colleague’s sick mother. No verification, no ID scan, just empathy. The swap opened a gateway to over 200 million shillings in fraudulent withdrawals before anyone noticed. “We like to believe fraud happens because systems are weak,” said one investigator at Summit Consulting. “In truth, it happens because people are predictable.” The power of predictability In cybersecurity circles, “123456” has become a global joke; the world’s most common password, used by millions who assume no one would bother guessing it. Yet here in Kampala, it’s more than a punchline. It’s a mindset. Telecom engineers reuse it for testing accounts. Agents use it as a default PIN during customer registration. Bank tellers use it for their logins to emails. Even internal training systems default to it for convenience. The problem isn’t the number; it’s what it represents: human laziness disguised as efficiency. Summit’s forensic team once traced a fraud ring that had compromised over 50 dormant SIM cards. The team expected an advanced exploit or a stolen master key. Instead, they found that every account used the same default password left unchanged since activation. “The password wasn’t hacked,” one analyst explained. “It was inherited.” The cost of convenience, as it turned out, was 1.2 billion shillings in unauthorized airtime and mobile money transfers. Inside the breach In most telecom fraud investigations, the trail doesn’t lead to an outsider; it leads to the inside. Fraud, in its most modern form, has become a quiet partnership between colluding employees and external agents. Take the case of “Suspect 3,” a retail agent operating from a dusty roadside kiosk in Mbarara. Every evening, he processed dozens of SIM swaps from “urgent corporate clients.” The data came from an insider, someone with system privileges, who sent him lists of numbers and ID details scraped from internal servers. The two shared profits through mobile money. When the fraud was finally detected, the system logs told a quiet but damning story: identical terminal IDs, midnight approvals, and transactions moving in neat 10-minute intervals. It wasn’t hacking. It was routine. The auditors had missed it for months because it looked too organized to be suspicious. The data never lies Telecom fraud, like all digital frauds, is never invisible. It always leaves digital fingerprints: timestamps, IP addresses, and login sequences that form patterns only data analytics can see. In one Summit Consulting forensic case, investigators visualized six months of mobile money activity on a heat map. What emerged was chilling: a single geographic cluster processing transactions between 1:00 a.m. and 3:00 a.m. daily, all linked to the same back-end approval node. The fraudsters weren’t hiding. They were working inside the system, confident no one was watching. “What kills organizations is not lack of data,” Mr Strategy noted in his post-investigation briefing to a client’s Audit Committee members. “It’s the refusal to listen to what data is screaming.” Even the simplest dashboard can flag fraud if someone pays attention. Yet, many institutions mistake dashboards for control, forgetting that detection without action is still negligence. Culture: the invisible firewall Every company –telecom or banks- boasts of firewalls, encryption, and biometric verification. Yet, the most effective control remains human behaviour, and that’s where Uganda’s telecom sector faces its greatest challenge. Fraud thrives in cultures where silence is rewarded, and questioning authority is frowned upon. When employees fear raising red flags or believe that “reporting a colleague” is betrayal, controls crumble. In one telecom case investigated by Summit Consulting, an internal audit officer admitted, off record, that he had noticed the irregular SIM swap pattern but didn’t escalate it because it involved a “high-performing staff member.” The loss? Nearly 181.4 million shillings. As Mr Strategy often says, Cybersecurity is not a department; it’s a culture of disciplined doubt. That means separating duties so no one can approve and verify the same transaction. It means training staff not to trust, but to verify. And most importantly, it means rewarding curiosity, not compliance. Building immunity, not walls As our digital economy deepens ahead of the 2026 elections, telecom networks will face their most complex tests yet. Disinformation, identity fraud, and insider manipulation will intersect in ways unseen before. Yet the solution is not more secrecy or blame. It’s transparency. Organizations must build immunity, not walls. Immunity comes from openness, collaboration, and real-time monitoring. When fraud happens, the first question shouldn’t be “who leaked?” but “which control failed and why?” Summit Consulting’s

As Ugandans prepare for elections, remember that the integrity of an election is no longer guaranteed by ballot boxes or transparent counting. It is guaranteed by secure data. Modern elections are information systems disguised as civic events. Every stage, from voter registration to results transmission, relies on digital infrastructure that can be corrupted long before a single vote is cast. The real battlefield is data integrity Every democracy stands on a digital skeleton: databases, networks, and authentication systems. If any bone is weak, the entire process collapses. A compromised voter register could silently disqualify some genuine voters. A hijacked transmission channel alters perception before verification. Compromised election results transmission could lead to unrest, are inaccurate results manipulated through hacking could be announced, thereby leading to false expectations. Cybersecurity, therefore, is not a