In a country where billions vanish silently into forged invoices and ghost accounts, the real superheroes don’t wear capes. They carry audit trails, forensic reports, and courtroom-ready evidence. They are Certified Fraud Examiners (CFEs). And the battlefield is real.

Why it matters: The fraud is already happening

Every week, a district accountant approves payments to a supplier that doesn’t exist. A school headteacher lists “ghost pupils” to pocket capitation grants. A procurement officer inflates prices on desks by 300%. By the time the Auditor General flags it, the money is long gone. But what if you could catch it before it spreads? What if you were the person they feared in the room?

What CFEs do: Expose the schemes no one talks about

As a CFE, you don’t wait for whistleblowers. You build systems that reveal fraud patterns before they explode. You:
a) Trace the money, even when it moves through mobile money and cousins’ accounts
b) Decode fake documents, from doctored receipts to manipulated contract minutes
c) Interview suspects and break their stories wide open
d) Write forensic reports that land in courts, not drawers

You don’t accuse. You prove. And that changes everything.

Why now: The space is wide open

Uganda has fewer than 150 active CFEs, yet the fraud is multiplying. Ministries, NGOs, banks, SACCOs, and district offices are losing money. They don’t need talkers. They need trained warriors. With tools. With credentials. With confidence.

How to start: Get certified. Join the movement.

Summit Consulting’s Fraud Risk Management Masterclass is your first step. It’s local. Practical. Delivered by experts who’ve cracked real cases, from fake medical procurement deals to parish development fraud. You’ll learn to:
(i) Detect fraud early using red flags
(ii) Conduct investigations with digital evidence
(iii) Report fraud in formats that regulators and prosecutors can act on

Then you’ll sit the CFE exam. And earn global credibility.

You can rant. Or you can rise. Uganda doesn’t need more observers. It needs doers. Professionals trained to say: “Not on my watch.” So if you’re serious about becoming a fraud-fighting superhero: Get certified. Join the Institute of Forensics & ICT Security. Change the game. Because silence is not neutral. It’s complicity.
From red flags to real cases: how CFEs uncover hidden crimes
The quiet theft that bled a district dry

In March 2024, the Chief Administrative Officer of a western Uganda district noticed an odd spike in “fuel and maintenance” expenses for sub-county motorcycles. What raised eyebrows was simple: most motorcycles hadn’t moved an inch for months, yet the ledgers showed full tanks and frequent repairs. By April, the CAO escalated the matter to the Internal Auditor, who pulled receipts from the sub-counties. That’s when the case started to stink. The fuel vouchers bore forged signatures. Some mechanics listed had died years ago. The audit report highlighted “possible fraud,” but no further action was taken. That’s when we were brought in. Our job? Move beyond suspicion. Expose the architecture of theft. And find the culprits.

Everyone was in on it

This was not an isolated fraud. It was a cartel.

The scheme
(i) Ghost motorcycles were listed in the asset register
(ii) Drivers claimed fuel and repair advances
(iii) Funds were disbursed through mobile money accounts of relatives posing as suppliers

The red flags
(i) Fuel logs had identical mileage for weeks
(ii) Mechanics issued repairs on non-existent chassis numbers
(iii) Receipts were printed on the same template from a shop in Rukungiri

The District Engineer approved everything. So did the Internal Auditor, until the scandal broke and he went silent.

The investigation: Following the money and the lies

We began by mapping the money flows.

a) Disbursement trail
We traced UGX 186 million over 13 months, siphoned via mobile money in tranches of UGX 480,000 to UGX 1.2 million. Most went to one number registered to “Mugabe Estates Ltd”, a fake entity linked to a cousin of the sub-county chief.

b) Document forensics and analysis
We ran a document analysis. The receipts had identical font kerning and were printed using the same Epson dot-matrix printer. The Uganda National Supplier Registration System had no record of the vendors.

c) Interview trap
We set up a quiet sting and called the listed “mechanic” as a potential partner. He arrived in a taxi and admitted he’d been paid UGX 50,000 per signature. We got it on tape with his permission.

The system failed, and we showed how

In total, the district lost UGX 186 million in 13 months. But worse, the case exposed a culture of silence and cover-ups. Procurement, audit, accounts, engineering: everyone signed off. And they all blamed “the system.” We filed a detailed forensic report with the CID, the Anti-Corruption Unit, and the IGG. Three arrests have been made so far. The CAO is under pressure to explain the delayed action.

A case in point: the Kyotera Diaries

This is not unique. In Kyotera in 2023, a parish chief claimed 60 boda-boda repairs for motorcycles impounded two years earlier. That case alone cost UGX 43 million. Again, forged invoices. Again, mobile money trails. Again, the internal auditor slept on the job.

The lesson: Red flags are not conclusions. They are starting points.

Most fraud is not hidden. It is ignored. It thrives in silence. Certified Fraud Examiners are not magicians. We just do what others don’t: follow up, verify, ask who benefits, connect the dots, and then put it in a report so sharp no one can pretend not to see it. That’s how you turn red flags into arrests. That’s how you break the culture of impunity. That’s how you protect public funds from disappearing in plain sight. And if you don’t, who will?

Become a CFE now
Our pentest approach: Why most risk management teams are NOT future-ready
You have a penetration testing process. You have a risk management department. You have an internal audit team. Yet you are still vulnerable. Why? Because most teams are not evolving as fast as the threat landscape.

At Summit Consulting, our VAPT approach is simple and brutal:
1) Inception meeting: Define timelines, expectations, and failure points up front.
2) Blackbox penetration testing: Simulate a real-world external attack without insider knowledge.
3) Vulnerability assessment: Identify cracks before the enemy does.
4) Whitebox penetration testing: Simulate insider threats with full access.
5) Internal vulnerabilities assessment: Your weakest links are always inside.
6) Final report compilation: No sugar-coating. Just the truth.
7) Presentation of findings: Executive-level intelligence, not geek talk.

Here’s the real question

Are your internal audit and risk teams evolving to meet today’s threats? Or are they still stuck writing yesterday’s audit checklists? Cyber risk is not a compliance exercise anymore. It is a survival strategy.

Why most risk management teams are not future-ready

In 2024, a mid-sized Ugandan financial institution asked us for a routine vulnerability assessment. They had just passed a regulatory audit with flying colours. Their internal audit team had ticked all the boxes. We applied our Summit iShield 7-step VAPT approach.
1) Inception meeting: Their IT head assured us, “We’re clean. Just do a quick scan.”
2) Blackbox testing: Within 4 hours, we breached their email gateway and sat silently inside their network.
3) Vulnerability assessment: Found 47 high-risk exposures, including default admin credentials on core switches.
4) Whitebox testing: Gained domain admin privileges in less than a day, with full access to their backup systems.
5) Internal vulnerability check: Discovered weak passwords like “Welcome@123” and unpatched ERP servers.
6) Final report: We drafted a 54-page red alert report with proof-of-exploit screenshots.
7) Board presentation: Their CEO nearly fell out of his chair. His exact words were: “But our IT team said we were safe?”

Here’s the reality

Their internal audit team had never tested controls, only reviewed paperwork. Their risk team didn’t even understand what a lateral movement attack was. That is the problem. Too many organizations are blind, not because they lack talent, but because they confuse compliance with security. They are auditing locks, not testing doors. Our VAPT approach is not just a scan, it’s a war game. If your internal experts can’t handle simulated attacks, how will they survive real ones? Now is the time to partner with experts who can support them to add value. A future-ready internal audit and risk management team outsources cybersecurity assurance services to an external firm, so that it does not move blindly.

Leadership takeaway

Compliance passed. Pen test failed. Only one of those outcomes protects your business. Wake up. Test. Transform. Contact us today and make us your partner. Visit www.summitcl.com.

#RiskManagement #InternalAudit #CyberSecurity #VAPT #BeTransformed #MrStrategy
Fraud happens in silence: Speak up, save millions
On 11th February 2025, a procurement officer at a prominent government parastatal in Entebbe signed off an “emergency” UGX 360 million payment for the supply of solar panels. No panels arrived. No alarm was raised. No questions were asked. By June, after seven similar “emergency procurements,” over UGX 2.7 billion had quietly disappeared. Nobody saw. Nobody heard. Nobody dared to speak. Until one junior stores clerk, earning UGX 800,000 a month, finally blew the whistle anonymously. Summit Consulting Ltd was contracted to investigate, weeks after internal damage-control efforts failed spectacularly. By then, the silence had cost them dearly.

Culture versus compliance

Most Ugandan organizations boast thick policies, glossy codes of conduct, and colorful posters urging integrity. But when fraud happens, real culture shows. At this parastatal, the culture was loud in meetings, but dead silent when it mattered. Staff had seen inflated invoices. They had noticed the rushed LPOs. But speaking up meant isolation. Transfers to Karamoja. Career death. So they shut up. Until it was too late.

How the fraud was perpetrated

a) Emergency procurement loophole
i) “Emergency” procurements bypassed standard competitive bidding, based on fictitious justifications like “urgent rural electrification.”
ii) Dummy suppliers, registered two months prior, were awarded contracts.
iii) Payments were made before delivery, with fake site inspection reports signed off by internal colluders.

b) Covering the tracks
i) Manual alteration of bid committee minutes to reflect fake evaluation processes.
ii) Destruction or loss of key procurement files under the guise of office “renovations.”
iii) Coordination with rogue internal auditors to delay review cycles.

Money movement details
a) 65% of stolen funds were withdrawn in cash within 48 hours of payment disbursements from the institution’s account.
b) 20% was layered through school fees payments and land purchases in Wakiso and Mukono registered under third parties.
c) 15% was used to pay off insiders and fund a political “war chest” in anticipation of the 2026 elections for a local MP.

By the time we traced the money, a full recovery was nearly impossible.

Red flags ignored
a) Repeated emergency procurements from the same five “suppliers.”
b) Payment schedules consistently just below the UGX 500 million threshold requiring higher-level scrutiny.
c) Frequent staff reshuffles of whistleblowers and critical thinkers.

Our investigation methodology

a) Deep-dive procurement audit
We requested original procurement files and compared them with system records, uncovering material inconsistencies.

b) Lifestyle forensics
We profiled suspected staff: unexplained new houses, fancy SUVs, and unexplained “business investments” by spouses.

c) Anonymous tipline deployment
We set up a confidential reporting platform, receiving over 37 insider tips within one month that painted the full picture of the syndicate.

Challenges faced

a) Fear culture
Even after formal whistleblower protection was assured, most staff still hesitated to testify without heavy anonymization.

b) Legal bottlenecks
Prosecution processes dragged due to weak evidence preservation and political interference.

c) Record tampering
Several key files and emails mysteriously “disappeared” during the early days of the investigation.

Confirmed loss: UGX 2,720,450,000. Projected indirect loss: another UGX 4 billion in opportunity costs, reputation damage, and donor sanctions.

Fraud thrives in silence. Fraud lives because honest people fear. Fraud wins because organizations punish candor more than they punish theft. If your staff fear HR more than they fear a court of law, your institution is one tender document away from collapse. If you truly want to save millions, build a culture where speaking up is rewarded, not buried.
Uganda’s biggest frauds are not committed by masterminds. They are committed by mediocrities shielded by fear, enabled by silence. Fraud is not a financial risk. It is a cultural cancer. Kill the silence, or the silence will kill your organization.
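The red flags in this case (payments sitting just below the UGX 500 million scrutiny threshold, repeated emergency awards to the same suppliers, suppliers registered only weeks before their first award, payment before delivery) and in the district motorcycle case earlier on this page (many small mobile money tranches landing on one number) can be screened for mechanically before an audit ever starts. The Python below is an added example, not Summit Consulting's tooling; the record layout, limits and sample data are constructed.

```python
"""Red-flag screen for procurement payments and mobile money disbursements.

Added example (not Summit Consulting's tooling). Implements the indicators
described on this page; record layout, limits and sample data are constructed.
"""
from collections import defaultdict
from datetime import date

SCRUTINY_THRESHOLD_UGX = 500_000_000  # higher-level scrutiny threshold quoted on the page
NEAR_THRESHOLD_BAND = 0.10            # flag payments within 10% below that threshold
NEW_SUPPLIER_DAYS = 90                # supplier registered under ~3 months before award
REPEAT_AWARD_LIMIT = 2                # more than this many emergency awards to one supplier

# Constructed sample payment vouchers (not the real case records).
PAYMENTS = [
    {"voucher": "PV-001", "supplier": "Sunrise Solar Ltd", "registered": date(2024, 12, 10),
     "awarded": date(2025, 2, 11), "paid": date(2025, 2, 12), "delivered": None,
     "amount": 360_000_000, "method": "emergency"},
    {"voucher": "PV-002", "supplier": "Sunrise Solar Ltd", "registered": date(2024, 12, 10),
     "awarded": date(2025, 3, 3), "paid": date(2025, 3, 4), "delivered": None,
     "amount": 495_000_000, "method": "emergency"},
    {"voucher": "PV-003", "supplier": "Sunrise Solar Ltd", "registered": date(2024, 12, 10),
     "awarded": date(2025, 4, 1), "paid": date(2025, 4, 2), "delivered": None,
     "amount": 480_000_000, "method": "emergency"},
    {"voucher": "PV-004", "supplier": "Nile Office Supplies", "registered": date(2018, 5, 2),
     "awarded": date(2025, 2, 20), "paid": date(2025, 3, 30), "delivered": date(2025, 3, 15),
     "amount": 42_000_000, "method": "open bidding"},
]

# Constructed mobile money tranches: (payee number placeholder, amount in UGX).
MOBILE_MONEY = [
    ("07XX-000-001", 480_000), ("07XX-000-001", 1_200_000),
    ("07XX-000-001", 950_000), ("07XX-000-002", 300_000),
]


def near_threshold(amount, threshold=SCRUTINY_THRESHOLD_UGX, band=NEAR_THRESHOLD_BAND):
    """True when an amount sits just below the scrutiny threshold (possible structuring)."""
    return threshold * (1 - band) <= amount < threshold


def scan(payments):
    """Return {voucher: [flags]} covering record-level and supplier-level indicators."""
    flags = defaultdict(list)
    emergency_awards = defaultdict(list)
    for p in payments:
        v = p["voucher"]
        if near_threshold(p["amount"]):
            flags[v].append("amount just below scrutiny threshold")
        # Paid with no delivery recorded, or paid before the recorded delivery date.
        if p["paid"] is not None and (p["delivered"] is None or p["paid"] < p["delivered"]):
            flags[v].append("paid before delivery")
        if (p["awarded"] - p["registered"]).days < NEW_SUPPLIER_DAYS:
            flags[v].append("supplier registered shortly before award")
        if p["method"] == "emergency":
            emergency_awards[p["supplier"]].append(v)
    for supplier, vouchers in emergency_awards.items():
        if len(vouchers) > REPEAT_AWARD_LIMIT:
            for v in vouchers:
                flags[v].append(f"repeated emergency awards to {supplier} ({len(vouchers)})")
    return dict(flags)


def dominant_payee(disbursements, share=0.5):
    """Return (number, share) for a payee receiving more than `share` of all value, else None."""
    totals = defaultdict(int)
    for number, amount in disbursements:
        totals[number] += amount
    grand_total = sum(totals.values())
    number, top = max(totals.items(), key=lambda kv: kv[1])
    fraction = top / grand_total
    return (number, fraction) if fraction > share else None


if __name__ == "__main__":
    for voucher, reasons in scan(PAYMENTS).items():
        print(voucher, "->", "; ".join(reasons))
    print("dominant mobile money payee:", dominant_payee(MOBILE_MONEY))
```

The open-bidding voucher paid after delivery produces no flags, while every emergency voucher trips at least three, which is the shape of the pattern the internal auditors above chose not to see.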
Trust but verify: your best defence against fraud
Everyone loves to preach about “trust.” It is easy. It feels good. It looks good on glossy company brochures and leadership seminars. Trust without verification is negligence wearing a suit. Trust but verify means giving people freedom to act, but building systems to independently confirm that what they promised is what they delivered. It is about combining optimism with brutal realism.

What it does

It empowers leaders to stop playing the victim when fraud happens. It creates a culture where honesty is respected and inspected. It turns risk management from a prayer into a process.

The best, most practical application? In retail banking. One fast-growing bank in East Africa implemented a smart trust but verify system: daily surprise cash counts, random transaction audits, independent reconciliation reviews, and mandatory staff rotations. Meanwhile, competitors who only “trusted” woke up one morning to discover billions gone, siphoned quietly by insiders they thought were “loyal.”

How to apply it step-by-step
a) Map critical trust points: Identify where you heavily rely on people’s honesty: cash handling, procurement, approvals.
b) Design independent verification: Add random checks, dual sign-offs, audit trails, and surveillance. Not because you suspect. Because you are responsible.
c) Automate and anonymize checks: Use tech tools like reconciliation bots or data analytics to cross-verify transactions without bias or boredom.
d) Reward honesty exposed by verification: Praise people who are verified clean, not just assumed clean. Make truth-telling a celebrated behavior.
e) Act decisively on breaches: When verification exposes fraud, do not drag your feet. Fire fast. Prosecute. Publicize internally.

The benefits for leaders are many. You sleep better. You stop guessing. You move from reactive firefighting to proactive risk control. And you send a clear message: “We trust you, but we respect our duty to protect everyone, including you, from human weakness.” At the fast-growing bank, a branch manager once thanked HQ for a surprise audit that caught a teller skimming early. Instead of embarrassment, it saved the branch’s reputation. Trust but verify worked. Not just for the numbers, but for the people.
Why becoming a Certified Fraud Examiner (CFE) changed my life, and why it might not change yours
When I sat for my CFE exams years ago, I was not looking for another paper to hang on my office wall. I was hunting for something much deeper: an unfair advantage. You see, fraud is the invisible hand that quietly destroys organizations. It rarely screams. It rarely marches through the front door. It oozes through cracks, weak controls, lazy oversight, and naive trust.

Before I became a Certified Fraud Examiner, I thought catching fraud was about numbers. Balance sheets. Ledgers. Receipts. After CFE training, I realized that fraud is about human behavior. It is about fear, greed, ego, and opportunity. CFE rewired my brain, just like CPA had done. I stopped asking: “Is this invoice legitimate?” I started asking: “What would I do if I were the fraudster sitting in this chair?” That shift made me dangerous. It made me indispensable.

1) What CFE really teaches you

a) Think like a criminal, ethically
I stopped seeing employees as “good” or “bad.” I saw systems. I saw gaps. I saw temptations. And I learned how to close them before they turned into scandals.

b) See patterns faster than others
While others saw random mistakes, I saw footprints. Patterns. Red flags are buried in normalcy. Why would someone who holds a senior role deliberately drive a run-down car? What could they be hiding? Why would someone who earns a good salary, has worked for years, and has stable bank balances finance new investments with a bank loan? I started seeing everyone as a suspect until evidence showed otherwise. I could connect a missing petty cash voucher in Lira to a ghost worker scandal in Gulu because I understood the psychology of concealment.

c) Navigate organizational politics
Fraud detection is never about facts alone. It is about courage. CFE gave me the frameworks to handle internal resistance, management pushback, and even CEO-level cover-ups without losing my professional head.

2) The painful truth

Becoming a CFE will not make you rich. It will make you valuable, but lonely. You will become the person who sees problems before others even feel the tremors. And trust me: people hate truth-tellers until disaster forces them to listen. If you crave applause, easy promotions, or being “liked”, then CFE is not for you. If you want to become a necessary, respected, and feared guardian of organizational value, CFE is your path.

3) My lived experience

After I became a CFE:
a) I was invited into closed-door boardrooms to brief directors on fraud risks they did not even know existed.
b) I was flown across Uganda and East Africa to fix billion-shilling fraud messes.
c) My consultancy commanded fees that made my old salary feel like pocket change.
d) I was trusted to investigate cases involving ministers, CEOs, and parastatals, because fraudsters fear competence more than they fear audits.
e) I stepped on so many people’s toes, and the pressure on my life became unbearable.
f) I founded the Institute of Forensics & ICT Security.

But I also lost fake friends. I faced threats, sabotage, and smear campaigns from people who preferred the old ways of sweeping things under the carpet. I survived because CFE gave me not just knowledge, but a backbone.

If you are serious about building a career that matters, one that saves companies from collapse, protects public funds, and builds a legacy of trust, become a CFE. But do it with eyes wide open. Prepare for war, not a wedding. Fraud is evolving. The only question is: Are you evolving faster?

Sign up now
Uganda’s cyber laws: Are they strong enough?
A padlock on a chicken coop means nothing if the fox has the keys. In a recent cybersecurity audit, we discovered that sensitive data (employee emails, client info, and even board minutes) was being stored on unencrypted USB drives carried in handbags. One manager proudly said, “But we have complied with the Data Protection Act.” My colleague asked him, “Have you complied with common sense?” Here is the hard truth: Uganda has cyber laws. What we lack is cyber muscle.

a) Laws on paper, chaos in practice
Uganda has made strides: the Computer Misuse Act (2011), the Data Protection and Privacy Act (2019), and the Electronic Transactions Act, among others. But here is the challenge: laws do not enforce themselves. In 9 out of 10 cases I have handled, organizations did not even know they were in breach.

b) Enforcement agencies lack teeth
CERT. NITA-U. Police Cybercrime Unit. Now the ACF. Government forensics lab. They exist. But do they have the capacity? Budget? Independence? In a world of anonymous VPNs, AI-generated scams, and cross-border fraud, enforcement must be smarter than the criminal.

c) The judiciary is overwhelmed and undertrained
Cybercrime cases are delayed, misclassified, or thrown out due to technicalities. Some judges still do not know the difference between a DDoS and a USB stick. That’s not justice. That is a circus.

Think about this

Would you fight a drone with a panga? That is what Uganda is doing. We are fighting 21st-century crime with 1990s capacity. The hackers are not in Uganda. They are on Telegram, on dark forums, in North Korea, or next door in Nairobi. Your systems are exposed 24/7. But your legal protection clocks out at 5 pm. At one of our trainings, a CEO asked: “Can a hacker be sued under Ugandan law?” Yes, I said. But only if you can catch them, prove it, and hope the court understands how malware works. Good luck with that.

So, are Uganda’s cyber laws strong enough? No. They are well-written, but practically toothless. This is not just about legislation. It is about the entire cybersecurity ecosystem: legal, technical, institutional, and cultural. Here is what needs to change:

a) Make breach reporting mandatory. Right now, companies quietly pay ransoms and cover up leaks. That is how systemic vulnerabilities grow. Bring sunlight into the room.
b) Fund the cybercrime units with tech, not tea. Give them digital forensics labs, AI threat detectors, and 24/7 monitoring centres, not just Toyota Prados for PR.
c) Train judges and prosecutors. They must understand digital evidence, chain of custody, and cross-jurisdiction cyber threats. Otherwise, justice will always lag behind innovation.
d) Make company directors legally liable. If you sit on a board and allow cyber negligence, you should face personal consequences. That is how we wake up boards.
e) Create a real-time cyber task force with private sector linkages. Not a talk shop. A real unit with engineers, analysts, and incident responders that works with banks, telcos, ISPs, and major corporates.

In the village, they say: “A hyena does not ask permission to enter.” Cybercriminals are not waiting for our laws to catch up. They are exploiting our delays. Uganda needs not just cyber laws. We need cyber deterrence. Action against cybercrime. We need to strike back hard, fast, and legally. Create cyber weaponry and cyber warfare for both offensive and defensive capabilities. Because the next war will not be fought with guns. It will be fought with code.

IFIS Team.
The data privacy debate: Freedom vs security
A monkey tied to a tree still thinks it is free. That is the modern internet user, clicking “I Agree” a hundred times a day without reading anything. Giving away their location, contacts, voiceprints, and heartbeats in exchange for emojis and free Wi-Fi. The illusion of control in a world engineered for surveillance.

One afternoon, the Summit Consulting team was consulting for a large bank that wanted to roll out a facial recognition login system “for convenience.” During our break, the IT head proudly demonstrated it scanning faces faster than a matatu conductor spots a fare-dodger. Everyone applauded. Except for my team. “Who owns this data?” my colleague asked. Silence. “Where is it stored? Who else has access to it? What happens if a disgruntled admin leaks this?” More silence. The kind that says, we did not think that far. That is when we realized: we were building digital prisons and calling them fortresses.

Here is the real issue

a) Security has become the Trojan horse
Governments, corporations, and even schools are justifying unprecedented surveillance “for your protection.” Yet history whispers a warning: every authoritarian regime started by promising order in exchange for liberty.

b) Privacy is seen as paranoia
You are labeled difficult if you ask where your data goes. But as an executive, if you do not care about your organization’s data lineage, you are not managing risk; you are sleepwalking into regulatory chaos.

c) Convenience is the new currency
We give away rights in return for speed. Faster apps. Shorter queues. Personalized ads. But each trade strips another layer of our autonomy. The same tools built to “understand us better” are profiling us for manipulation.

A Ugandan proverb says: “When the roots of a tree begin to decay, it spreads death to the branches.” The root here is this: we never defined a boundary. We rushed to digitize before we governed. We let tech companies set the rules, and now we are catching up with Data Protection Acts like children sweeping after elephants.

In one of my assignments at a major telco, we discovered that over 3,000 third-party apps had API access to customer data: unmonitored, undocumented, and ungoverned. “We trusted the developers,” they said. I said, you do not build trust. You enforce it. That system was a time bomb. We defused it in 60 days. But most companies do not even know the timer is ticking.

So what should bold leaders do?

a) Adopt zero-trust like you breathe oxygen. Stop assuming your systems, staff, or partners are safe. Verify everything. Trust no one; not even yourself.
b) Turn your privacy policy into a governance engine. Make it a living document. Tie it to your internal audits, procurement processes, and third-party onboarding.
c) Educate your board and staff. Most breaches come from ignorance, not malice. Train people not just in cybersecurity, but in ethical tech use.
d) Push for citizen-first regulation. Don’t wait for NITA-U to force your hand. Design systems that protect the least tech-savvy user. If your grandma cannot opt out easily, your system is broken.
e) Set the standard. Do not just comply; lead. Compliance is the floor. Leadership is the roof. Be the company that earns trust, not just accepts consent.

My final word

Security without privacy is surveillance. Privacy without security is fiction. We need both. And as a leader, you must stop delegating this to IT. Data is not just a technical issue. It is a strategic, ethical, and existential one. If you are not in the room where your data protection decisions are made, then you are the one being served, not the one being protected. Wake up. Build fortresses, not cages.

Institute of Forensics & ICT Security
The first 48 hours after fraud: What top investigators never miss
The issue is: Time is not money, it is evidence

On 26th February 2025, the CEO of a prominent government agency in Mbale made a panicked call at 8:14 am. Their revenue accountant had failed to show up for work. UGX 1.8 billion in land fees had disappeared from the suspense account. Worse still, the audit trail was unclear. IT had already formatted the accountant’s computer “to prepare for a new hire.” We arrived within six hours. But the damage was done. Log files were gone. Devices tampered with. Colleagues in ‘defensive mode’.

The first 48 hours are not about panic. They are about preservation. The best investigators do not look for culprits first. They look for what cannot be replaced: digital footprints, physical evidence, and staff memory. Miss that window, and you bury your case.

Management reacts emotionally, not forensically

When fraud is discovered, most leaders focus on reputation management: public statements, damage control, and “dealing with the person.” That is why they suspend the suspect without collecting their devices or reassign access before imaging logins. It is understandable but wrong. Fraud response is not an HR event. It is a crime scene protocol. One wrong move and the trail evaporates. You do not discipline a suspect before investigating. You secure the evidence first.

The first 48 hours: What we always do

a) Secure digital assets before anything else
(i) Confiscate all devices (phones, laptops, and USBs) immediately. Not for punishment, but preservation. They’re evidence.
(ii) Image the drives: we create forensically sound (bit-by-bit) copies before any internal IT “cleans up” the mess. This protects the integrity of files, timestamps, and logins.
(iii) Lock down email and network access, not just to block the suspect, but to freeze the activity. All logs are time-sensitive. Every second counts.

b) Establish a digital chain of custody
(i) Who handled what? When? Where? This includes security guards, IT staff, and line managers.
(ii) Every file moved must be logged. Every conversation recorded. One misplaced flash drive can discredit an entire prosecution.

c) Interview the environment, not just the suspect
(i) The best information comes from those around the fraud: assistants, peers, and cleaners. Their memory is sharpest within the first 24 hours. After that, fear sets in. Stories change.
(ii) We run anonymous digital surveys using mobile USSD tools for sensitive staff. No app. No trace.

d) Conduct a shadow cashflow audit
(i) We map financial movement from 60 days prior and identify unusual patterns.
(ii) We extract parallel logs from the bank or mobile money aggregator to correlate transactions. Even if devices are wiped, money always leaves clues.

The land registry theft in a not-far-distant land

In August 2023, UGX 920 million was siphoned through a series of false plot entries and manipulated arrears payments. We were called 72 hours after discovery. IT had already “reset” passwords, believing they were helping. But the real loss was not the money. It was the metadata. Login IP addresses, session IDs, and edit timestamps were all gone. With no forensic imaging, we could not attribute actions to individuals. No prosecution. No recovery.

e) Forensic checklist: What smart investigators never miss
(i) First login after fraud is discovered: who accessed the system, and did they alter logs?
(ii) Print logs and edits, especially in procurement or HR systems. Many frauds involve fake deletions.
(iii) Unstructured files: fraudsters often hide data in Excel files, drafts, or email attachments, not the main system.
(iv) USB registry keys: when did the last external device plug into the machine?
(v) Live memory dump from any active suspect computer. RAM holds session keys, passwords, and temporary logs.

Evidence before emotion

At Summit Consulting, our iShield360™ Forensic Response Unit is trained for zero-hour deployment. We treat every incident like a crime scene: gloves, logs, isolation, and preservation. We move before files disappear, and we secure the story before it becomes fiction.

You do not get a second first 48

The biggest mistake you can make after fraud is thinking you have time. You do not. The fraudster is deleting. Staff are whispering. IT is overwriting. Every moment you delay, the truth fades, and lies take its place. That is why you call Mr Strategy first. Not to find the thief. But to preserve the truth.
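Two of the steps above, imaging the drives before anyone "cleans up" and keeping a chain of custody, stand or fall on one mechanism: a hash fixed at acquisition and re-checked at every hand-over. The Python below is an added example of that mechanism, not the iShield360 unit's own tooling; the evidence id, handlers and the "image" file are constructed.

```python
"""Evidence hashing and chain-of-custody log.

Added example (not the iShield360 unit's tooling). Shows the two preservation steps
described above: fix a SHA-256 hash of a forensic image at acquisition, then log every
hand-over and re-hash the image so any later change is visible. All names constructed.
"""
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

CHUNK_SIZE = 1 << 20  # hash large images in 1 MiB blocks


def sha256_file(path):
    """SHA-256 hex digest of a file, streamed so multi-GB images fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK_SIZE), b""):
            digest.update(block)
    return digest.hexdigest()


class CustodyLog:
    """Append-only record of who held an evidence image, when, and in what state."""

    def __init__(self, evidence_id, image_path, handler, location):
        self.evidence_id = evidence_id
        self.image_path = Path(image_path)
        self.acquisition_hash = sha256_file(self.image_path)  # fixed once, never updated
        self.entries = []
        self.record("acquired", handler, location)

    def record(self, action, handler, location, note=""):
        """Log a hand-over or examination; re-hash the image at that moment."""
        current = sha256_file(self.image_path)
        entry = {
            "seq": len(self.entries) + 1,
            "time_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "action": action,
            "handler": handler,
            "location": location,
            "note": note,
            "image_sha256": current,
            "matches_acquisition": current == self.acquisition_hash,
        }
        self.entries.append(entry)
        return entry

    def verify(self):
        """True only if the image matched the acquisition hash at every hand-over and now."""
        unchanged_so_far = all(e["matches_acquisition"] for e in self.entries)
        return unchanged_so_far and sha256_file(self.image_path) == self.acquisition_hash

    def to_json(self):
        """Serialised log suitable for attaching to the forensic report."""
        return json.dumps({"evidence_id": self.evidence_id,
                           "acquisition_sha256": self.acquisition_hash,
                           "entries": self.entries}, indent=2)


def demo(workdir=None):
    """Constructed walkthrough: acquire, hand over, then show what tampering looks like."""
    workdir = Path(workdir or tempfile.mkdtemp(prefix="custody_"))
    image = workdir / "laptop01.dd"
    image.write_bytes(b"constructed disk image bytes\n" * 1024)
    log = CustodyLog("EV-CONSTRUCTED-001", image,
                     handler="examiner A (constructed)", location="site office (constructed)")
    log.record("transferred", "evidence custodian (constructed)", "exhibit store (constructed)")
    intact = log.verify()
    # An internal "clean-up" appends a byte: every later hand-over now shows a mismatch.
    with open(image, "ab") as fh:
        fh.write(b"\x00")
    log.record("re-examined", "examiner B (constructed)", "lab (constructed)",
               note="hash mismatch: image altered after acquisition")
    return intact, log.verify(), log


if __name__ == "__main__":
    before, after, custody = demo()
    print("intact after hand-over:", before, "| intact after clean-up:", after)
    print(custody.to_json())
```

In practice the acquisition hash is also written to the imaging tool's own log and to the exhibit form, so the three records can be compared in court.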
Think like a hacker: The psychology behind cybercrime
Most people think hackers wear hoodies and speak in code. That’s Hollywood nonsense. Real hackers don’t need to break your firewall. They just need to break you. Cybercrime isn’t technical. It’s psychological. And the best hackers? They’re not IT geniuses. They’re master manipulators.

a) The mindset: It’s not theft, it’s sport
Hackers don’t see what they do as crime. They see it as a challenge. A game. A puzzle.
i) The thrill isn’t in stealing your data; it’s in proving they can.
ii) The target isn’t your firewall; it’s your behaviour.
iii) The reward? Status in the dark web community. Bragging rights. Bitcoin.
To them, your business is not sacred. It’s a test.

b) The tools: Not software, but psychology
i) Hackers exploit cognitive biases. Urgency. Curiosity. Fear.
ii) That “your package is delayed” SMS? That’s your limbic brain reacting before logic kicks in.
iii) That “invoice due today” email? It’s not about the invoice. It’s about creating panic.
They don’t hack machines. They hack humans.

c) The methods: Predictable humans make perfect targets
i) You always log in at 9:04am. You click the first link. You never change passwords.
ii) You’re too busy to double-check sender emails. Too trusting to verify calls.
iii) That’s what they count on.
In 2022, we traced a breach at a law firm in Kampala to a senior partner who opened an email during court recess. It read: “High Court Ruling – Urgent Copy.” He clicked. It downloaded a keylogger. For three weeks, every client instruction was monitored in real time.

d) The motive: Control, not cash
Money is a consequence. The real motive is power.
i) The power to lock your systems.
ii) The power to watch your panic.
iii) The power to demand what they want, because they know you’ll pay.

e) Case in point
In 2017, a top executive at an NGO in Entebbe received an email that appeared to be from her board chair. It asked her to urgently wire UGX 450 million to a “consultant.” She didn’t question it; the tone was familiar. The address was almost identical. But the ‘i’ in the domain was a Turkish character. That one detail cost the organisation their annual programme funds. The hacker never touched their servers. He studied their emails. Their tone. Their habits. That’s social engineering.

f) The defence: Become unpredictable
i) Train your staff to verify before they trust.
ii) Test your systems, and test your people.
iii) Make cybersecurity a culture, not an IT function.
Hackers don’t need to break in. They wait for you to open the door. That’s why cybersecurity begins in the mind, not the machine.
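The Entebbe case turned on a single lookalike character in the sender's domain, which is exactly the kind of check a mail gateway or a quick verification script can do for staff. The Python below is an added example, not from the original post: it folds a sender domain to the ASCII it is imitating, flags non-ASCII characters such as the Turkish dotless i, and catches domains one character away from a trusted one. The trusted domain, confusable table and sample addresses are constructed.

```python
"""Lookalike sender-domain check.

Added example (not from the original post). Flags sender addresses whose domain uses
non-ASCII or confusable characters, such as the Turkish dotless i described above, or
that sit one character away from a trusted domain. Trusted domains and samples are
constructed.
"""
import unicodedata

TRUSTED_DOMAINS = {"kampala-initiative.org"}  # constructed; use your own domains

# Characters commonly used to impersonate ASCII letters (Turkish, Cyrillic; not exhaustive).
CONFUSABLES = {
    "ı": "i", "і": "i",               # dotless i (U+0131), Cyrillic i (U+0456)
    "а": "a", "е": "e", "о": "o",     # Cyrillic a, e, o
    "р": "p", "с": "c", "ѕ": "s",     # Cyrillic er, es, dze
    "ӏ": "l", "ԁ": "d",               # Cyrillic palochka, komi de
}


def skeleton(domain):
    """Fold a domain to the ASCII string it is trying to look like."""
    # Lower-casing the Turkish capital dotted I yields 'i' plus a combining dot; NFKD then
    # dropping marks (category Mn) reduces that, and accents generally, to the base letter.
    decomposed = unicodedata.normalize("NFKD", domain.lower())
    base = "".join(ch for ch in decomposed if unicodedata.category(ch) != "Mn")
    return "".join(CONFUSABLES.get(ch, ch) for ch in base)


def within_one_edit(a, b):
    """True if a and b differ by at most one insertion, deletion or substitution."""
    if a == b:
        return True
    if abs(len(a) - len(b)) > 1:
        return False
    i = j = edits = 0
    while i < len(a) and j < len(b):
        if a[i] == b[j]:
            i += 1
            j += 1
            continue
        edits += 1
        if edits > 1:
            return False
        if len(a) > len(b):
            i += 1          # deletion from a
        elif len(a) < len(b):
            j += 1          # insertion into a
        else:
            i += 1          # substitution
            j += 1
    return edits + (len(a) - i) + (len(b) - j) <= 1


def check_sender(address, trusted=TRUSTED_DOMAINS):
    """Return the reasons a sender address looks suspicious; an empty list means it passed."""
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        return ["malformed address"]
    domain = domain.strip().lower()
    try:
        domain = domain.encode("ascii").decode("idna")  # expand punycode (xn--) labels
    except UnicodeError:
        pass  # already contains non-ASCII characters; handled below
    if domain in trusted:
        return []
    reasons = []
    if any(ord(ch) > 127 for ch in domain):
        reasons.append("non-ASCII character in domain")
    folded = skeleton(domain)
    for good in trusted:
        if folded == good:
            reasons.append(f"looks like trusted domain {good}")
        elif within_one_edit(folded, good):
            reasons.append(f"one character away from trusted domain {good}")
    return reasons


if __name__ == "__main__":
    for sample in ["chair@kampala-initiative.org",
                   "chair@kampala-ınitiative.org",   # dotless i
                   "chair@kampala-initiatve.org",    # dropped letter
                   "supplier@unrelated-supplier.co.ug"]:
        print(sample, "->", check_sender(sample) or "ok")
```

A display-name match proves nothing; the check runs on the address behind it, and a flagged result should trigger a call-back on a known number before any payment instruction is acted on.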