Years ago, I sat across from a jittery CEO of a large logistics company in Zambia. His eyes told the story before his lips did. “We almost lost $1.5 million last month,” he confessed. How? One fake email. One “urgent” request. One careless click. And therein lies today’s lesson. Old wisdom says, “The hyena does not need a big hole; it only looks for one loose plank in the kraal.” That is precisely how the fake CEO scam works.

How the scam unfolds

It starts simple. Cybercriminals spend weeks quietly studying your company. They learn your reporting structure, who approves payments, and even how the CEO writes emails. Then, boom, they strike. A finance officer receives an email seemingly from the CEO or MD, urgently requesting a wire transfer to a new supplier. The email domain is almost identical, maybe one letter off, but who is checking under pressure? The finance team, trained to obey hierarchy, processes the payment. Hours later, the money is gone, sitting comfortably in a shell account overseas.

During a board risk review at a client in the hospitality sector, I saw the same trick used. Attackers spoofed the GM’s email, approving a $250,000 invoice to a “vendor” who did not exist. Nobody questioned it because the chain of command was clear: you obey.

It works because of leadership weakness

Do you think your cyber threat is purely technical? Think again. This scam thrives not because your firewall failed, but because of weak governance and a zero-verification culture. The logistics company I advised had one glaring issue: no dual control on large payments. Finance trusted emails at face value, assuming no one could impersonate their CEO. They lacked an “always verify, never assume” protocol. This is the classic case of ‘trust over verify’. Cultural complacency, mixed with poor controls, is a disaster cocktail. In the Zambia case, they were lucky.
The transaction was flagged late, but before completion, thanks to a sharp-eyed junior accountant who noticed the slight domain mismatch. In another manufacturing firm in Kenya, they weren’t so fortunate. $800,000 wired. No recovery.

The key lesson here is: kill the blind obedience

What can you, as a leader, do today?

a) Enforce dual authorization policies. No large payment gets processed on email instruction alone, regardless of the sender’s title.
b) Implement mandatory voice verification. Always call back to confirm high-risk requests, using known numbers, not ones provided in emails.
c) Train staff to question. Yes, even when the email says ‘from the CEO’. Remove the fear culture. Encourage them to double-check.
d) Audit email domain controls. Your IT team should monitor look-alike domain registrations and flag them.

This week, gather your finance, IT, and operations heads. Ask them a simple question: “If someone impersonated me right now and ordered a payment, what checks exist to stop it?” If they hesitate, your system is broken.

The leadership tool we recommend at IFIS is the zero-trust wire transfer protocol

Draft a one-page policy today. No payment above a set threshold is actioned without:
Dual sign-off (preferably across departments),
Voice verification with at least one signatory,
Domain and sender authenticity check by IT before approval.

Print it. Circulate it. Enforce it. In my village, the cattle owner who sleeps without locking the kraal cries first in the morning. Don’t be that leader. Tighten the kraal.

The Institute of Forensics & ICT Security (IFIS) is a training institute of Summit Consulting Ltd.
Increasing entry points: Have you empowered your staff?
Human error has been highlighted as a major contributing factor in cybersecurity vulnerabilities for years. It is a long-standing concern in cybersecurity breaches, which requires all enterprises to remain watchful and train their personnel on how to alleviate this risk. According to the Verizon Business 2021 Data Breach Investigations Report, 85 percent of breaches involved a human element, while over 80 percent of breaches were discovered by external parties. With an unprecedented number of people working remotely, phishing and ransomware attacks increased by 11 percent and 6 percent respectively, with instances of misrepresentation increasing 15 times compared to the year 2020. Additionally, breach data showed that 61 percent of breaches involved credential data (95 percent of organizations suffering credential stuffing attacks had between 637 and 3.3 billion malicious login attempts through the year).

As further noted by Tami Erwin, CEO of Verizon Business, the COVID-19 pandemic has had a profound impact on many of the security challenges organizations are currently facing. As the number of companies switching business-critical functions to the cloud increases, the potential threat to their operations may become more pronounced, as malicious actors look to exploit human vulnerabilities and leverage an increased dependency on digital infrastructures.

Employees’ and users’ unintended acts – or lack of action – that originate or propagate a security breach cover a wide variety of behaviours, from downloading a malware-infected attachment to failing to use a strong password. End-users often make mistakes because they don’t know what the appropriate course of action is in the first place. Users who are unaware of the risk of phishing are significantly more likely to fall prey to phishing attempts, and those who are unaware of the risks of public Wi-Fi networks will have their credentials harvested rapidly.
Businesses must recognize that compromised credentials linked to privileged accounts are frequently the initial step in a ransomware attack. “Threat actors are chasing larger paydays and finding new vulnerabilities in a wide variety of targets, while many organisations are struggling to bring their cybersecurity up to standard for hybrid work,” said John Donovan, managing director ANZ, Sophos.

How should businesses address this challenge?

To reduce the possibilities for such errors, organizations need to understand why human errors occur and educate users on the consequences of their mistakes. Below are the measures we recommend.

Businesses must adjust their cybersecurity mindset and embrace a new paradigm that assumes they will be hacked. As a result, it’s critical that leaders invest in the right endpoint technology for a firm cybersecurity posture, as well as focus on resilience and recovery.

Staff cybersecurity education must be prioritised by businesses in order to foster a cyber-aware culture. Educating and training staff on what security actions should be taken before and during an attack is critical to lowering the number and severity of future security breaches. This entails ensuring that staff have secure online habits and practices in addition to the technology that has been introduced to prevent cybercrime.

While the specifics of how systems and software were compromised in most reported breaches remain unknown, the common means for attackers to gain access include exploiting security vulnerabilities in code and security misconfiguration, both of which can be prevented by security-aware developers. Organisations must offer thorough training in secure code development and have every developer take responsibility for security.

As perimeter defences have become more robust, threat actors have turned to social engineering, usually using email and compromised credentials, to gain access.
The concepts of least privilege and segmentation are very effective in limiting the effects of a breach. Businesses must understand that compromised credentials are frequently the initial step in a ransomware attack. They should invest in multi-factor authentication, as well as password management systems that help identify, manage, audit, monitor, and safeguard the credentials of privileged accounts.

To help thwart malicious cyber incidents and reduce their impact, businesses should adopt next-generation data management capabilities that enable them to use immutable backup snapshots, encrypt data in transit and at rest, enable multi-factor authentication, detect potential anomalies using AI/ML, implement zero trust principles, and reduce the overall data footprint caused by mass data fragmentation.
Cybercrime is a constant business: Three business areas to watch out for!
Due to the ever-growing threat landscape in the digital ecosystem, your business must embrace cybersecurity irrespective of the size of the company. Statistics on data breaches across businesses of all sizes show that their aftermath is getting worse. According to IBM’s recent security survey, the average cost of a data breach rose from $3.86 million in the preceding years to $4.24 million in 2021. This marks the highest average total cost of a data breach ever reported. Revenue loss impacts are significantly lower for organizations with a more mature cybersecurity posture, and higher for organizations that have not prioritized areas such as cybersecurity.

IBM’s report elaborates that it takes organizations an average of 287 days to identify and contain a data breach. This is seven days longer than in the previous reports. This means that if an organization was hit on February 1, it took 287 days on average to identify and contain the breach; it wouldn’t be contained until November 14.

The continuation of teleworking, the isolation of employees and the current vaccination situation have widened the playing field for attackers to practise successful social engineering schemes on staff who are not educated and well prepared to respond to such schemes. “Malicious attackers take advantage of the health crisis to craft targeted emails in order to divulge sensitive information from key staff at different levels of information access. With such carefully-tailored strategies, cyber-attackers are becoming more agile and sophisticated and increase the effectiveness of their actions.”

There have been reported cases of email compromises, malware infestation, accidental information leakages, supply-chain and/or third-party breaches, and insider breaches. These are some of the common issues that organizations are facing today.
Given the worrying security landscape, which puts intellectual property and client or staff data at risk, cybersecurity must be embraced by one and all. It is a necessity today because a major chunk of business activity has moved online. Remote working has made the lives of staff easier and in some ways boosted productivity. It has also widened the digital ecosystem, extending risks from controlled environments to uncontrolled personal environments. Large organizations may have the budgets and capacity to manage endpoints, but SMEs may even go bankrupt trying to pay for incident response after a cyber-attack and/or penalties for non-compliance. There can be a huge loss of revenue resulting in business disruption.

What you need to know

Given the times, leaders need to take action now to prevent cyber-attacks from occurring. Leaders should put policies, procedures and guidelines in place and be prepared for future incidents. As a leader, you need to evaluate the current security posture with a risk assessment. Check for holes where attacks can creep in. And develop an effective incident response plan to mitigate the far-reaching effects of a cyber-attack.

Three areas that need urgent attention after data breaches

Any data breach will hit three different areas of the business: the revenue of the organization, its customers and its reputation. The impact of the data breach may differ based on the organization.

The impact on revenue and finances

The ever-growing cybercrime against organizations has overburdened businesses with huge costs and greatly impacted their revenue. IBM’s Data Breach Report 2021 studied 537 real breaches across 17 countries and regions and 17 different industries. It concluded that on average, a data breach cost USD 4.24 million.
Once hit by a data breach, there is always a financial implication for the organization. This depends on the nature of the data breach. Organizations hit with a data breach struggle with the costs of containing the breach, compensating affected customers, absorbing a decreased share value and heightened security costs. Financial losses resulting from security breaches have been significant in the past. Yet business leaders cannot forecast how or if their financials will be affected in the event of a breach. Studies have shown that 29% of businesses that face a data breach end up losing revenue; of those, 38% experience a loss of 20% or more and are unable to sustain the situation.

The impact on customers

Customers’ confidence in the services an organization offers, and their willingness to purchase them, depend on the way the organization prioritizes its customers’ information security. Thus, if an organization does not consider the security of customers’ data, a customer can vote with their feet and take their business elsewhere. Back in the days when customers lacked awareness of cyber security, they could not form any perception on the basis of the security plan of an organization. But now, with increased awareness and increasing cyber-attacks, customers are more conscious about where they are providing their information and how safe it will be in future. The scale of data breaches is what continues to shift the attitude of customers. Data breaches at giant firms like Marriott and Facebook attract the attention of the public to data security concerns. Previously, data privacy was difficult to internalize; it was difficult to care about because it hadn’t directly affected people. Over 533 million user accounts, including personal emails and contacts, were found on hacker websites after the recent Facebook hack. And over 5.3 million guest records were stolen in the Marriott data breach scandal starting in mid-January 2020.
For over a decade, data breaches have been impacting customers on a large scale. But the interconnected nature of systems now makes news spread very fast, impacting the trust of customers and damaging the reputation of organizations.

Impact on business reputation

In the world of a rapidly scaling digital ecosystem with close networks and super-fast news, any information regarding data breaches spreads quickly over the internet or media. At times an organization makes news headlines not for its best performance in the industry but for its security being compromised due
Business email compromise – the silent corporate killer
In January 2023, we received a phone call from the CEO of a well-known logistics company. His voice carried the weight of urgency and frustration. “Mr. Strategy, I think we’ve been scammed, but I can’t understand how. We wired about seventy-one thousand United States dollars to what we believed was our supplier’s account, only to find out it never reached them. The finance team insists they followed the right process, but the supplier says they never changed their banking details. I need answers. Fast.”

It was a classic case of Business Email Compromise (BEC), but as we would soon uncover, the attackers had executed their scheme with surgical precision.

The fraudster’s playbook: how it all happened

By the time we stepped into the company’s headquarters, panic was evident. The finance director, the IT manager, and the CEO were all waiting. They needed an explanation. Here’s what we found out:

Initial compromise

After analysing their systems, we found that the company’s finance officer, Subject 1, had unknowingly clicked on a phishing email a few weeks earlier. The email, disguised as a routine Microsoft 365 security update, asked her to verify her credentials. The attackers, operating as Subject 2, captured her email login details in real time and immediately accessed her inbox.

Email monitoring and reconnaissance

The criminals did not act immediately. Instead, they watched. Sophisticated cybercriminals are very patient people. They take their time. For three weeks, they studied email conversations between the finance team and key suppliers. They identified the payment patterns, the tone of the emails, and the key players in financial transactions. They examined the approval limits, and the emergency instances when finance is allowed to process a payment quickly.

The deception begins

Once the attackers had a full picture, they acted.
They created a lookalike email domain, changing just one letter in the supplier’s email address, something barely noticeable to the human eye. Using this fraudulent email address, Subject 2 posed as the supplier’s accounts manager, informing the company of a “recent banking update” due to an “ongoing audit.”

Social engineering at its best

To further authenticate their claim, the fraudsters compromised the supplier’s actual email account and forwarded previous legitimate invoices. They even used the supplier’s real email signature, adding credibility to the deception.

Execution of the fraud

With all the pieces in place, Subject 1 received a final email instructing payment to the “new” bank account. The finance team, trusting the familiar conversation thread, wired $71,240 without hesitation.

The aftermath

Two days later, the real supplier followed up for payment, completely unaware of the fraud. By then, the money had already been withdrawn from an offshore account.

What went wrong? The investigation

Once we pieced together the fraud, the next step was to determine how the company let this happen.

Weak email security. The finance officer’s email was compromised because the company did not enforce multi-factor authentication (MFA) on their accounts.
Lack of financial verification protocols. The finance department had no internal process for verifying bank detail changes. A simple phone call to the supplier’s known contact number would have stopped the fraud.
Poor cyber awareness. Employees were last trained to identify phishing emails two years ago, making them easy prey for attackers.

Lessons learned

Enforce email security. Implement multi-factor authentication (MFA) for all corporate email accounts.
Tighten financial processes. No banking details should ever be changed based on email instructions alone. Always verify via phone calls to known contacts.
Train employees. Conduct phishing awareness training and test employees regularly with simulated attacks.
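A sender-domain check of the kind the earlier article’s “audit email domain controls” step and this case’s one-letter-off supplier domain both call for, written as an added example (not code from the author or from the company involved); the allowlisted domains, the confusable-character table and the sample addresses are constructed assumptions:

```python
"""Flag lookalike sender domains before a payment instruction is acted on."""
from collections import namedtuple

# Constructed allowlist of domains finance legitimately deals with (hypothetical,
# not the supplier or company domains from the case).
KNOWN_DOMAINS = {"acme-freight.co.zm", "kasanga-supplies.co.ke", "example-corp.com"}

# Character sequences that attackers swap because they look alike in common fonts.
CONFUSABLES = {"0": "o", "1": "l", "i": "l", "rn": "m", "vv": "w", "cl": "d"}

Verdict = namedtuple("Verdict", "status matched_domain reason")


def fold_confusables(name: str) -> str:
    """Collapse visually similar sequences so 'acrne' and 'acme' compare equal."""
    out = name.lower()
    for src, dst in CONFUSABLES.items():
        out = out.replace(src, dst)
    return out


def edit_distance(a: str, b: str) -> int:
    """Damerau-Levenshtein distance: insert, delete, substitute or swap adjacent chars."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # adjacent transposition
    return d[len(a)][len(b)]


def sender_domain(address: str) -> str:
    """Take the domain after the last '@'; the display name is deliberately ignored,
    because 'CEO <attacker@lookalike>' is exactly the trick being detected."""
    return address.rsplit("@", 1)[-1].strip().rstrip(">").lower()


def classify_sender(address: str, known=KNOWN_DOMAINS) -> Verdict:
    """known = exact allowlist match; lookalike = one edit or a confusable away;
    unknown = neither, so the request still needs out-of-band verification."""
    domain = sender_domain(address)
    if domain in known:
        return Verdict("known", domain, "exact match to allowlisted domain")
    # Punycode labels (xn--) render as Unicode lookalikes; treat them as suspect here.
    if any(label.startswith("xn--") for label in domain.split(".")):
        return Verdict("lookalike", None, "internationalised (xn--) label")
    folded = fold_confusables(domain)
    for good in known:
        if folded == fold_confusables(good):
            return Verdict("lookalike", good, "confusable-character variant")
        if edit_distance(domain, good) <= 1:
            return Verdict("lookalike", good, "one edit away from known domain")
    return Verdict("unknown", None, "not allowlisted; verify by phone on a known number")
```

A “lookalike” verdict is a block-and-call-back trigger, not a verdict on the message content; an “unknown” sender still goes through the same voice verification.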
The cost of negligence
How Omundo stole money using ATM cards that were not his
This case is about a man who tricked the banking system and stole Kshs. 732,033 (USD 5,700) from Kenya government cash transfer accounts. The money was meant for elderly and vulnerable people under the Inua Jamii program, a financial aid initiative in Kenya. Between 2018 and 2022, Omundo illegally obtained multiple ATM cards that did not belong to him. Instead of using the real owners’ fingerprints, he registered his own fingerprint on these accounts and withdrew the money over time. His scheme was exposed when a banking agent noticed suspicious withdrawals and reported him. When the police investigated, they found he had 10 ATM cards from different beneficiaries.

How he executed the fraud

Getting ATM cards that were not his
The suspect somehow gained access to multiple Inua Jamii ATM cards. He may have worked with insiders at the bank or the registration offices to get these cards. The real owners of the cards were unaware that someone else was withdrawing their money.

Using his fingerprint to access accounts
The banking system required only an ATM card and a fingerprint to withdraw money. Instead of using the real beneficiaries’ fingerprints, he registered his own fingerprint on their accounts. This allowed him to withdraw money as if he were the real owner of the account.

Making multiple withdrawals at banking agents
He visited different KCB agent banking shops to withdraw money. On May 10, 2022, he withdrew money from three different ATM cards at the same shop. The banking agent became suspicious because the system allowed only one card per person in the Inua Jamii program.

Returning the next day and getting caught
On May 11, 2022, he returned to the same banking agent with seven more ATM cards. The agent had already reported the suspicious transactions to the police. As soon as he tried to withdraw money, the police arrested him on the spot.
The investigation – how he was caught

Checking his bag and finding ATM cards
The police searched his bag and found 10 ATM cards that belonged to different people. None of the cards were in his name.

Reviewing bank records
The bank provided transaction statements that showed money had been withdrawn from these cards between 2018 and 2022. The withdrawals happened across different locations, meaning he moved around frequently to avoid suspicion.

Testimony from a victim
One of the victims went to withdraw money but found that someone else had already taken it using his card and ID. He reported the case, saying he had never shared his ATM card or PIN with anyone.

Suspect’s weak defense
The accused claimed that a bank official named Julius had asked him to help register elderly people for the cash transfer program. He said the official would then use his fingerprint to approve transactions. The court dismissed this as an excuse to cover up his fraud.

The punishment – what the court decided

The suspect was charged with three crimes under the Computer Misuse and Cyber Crimes Act:
Identity theft and impersonation. He fraudulently used other people’s ATM cards and identities to steal money.
Unauthorized access to computer systems. He accessed bank systems without permission using his fingerprint on stolen ATM cards.
Accessing systems with intent to commit a crime. He withdrew money knowing that he was not the rightful owner of the accounts.

The sentence
The court found him guilty on all counts and sentenced him to:
2 years in prison for identity theft and impersonation.
2 years in prison for unauthorized access.
5 years in prison for accessing systems to commit fraud.
A fine of Kshs. 200,000 (USD 1,560) for identity theft.
A fine of Kshs. 3,000,000 (USD 23,400) for fraud-related crimes.
At first, the court said the sentences should run one after the other (consecutively), meaning he would serve a total of 9 years.
However, on appeal, the judge ruled that the sentences should run at the same time (concurrently), reducing his total prison time to 5 years.

Lessons – how to prevent such fraud

Stronger verification methods
Banks should use multi-factor authentication (MFA) instead of relying only on fingerprints. Adding PINs or ID verification would have stopped the fraud.

Better monitoring of transactions
If the bank had been checking withdrawal patterns, they would have noticed one person using many different cards. Real-time fraud detection systems should flag suspicious activity.

Training for banking agents
The banking agent in this case noticed something was wrong and reported it. All banking agents should be trained to detect fraud and report it early.

Public awareness for vulnerable people
Elderly and vulnerable people must be educated about financial fraud. They should be encouraged to check their account balances regularly and report missing funds.

Tighter laws and enforcement
Cybercrime laws should not only punish fraudsters but also protect victims. Banks should be required to refund stolen funds if fraud happens due to system weaknesses.

This case proves that fraud is not always about hacking into systems. Sometimes, criminals find loopholes and exploit them. If banks and government programs do not strengthen security, fraudsters will keep stealing from the most vulnerable people in society. It is time for banks, government agencies, and individuals to work together and stop identity theft before it happens.

Case reference: Omundo v Republic (Criminal Appeal 94 of 2023) [2024] KEHC 4579 (KLR)

I remain Mr Strategy.
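Two of the controls from the lessons above, a fingerprint bound to only one beneficiary and withdrawal monitoring that catches one person presenting many cards, as an added example; this is not KCB’s or the Inua Jamii program’s code, and the registry design, rules, field names, agent IDs and card numbers are constructed assumptions:

```python
"""Enrolment and withdrawal controls for biometric-gated cash transfer cards.

Constructed illustration for the Omundo case: the registry design, rules,
agent IDs and card numbers are assumptions, not the bank's actual systems.
"""
from collections import defaultdict
from datetime import date
import hashlib


def template_digest(raw_template: bytes) -> str:
    """Keep only a digest of the fingerprint template, never the template itself."""
    return hashlib.sha256(raw_template).hexdigest()


class EnrolmentRegistry:
    """Rule: one fingerprint template may be bound to exactly one beneficiary."""

    def __init__(self):
        self.owner_of_template = {}  # digest -> beneficiary national ID
        self.owner_of_card = {}      # card number -> beneficiary national ID

    def enrol(self, beneficiary_id: str, card_number: str, raw_template: bytes):
        digest = template_digest(raw_template)
        bound_to = self.owner_of_template.get(digest)
        if bound_to is not None and bound_to != beneficiary_id:
            # The Omundo pattern: a print that already serves another account.
            return False, f"fingerprint already bound to beneficiary {bound_to}"
        if self.owner_of_card.get(card_number, beneficiary_id) != beneficiary_id:
            return False, "card already issued to a different beneficiary"
        self.owner_of_template[digest] = beneficiary_id
        self.owner_of_card[card_number] = beneficiary_id
        return True, "enrolled"


def withdrawal_alerts(withdrawals, max_cards_per_person=1):
    """Two monitoring rules over agent withdrawals (dicts with day, agent_id,
    card_number, template):
    - AGENT_DAY_MULTI_CARD: one print presents several cards at one agent in a
      day, the real-time check the agent on May 10 effectively did by hand;
    - ONE_PRINT_MANY_CARDS: one print drawing on several cards over any period
      and any location, the retrospective check the bank statements allowed.
    """
    per_agent_day = defaultdict(set)
    per_template = defaultdict(set)
    for w in withdrawals:
        per_agent_day[(w["agent_id"], w["day"], w["template"])].add(w["card_number"])
        per_template[w["template"]].add(w["card_number"])
    alerts = []
    for (agent, day, tpl), cards in per_agent_day.items():
        if len(cards) > max_cards_per_person:
            alerts.append(("AGENT_DAY_MULTI_CARD", agent, day, sorted(cards)))
    for tpl, cards in per_template.items():
        if len(cards) > max_cards_per_person:
            alerts.append(("ONE_PRINT_MANY_CARDS", tpl[:12], sorted(cards)))
    return alerts


# Constructed sample: one print presenting three cards at one agent on 10 May 2022,
# plus an earlier withdrawal elsewhere, alongside a legitimate single-card beneficiary.
SUSPECT = template_digest(b"constructed-print-suspect")
LEGIT = template_digest(b"constructed-print-beneficiary-9")
SAMPLE_WITHDRAWALS = [
    {"day": date(2022, 5, 10), "agent_id": "AGENT-7", "card_number": "CARD-101", "template": SUSPECT},
    {"day": date(2022, 5, 10), "agent_id": "AGENT-7", "card_number": "CARD-102", "template": SUSPECT},
    {"day": date(2022, 5, 10), "agent_id": "AGENT-7", "card_number": "CARD-103", "template": SUSPECT},
    {"day": date(2022, 5, 10), "agent_id": "AGENT-7", "card_number": "CARD-900", "template": LEGIT},
    {"day": date(2021, 1, 4), "agent_id": "AGENT-2", "card_number": "CARD-104", "template": SUSPECT},
]

if __name__ == "__main__":
    for alert in withdrawal_alerts(SAMPLE_WITHDRAWALS):
        print(alert)
```

The enrolment rule cannot tell whose finger is presented the first time, so the first fraudulent binding passes; it is the second account bound to the same print, and the withdrawal rules, that expose the pattern.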
Case 3: The dark business of cyber pornography
Pornography is a silent pandemic. It claims one victim at a time. Thanks to the Internet, the problem has become very big. The internet was meant to be a tool of progress. A gateway to knowledge, resources, and progress. A means of connection. But like any tool, it has been hijacked by criminals who have turned it into a marketplace for exploitation. Cyber pornography is one of the largest underground businesses online. It is a billion-shilling industry, fueled by demand, secrecy, and technology. The worst part? Much of it operates undetected, and when authorities catch on, the damage has already been done. In Uganda, it has taken on new dimensions. It is growing and thriving. This is not just about adult content. It is about abuse, blackmail, and the destruction of lives and families.

The bait and trap

In 2016, a young lady in her mid-20s walked into my office with her mother, shaking. She had a problem she didn’t know how to solve. She had met a man online. At first, it was harmless: casual conversations, a little flirting. Then he asked for photos. She sent a few. Nothing explicit, just innocent pictures. A few days later, the man turned on a web camera and chatted. He asked the lady to also turn on her web camera and show him her body shape. Innocently, she did. Three days later, she received an email with screenshots of fake explicit images mixed seamlessly with genuine ones. The man had morphed her photos into pornographic content. He gave her two options:
i) Pay him Ugx 5 million and he would delete everything.
ii) Refuse to pay, and he would send the images to her family, employer, and friends.
She hesitated. He followed through with his threats. By the time she came to us, the images were circulating in WhatsApp groups. Her boss had seen them. Her church elders were whispering. She was contemplating leaving town. She was the victim of sextortion, a rising cybercrime where criminals use fake or stolen explicit content to blackmail victims.
The dark web and the underground economy

The dark web is the underworld of the internet: an unindexed part of the web where criminals trade illegal content, sell data, and conduct illicit transactions in total secrecy.
(i) Cyber pornography has a massive market here. Hidden behind anonymising browsers like Tor, criminals upload, sell, and distribute explicit content without fear of getting caught.
(ii) Many of these platforms operate as private marketplaces, requiring cryptocurrency payments for access. Users buy pre-recorded videos, stolen images, and live streams of abuse.
(iii) Some dark web forums even offer bounty programs, where members pay for explicit material of specific individuals: often ex-lovers, celebrities, or even random victims.
(iv) Payment is almost always in Bitcoin or Monero, ensuring complete anonymity for buyers and sellers.
This is not pornography as most people understand it. It is organized exploitation, and it makes criminals millions.

The case that exposed the network

In 2019, police arrested a university student for running a revenge porn site. He had built a platform where people uploaded explicit images of their exes, classmates, and even strangers. Users were encouraged to submit photos with names, phone numbers, and social media accounts. The victims would wake up to hundreds of calls from strangers, asking for sexual favors. The site was earning money through advertising and premium memberships. Users who paid could access hidden folders with more graphic content. The student running the site had never touched a victim or recorded a single video. He was making millions off stolen content.

How the case cracked open

(i) The first complaint came from a young lawyer who found her images on the site. She had no idea how they got there.
(ii) An undercover officer infiltrated one of the Telegram groups linked to the website. He posed as a buyer and gained access to the admin’s contacts.
(iii) The forensic team traced mobile money transactions linked to premium memberships. The suspect was cashing out through multiple SIM cards and bank accounts to avoid detection.
(iv) Police raided his hostel room, seized his laptop, and uncovered over 12,000 images of victims.

How criminals monetize cyber pornography

Cyber pornography is a business first, a crime second. Criminals have refined ways to turn explicit content into a steady stream of income.
(i) Subscription models. Many sites operate like Netflix, offering tiered memberships for access to exclusive content. The higher the tier, the more explicit the content.
(ii) Live streaming and pay-per-view. Users can request private live shows, where victims, often coerced or unaware, are recorded and broadcast in real time.
(iii) Ransom schemes (sextortion). Victims are blackmailed into paying to remove their images. Some even pay multiple times, only to find the content remains online.
(iv) Content resale and trading. Stolen videos and images are sold repeatedly across different sites. A single image can be resold thousands of times across different platforms.
(v) Dark web bidding. Some groups allow members to place bids on exclusive or high-profile explicit material. This is common for leaked celebrity content or “revenge” content requested by buyers.
The money from these schemes flows through crypto wallets, digital gift cards, and offshore bank accounts, making it nearly impossible to trace.

The roadblocks to justice

Cyber pornography is difficult to fight because the law is slow, but technology moves fast.
(i) Anonymous platforms make it hard to track criminals. They use fake names, VPNs, and encrypted messaging services to hide their identities.
(ii) Many victims don’t report. They fear stigma, job loss, and social rejection. Some are forced to pay quietly, hoping the problem will go away.
(iii) Digital evidence disappears quickly.
By the time authorities get a warrant, the content has moved to a new site or the criminals have deleted their accounts. Add the fact that the websites are hosted in different countries, which makes investigations very difficult.
(iv) Laws are outdated. Many cyber laws were written before the rise of encrypted messaging, AI-generated content, and the
Case 2: The perfect crime that wasn’t
The first thing they stole was time. For nearly two years, a group of insiders siphoned money from the bank, moving it in plain sight. It was a slow, calculated bleed, so precise that no one noticed. Not the managers. Not the compliance officers. Not the regulators. When an overworked auditor stumbled upon the first red flag, it was already too late. Ugx. 6.31 billion had vanished. This wasn’t a cyberattack. It wasn’t some hacker typing away on a keyboard in a dark room. The real criminals were inside the building.

a) The illusion of money

It started with a simple observation: banks move money in bulk, but they verify in detail. That was the weakness. The mastermind, a senior IT consultant, knew how the bank processed transactions. He understood the batching system used to settle payments. It was designed for efficiency, but it had a flaw:
(i) Small adjustments in individual transactions were rarely flagged.
(ii) Internal approvals for bulk transfers relied on pre-set automation rules, not manual oversight.
(iii) Reconciliation happened at the end of each business day, meaning any temporary gaps in the books would correct themselves overnight.
He didn’t have direct access to the funds. But he had access to the system that controlled them.

b) The inside men

He needed someone on the inside. Someone with banking privileges. That’s where his accomplice came in: a trusted mid-level officer in the transaction approval department. Together, they designed the scheme.
(i) Identify dormant accounts that had minor balances but were still active.
(ii) Modify internal routing instructions to skim money from legitimate transfers.
(iii) Move stolen amounts into temporary holding accounts, disguised as vendor payments or refunds.
(iv) Use multiple smaller withdrawals instead of large, obvious transactions.
(v) Convert the money into crypto and offshore accounts before the system auto-corrected the missing funds.
Every day, the bank processed thousands of transactions.
The amounts they took were so small that no one noticed. At first. c) The movement of money The fraud depended on speed. The stolen money never sat in one place for long. (i) Stage One The Source Each week, they selected real client transactions moving between corporate accounts. Using internal access, they altered the batch approvals, diverting small amounts typically between Ugx. 500,000 and Ugx. 2 million into a network of shell accounts. (ii) Stage Two The Cleansing The stolen amounts were then moved to temporary internal accounts, labeled as refunds, fee reversals, or system adjustments. From there, the funds were transferred in chunks of Ugx. 10 million to Ugx. 50 million to accounts registered under fake suppliers. (iii) Stage Three The Disappearance The final step was laundering the money through crypto transactions and foreign remittances. They purchased USDT (Tether) a cryptocurrency that mirrored the dollar before converting it back to cash through private money dealers. Once the money reached these accounts, it was gone. Untraceable. For nearly twenty-one months, they repeated this cycle. Stealing. Cleaning. Disappearing. d) The red flag The scam should have worked forever. It almost did. But then, an auditor noticed something unusual. It wasn’t a missing payment. It wasn’t a huge deficit. It was just a pattern something that shouldn’t have been there. (i) Some refund transactions were too consistent always rounding off at Ugx. 10 million or Ugx. 15 million. (ii) The account numbers used for internal adjustments kept appearing in different reports linked to unrelated transactions. (iii) A bulk transfer batch showed the same approval ID across multiple payments an anomaly that should have been impossible. That’s when she pulled the records. And what she saw didn’t make sense. e) Following the money Once the first inconsistency was flagged, the fraud team moved fast. (i) They cross-checked every transaction involving the flagged accounts. 
What should have been a one-time refund process was recurring, structured, and systematic. (ii) They ran timestamp comparisons on the internal approvals. The same login credentials had been used in multiple locations at the same time an obvious sign of credential sharing. (iii) They tracked the crypto transactions. The moment they saw repeated purchases of USDT through peer-to-peer markets, they knew. This wasn’t an error. This was a fraud. f) The collapse
Case 2: The perfect crime that wasn’t
The first thing they stole was time. For nearly two years, a group of insiders siphoned money from the bank, moving it in plain sight. It was a slow, calculated bleed, so precise that no one noticed. Not the managers. Not the compliance officers. Not the regulators. When an overworked auditor stumbled upon the first red flag, it was already too late. Ugx. 6.31 billion had vanished. This wasn’t a cyberattack. It wasn’t some hacker typing away on a keyboard in a dark room. The real criminals were inside the building.

a) The illusion of money
It started with a simple observation: banks move money in bulk, but they verify in detail. That was the weakness. The mastermind, a senior IT consultant, knew how the bank processed transactions. He understood the batching system used to settle payments. It was designed for efficiency, but it had a flaw:
(i) Small adjustments in individual transactions were rarely flagged.
(ii) Internal approvals for bulk transfers relied on pre-set automation rules, not manual oversight.
(iii) Reconciliation happened at the end of each business day, meaning any temporary gaps in the books would correct themselves overnight.
He didn’t have direct access to the funds. But he had access to the system that controlled them.

b) The inside men
He needed someone on the inside. Someone with banking privileges. That’s where his accomplice came in: a trusted mid-level officer in the transaction approval department. Together, they designed the scheme.
(i) Identify dormant accounts that had minor balances but were still active.
(ii) Modify internal routing instructions to skim money from legitimate transfers.
(iii) Move stolen amounts into temporary holding accounts, disguised as vendor payments or refunds.
(iv) Use multiple smaller withdrawals instead of large, obvious transactions.
(v) Convert the money into crypto and offshore accounts before the system auto-corrected the missing funds.
Every day, the bank processed thousands of transactions. The amounts they took were so small that no one noticed. At first.

c) The movement of money
The fraud depended on speed. The stolen money never sat in one place for long.
(i) Stage One: The Source. Each week, they selected real client transactions moving between corporate accounts. Using internal access, they altered the batch approvals, diverting small amounts, typically between Ugx. 500,000 and Ugx. 2 million, into a network of shell accounts.
(ii) Stage Two: The Cleansing. The stolen amounts were then moved to temporary internal accounts, labeled as refunds, fee reversals, or system adjustments. From there, the funds were transferred in chunks of Ugx. 10 million to Ugx. 50 million to accounts registered under fake suppliers.
(iii) Stage Three: The Disappearance. The final step was laundering the money through crypto transactions and foreign remittances. They purchased USDT (Tether), a cryptocurrency that mirrored the dollar, before converting it back to cash through private money dealers. Once the money reached these accounts, it was gone. Untraceable.
For nearly twenty-one months, they repeated this cycle. Stealing. Cleaning. Disappearing.

d) The red flag
The scam should have worked forever. It almost did. But then, an auditor noticed something unusual. It wasn’t a missing payment. It wasn’t a huge deficit. It was just a pattern, something that shouldn’t have been there.
(i) Some refund transactions were too consistent, always rounding off at Ugx. 10 million or Ugx. 15 million.
(ii) The account numbers used for internal adjustments kept appearing in different reports, linked to unrelated transactions.
(iii) A bulk transfer batch showed the same approval ID across multiple payments, an anomaly that should have been impossible.
That’s when she pulled the records. And what she saw didn’t make sense.

e) Following the money
Once the first inconsistency was flagged, the fraud team moved fast.
(i) They cross-checked every transaction involving the flagged accounts. What should have been a one-time refund process was recurring, structured, and systematic.
(ii) They ran timestamp comparisons on the internal approvals. The same login credentials had been used in multiple locations at the same time, an obvious sign of credential sharing.
(iii) They tracked the crypto transactions. The moment they saw repeated purchases of USDT through peer-to-peer markets, they knew.
This wasn’t an error. This was a fraud.

f) The collapse
Within 48 hours, the bank froze the flagged accounts. But the criminals had already sensed trouble. The IT consultant disappeared. He booked a flight out of the country before the investigation was made public. His inside man wasn’t so lucky. He was arrested at his desk. By the time the dust settled, Ugx. 6.3 billion was gone.

g) Lessons from the breach
(i) The most dangerous fraudsters are insiders. External hackers get the headlines, but internal access is the real threat.
(ii) Small thefts add up. No one steals Ugx. 6.3 billion in one day. They steal Ugx. 1 million a thousand times.
(iii) Reconciliation doesn’t mean security. Just because a bank balances its books at the end of the day doesn’t mean the money wasn’t stolen along the way.
(iv) Crypto is the ultimate escape route. If fraud detection doesn’t happen fast, the stolen money is converted into digital assets and disappears forever.

h) The final move
The IT consultant made a mistake. He thought he had covered his tracks. Thought he had outsmarted the system. But he underestimated human intuition. It wasn’t a firewall that caught him. It was an auditor with a sharp eye. And in the end, that’s all it takes.
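The three red flags the auditor and the fraud team relied on in sections d) and e) (refunds that always land on round amounts, one approval ID covering several payments, and the same credentials active in two places at once) can be checked mechanically over a ledger export. The script below is an added illustration, not code from the article or from IFIS; the transaction and login records it runs on are constructed, and the field names and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample ledger and login records (not real bank data), shaped
# after the case's red flags. Amounts are in UGX; field names are assumed.
TXNS = [
    {"id": "T1", "type": "refund", "amount": 10_000_000, "account": "ACC-901", "approval_id": "AP-17", "batch": "B1"},
    {"id": "T2", "type": "refund", "amount": 15_000_000, "account": "ACC-901", "approval_id": "AP-18", "batch": "B1"},
    {"id": "T3", "type": "refund", "amount": 10_000_000, "account": "ACC-901", "approval_id": "AP-19", "batch": "B2"},
    {"id": "T4", "type": "refund", "amount": 7_350_000, "account": "ACC-455", "approval_id": "AP-20", "batch": "B2"},
    {"id": "T5", "type": "payment", "amount": 42_000_000, "account": "ACC-302", "approval_id": "AP-21", "batch": "B3"},
    {"id": "T6", "type": "payment", "amount": 38_500_000, "account": "ACC-303", "approval_id": "AP-21", "batch": "B3"},
]
LOGINS = [  # (user, location, session start, session end), constructed
    ("officer.k", "Kampala HQ", "2024-03-04 09:00", "2024-03-04 12:00"),
    ("officer.k", "Mbarara branch", "2024-03-04 10:30", "2024-03-04 11:00"),
    ("officer.m", "Kampala HQ", "2024-03-04 09:00", "2024-03-04 17:00"),
]

def flag_round_refunds(txns, step=5_000_000, min_count=3):
    """Accounts whose refunds/adjustments all land on exact multiples of
    `step` and recur at least `min_count` times: the 'too consistent' flag."""
    by_account = defaultdict(list)
    for t in txns:
        if t["type"] in ("refund", "adjustment"):
            by_account[t["account"]].append(t["amount"])
    return sorted(acc for acc, amts in by_account.items()
                  if len(amts) >= min_count and all(a % step == 0 for a in amts))

def flag_shared_approval_ids(txns):
    """Approval IDs attached to more than one payment in the same batch;
    one approval is expected to cover exactly one payment."""
    covered = defaultdict(set)
    for t in txns:
        covered[(t["batch"], t["approval_id"])].add(t["id"])
    return sorted(ap for (_, ap), ids in covered.items() if len(ids) > 1)

def flag_concurrent_logins(logins, fmt="%Y-%m-%d %H:%M"):
    """The same credentials with overlapping sessions from different
    locations: the credential-sharing signal from the timestamp comparison."""
    rows = [(u, loc, datetime.strptime(s, fmt), datetime.strptime(e, fmt))
            for u, loc, s, e in logins]
    hits = set()
    for i, (u1, l1, s1, e1) in enumerate(rows):
        for u2, l2, s2, e2 in rows[i + 1:]:
            if u1 == u2 and l1 != l2 and s1 < e2 and s2 < e1:
                hits.add((u1, l1, l2))
    return sorted(hits)
```

Each function returns only the accounts, approval IDs or credentials worth a second look; the point is that these checks run against the daily export, not after an auditor happens to notice.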
Your smart devices aren’t that smart—secure them!
Smart devices are convenient, but they are also a hacker’s paradise. Your smart TV, speaker, and even refrigerator are potential entry points for cybercriminals. If you don’t secure them, you’re handing over your privacy on a silver platter.

Most people assume cybersecurity is about protecting computers and phones. That’s outdated thinking. Smart devices such as security cameras, voice assistants, and fitness trackers are all connected to the internet, which means they can be hacked. The problem? Manufacturers prioritize ease of use over security. Most smart gadgets come with default passwords that people never bother to change. Worse still, many don’t receive regular updates, leaving vulnerabilities open for years. Hackers don’t need access to your laptop when they can infiltrate your smart home system. Once inside, they can eavesdrop on conversations, access personal files, or even control devices remotely.

Case in point
In 2022, a businessman in Ntinda, one of Kampala’s highest suburbs, installed a smart security camera system for his home. He felt safer knowing he could monitor everything from his phone. But one night, his wife heard strange noises from the TV, which switched itself on. At first, they thought it was a malfunction. Then, a chilling voice came through the speaker, laughing and whispering their child’s name. A hacker had breached the default credentials of their Wi-Fi-connected camera. The device was wide open to the internet because they never changed the settings from the factory default. Someone, possibly thousands of kilometers away, had access to their home.

Evidence and application
Cybersecurity firms report that smart home hacks are skyrocketing, especially in Africa, where cyber awareness is still growing. Many people set up devices and assume they are secure, yet most don’t even require advanced hacking skills to breach. To stay safe, always change the default passwords on any smart device. Keep your firmware updated. Disable unnecessary remote access and set up a separate Wi-Fi network for IoT gadgets.

If you think your smart home is making your life easier, you’re right. But it’s also making a hacker’s job easier. Convenience should never come at the cost of security. If you won’t leave your front door unlocked, don’t leave your devices unprotected. Your smart gadgets aren’t as smart as you think. It’s time you outsmarted them.

Copyright IFIS 2025.
The silent heist – mobile phone theft & money pin exploitation
“Your phone is your financial vault. Lose it carelessly, and you’re handing thieves an open door to your money.”

Mobile phones have become financial lifelines. They hold mobile money accounts, banking apps, and access to sensitive transactions. But as convenience increases, so does risk. Criminals no longer need to hack into a bank’s system to steal money. All they need is to grab your phone. Within minutes, they can access your mobile money, reset your PIN, and wipe your account clean. This is not a futuristic cybercrime. It’s happening now. In taxis. In meeting rooms. On the streets. At restaurants. You could be next.

How the scam works
It starts with a simple theft. A thief spots an easy target: someone using their phone in public, texting, or checking messages. In one swift move, the phone is gone. The phone can be snatched from you on a boda boda, or from a car held up in a traffic jam. Once stolen, the criminal’s first goal is to unlock the device. If the owner has weak security, this is easy. Many victims leave their phones without passwords or use simple PINs like 1234. The next step is finding the mobile money PIN. Thieves know people save it in messages, contacts, or notes. If they find it, they access the money instantly. If the PIN isn’t stored on the phone, they try resetting it. Many telecom companies have weak security checks. Criminals call customer service pretending to be the owner, answer basic security questions, and get the PIN reset. Once they have access, they move fast. They withdraw all the money or transfer it to different accounts. Sometimes they convert it into airtime, which they later sell for cash. After emptying the account, they wipe the phone and sell it. It becomes another second-hand phone in a shop, ready for resale.

Why this keeps happening
Many people assume their phone is safe because they have a PIN or fingerprint lock. That’s a false sense of security.
Criminals exploit weak security settings. Many users don’t enable encryption or strong passwords. Some even write their PINs in their phones.
Telecom companies make it easy for criminals. Some allow PIN resets with minimal verification. A few basic personal details are often enough to take over an account.
Victims react too late. Many people focus on finding the phone instead of blocking their mobile money access immediately. By the time they act, the money is gone.

How to protect yourself
Secure your phone like a bank vault. Use a strong password or PIN. Avoid common codes like birthdays or repeated numbers. If your phone allows it, enable fingerprint or face recognition.
Never store your mobile money PIN on your phone. Do not save it in messages, contacts, or notes. If you must write it down, keep it somewhere safe, away from your phone.
Lock your SIM card. Set a SIM lock PIN so criminals cannot remove it and use it on another device. Contact your mobile provider to check if they offer extra security features.
Enable remote tracking and wipe features. If your phone is stolen, you should be able to locate it or erase all data. Google’s Find My Device and Apple’s Find My iPhone can help.
Act fast when your phone is stolen. Call your bank and mobile provider immediately to block transactions. File a police report. Remotely lock or erase your phone before criminals gain access.
Be careful of scam calls. Fraudsters may pretend to be customer service agents. They ask for PINs, passwords, or verification codes. Never share them. If unsure, hang up and call your bank directly.

Final thought: your phone is a wallet; guard it like one
If someone tried to grab cash from your wallet, you wouldn’t ignore it. So why treat your phone differently? A stolen phone means lost money, stolen data, and a serious financial headache. The difference between being a victim and staying safe is how fast you act and how well you prepare. Don’t wait until it happens to you. Secure your phone today.

Mr. Strategy