technical add-on; it is the architecture of trust. The threats are systemic, not spectacular. In Uganda and across emerging democracies, the danger is not hackers in hoodies. It is insiders with access, temporary staff without training, and contractors using unsecured devices. When election data travels through flash drives, email attachments, or third-party servers, the opportunity for manipulation is constant. Cybersecurity provides the discipline, access control, encryption, and audit logs that ensure no one can quietly rewrite history. The fact is, cybersecurity equals credibility. An election’s legitimacy depends on evidence. When logs are immutable, every change has a signature. When databases are hashed and verified, every dataset can be proven authentic. When access requires multifactor authentication, insiders can no longer act invisibly. Cybersecurity converts process into proof. Without it, all that remains is faith. How to build resilience to prevent a crisis. Cybersecurity for elections is not about responding to hacks; it is about preventing suspicion. This can be achieved through: a) Voter data governance. This is the foundation of election integrity. It ensures that every citizen’s record is collected, stored, and maintained without alteration or loss. The first step is secure capture. During registration, data should be collected using tamper-proof devices connected to a secure network, not through shared laptops or unprotected USB drives. For example, if a registration officer in Gulu uses a tablet to capture details, the data should immediately encrypt and sync to a secure central server, not sit on the device overnight. This prevents local tampering and accidental leaks. The second step is encrypted storage. Every record in the voter database must be encrypted both “at rest” (when stored) and “in transit” (when being transferred). Think of encryption as locking every voter’s file in a digital safe. Even if a backup drive is stolen, the data is unreadable without the correct key. In practice, this means using tools like AES-256 encryption for stored files and HTTPS/TLS connections for any transfer. The third step is verified backups. Regular backups protect against system failure or deliberate sabotage. But backups must themselves be verified. It’s not enough to say “we back up.” Each backup should be checked for completeness, encrypted, and stored off-site, say, one copy in a government data centre and another in a disaster recovery facility in a different district. A simple checksum or hash comparison between the main and backup data ensures nothing has been quietly altered. b) Access management,role-based rights, session timeouts, and real-time monitoring Access control determines who can do what, when, and how. The weakest system is the one where everyone can access everything. A good system has role-based rights. Each user, whether data clerk, supervisor, or IT administrator, must have access only to what they need. For instance, a district officer can update records for their district but cannot edit national data. Similarly, a helpdesk agent can view but not modify records. Role segregation prevents one insider from quietly manipulating entries without oversight. It also enforces session timeouts. Idle sessions are silent backdoors. If an officer logs in to the voter database and walks away, anyone passing by can make changes. Automatic session timeouts after 10–15 minutes of inactivity, combined with two-factor re-authentication, stop such unauthorized activity. It’s a simple discipline that saves millions in potential disputes. And above all, it enables real-time monitoring. Modern systems should record every access attempt, who logged in, from where, and what they changed. A monitoring dashboard can flag anomalies: e.g., “User X logged in at midnight from a different region.” Automated alerts to supervisors ensure accountability before damage spreads. A free election is one where no citizen is digitally excluded. A fair election is one where every data change is provable. When systems are tamper-evident, even disagreement cannot erode confidence. The absence of cybersecurity is the new form of disenfranchisement, quiet, technical, and irreversible. And as a Ugandan, I am happy for the voter registration campaigns that the government has been driving to get every citizen to participate in the next election. Bravo. c) Transmission integrity, end-to-end encryption, and public verification hashes for results When election results or register data move between systems, from polling centres to tally servers, integrity is everything. Two steps help achieve that: First, end-to-end encryption. Every transmission of results should travel in a secure, encrypted channel from origin to destination. Imagine each results file sealed in a digital envelope that only the official server can open. Even if the data passes through telecom networks or the internet, no one can read or alter it without detection. Using VPN tunnels or SSL/TLS ensures that what leaves a polling centre arrives unaltered at headquarters. Second, public verification hashes. Transparency builds trust. A hash is like a fingerprint for a file; if even one number changes, the fingerprint changes. By publishing verification hashes of official results or voter registers, the public and observers can confirm that the data they receive matches the authentic version. For instance, if a district tally sheet has a hash value “A9F3C…”, anyone can check that value against the published one to verify authenticity. This removes speculation and lets evidence speak. d) Incident response, pre-agreed protocol, and cross-party oversight for any anomaly No system is perfect.

