It was a Wednesday morning in June 2024 when a mid-sized bank woke up to a nightmare. The ATMs in Ntinda and Kabalagala were spitting out cash in irregular amounts. Customers were lining up, bewildered, some receiving double withdrawals while others got "system busy" errors. The IT team, sipping tea at head office, thought it was a minor switch glitch. But when the treasury officer reported UGX 2.8 billion missing in just three hours, panic set in.

The fraudsters were not outsiders in hoodies somewhere in Europe. They were insiders: contract staff with legitimate access who knew which server patches were delayed and which passwords were recycled. They walked through the front door of trust because the organization had not yet embraced one principle: Zero Trust.

This case became a Summit Consulting Ltd assignment, and a game-changing one. Like many of our CSI-styled investigations, it revealed a painful truth: trust is no longer an internal control.

How the betrayal unfolded

Let us rewind. The bank prided itself on a culture of family. Senior managers bragged that they could give staff system passwords "just in case," without worrying about misuse. Vendors had VPN access without multi-factor authentication. Mobile money integrations were monitored by one junior officer whose job description was "support."

Here is how the scheme played out. Suspect 1, a contract IT officer, discovered that the ATM reconciliation system was not patched. It still relied on batch reconciliation at midnight, not real-time updates. Suspect 2, working in operations, knew that the switch logs were reviewed only once a week. Together, they ran a script that delayed reporting of ATM withdrawals by five minutes. Within that gap, they executed "phantom withdrawals" that did not hit the core banking system immediately. The cash was laundered through mobile money wallets registered under boda boda riders in Kalerwe. Each wallet received less than UGX 4 million to avoid being red-flagged. From there, the funds were cashed out at kiosks and converted into dollars at forex bureaus along William Street.

By the time the auditors identified inconsistencies in the general ledger, the scheme had been running for six months. Losses: UGX 12.4 billion.

The cultural conflict at the heart of the fraud

Why did it happen? Internal interviews revealed a paradox: the bank's executives believed trust equals loyalty. They feared that "treating everyone like a suspect" would kill morale. Staff whispered that managers often shared OTPs over WhatsApp for convenience. They forgot my grandpa's advice: trust after controls. Plain trust is a bad business, life, or family decision.

This is Uganda's lived reality: a society where "trust me" is the most abused phrase in governance. Yet in cybersecurity and fraud, trust is a vulnerability, not a virtue.

Enter Zero Trust

Summit Consulting's forensic team did more than trace the stolen billions. We challenged the board: "If your systems assume good faith, then fraudsters will always be two steps ahead." Zero Trust is not a Western buzzword. It is a business survival manual. It means:

- Never trust, always verify. Even your managing director must authenticate like any other user.
- Least privilege. A teller should not have system admin rights, even "temporarily."
- Continuous monitoring. Every click, every transfer, every login is logged and analyzed.
- Micro-segmentation. Your HR database should not talk directly to your payments system.
- Multi-factor everything. An OTP that can be read out over WhatsApp is not enough; use phishing-resistant factors such as hardware tokens and biometrics, backed by behavioural analytics.

How the team cracked the case

Our investigators followed the money trail with a mix of old-school grit and digital forensics:

- Pulled ATM switch logs and overlaid them with mobile money transaction timestamps.
- Deployed anomaly detection scripts; red flags appeared whenever withdrawals clustered around five-minute windows.
- Traced cash-out locations via mobile money agents. Many were in Owino market and Wandegeya, classic laundering hotspots.
- Interviewed staff. One slip: a contract officer bragged in a bar that he was "eating bank money faster than auditors."

The final report stunned the board: losses totalling UGX 12.4 billion, insiders colluding with mobile money agents, and controls bypassed with frightening ease.

The red flags the auditor first saw

The whole scheme could have been stopped earlier if the first red flags had been taken seriously:

- Reconciliation delays. Daily reports showed unexplained "suspense balances."
- Unusual clustering. Withdrawals often peaked at 2 AM, when no customers were around.
- Staff lifestyle inflation. A junior IT officer suddenly upgraded from a Bajaj Boxer to a Toyota Harrier.
- Vendor complacency. System patches were postponed repeatedly with excuses like "we are waiting for HQ approval."

But in typical fashion, the internal auditor's reports were filed under "noted." No follow-up. No escalation.

Why Zero Trust is the new imperative

Local organizations (banks, telcos, SACCOs, NGOs) are operating on a different battlefield today. Fraud is not just about missing receipts. It is about compromised cloud servers, cloned mobile wallets, and insiders who know every weakness in your control environment. Zero Trust does not mean mistrusting your people. It means protecting them and your organization by removing temptation and loopholes. It is like building a house in the city: you may love your neighbours, but you still put a padlock on your gate every night.

How to implement Zero Trust

- Board-level mandate. This is not IT's job. The board must demand it.
- Identify critical assets. What must never be compromised? (Core banking, payment switch, HR payroll.)
- Map access rights. Who touches what system? Why? Cut privileges ruthlessly.
- Strengthen vendor oversight. Every vendor must meet your security standards. "They are from HQ" is no excuse.
- Continuous assurance. Use penetration testing, red-teaming, and live simulations. Not annual checklists.

Ugandan executives often spend billions on flashy headquarters, branded T-shirts for staff, and retreat weekends at Speke Resort. But when asked to invest UGX 500 million in Zero Trust architecture, they call it "too expensive." The fraud losses you suffer are the school fees you pay for refusing to invest in controls. In the case of the bank, the board learned a UGX 12.4 billion lesson.

Summit Consulting and the Institute of Forensics & ICT
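The five-minute reporting gap, the five-minute clustering and the 2 AM peaks described in the ATM case are exactly the signals a reconciliation monitor can raise in near real time instead of a weekly log review. The script below is an added example, not code from the original investigation or from Summit Consulting. It works on constructed switch-log lines and constructed core-banking posting times (the field layout, the five-minute tolerance and the 00:00 to 04:59 off-hours window are all assumptions); it flags authorisations that post to the core late or never, counts authorisations per terminal in fixed five-minute buckets, counts off-hours activity per card, and flags cards authorised again within one window, which is how "double withdrawals" look in the switch log.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data, not from the case. One line per ATM authorisation
# as a payment switch might log it (field layout is an assumption):
# txn_id,terminal,card_hash,amount_ugx,auth_time
SWITCH_LOG = """\
T001,NTINDA01,c1a2,400000,2024-06-12 02:03:10
T002,NTINDA01,c1a2,400000,2024-06-12 02:04:05
T003,NTINDA01,d9f0,400000,2024-06-12 02:04:40
T004,KABALAGALA02,c1a2,400000,2024-06-12 02:06:30
T005,KABALAGALA02,e771,200000,2024-06-12 10:15:00
T006,NTINDA01,f002,100000,2024-06-12 12:40:00
"""

# Constructed core-banking posting times keyed by txn_id; T004 never posted.
CORE_POSTINGS = {
    "T001": "2024-06-12 02:09:30",
    "T002": "2024-06-12 02:10:00",
    "T003": "2024-06-12 02:10:10",
    "T005": "2024-06-12 10:15:02",
    "T006": "2024-06-12 12:40:01",
}

FMT = "%Y-%m-%d %H:%M:%S"
MAX_POSTING_LAG = timedelta(minutes=5)   # assumed tolerance; tune to your switch
WINDOW = timedelta(minutes=5)            # bucket size for clustering
OFF_HOURS = range(0, 5)                  # 00:00-04:59, when genuine customers are rare


def parse_switch_log(text):
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        txn_id, terminal, card, amount, ts = line.split(",")
        rows.append({"txn_id": txn_id, "terminal": terminal, "card": card,
                     "amount": int(amount), "auth_time": datetime.strptime(ts, FMT)})
    return rows


def posting_lag_alerts(rows, postings, max_lag=MAX_POSTING_LAG):
    """Authorisations that reached the core late, or never reached it at all."""
    alerts = []
    for r in rows:
        posted = postings.get(r["txn_id"])
        if posted is None:
            alerts.append((r["txn_id"], "never posted to core"))
            continue
        lag = datetime.strptime(posted, FMT) - r["auth_time"]
        if lag > max_lag:
            alerts.append((r["txn_id"], f"posted {int(lag.total_seconds())}s late"))
    return alerts


def bucket_start(ts, window=WINDOW):
    """Floor a timestamp to the start of its fixed window (e.g. 02:03 -> 02:00)."""
    minutes = int(window.total_seconds() // 60)
    floored = ts.replace(second=0, microsecond=0)
    return floored - timedelta(minutes=floored.minute % minutes)


def window_clusters(rows, min_count=3):
    """Terminals with at least min_count authorisations inside one window."""
    counts = defaultdict(int)
    for r in rows:
        counts[(r["terminal"], bucket_start(r["auth_time"]))] += 1
    return sorted((term, start.strftime(FMT), n)
                  for (term, start), n in counts.items() if n >= min_count)


def off_hours_cards(rows, hours=OFF_HOURS):
    """Number of off-hours authorisations per card."""
    counts = defaultdict(int)
    for r in rows:
        if r["auth_time"].hour in hours:
            counts[r["card"]] += 1
    return dict(counts)


def rapid_repeat_cards(rows, window=WINDOW):
    """Cards authorised again within `window` of a previous authorisation."""
    by_card = defaultdict(list)
    for r in rows:
        by_card[r["card"]].append(r["auth_time"])
    flagged = []
    for card, times in by_card.items():
        times.sort()
        if any(b - a <= window for a, b in zip(times, times[1:])):
            flagged.append(card)
    return sorted(flagged)


def run_checks(log_text, postings):
    rows = parse_switch_log(log_text)
    return {
        "lag": posting_lag_alerts(rows, postings),
        "clusters": window_clusters(rows),
        "off_hours_cards": off_hours_cards(rows),
        "rapid_repeat_cards": rapid_repeat_cards(rows),
    }


if __name__ == "__main__":
    for name, result in run_checks(SWITCH_LOG, CORE_POSTINGS).items():
        print(name, result)
```

The posting-lag check is the one that defeats the scheme directly: a script that holds switch records back for five minutes shows up as every authorisation posting late, long before the midnight batch runs. The other three checks are noisier on their own (a busy terminal at lunchtime will cluster legitimately), so score them together and let the combination of off-hours, clustered and late-posting activity page someone.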
From vulnerable to vigilant: Building a risk-resilient organisation
The early morning storm

On 12th September 2023, a sudden downpour turned Kampala Road into a river. While taxi drivers cursed and boda riders fought for shelter, a quiet disaster unfolded in the basement of a city-centre insurance company. Their server room, yes, underground, beside a drainage pipe, flooded within minutes. By morning, customer policies, claims data, and even payroll files were inaccessible. Staff resorted to WhatsApp groups to track client requests. By the third day, their competitors were advertising on the radio: "Bring your policy here, we process in 24 hours." The once-confident insurer was left begging clients for patience.

The flood was not the real disaster. The real disaster was that the organisation was fragile. Imagine the entity that sells "peace of mind" turning out to have none at its own core! When investigators are called in, the question is not just what happened, but why. In this case, the finding was: "This company was vulnerable long before the rain came. The storm only exposed it."

Why organisations stay fragile

Fragility is not caused by disasters. It is caused by denial. In Uganda, executives cling to optimism like a lucky charm. They assume: "That cannot happen to us." "We have insurance." "Our IT guy knows what to do." But risk does not respect hierarchy or hope. Fragility thrives in cultures where bad news is buried, where internal audit reports are filed instead of acted upon, and where management believes resilience is an IT project, not a governance mandate.

The anatomy of vulnerability

Our investigation found three pressure points that doomed the insurance company:

- Single point of failure. All systems ran on one server in the basement. No redundancy. No cloud backup.
- Paper illusion. Business continuity plans existed, but in files, not in practice. Staff had never done a single simulation drill.
- Leadership blind spots. The board saw "risk" as a compliance checklist, not as a weapon of survival.

When you run an organisation this way, you are not managing risk. You are praying.

From vulnerability to vigilance

The difference between the collapsed insurer and its competitors is simple. Resilience is built before the crisis, not during it. A risk-resilient organisation does not wait for the rain to test its roof. It assumes storms will come, insiders will betray, and systems will fail. And then it builds structures that bend but do not break.

Summit Consulting framed the rescue plan under three pillars:

- Identify critical risks, not just obvious ones: floods, cyber-attacks, power outages, insider fraud, supply chain choke points.
- Build buffers: backup servers, liquidity cushions, and cross-trained staff.
- Drill crisis responses, empower staff to act fast, and learn from every incident.

The insider betrayal

During our wider review, we uncovered a secondary scandal. While systems were down, Suspect 1, a finance officer, initiated manual claims payouts. Since controls were "relaxed due to crisis," he colluded with Suspect 2, a junior IT support officer, to insert ghost claimants. Funds were sent to mobile money wallets registered under street vendors in Nakawa, Ntinda, Wandegeya and Kisaasi. Within three weeks, UGX 780 million vanished. Resilience is not only about floods. It is about human opportunism. When controls are weakened, insiders strike.

How the fraud was cracked

Here is how we conducted our forensic trail:

- Extracted mobile money statements linked to claims. Found patterns: three different "claimants" withdrawing at the same kiosk daily.
- Cross-referenced with CCTV footage. Same boda rider, three SIM cards.
- Interviewed IT staff. One panicked and confessed.

The board was stunned; the crisis had multiplied because fragility created gaps for exploitation.

The red flags were ignored

This company had been warned:

- Audit flagged the basement risk three years earlier. Management said moving servers was "too expensive."
- IT requested cloud backup. Denied: "Why pay dollars when we can keep everything local?"
- Finance questioned lifestyle inflation. The finance officer who later stole UGX 780m had bought land in Mukono, but the HR file still listed him as "earning modestly."

Ignoring red flags is corporate suicide.

The cost of fragility

By the time Summit concluded the assignment, the insurer had:

- Lost UGX 780m to fraud.
- Spent UGX 1.2bn on an emergency IT rebuild.
- Watched customer numbers fall by 40% in two months.

Compare that with the cost of proactive resilience, estimated at UGX 350m annually for backups, drills, and monitoring. Fragility is always more expensive than vigilance.

Building vigilance as culture

How then can Ugandan organisations build resilience that lasts?

- Board ownership. Resilience is a strategy, not IT. The board must demand simulations and drill reports.
- Continuous rehearsal. Every quarter, simulate a crisis: cyberattack, power cut, or insider fraud. Measure response time.
- Never keep the crown jewels in one place. Spread servers, diversify suppliers, cross-train staff.
- Real-time detection. Use analytics to flag anomalies, not manual reviews weeks later.
- Culture of bad news. Reward staff who escalate problems early, not those who hide them.

Executives often ask, "What if we invest in resilience and never face a crisis?" The correct response: "What if you do not invest, and face one tomorrow?" Fragility is invisible until it is fatal. Vigilance may look costly, but it is always cheaper than collapse.

The insurer eventually survived, but as half its former self. Competitors took its market share. The board learned, too late, that risk resilience is not a choice but an imperative. A resilient organisation is not the one that avoids storms. It is the one that sails through them.

Today, the difference between survival and extinction is captured in one equation: Vulnerability + denial = collapse. Vigilance + resilience = continuity. Which is your business equation?

Copyright, IFIS, 2025. All rights reserved.
Boardroom briefing: what every executive must know about cyber risk
The Tuesday morning breach

On Tuesday, 13th February 2024, at exactly 9:18 a.m., a finance officer at a local SME clicked on an email link that looked routine, a "payment confirmation" from a well-known shipping partner. The email address matched the supplier's almost perfectly, except for one barely noticeable swapped character. When the officer clicked the link, nothing seemed to happen. The email closed. She carried on with her morning.

By 11:47 a.m., the attackers were inside the company's enterprise resource planning (ERP) system. By 1:15 p.m., three supplier payment instructions had been altered, directing UGX 890 million to accounts that did not belong to any supplier the company had ever dealt with. It took less than four hours for the company to lose what amounted to almost two months of operating profit, and not a single firewall alert or antivirus pop-up warned them.

The internal blame game

When the loss was discovered two days later, the board was called for an emergency session. The meeting quickly descended into an accusatory free-for-all. The Chief Information Officer insisted this was a "sophisticated, targeted attack", something no reasonable security system could have stopped. The Finance Director countered that the breach was possible only because IT had failed to disable old vendor portals and user accounts. The CEO looked visibly shaken. The company had spent UGX 420 million the previous year on "cybersecurity upgrades," complete with glossy board reports and vendor presentations about "world-class defenses." Now, they were staring at a catastrophic failure.

Summit Consulting Ltd was called in with one directive: establish exactly how this happened, identify the internal and external actors, and advise how to ensure it never happens again.

How the scheme was engineered

a) The inside knowledge

Suspect 1, a former procurement officer, had been laid off in a cost-cutting exercise the previous year. He left bitter and broke, but with an intimate knowledge of the company's supplier payment cycles, approval hierarchies, and cyber hygiene weaknesses. Suspect 2, a small-time tech "consultant" with connections to cybercrime syndicates in Nairobi, became Suspect 1's partner. Together, they designed a social engineering attack that would look completely legitimate to anyone inside the company.

b) The phishing bait

They registered a domain name one letter off from the shipping partner's actual domain, then sent an email to the finance officer who handled most high-value transfers. The email referenced real shipment numbers, cargo descriptions, and delivery dates, information stolen months earlier when Suspect 1 downloaded supplier correspondence before leaving. The link in the email was not a document. It was a malicious script that installed a remote access tool (RAT) on the officer's computer, giving the attackers full visibility of her emails and the ERP interface.

c) Altering the payment trail

Over the next week, the attackers observed the finance officer's daily activity, noting the time she logged in, when payment batches were prepared, and which managers approved them. On 13th February, just after she prepared a payment batch for three overseas suppliers, the attackers logged in remotely, intercepted the batch before final approval, and replaced the bank account numbers with accounts under their control. These accounts were registered in the names of shell companies created barely a month earlier, using forged incorporation papers and fake national IDs.

d) Cashing out

Once the payments landed, the attackers moved quickly. Funds were withdrawn in UGX 19.5 million tranches, just under the daily reporting threshold, from bank branches in Jinja, Mbale, and Masaka. From there, large portions were moved to mobile money wallets registered to boda boda riders, market vendors, and even a retired primary school teacher in Soroti who later told investigators he "was only keeping the money for a friend." A smaller chunk was converted to USD through informal forex traders in Kikuubo, with some of it later traced to Dubai-based electronics suppliers.

The red flags that were missed

The company had procedures that could have caught the breach, but they were ignored in practice:

- Supplier account changes were supposed to require direct phone verification with the supplier. No one made the call.
- Multi-factor authentication was configured but disabled for "convenience" for staff logging in from home.
- Vendor portal clean-up had not been done for over 18 months, meaning dormant accounts were still active.

The catch

The fraud might have gone unnoticed for weeks if not for the external auditor conducting a quarterly payment review. While sampling transactions, the auditor noticed that three suppliers who had been paid in February had no corresponding goods-received entries in the warehouse management system. He phoned one of the suppliers directly. They confirmed they had not received any payment in February and were still awaiting settlement for January invoices. That call triggered an emergency escalation to the audit committee, which contacted Summit Consulting for an urgent forensic investigation.

Our forensic team started by isolating the finance officer's computer. The RAT was still active, connecting to a command-and-control server in Mombasa. Tracing the server's activity logs revealed multiple login sessions from IP addresses in Kampala, Jinja, and Nairobi. Next, we reviewed the ERP logs. The altered payment details were entered using the finance officer's credentials, but at times when she was physically logged out, confirmed by building access records. The real breakthrough came from bank withdrawal CCTV footage. The same individual, later identified as Suspect 2, was captured making multiple withdrawals across different branches, often wearing different caps and jackets to avoid detection. Cross-referencing mobile money records revealed a web of linked numbers, all ultimately tied to SIM cards purchased in bulk by an agent in Mukono who knew Suspect 1 personally.

The failed controls

This case was not about the absence of controls; it was about a culture that treated them as optional:

- Process discipline was poor. Controls that looked robust on paper were routinely bypassed for speed.
- Board oversight treated cybersecurity as an IT cost centre, not a core business risk.
- Access rights for ex-staff were not revoked promptly, allowing insiders to retain system visibility.

Incident
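Two of the findings in this case translate directly into a pre-approval check on a payment batch: the supplier account change that nobody phoned about, and the edits made under the finance officer's credentials while building access records showed her out of the office. The script below is an added example, not code from Summit Consulting or from the company's ERP. Vendor names, account numbers, the callback register and the badge log are all constructed, and the field layout of the ERP audit trail is an assumption. It holds any instruction whose bank account differs from the vendor master without a verified callback on record, and any instruction edited under a user who was not badged in at the time.

```python
from datetime import datetime

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed vendor master file (vendor codes and accounts are assumptions, not from the case).
VENDOR_MASTER = {
    "SHIP-001": "0101000111",
    "SHIP-002": "0202000222",
    "SHIP-003": "0303000333",
}

# Constructed register of account changes that finance confirmed by calling the supplier
# back on the number held in the master file, never on a number supplied in the e-mail.
VERIFIED_CHANGES = {("SHIP-002", "0202999888")}

# Constructed ERP audit trail for a batch awaiting final approval (assumed layout).
PAYMENT_BATCH = [
    {"vendor": "SHIP-001", "account": "0101000111", "amount": 120_000_000,
     "edited_by": "fin.officer", "edited_at": "2024-02-13 11:52:00"},
    {"vendor": "SHIP-002", "account": "0202999888", "amount": 310_000_000,
     "edited_by": "fin.officer", "edited_at": "2024-02-13 11:55:00"},
    {"vendor": "SHIP-003", "account": "0909777666", "amount": 460_000_000,
     "edited_by": "fin.officer", "edited_at": "2024-02-13 13:05:00"},
]

# Constructed building access log: (user, event, time).
BADGE_LOG = [
    ("fin.officer", "in", "2024-02-13 08:05:00"),
    ("fin.officer", "out", "2024-02-13 12:30:00"),
    ("fin.officer", "in", "2024-02-13 14:10:00"),
]


def badged_in(user, at, badge_log=BADGE_LOG):
    """True if the user's most recent badge event before `at` was an entry."""
    when = datetime.strptime(at, FMT)
    inside = False
    for u, event, ts in sorted(badge_log, key=lambda e: e[2]):
        if u != user:
            continue
        if datetime.strptime(ts, FMT) > when:
            break
        inside = event == "in"
    return inside


def review_batch(batch, master=VENDOR_MASTER, verified=VERIFIED_CHANGES, badge_log=BADGE_LOG):
    """Return (vendor, reasons) for every instruction that must be held before approval."""
    holds = []
    for item in batch:
        reasons = []
        known = master.get(item["vendor"])
        if known is None:
            reasons.append("vendor not in master file")
        elif item["account"] != known and (item["vendor"], item["account"]) not in verified:
            reasons.append("bank account differs from master and no verified callback on record")
        if not badged_in(item["edited_by"], item["edited_at"], badge_log):
            reasons.append(f"edited under {item['edited_by']} while that user was not badged in")
        if reasons:
            holds.append((item["vendor"], reasons))
    return holds


if __name__ == "__main__":
    for vendor, reasons in review_batch(PAYMENT_BATCH):
        print(vendor, "HELD:", "; ".join(reasons))
```

The master-file comparison is the control that should have stopped this batch on its own; the badge correlation is a detective signal with obvious false positives (legitimate home working, as this company allowed), so treat a mismatch as a reason for a human to phone the officer, not as proof of compromise. Note also that an attacker riding a RAT on the officer's own machine sits behind her credentials, which is why the check runs on the batch before approval rather than on who logged in.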
Risk appetite vs. risk blindness: Striking the right balance
On 4th September 2023, leaders at the agribusiness cooperative approved a UGX 280 million loan to a long-standing distribution partner. The justification was simple: the partner had been with them for 11 years, always paid on time, and was "part of the family." The loan committee barely glanced at the due diligence report. The risk appetite for such lending was generous; in fact, the board often praised management for "trusting our partners" instead of "wasting time with too many checks and balances."

By December, the partner had defaulted. Attempts to trace the funds revealed something chilling: the money had not gone into expanding distribution capacity. It had vanished into a coordinated fraud scheme that had been set up months before. What looked like an act of business generosity was, in reality, a textbook case of risk blindness, the point where an organization's tolerance for risk turns into an inability to see it at all.

Summit Consulting Ltd was brought in after a junior accountant, frustrated by the lack of progress in recovering the debt, sent an anonymous tip to the board chair: "You need to look inside, not outside."

The boardroom split

When we arrived, the leadership was sharply divided. The CEO and a few directors insisted this was just a "business risk gone wrong", a bad loan, nothing more. Others, particularly the audit committee, suspected internal collusion. The tension was almost physical in that boardroom. On one side, senior executives were defending their decision-making; on the other, internal audit and compliance officers were insisting the loss was avoidable. The phrase "risk appetite" was being thrown around like a shield. But as we dug deeper, it became clear this was not about appetite; it was about blindness.

How the scheme was engineered

a) The perfect storm of trust and process gaps

Suspect 1, the cooperative's head of credit, had been with the organization for over a decade. Known for his "relationship management skills," he often skipped formal vetting for long-time partners, arguing it was a waste of resources. Suspect 2, the director of the distribution partner, had deep personal ties to Suspect 1. Their families had attended weddings together, and they were co-investors in a small real estate venture in Mukono. When Suspect 2 proposed the UGX 280 million "expansion loan," Suspect 1 bypassed several standard steps: no updated credit risk assessment, no collateral verification, and no cash flow projections. Instead, he prepared a glowing internal memo recommending immediate approval.

b) The paper trail illusion

The loan documentation was immaculate: contracts signed, disbursement schedules approved, and even bank guarantees attached. But the guarantees were forged. The "issuing bank" stamp was a near-perfect imitation, created by a contact of Suspect 2 in Kampala's backstreet printing trade.

c) Moving the money

Once disbursed, the UGX 280 million moved fast. Within 24 hours, UGX 50 million was withdrawn in cash at a bank branch in Jinja. The withdrawals were made in tranches of UGX 9.9 million to stay under reporting thresholds. The remaining UGX 230 million moved through three channels:

- UGX 120 million was converted into USD through forex dealers in Kikuubo and sent to a Dubai-based electronics supplier, payment for high-end gadgets that would later be sold locally for cash.
- UGX 80 million was sent via mobile money to 14 different numbers registered under various names, then withdrawn in rural districts in Busoga to avoid detection.
- UGX 30 million went directly into Suspect 1's real estate project account in Mukono, disguised as "investor contributions."

The red flags that should have sounded the alarm

A basic risk review would have caught several glaring anomalies:

- The borrower's financial statements were six months out of date.
- The collateral offered, a warehouse in Iganga, was already mortgaged to another lender.
- The bank guarantee was printed on paper stock not used by the alleged issuing bank.

But in a culture of "we know our partners," these red flags never made it to the decision table.

How the auditor spotted the cracks

Ironically, the fraud was not discovered by the risk team. It was uncovered by an external auditor reviewing year-end loan classifications. The auditor noticed that the loan had been disbursed without any updated credit scoring, contrary to the cooperative's lending policy. Digging further, the auditor found that the loan approval memo came exclusively from Suspect 1, with no evidence of independent review. This triggered a direct report to the board's audit committee, which in turn called in Summit Consulting.

Our first step was to follow the money. We obtained court orders for bank statements, mobile money transaction histories, and forex dealer records. The forex trail led us to a warehouse in Nakulabye, where electronics worth an estimated UGX 140 million were stored, goods imported from Dubai using the diverted funds. The mobile money trail was more complex. The SIM cards used were registered in the names of boda boda riders, market vendors, and even deceased individuals, classic "layering" to make tracing harder. But cross-referencing withdrawal points with CCTV footage revealed that the same two individuals collected most of the cash: Suspect 2's younger brother and a former cooperative cashier who had resigned two years earlier. The smoking gun was the UGX 30 million "investment" into Suspect 1's property project. Bank records showed the money entering his account just days after the loan disbursement.

The internal controls that failed

This was not just a case of a bad actor. It was a failure of governance and risk oversight:

- Risk appetite misunderstood: The board allowed high-trust relationships to bypass established due diligence.
- Segregation of duties ignored: Suspect 1 could recommend, approve, and oversee disbursement without independent checks.
- Collateral verification absent: No site visits or title searches were conducted.
- No post-disbursement monitoring: The cooperative never tracked whether funds were used for their stated purpose.

The total confirmed loss was UGX 280 million. Recovery efforts through asset seizures are ongoing, but early indications suggest that less than 40% will be recovered. The cooperative has since suspended Suspect 1, terminated the partner relationship, and
Cyber risk is business risk: Time to treat it that way
At 10:42 a.m. on Thursday, 18th January 2024, the operations manager of a large regional logistics company opened an email that appeared to come from their insurance partner. The subject line read: "Renewal Quotation for 2024 Coverage – Urgent Action Required." It looked legitimate: company logo, polite language, even the signature of a contact he had dealt with before. He clicked the PDF attachment. Nothing opened. He shrugged and moved on with his day.

What he did not know was that with that single click, he had just given a group of cybercriminals full access to his company's internal systems. By 3:00 p.m., their accounts payable ledger was being silently altered. Payment instructions for three major suppliers had been replaced with bank details controlled by the attackers. By 6:00 p.m., UGX 640 million had been approved for payment to accounts that had nothing to do with their suppliers.

This was not a case of a "clever hacker in a hoodie" somewhere abroad. This was a calculated cyber-enabled fraud with local fingerprints all over it.

When the breach was discovered two days later, the boardroom turned into a war zone. The IT manager insisted this was an unavoidable "zero-day" cyberattack, a once-in-a-lifetime breach that no one could have prevented. The finance director was not buying it. She believed the problem was weak internal processes and careless staff, not sophisticated hackers. Tensions rose because the company had spent over UGX 500 million in the past two years on "cybersecurity upgrades." Now, they were facing a multimillion-shilling loss and public embarrassment.

Summit Consulting Ltd's iShield360 Cybersecurity was called in with one instruction: find out exactly how the breach happened, who was involved, and whether it could have been prevented.

How the scheme was engineered

a) Reconnaissance

Suspect 1, a disgruntled former IT officer, had left the company the previous year after a bitter dispute over unpaid overtime. He knew exactly which systems were vulnerable, who approved payments, and how poorly the staff were trained on phishing threats. Suspect 2, an outsider posing as a "cyber consultant", was the connector. He had relationships in both the hacking underground and Uganda's informal financial channels. He set up a fake email domain almost identical to the insurance partner's and created an email thread that looked like an ongoing conversation.

b) The phishing hook

The email to the operations manager was crafted with details only an insider could know: supplier names, past invoice numbers, and even the exact insurance renewal date. All this came from internal documents that Suspect 1 had downloaded before leaving. The PDF was not a PDF at all; it was a malicious file that installed a remote access tool (RAT) on the operations manager's computer, giving the attackers control over his email and access to the accounts payable system.

c) The payment diversion

Once inside, the attackers did not rush. They monitored email traffic for weeks, studying the payment cycles. On the third Friday of January, they struck. They replaced bank details in three high-value supplier payment instructions. These new accounts were opened in the names of shell companies, registered in Kampala just weeks earlier, with street vendors paid to serve as directors, people who would never be questioned if they disappeared. The bank accounts were in three different banks to avoid triggering automated fraud detection. Once the money hit, it was withdrawn in cash in amounts just under UGX 20 million per transaction, spread across multiple branches and ATMs. Mobile money then came into play. The cash was deposited into dozens of SIM cards registered to boda boda riders and market vendors in Kisekka Market. From there, it was either withdrawn in rural districts or converted into USD on Kampala's informal forex circuit.

The red flags that were missed

- The finance team failed to notice that the supplier bank details had changed, a classic red flag.
- The payment approval system did not require a callback to the supplier to confirm new account numbers.
- The IT department never disabled the ex-employee's accounts in all systems.
- Even worse, password policies were so weak that some accounts still used variations of "CompanyName@2022" as their login credentials.
- Staff had undergone a "cybersecurity awareness" training the year before, but it was a two-hour PowerPoint session with no simulations or follow-up.

How the auditor connected the dots

The breach only came to light because the company's external auditor spotted an anomaly during their quarterly review. They noticed that three supplier accounts showed zero activity since the payments were made: no goods received, no follow-up invoices, nothing. They called one of the suppliers directly. The supplier confirmed they had not received payment for the January invoices and were on the verge of halting deliveries. That phone call triggered the emergency board meeting and our investigation.

Summit Consulting's forensic team began by isolating the infected workstation. We found the RAT still active, connecting to a command-and-control server in Nairobi. That server, when traced, led to an IP address linked to a small cybercafé, one that had been closed for months. It was a relay. We then analyzed email metadata. The phishing email had been sent from a domain differing from the genuine supplier's by just one character. Cross-referencing registration details with company records revealed that the domain was purchased using an email address previously used by Suspect 1. The real breakthrough came from following the money. While most withdrawals were in cash, one shell company account made a UGX 9.8 million mobile money transfer to a number registered to Suspect 2's cousin. That cousin claimed he "was just asked to keep the money for a friend." From there, the mobile money transaction history gave us a spider web of payments, all leading back to Suspect 1's known associates.

Which controls lapsed?

This case was not just about a clever cyberattack. It was about leadership failing to treat cyber risk as a business risk.

- Access controls were weak. Former employees could still log into critical systems.
- Supplier payment verification was nonexistent.
- Cyber awareness was box-ticking,
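In both this case and the SME case above, the hook was a sender domain one character away from a genuine partner's, dressed up with a familiar display name and signature. A mail gateway or SIEM rule can catch that class of sender before a human has to. The script below is an added example, not code from Summit Consulting or from iShield360; the partner domains and the From: headers are constructed, and the edit-distance threshold is an assumption. It folds the usual typosquatting tricks (digit-for-letter, "rn" for "m", accented characters) before comparing each sender domain to the allow-list by edit distance, and separately flags a display name that names a known partner while the address comes from somewhere else.

```python
import unicodedata
from email.utils import parseaddr

# Constructed allow-list of genuine partner domains (assumed names, not from the cases).
KNOWN_DOMAINS = {"kampalashipping.co.ug", "eastafricainsure.com"}

# Constructed From: headers to scan.
SAMPLE_HEADERS = [
    "Ops Desk <ops@kampalashipping.co.ug>",      # genuine
    "Ops Desk <ops@kampa1ashipping.co.ug>",      # digit 1 in place of letter l
    "Ops Desk <ops@karnpalashipping.co.ug>",     # rn in place of m
    "Ops Desk <ops@kampalashiping.co.ug>",       # one letter dropped
    "Kampala Shipping <billing@gmail.com>",      # display name borrowed, address unrelated
]


def normalise(domain):
    """Fold the substitutions a typosquatter relies on so look-alikes compare equal."""
    folded = unicodedata.normalize("NFKD", domain).encode("ascii", "ignore").decode().lower()
    folded = folded.translate(str.maketrans("0135", "oles"))
    return folded.replace("rn", "m").replace("vv", "w")


def levenshtein(a, b):
    """Edit distance (insert, delete, substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(header_from, known=KNOWN_DOMAINS, max_distance=2):
    """Return (verdict, matched_known_domain_or_None).

    verdict is 'exact', 'lookalike', 'impersonation' or 'unknown'.
    """
    name, addr = parseaddr(header_from)
    if "@" not in addr:
        return ("unknown", None)
    domain = addr.rsplit("@", 1)[1].lower()
    if domain in known:
        return ("exact", domain)

    # Look-alike: small edit distance after folding the typosquatting tricks.
    folded = normalise(domain)
    best = None
    for candidate in known:
        dist = levenshtein(folded, normalise(candidate))
        if dist <= max_distance and (best is None or dist < best[1]):
            best = (candidate, dist)
    if best:
        return ("lookalike", best[0])

    # Impersonation: display name spells out a partner's name, address does not match.
    label = normalise(name.replace(" ", ""))
    for candidate in known:
        if label and label == normalise(candidate.split(".")[0]):
            return ("impersonation", candidate)
    return ("unknown", None)


def scan(headers, known=KNOWN_DOMAINS):
    """Classify a batch of From: headers; anything but 'exact' deserves a hold or a callback."""
    return [(h, *classify_sender(h, known)) for h in headers]


if __name__ == "__main__":
    for header, verdict, match in scan(SAMPLE_HEADERS):
        print(f"{verdict:14} {match or '-':25} {header}")
```

Two caveats from running this in practice: a fixed distance of 2 is far too loose for short domains (scale it to the length of the registrable label, or require distance 1 for labels under ten characters), and an allow-list only protects the partners you have onboarded, so a genuinely new supplier will land in "unknown" and must be verified by a call to a number you already hold, which is the control both companies above had on paper and skipped.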
Third-party risks: Your weakest link could be your supplier
On a Tuesday morning in March 2024, a procurement officer at a mid-sized local manufacturing company approved what looked like a routine payment to a long-time supplier of spare parts. The supplier had been with the company for over 12 years. Their trucks were a regular sight at the plant gates in Namanve. On paper, the relationship was solid, predictable, and “trustworthy.” Two weeks later, the company’s finance manager noticed something odd: the same supplier had invoiced for an unusually high quantity of industrial bearings, all marked as “urgent replacements” for a breakdown that never happened. The amount? UGX 480 million. The finance manager raised a cautious eyebrow but signed off. After all, the procurement team vouched for it. What the company didn’t know was that this “routine” transaction was the final stage of a meticulously orchestrated fraud scheme that had been unfolding for months, not by outsiders, but with the willing hands of insiders. Summit Consulting Ltd was brought in after the company’s board received an anonymous whistleblower email. The subject line was only three words: “Check your suppliers.” The invisible war inside the company By the time our investigation team arrived, the company’s leadership was split into two camps. One believed this was a supplier’s deception, a classic case of overbilling. The other suspected something darker: internal collusion. This tension was palpable in the boardroom when I first met them. You could tell who was on which side by their body language. Procurement heads leaned forward aggressively, defending their processes. Finance people sat stiff, arms crossed, as if they’d been forced to attend a court hearing. As a fraud investigator, I’ve learned that fraud thrives where relationships blur the line between professional and personal trust. And here, that line was so faint it was practically invisible. 
How the scheme was engineered

a) The entry point

Suspect 1, a mid-level procurement officer, had been employed by the company for eight years. A quiet man, often described by colleagues as “the guy who never talks in meetings,” he was the perfect camouflage. His link to the supplier went beyond work. He grew up in the same village as the supplier’s operations manager, Suspect 2. Their families had shared meals, funerals, and even loan guarantees. In late 2023, Suspect 2 approached Suspect 1 with an idea: create “ghost orders” for spare parts, mark them as urgent, and get them paid before anyone could question the need. In return, Suspect 1 would get a cut, discreetly handed over in cash after payment cleared.

b) The paperwork game

The fraud relied on manipulating the company’s procurement system. Every purchase request had to be justified with a “Breakdown Report” signed by maintenance. Suspect 1 convinced a junior maintenance supervisor, Suspect 3, to sign off on fake reports in exchange for a smaller payout. These reports listed machinery breakdowns in jargon so technical that most finance staff wouldn’t dare challenge them.

c) Moving the money

Once invoices were approved, payments were made directly to the supplier’s bank account. This was the legitimate part, but the supplier’s accounts officer would then withdraw large sums in cash over several days, breaking them into amounts under UGX 20 million to avoid triggering bank reporting thresholds. From there, the cash moved through Uganda’s informal transport network. Motorbike couriers (“boda riders”) collected envelopes from the supplier’s office and delivered them to Suspect 1 in parking lots near supermarkets in Kyaliwajjala. Suspect 1 would then meet Suspect 3 and pass on their share. Occasionally, to speed things up, mobile money was used, but never in amounts over UGX 5 million per transaction, and always sent through numbers registered in other people’s names.
The red flags the auditor caught

The scheme might have continued indefinitely if not for one anomaly spotted by the external auditor. While reviewing supplier payments, the auditor noticed that the “urgent” spare parts orders for bearings all fell on Fridays, and often in the last week of the month. Digging deeper, they found that the quantities ordered were inconsistent with the plant’s production volume. Bearings of that size typically lasted 12 months, yet some were being “replaced” every two months. The auditor quietly flagged this to the board chair, who immediately engaged Summit Consulting Ltd for a discreet investigation.

Our team began with supplier payment data from the past three years. Within days, patterns emerged. The suspicious invoices all originated from a narrow set of purchase request numbers, and all bore the digital signature of Suspect 1.

Next, we visited the supplier under the guise of conducting a “vendor performance review.” Their delivery records were sloppy, deliberately so. But we found GPS data from their delivery trucks showing no actual trips to the plant on the dates of the alleged urgent deliveries.

We then traced the cash withdrawals from the supplier’s bank. The timing matched exactly with payments from the manufacturing company. CCTV footage from the bank branch in Mukono captured the supplier’s accounts officer withdrawing the money, often accompanied by Suspect 2.

The final piece came from mobile money transaction logs. One phone number, registered in a woman’s name from Mbale, repeatedly received UGX 4.9 million in the days following these withdrawals. That number, we discovered, belonged to Suspect 1’s live-in girlfriend.

The internal controls that failed

The company’s internal controls were not just weak; they were actively bypassed through collusion. Segregation of duties was compromised. Suspect 1 could both initiate purchase requests and approve them when the supervisor was “away.” Supplier vetting was cosmetic. Long-standing relationships were never re-evaluated, creating a comfort zone ripe for exploitation. Maintenance reporting relied on a single signature with no technical verification. Payment verification assumed that approved purchase orders were genuine; no one cross-checked with actual delivery records.

By the time the dust settled, the total confirmed loss was UGX 1.28 billion. Recovery efforts are ongoing, but as in many Ugandan fraud cases, much of the money has likely been spent on plots of land in rural districts, luxury goods,
Cyber Defense in the Age of AI: Are You Prepared?
“The attackers are not coming. They are already inside, and they are faster than you.”

In March 2025, a mid-sized SACCO in central Uganda noticed something odd. An internal report had been edited at 2:13 AM by someone who was not on shift. The login credentials matched the CFO. The IP address didn’t. By sunrise, UGX 60 million had vanished, transferred across multiple mobile money accounts, routed through betting wallets, and laundered via crypto platforms no one on the team had ever heard of.

The forensic audit, led by Summit Consulting Ltd, uncovered a chilling reality. The attack was not orchestrated by a human being. It was executed by an AI bot, trained to mimic staff behavior, learn login patterns, and adjust its syntax to sound like internal memos. The most worrying part is that the fraud scheme is scalable. Welcome to the new battlefield.

AI has changed the rules of cyber warfare

We have crossed the line where cybercriminals write code. Now, code writes itself. Using open-source AI models, attackers in Kampala, Nairobi, Lagos, or anywhere can now:
Clone a CEO’s voice from a 7-second video
Auto-generate phishing emails that bypass 2FA
Learn employee login habits and strike when vigilance is lowest
Simulate chats, modify documents, and even impersonate support tickets

This is not a future threat. It is already happening, and your firewall doesn’t stand a chance unless it, too, can think.

Are you managing risk, or merely reacting?

Many institutions, especially those outside Tier 1 banks, have weak, outdated defenses:
No AI-driven SIEM tools
No behavioral anomaly detection
No tested cyber incident playbooks

And worse, they do not simulate breaches. They assume insurance will clean up the mess. Spoiler alert: it will not.

The human firewall is failing. Train smarter.

Your team is your greatest vulnerability, or your strongest defense.
The AI phishing scams you need to track include:
Emails from regulators demanding a refund form update
WhatsApp voice notes from “HR” asking you to approve a salary adjustment
Deepfake calls mimicking a Managing Director authorizing an emergency transaction

All designed by AI. All emotionally timed. All targeted.

Training must now go beyond awareness into behavioral resistance:
Test phishing simulations monthly
Run deepfake impersonation drills
Build a zero-trust culture (verify always, trust never)

Predictive cyber defense is now your new perimeter

What worked five years ago is now a liability. Legacy systems? Sitting ducks. Antivirus? Irrelevant. Firewalls without AI? Decorative. You must deploy tools that see patterns before breaches happen. That means:
AI-augmented threat detection
SOCs that learn from each breach
Instant alerting systems when anomalies are detected
Third-party risk mapping and mobile app scanning

Summit Consulting recently implemented such a system for a microfinance institution. Within 48 hours, they detected two dormant accounts activated for fraudulent funds transfers. Attack averted. Trust preserved.

Regulators are watching. And they will not be kind.

Under Uganda’s Data Protection and Privacy Act, you are accountable not just for data loss, but for failure to prevent it. And boards are being advised to:
Request AI-enhanced cyber dashboards
Include cyber risk in the Top 5 Risk Universe
Test incident response at the board level
Assign cyber risk to a named EXCO member

Failure to comply is not just non-compliance. It is negligence. And that is what plaintiffs’ lawyers love most.

What is at stake?

Let’s break it down:
Reputation: Once the story breaks, it is not just a loss, it is a betrayal.
Revenue: Downtime = lost sales. AI attacks = longer, costlier outages.
Regulatory sanctions: Fines, blacklisting, and even license suspension.
Internal trust: Staff morale collapses when systems are breached.

In the Age of AI, delay is danger.
What must you do now?
Audit your AI readiness.
Implement threat simulation drills.
Invest in an AI-augmented SOC.
Train staff monthly, not annually.
Update your cyber crisis playbook.
Get a board-level cyber readiness briefing.

AI is here. So are its weapons. It can predict threats. But it can also be a threat. If you are not fighting fire with fire, you are flammable.

Summit Consulting Ltd provides:
Cybersecurity audits
AI-driven fraud simulations
Deepfake attack resilience testing
Board and EXCO cyber briefings

Call: +256 775 845691
From target to defense: Tackling data breaches in institutions
During one of our board-level presentations in August 2024, a financial institution’s Director asked, “You are the experts. How do the attackers identify their targets and exploit them?”

The truth is that cybercriminals are highly organized. They take time to study their target and find the most effective way to strike. Our research shows that clients and customers are often at the top of the target list for hackers. This highlights the fact that vulnerabilities in a company’s network can easily spread beyond its direct control. It also points to the need for businesses to recognize that some employees, due to their job roles, visibility, or access to sensitive data, are more likely to be targeted by attackers than others. A high-profile employee is more likely to be targeted by advanced malware attacks, while someone with access to the CEO may face phishing attacks that impersonate the CEO or other executives.

Assessing an employee’s vulnerability involves looking at several factors: the cloud apps they use, the number and type of devices they have, their level of access to sensitive information, their interests and how often they are targeted, and whether they follow good digital security practices. These factors help determine how exposed an employee might be to cyber threats.

Figure 22: Customers remain a top target. Companies need to understand the degree to which some employees, because of their visibility, work routine or level of data privilege, may be more vulnerable to attacks than others.

Addressing data breaches

Reducing the risk of a major data breach is now a top priority for most companies in Uganda, as cybersecurity has become a key topic in boardrooms and among regulators and industry leaders. This is a positive step, with strong support from the board and executives for efforts to manage cybersecurity risks. Boards must be regularly informed about these risks to stay ahead of potential threats.

How are companies tackling data breaches?
Many start by centralizing their cybersecurity efforts to build a culture of security that includes every employee, every department, and all business operations. This approach ensures that everyone understands the role they play in protecting the company’s networks and sensitive data.

Figure 23: Ongoing staff training empowers your staff to be responsible when it comes to cybersecurity management, starting at the personal level.

For cybersecurity education and training to be effective, it must actively involve employees at every level. It’s not just about providing information; it’s about raising awareness and giving employees the tools to understand and manage their security risks. This requires regular engagement, such as monthly check-ins with each department, to monitor and reinforce key practices. For example, tracking employee behaviors, such as whether they are using the correct authentication methods when logging in, ensures that everyone is following the necessary security protocols. By staying engaged, organizations can foster a culture of continuous vigilance and responsibility.

This article draws on key findings from The iShield Project’s Frontline Report 2024, offering a snapshot of the region’s evolving cybersecurity landscape. For deeper insights, case studies, and recommendations: Download the PDF here. If you are interested in a full report, please contact us.
Dealing with data breaches
Data breaches are increasingly damaging businesses globally, with significant consequences for financial institutions and telecom companies. A notable example is the October 2020 cyberattack, where hackers exploited 2,000 mobile SIM cards to breach the mobile payment system. This attack targeted Pegasus Technologies, MTN Uganda, Airtel Uganda, and even the Bank of Africa, resulting in UGX 10.5 billion in losses within just two days. This event highlighted the severe vulnerabilities in digital payment systems and the devastating financial impacts of cyberattacks.

Insights from organizational leaders reveal that data breaches are widespread. Most organizations (74%) have experienced at least one data breach in the past decade. Large institutions, especially in finance and telecom, face even greater risks, with 68% reporting four or more violations in the last five years. In contrast, smaller organizations, with fewer digital assets and smaller attack surfaces, reported significantly fewer breaches (32%). This disparity illustrates how larger institutions, as high-value targets, attract more sophisticated cybercriminals.

The impact of data breaches extends far beyond financial loss, as illustrated in the chart. Loss of revenue is the most significant repercussion, cited by 46% of respondents. Imagine a pipeline with a breach, and money flows out as the organization scrambles to stop the leak. Following revenue loss, termination of staff involved ranks second at 27%. This often reflects the fallout from negligence or internal lapses, illustrating how breaches can impact not only careers but also company operations. Loss of clients, cited by 16%, is another critical impact. Customers lose trust in companies that fail to secure their data, much like a patron abandoning a restaurant after a food safety scandal. Lastly, loss of intellectual property and data, reported by 11%, represents a long-term strategic threat.
Intellectual property theft can erode competitive advantage, akin to losing the blueprints to a product that differentiates a company in the market. Data breaches have both immediate and cascading effects. Organizations must treat cybersecurity not as a back-office function but as a core part of their business strategy. Proactive measures, including incident response plans, regular audits, and continuous employee training, are essential to mitigate these risks. Without such defenses, the consequences can spiral out of control, impacting not just the bottom line but also organizational trust and reputation.

Figure 20: Cyber attacks are mostly financially motivated acts leading to loss of revenue.

iShield 360 experts predict that data breaches will increase, with 17% of financial institutions expected to face a major breach in the next five years. It’s no surprise that companies that have already experienced one or more breaches in the past ten years are much more likely to expect another breach within the next three years, compared to those that haven’t faced any breaches yet. This highlights the ongoing risk for businesses, especially in the financial sector.

Many companies in Uganda are still in the early stages of creating strong strategies to prevent and respond to data breaches, as well as reduce their impact. Not every business leader fully realizes that even a large company can be crippled by a single cyberattack. To protect themselves, organizations need to build a solid and reliable security structure to achieve true cyber resilience and be better prepared for potential threats. This also speaks to the people factor in organisations.

This article draws on key findings from The iShield Project’s Frontline Report 2024, offering a snapshot of the region’s evolving cybersecurity landscape.
User access concerns in systems security: why the authentication process needs a keen eye
In today’s complex environment, employees have access to corporate networks and are authenticated to corporate systems, servers, and devices. It is dire if a malicious attacker obtains the same access, whether through brute force or by exploiting staff who lack awareness, because the same level of access privileges lets the attacker move laterally throughout the enterprise. It is for this reason that organizations enforce policies on strong user credentials, multiple methods of authentication, password management tools, and a strong cybersecurity program. Notably, organizations have to acknowledge identity governance, assess all possible risks around user authentication and access controls, put in place identity governance solutions, carry out a Business Impact Analysis to identify the critical systems in the organization’s inventory, and analyse and understand the access privileges granted to employees, contractors, and partners.

Why the authentication process needs a keen eye

One of the most important aspects of system or network authentication is the focus on the user and on human-to-computer interactions. This makes user authentication crucial to understand when creating or improving your corporate systems’ login procedure. Whether you’re looking to amp up your internal security, increase security over system access, or simply provide a better user experience for employees and individuals exploring your corporate systems and internet-facing applications, it’s important to know how user authentication fits into the equation.

What is Authentication?

Authentication is a security process that began long before the age of computing; only in our current parlance does it seem linked to digital security. It is a security process that covers all of the human-to-computer interactions that require the user to register and log in to verify their identity to the web application.
That is to say, authentication asks each user that tries to access the system or corporate network, “who are you?” and verifies the user’s response. When employees or users register accounts, they create unique IDs and keys that allow them to access their accounts later on. Generally, a username and password are used as the ID and key, but the credentials can include other forms of keys as well (see the section on factors of authentication below). The authentication process provides users with repeat access to their accounts while attempting to block unauthenticated and malicious users from gaining access.

Factors of Authentication

Three factors can provide a form of authentication:

What You Know
Factors the user must know to log in are considered knowledge factors. This can be anything from a username to a password or PIN. The challenge with these factors is that they can be weak in terms of security because they can be shared or guessed.

What You Have
Anything that the user must have or possess to log in. One-time password tokens, smart cards, ID cards, and physical tokens are all considered something the user possesses.

What You Are
This is tailored to a person’s biological characteristics. Any biometric authentication process, such as fingerprint scanning and facial recognition, would fall into this category.

Multi-factor Authentication

Combining factors of authentication greatly reduces the chance of failure in the authentication process. Two- and three-factor authentication are catching on in many areas outside of internet services. In many cases, all three are required: an access card, combined with an authorized fingerprint, and finally a lock combination one must know to gain access to computing equipment. Multi-factor authentication will continue to become more common in the security procedures of various internet services. Many prominent internet services have already implemented it.
Facebook, Twitter, and Google services already support two-factor authentication.

Conclusion

By now you should understand how authentication works and how users authenticate their identities to various corporate systems. Organizations need to ensure the following to make their login process more secure, more user-friendly, or both:

Encourage Stronger Passwords to Improve Security. Passwords alone aren’t the best authentication method because of the vulnerabilities they bring through insecure user-generated credentials. However, organizations should improve their existing password-based authentication systems by implementing a password policy that encourages users to create better passwords. Some hints for creating stronger passwords are:
Longer passwords are more secure. Security experts suggest that you create passwords with a minimum of 8 characters, but we recommend passwords closer to 12 characters in length.
Passwords should have a mix of characters. Passwords with a random combination of uppercase and lowercase letters, numbers, and symbols are harder to crack.
Users should avoid using formulas when generating passwords. Patterns and formulas make it easy for hackers to guess passwords and offer users a false sense of security.