Imagine walking into a hospital. The walls are clean, the staff is dressed in neat uniforms, and everything looks perfect on the surface, but behind the scenes, one nurse decides to skip washing her hands “just this once.” Maybe she’s tired, or in a hurry, or thinks nothing will happen. What follows is devastating: an infection spreads to patients and colleagues alike. Those who never broke protocol still suffer the consequences of one person’s negligence. This is exactly how cybersecurity works. One weak link, one careless act, can expose the entire organization to risks that no amount of sophisticated technology can fully contain. Cyber hygiene is not about the IT department working in isolation but about every single person, regardless of title, becoming a guardian of the organization’s digital well-being. When we talk about cyber hygiene, we are talking about the small, daily, almost invisible actions that build resilience. Just like washing hands, they are simple, but they matter more than we often realize. What does good cyber hygiene look like? Locking your screen: every time you step away, even if it’s just for a minute. Enabling Multi-Factor Authentication (MFA) and resisting the urge to disable it when it feels “inconvenient.” Updating your system promptly: not postponing it for “later” (which usually never comes). Refusing to share credentials: even with that trusted colleague who “just needs to check something quickly.” Being curious and cautious: about every link, attachment, or message, because cybercriminals thrive on trust. Sadly, in many workplaces, we have normalized cutting corners. We laugh at strong password requirements, we dismiss those “security pop-ups” as annoying, we say, “I trust my team,” and treat protocols as optional rather than essential. Trust without verification is not culture, it’s carelessness. An organization’s cybersecurity posture is only as strong as its weakest cultural link. It’s not the firewall or antivirus that will save you; it’s the everyday discipline of your people. Cyber hygiene must become second nature, like fastening a seatbelt or washing hands before surgery. And so, I challenge you: Who is your biggest cybersecurity risk? Is it your IT system… or is it your culture? Take a moment to answer this poll: “Who is your biggest cybersecurity risk?” We shall share the results at the Cybersecurity and Risk Management Conference on Thursday, 16th October 2025, at Speke Resort Munyonyo. Register:https://event.forensicsinstitute.org/ This conference will unpack not just the technology, but the human behaviors that shape organizational resilience. It is a conversation no serious leader should miss. Book your free cybersecurity session here and save up to UGX 5 million. Small habits save big money.

 Why SACCOs are prime targets. In March 2025, a rural SACCO in Mbarara lost UGX 64 million. No hacker was involved. No firewall was breached. The loss was purely internal, orchestrated by an insider who approved loans to ghost members and routed funds to mobile wallets owned by associates. When the police cyber unit was called, the investigators found a simple truth: the fraudster never needed to hack the system; he only needed access to a logged-in computer. Small SACCOs assume they are beneath the radar of cyber criminals. That assumption is their first vulnerability. Fraudsters target them precisely because they are small, where one staff member often handles accounting, teller, and system administration. In such setups, segregation of duties is a dream, not a practice. The illusion of “low risk” creates a fertile ground for invisible fraud. Members trust managers implicitly, and managers, overstretched by operational chaos, rarely scrutinize logs. The fraudster thrives in this trust gap. During training, Summit Consulting, in partnership with the Institute of Forensics & ICT Security often simulates this by setting up a dummy SACCO system. When the teller logs in, a remote monitor records the session. The teller steps away, and “Suspect 1” walks in, authorizes a fake loan, and withdraws funds. No hacking tools. Just an opportunity. To drive the point home, participants are asked to list three roles in their SACCO that are combined in one person. Most realize, with unease, that one staff member has the keys to the kingdom, from cash handling to system administration. The chair problem, unattended desktops A security guard at a SACCO branch once noticed something strange. Every lunchtime, the teller’s computer remained open, with the system logged in. One day, the guard saw a man in a reflective vest, supposedly a maintenance worker, approach the computer, type something quickly, and leave. Later, the SACCO’s system showed that UGX 3 million had been transferred to an account named “Member 112B.” The name didn’t exist in the records. Unattended desktops are the silent epidemic in SACCOs. Staff assume that physical access is protection enough, “after all, who would dare touch my computer?” Yet, anyone with five minutes and a curious mind can reroute funds, alter records, or delete evidence. Fraud today doesn’t require coding skills. It requires patience, observation, and a moment of negligence. As part of Cybersecurity Awareness Month, we made participants watch a live simulation. A staff member logs in and leaves for “a quick errand.” Suspect 1 enters, approves a pending transfer, then logs out. The transaction looks legitimate because it came from a valid session. Thereafter, each participant is asked to role-play the same scenario in their teams. The lesson is clear: a single unattended session can destroy years of trust. Ghost members and internal collusion In 2023, a SACCO in Masaka discovered that 47 “members” in their database were either deceased or non-existent. The records had been created over time by a staff member who recycled data from real ID copies. Loans were processed in the ghosts’ names, approved using colluding officers’ credentials, and withdrawn immediately after disbursement. This is the classic ghost-member fraud. It thrives in environments where oversight is manual and verification is relaxed. Staff exploit the lack of data validation by using relatives’ national IDs or editing one digit of an existing member’s number. The collusion extends upward. Supervisors sign off without cross-checking NIN details or confirming that the supposed member ever visited the SACCO. In many rural branches, loan verification calls are “too costly.” The mobile money trap In the same Masaka SACCO referred to above, every transaction was confirmed via mobile money. Yet, something didn’t add up. Deposits recorded on the MoMo statement didn’t match the SACCO’s ledger. An agent, working with an internal staff member, had perfected the art of double-posting. Here’s how it worked: when a member deposited UGX 500,000, the agent processed the transaction twice. One went through the official channel, while the second was entered manually into the SACCO’s system as a “pending update.” The manual entry inflated balances temporarily, giving the illusion of cash availability. When reconciliation was done, it was brushed off as “system delay.” The fraud continued for months. By the time it was discovered, the SACCO had lost over UGX 40 million. During training, we usually give participants a printed MoMo statement and a system ledger. They must match entries line by line, an eye-opening task that shows how simple reconciliation could have prevented massive loss. Loan approval collusion Every fraud has a timing window. In SACCOs, that window often opens after 5 p.m., when managers leave and systems are “quiet.” That’s when Suspect 1 strikes. Using saved passwords in browser autofill, they log in as the manager, approve a batch of loans, and disburse them before anyone notices. Loan approval fraud is elegant because it hides behind authority. The system records a valid approval under a legitimate account. The next morning, everything appears normal until funds start disappearing. The trick thrives because managers are careless with password security. Many still rely on autofill or share credentials “for convenience.” Yet convenience is the first cousin of catastrophe. While making a cybersecurity presentation to participants are asked to map their SACCO’s loan approval process and highlight every point where one person can act without oversight. The discovery often leads to uncomfortable silence. The printout manipulation trick Fraud in SACCOs often hides not in digital systems, but in paper trails. Receipts, those little pieces of printed proof, can be the biggest deception tools. In a Gulu SACCO, members began to complain that their savings were “missing.” They had receipts showing deposits of UGX 300,000, yet the system reflected UGX 100,000. Upon investigation, Summit found that staff were saving receipts offline as image files, altering the numbers in editing software, and printing them out as genuine receipts. The audit team never cross-verified printed receipts with system-generated ones. They trusted paper more than data. To demonstrate the risk, I usually show

Your silence is a breach, inside Uganda’s quiet regulatory crisis, fueling cybercrime On the morning of August 22, 2022, a bank manager in downtown Kampala received a call that froze her. Overnight, over UGX 3.6 billion had been siphoned from the bank’s mobile money settlement account. The digital trail led nowhere. The servers had been tampered with, and the audit logs had been wiped clean. The fraudsters had used legitimate system credentials, but from devices that were never registered on the corporate network. It is a standard protocol for banks to report such incidents to regulators. When the bank escalated the breach to its regulator, the reply came three days later: “We are reviewing the incident and will issue guidance.” That silence was all the hackers needed. In those 72 hours, similar attacks hit two microfinance institutions, one telecom, and a payment aggregator. The pattern was identical: insiders colluding with external attackers, exploiting delayed advisories, and vanishing into the fog of digital cash. Please note that, as part of Cybersecurity Awareness Month 2025, we continue to share cases we have handled to create awareness. Some names, facts, and specifics have been changed to protect the identity of our clients as part of our non-disclosure. These cases take a lot of time to compile and write. To support us, attend the cybersecurity and risk management conference, register here>> https://forensicsinstitute.org/ Across Uganda’s fast-digitizing economy, this story is repeating itself; quietly, systematically, and dangerously. The slow response and silence of some regulators is the hacker’s opportunity. The quiet gap that cost billions In the early 2000s, Uganda’s regulatory ecosystem was built around compliance, not cyber resilience. Banks and insurance companies submitted quarterly reports, telecoms filed annual statements, and regulators conducted routine on-site inspections. It worked until the economy went digital. Today, more than 70% of Uganda’s financial transactions move through digital rails: mobile money, online banking, fintech apps, and agent networks. The system is fast, but regulation is still slow. “Regulatory inertia is the new insider threat,” says a cybersecurity expert at Summit Consulting Ltd, which recently led a forensic investigation into a UGX 4.8 billion digital fraud scheme. “When you delay an advisory or a policy response, you’re not being neutral, you’re helping criminals by default.” The expert, who asked to be referred to as Witness 1 to maintain anonymity, described the months-long delay between incident reporting and public disclosure. “Hackers read the same policies we do,” he said. “They know how long it takes for a circular to be approved. They exploit that gap.” How a single memo unleashed a chain of breaches In May 2025, a leaked internal memo from a regulator detailed an upcoming policy on “Secure Cloud Hosting for Financial Institutions.” The memo wasn’t public yet, but insiders knew it would require banks to migrate to approved local data centers by December 2025. Within weeks, two consulting firms began quietly offering “pre-compliance migration” services. Behind one of them was Suspect 2, a former systems administrator turned contractor. His company convinced several mid-sized institutions to move data to cheaper, unverified servers hosted abroad, offshore, untraceable, and vulnerable. By the time the official circular came out, hackers had already gained privileged access to the cloned environments. The forensic audit by Summit Consulting later found logins from Nigeria, Russia, and Gulu, all using valid user credentials. It was an insider-assisted breach born from premature policy leakage and delayed enforcement. “The regulator should have issued an emergency alert the moment that memo leaked,” says Suspect 3, a cybersecurity auditor. “Instead, they waited for a full review. The criminals didn’t wait.” The anatomy of regulatory silence To understand why regulators delay, you must look at how they are structured. Most regulators are designed to prevent corruption and maintain order, not to fight real-time cyberattacks. Their processes reward caution over speed, hierarchy over agility. A single advisory may pass through five desks: legal review, policy, communications, directorate approval, and finally the board. Each stage adds risk of leaks, political editing, and inertia. By the time an advisory reaches the public, it’s already obsolete. Consider this: in 2024, while global regulators were issuing real-time ransomware alerts, a local regulator was still revising its 2020 Information Systems Guidelines. During that same year, an estimated UGX 25 billion was lost to electronic fraud in the banking sector alone. “Silence is not neutrality, it’s negligence,” says a senior executive at a commercial bank who requested anonymity. “We cannot defend systems against attacks we don’t yet know are happening.” The ripple effect of delayed advisories Every delayed advisory creates what cybersecurity experts call a “window of exploitation.” That window, whether a week or a month, becomes the sweet spot for criminals. When a regulator delays announcing a new SIM card verification protocol, syndicates exploit the old one. When they postpone guidelines on agent liquidity, fake agents flourish. When they hesitate to enforce data localization, offshore fraud networks thrive. For example, in Uganda, there is a lacuna in the procurement laws that allows international consulting firms, whether in cybersecurity or other sectors, to operate without being required to first register locally or partner with a Ugandan company. This gap grants such firms unrestricted access to sensitive intellectual property and exposes national systems to significant risks. In one case investigated by Summit Consulting, hackers used unrevised Know-Your-Customer (KYC) rules to register 400 fake SIM cards. Each SIM was linked to a dormant bank account. In a single night, they routed UGX 1.1 billion through those accounts using automated scripts. The regulator issued a public circular, two months later. “By then, the trail was cold,” recalls a forensic investigator. “We found digital breadcrumbs, VPNs from Nairobi, IP jumps through South Africa, then exit nodes in Finland. But the money had already been laundered through crypto wallets.” Not all silence is accidental; some is intentional. Uganda’s regulators often face subtle forms of regulatory capture, when the entities they supervise wield more influence than the regulators themselves. In sectors like telecoms and fintech,

The biggest uninsured risk is your own IT team It began, as most tragedies do, with trust. In a local insurance company, the head of IT had been there for eight years. Loyal, quiet, and efficient. The kind of man who never raised his voice or suspicion. Yet beneath the hum of the servers he managed, a quiet betrayal brewed. Insurance firms love to talk about coverage, floods, fires, and car crashes, but the greatest uninsured risk sits inside their own offices: their IT teams. When fraud happens, people look outward, to hackers, ransomware, or “Russian IPs.” The truth? Eight out of ten breaches in the insurance industry start from within. A clever IT officer with domain access can bury evidence so deep even the best auditors will call it “a system glitch.” Ask yourself right now, who in your organization has access to the system administrator password? If you need to think about it, you are already in danger. “The next breach won’t come from a hacker in Moscow. It will come from the man who fixed your printer last week.” The hidden syndicate inside The insurance IT department is often small, five people, maybe fewer. They eat lunch together, go for coffee together, and sometimes, retire together. That’s how a syndicate forms, not in dark alleys, but in fluorescent-lit server rooms. In one Ugandan insurer, “Suspect 1” and “Suspect 2” perfected the art of invisible fraud. They started by deleting a dormant policy record to test system sensitivity. When no one noticed, they created a fake claim worth UGX 2 million. Just a test. Then another. And another. The pattern was too small to catch. But that’s how syndicates grow, not by greed at once, but by confidence over time. Draw a map of your IT team and claims officers. Who could collude without triggering a system alert? The ghost claim factory This is the dark heart of insider fraud: data manipulation. Using authentic customer data from onboarding systems, the syndicate built “ghost policies”, fake but perfectly formatted. Real agents’ names. Real policy numbers. Real dates. Payments were made to mobile money accounts registered under false IDs. No one noticed because the amounts were small, UGX 300,000 here, UGX 450,000 there. Spread over months, they totaled millions. The fraud didn’t need hacking skills. It needed only access, routine, and a deadened sense of accountability. Activity Pick three random claims from your system today. Verify the identity of each beneficiary beyond the policy file. Do it physically, not digitally. You will be shocked at how many ghosts you’re insuring. “In Uganda’s insurance sector, the most profitable customer may not exist at all.” The “patch update” disguise Every fraud needs a disguise. For insiders, that disguise is maintenance. “We’re applying a patch,” they say. “The system will be down for one hour.” That hour is eternity in digital terms. It’s during these “updates” that configurations are changed, logs are deleted, and backups are quietly replaced. The IT world calls it maintenance. Investigators call it the crime window. When Summit Consulting Ltd investigated one insurer, we found that every fraudulent claim coincided with a “patch update” entry in the maintenance log. That’s no coincidence but camouflage. Review your maintenance schedules. Who authorizes them? Who supervises them? Who reviews logs after? If it’s the same person, that’s the first control failure. Collusion between IT and claims officers Fraud rarely happens in isolation. IT provides access. Claims officers provide the cover story. Together, they build the perfect loop: fake claim, approved payment, deleted evidence. One insurer discovered that its “system crash” reports always followed large claim approvals. When digital forensics reconstructed deleted records, two logins emerged, one from IT, one from Claims, five minutes apart. Coincidence? Not a chance. List all functions in your claim approval chain. Is there a single point where one person can approve, pay, and erase a transaction? If yes, you have already written your own fraud policy. “Fraud is not born in dark rooms. It’s born in relationships of trust, between people who know each other too well.” The mobile money loophole Convenience kills control. Mobile money has become the new frontier for insurance payouts, fast, low-cost, and paperless. But it’s also a paradise for ghost claimants. Fraudsters exploit untraceable SIM cards, splitting payouts across multiple numbers registered under relatives or acquaintances. In one case, investigators found 14 wallets linked to the same device IMEI (International Mobile Equipment Identity). The system checked phone numbers, not devices. Audit your last 100 mobile payouts. Check if any numbers share the same device IMEI or transaction fingerprint. If they do, call the telecom. You’re funding a ghost. The failed segregation of duties Ugandan insurers love to talk about “internal controls.” Yet most IT departments have one person who serves as system admin, database admin, and backup admin. That’s like letting one man hold both the bank keys and the CCTV remote. When Summit Consulting reviewed an insurer’s access matrix, we found one user with privileges to alter claim approvals and purge logs, a digital superuser. The man was on leave. But his credentials were active. Print your IT access list. Count how many people can both approve and delete system data. The number should never exceed one, and even that one should have a watcher. “In cybersecurity, segregation of duties is not a principle but survival.” How red flags were missed Auditors came every quarter, ticked boxes,  confirmed that backups existed, verified that reconciliations matched, and never asked how. The losses, about UGX 3.4 billion, were hidden in plain sight across 312 micro-claims. None exceeded the internal audit materiality threshold. That’s how insiders think: below the radar, above the suspicion. Lower your internal audit threshold for random testing. Sometimes the smallest losses reveal the biggest scandals. How the investigators cracked it When the insurer’s new CEO noticed that “fraud recoveries” kept reappearing every quarter, he called Summit Consulting Ltd. The digital forensics trail led us to late-night VPN logins, falsified timestamps, and system