Dear Leader,

We have seen it too often. A fraud case breaks out. Panic. Headlines. Then… silence. Why? Because the so-called investigation team was built on fear, not skill. They showed up with titles, not tools. Everyone thought the presence of a police officer, a lawyer, and the “IT guy” would solve the mystery. But it did not. The case collapsed. The money vanished. And everyone moved on.

Let us get this straight: investigation is not drama. It is a method. It is not magic; it is about evidence. Facts. Facts and more facts. And in Africa today, where corruption wears a clean shirt and drives a government car, your ability to investigate defines your survival. Let me take you behind the scenes.

A staff loan gone rogue

Last year, in a government agency not far from Nairobi, a routine payroll review raised a subtle flag. A staff member had taken a loan of KES 3.4 million from the staff SACCO. All fine. Except the deductions quietly stopped after month three. No one noticed. No one asked. HR kept processing payroll. Accounts kept remitting salaries. And the SACCO kept bleeding. Until one day, a sharp internal auditor asked a simple question: “Why did loan recovery stop?”

That question cracked the case. She discovered the staff member had colluded with the payroll officer to halt deductions. They edited the CSV file manually before uploading it to the bank portal. The bank simply paid what it was told. The SACCO was not on the instruction list. Case closed, at least for them.

How the auditor cracked it

She did not shout. She traced. She enlisted the help of a fraud examiner with digital forensic skills, and together they cracked the case. Leading from the front, the internal auditor matched HR records with payroll files. She requested system logs showing changes to the CSV uploads. She interviewed the staff member off-site, where he was more relaxed and arrogant. She dug through SACCO receipts. And then she followed the money.
It had gone to a betting account and was later withdrawn in cash. Total recovery? KES 1.4 million. Total loss? KES 2 million. But the real win? The method. Her report did not speculate. It proved.

So, what does it take to crack a case?

a) If you are in a hurry, you will miss the details. Most fraudsters mess up in the fine print.
b) Curiosity. Ask the awkward questions. If it makes people uncomfortable, you are probably getting close to the truth.
c) Documentation. What you do not document does not exist, no matter how obvious it is in your head.
d) Emotional control. Do not accuse. Observe. Do not confront. Confirm. The minute you make it personal, you lose objectivity.
e) Follow the trail. In Uganda, money does not go far. It lands in school fees, land purchases, or mobile money. Trace it.

If you want to master investigation, stop thinking like a cop. Think like a strategist. Ask what does not make sense. Cross-check everything. And when you find a discrepancy, do not celebrate. Trace it backward until you can write a report so tight no suspect can wriggle out of it. Because in this game, suspicion makes noise. But evidence makes arrests. Stay sharp.

Unlock your investigative skills and become a reporting pro: Sign up today for our Investigation and Report Writing Course and start making an impact.

Copyright Institute of Forensics & ICT Security 2025. All rights reserved.
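The auditor's first move in the staff-loan case was to match HR records against the payroll file. The following is an added example, not code from the article or from IFIS, of that reconciliation done as a repeatable check: an HR loan register says what deduction is due each month while a loan is live, the payroll upload says what was actually remitted, and any month where the two disagree is an exception. Every row, employee id, loan id and amount below is constructed for illustration and is not from the case.

```python
"""Payroll-versus-loan-register reconciliation (added example, constructed data)."""
import csv
import io

# Constructed HR loan register: a deduction is expected every month from start_month to end_month
HR_LOANS = """\
employee_id,loan_id,monthly_deduction,start_month,end_month
E-1001,SACCO-77,85000,2024-01,2027-04
E-1002,SACCO-78,40000,2024-01,2024-04
"""

# Constructed payroll upload (the CSV that goes to the bank), one row per employee per month
PAYROLL = """\
month,employee_id,gross,sacco_deduction
2024-01,E-1001,400000,85000
2024-01,E-1002,250000,40000
2024-02,E-1001,400000,85000
2024-02,E-1002,250000,40000
2024-03,E-1001,400000,85000
2024-03,E-1002,250000,40000
2024-04,E-1001,400000,0
2024-04,E-1002,250000,40000
2024-05,E-1001,400000,0
2024-05,E-1002,250000,0
"""

def load(text):
    """Parse a CSV string into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))

def expected_deduction(loan, month):
    """Deduction HR expects for this loan in a YYYY-MM month; 0 once the loan has ended.
    YYYY-MM strings compare correctly as plain strings."""
    if loan["start_month"] <= month <= loan["end_month"]:
        return int(loan["monthly_deduction"])
    return 0

def reconcile(hr_rows, payroll_rows):
    """Return exceptions (month, employee_id, expected, actual) where payroll
    remitted something other than what the loan register requires."""
    loans = {r["employee_id"]: r for r in hr_rows}
    exceptions = []
    for row in sorted(payroll_rows, key=lambda r: (r["month"], r["employee_id"])):
        loan = loans.get(row["employee_id"])
        if loan is None:
            continue  # no loan on file for this person: nothing to reconcile
        expected = expected_deduction(loan, row["month"])
        actual = int(row["sacco_deduction"])
        if actual != expected:
            exceptions.append((row["month"], row["employee_id"], expected, actual))
    return exceptions

def shortfall_by_employee(exceptions):
    """Total the SACCO should have received but did not, per employee."""
    totals = {}
    for _, emp, expected, actual in exceptions:
        totals[emp] = totals.get(emp, 0) + (expected - actual)
    return totals

if __name__ == "__main__":
    found = reconcile(load(HR_LOANS), load(PAYROLL))
    for month, emp, expected, actual in found:
        print(f"{month} {emp}: expected {expected}, remitted {actual}")
    print("shortfall:", shortfall_by_employee(found))
```

The loan end date matters: E-1002's deduction legitimately stops in May because the loan has been repaid, so only E-1001's zeroed months are reported. Run monthly, the check would have caught the stopped deduction in month four instead of much later.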
From suspicion to evidence — mastering the investigation process
Although this is a real case drawn from field experience, the names and locations have been altered to protect confidentiality. Any similarities to actual persons or offices are purely coincidental. What matters is the method: how a young, determined internal auditor turned suspicion into evidence and unearthed a ghost scheme that cost taxpayers millions.

It began with a subtle red flag. During her quarterly review at a district health office in eastern Uganda, the internal auditor noticed an odd pattern. One supplier, Green Mango Supplies Ltd, had been paid UGX 76 million over just three months. Oddly, she had never seen any trucks offloading goods from them. No one in the stores department had signed a delivery report. Yet the payment had sailed through. Her instincts kicked in.

Suspicion is not enough

Most fraud investigations fail not because the suspects are smart, but because the investigators are sloppy. Suspicion is loud. Evidence is quiet. Many internal auditors shout about fraud, but when asked for proof, they mumble. And that is how cases die.

The curious payment at a district health office

In 2010, a young lady in her mid-20s came to our office with a case involving ghost suppliers. She was an internal auditor at a district in eastern Uganda. During her routine review of quarterly releases, she noticed that a company called “Green Mango Supplies Ltd” had been paid UGX 76 million for supplying non-pharmaceutical items. Her suspicion? She had never seen a delivery from them.

Following the money — how it was done

(i) The company was registered in the name of a cousin of the district procurement officer.
(ii) Payments were processed using fake Local Purchase Orders (LPOs) generated during system downtimes. These were approved manually with forged signatures.
(iii) The delivery notes bore stamps from the stores department. Upon scrutiny, the stamps were traced back to a stolen pad from the sub-county headquarters.
(iv) Once payment was wired, the money was withdrawn in cash across four transactions, each just under the threshold requiring second approval: UGX 19 million, 18.5 million, 20 million, and 18.5 million.

How the auditor nailed it

(i) She retrieved the original LPOs and noted inconsistent fonts and date formats.
(ii) She visited the supplier’s address. It led to a kiosk selling sugar.
(iii) She requested CCTV footage from the bank. The man withdrawing the funds was the cousin, not a company representative.
(iv) She flagged the audit report with these findings and submitted it to her seniors.

The suspects were arrested. But here is the sad twist: only UGX 4 million was recovered. The rest was long gone.

Lessons in investigation

Do not chase ghosts. Chase transactions. The red flags are always altered documents, unusual approvals, cash withdrawals, or too-quick payments. Always start from the system, then trace backward. Evidence is found in contradictions. If the paperwork says goods were delivered, but there is no space in the store or acknowledgment from users, that’s your first breadcrumb.

From suspicion to evidence, the journey requires discipline, not drama. Investigations fail not due to a lack of leads, but because many lack the patience to follow the money. In this case, UGX 76 million vanished, but the real loss was public trust. Investigate with precision. Document everything. And never assume anything. As I always say, strategy is in the details.
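The four cash withdrawals in the Green Mango case were each kept under the second-approval threshold, which is exactly the pattern a transaction-level check can surface before an auditor has to go looking. The block below is an added example, not code from the article or from IFIS: it clusters near-threshold withdrawals per account inside a rolling window and reports any cluster big enough to look like deliberate structuring. The amounts mirror the four cash-outs described above; the dates, account labels and the threshold value are constructed for illustration.

```python
"""Structuring detection over cash withdrawals (added example, constructed data)."""
from collections import defaultdict
from datetime import date, timedelta

THRESHOLD_UGX = 20_000_000   # constructed: amounts above this need a second approver

WITHDRAWALS = [  # (date, account, amount_ugx); constructed, amounts mirror the case
    (date(2010, 3, 2), "GM-SUPPLIES", 19_000_000),
    (date(2010, 3, 2), "GM-SUPPLIES", 18_500_000),
    (date(2010, 3, 3), "GM-SUPPLIES", 20_000_000),
    (date(2010, 3, 4), "GM-SUPPLIES", 18_500_000),
    (date(2010, 3, 9), "CLINIC-OPS", 3_200_000),
    (date(2010, 4, 1), "CLINIC-OPS", 2_900_000),
]

def detect_structuring(withdrawals, threshold=THRESHOLD_UGX, band=0.10,
                       window_days=7, min_count=3):
    """Group withdrawals that sit within `band` below the threshold (and at or
    under it) per account, inside a rolling window of `window_days`.
    Returns [(account, first_date, last_date, count, total)] for every cluster
    of at least `min_count` such withdrawals."""
    low = threshold * (1 - band)
    by_account = defaultdict(list)
    for d, account, amount in sorted(withdrawals):
        if low <= amount <= threshold:          # only the near-threshold ones matter
            by_account[account].append((d, amount))
    clusters = []
    for account, rows in by_account.items():
        current = [rows[0]]
        for row in rows[1:] + [None]:           # None flushes the final cluster
            if row is not None and row[0] - current[0][0] <= timedelta(days=window_days):
                current.append(row)
                continue
            if len(current) >= min_count:
                clusters.append((account, current[0][0], current[-1][0],
                                 len(current), sum(a for _, a in current)))
            if row is not None:
                current = [row]
    return clusters

if __name__ == "__main__":
    for account, first, last, count, total in detect_structuring(WITHDRAWALS):
        print(f"{account}: {count} near-threshold cash-outs {first}..{last}, total UGX {total:,}")
```

The CLINIC-OPS withdrawals are small and fall outside the band, so they are ignored; the GM-SUPPLIES cluster totals UGX 76 million across three days, the same figure as the payment under review. Tuning the band and window is a policy decision: too narrow and a fraudster who splits a little more generously slips through, too wide and the report fills with routine activity.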
The deal that nearly bought my soul – when a gunman confronted me
Every entrepreneur talks about success. But no one tells you the price tags attached. Before I pivoted to strategy, risk, and leadership, I was a fraud investigator. Few professions offer the same mix of fulfillment and adrenaline as investigations. The thrill of responding to a crime scene. Taking notes. Preserving evidence. Recording statements. Analysing facts. Developing a fraud hypothesis. Gathering proof. Interviewing suspects. And ultimately, confronting the prime suspect. It is captivating. Addictive, even. You find yourself chasing the truth relentlessly. Who did it? How? Why? The process of connecting the dots becomes an obsession. You do not rest until the whole puzzle fits together.

I remember one investigation that changed everything. It was late, around 7:30 PM. I was stuck in Jinja Road traffic. Out of nowhere, a man approached my car and signalled me to lower the window. I complied, unsuspectingly. He made sure I saw the gun tucked inside his oversized jacket.

“You are Mustapha? Mugisa?” he asked.

“Yes,” I replied, a bit startled.

“I have decided to give you a second chance,” he said coldly. “That case you are investigating, the one involving fictitious SIM cards: drop it. This is the last time I will warn you.”

I had received many threats over the years. It comes with the territory. But this one was different. Chilling. Personal. As traffic finally began to move, the song Coward of the County echoed in my head. I laughed softly at myself in the mirror, half in disbelief, half in reflection. I could not help but wonder. Did the traffic officer deliberately hold us up so that this guy could reach me? I never got the answer. I just drove off, never looking back.

That night marked a turning point. I decided to lose interest in that case. I informed the client that I would no longer proceed. And over time, I began reducing my fieldwork in forensic investigations.
Instead, I shifted focus to empowering companies to conduct their internal investigations and offering back-end support from our forensic lab, where clients bring in their digital devices for deep analysis. This transition opened new doors. As part of our “kitchen” work in support of investigations, Summit Consulting got the opportunity to supply and set up digital forensic labs for several government and private institutions. We built systems. Trained teams. Strengthened capacity.

In 2021, an East African agency advertised an international open bid to set up a modern forensic laboratory. We knew this space. We had already designed and built a top-tier, state-of-the-art forensic lab for a leading government agency in Uganda. That experience was not just solid, it was exceptional. We were ready. Hungry. And fully equipped for the next challenge.

This was not just another tender. This was a career-defining opportunity. We reignited our international contacts, and together bought the bid documents, following every detail. My team was excited; you could feel it. We knew that if we nailed this, we would not just win one job. We would own the entire forensic consulting space in government, not only in Uganda but in the region. You know those ambitions of conquering the continent. The power of dreaming while awake is good.

One thing caught our sharp eyes: the procuring entity had not included anti-static carpets in their plan. Anyone serious about forensic labs knows that without anti-static carpets, your sensitive lab equipment, digital forensics bulk evidence storage and analyst workstations fail, or keep failing, making the cost of ownership and lab operations very expensive. We flagged it. Offered to include it in our bid. Even showed the cost implications of the new additions, if they wanted. But we made it clear: no quality without that carpet. We submitted.

Then my phone rang. Unknown number. “Is this Summit Consulting? Calling from your neighbouring country xx.
Meet me. Next week. Café Javas. Will be in Kampala next week. Let us do lunch.”

Now, if you are an entrepreneur, you know what that feels like. Heart racing. You think this is it. The nod. The handshake. The deal. I quickly processed an air ticket and was ready to fly out.

On the day I walked in, he was already seated. Escort car outside. Driver waiting. I could see a pistol in the jacket, casually in sight. He got straight to the point.

“Your bid is good,” he said. “Boss liked it. Told us to give those guys the job. Ugandans are decent people.”

My pulse shot up. Then came the real deal.

“But…” he leaned closer. “Our budget is equivalent to KES 95 million. You quoted KES 35 million. Your profit?”

“UGX 5 million,” I replied.

He smirked. “Only that? Why not KES 25 million profit?”

I played along: “Of course. Yes.”

He nodded. “Good. Go revise your bid. Make it KES 93 million. You will do the work for KES 55 million. The rest, KES 38 million, you will give us. In cash.”

Now, at that moment, my brain went into overdrive. There was no negotiation. There was no polite refusal. This man came with authority and backup. He travelled from Nairobi for this deal!

I smiled. “This is excellent,” I said. “I will inform my Board Chairman and my partners in Nairobi. They have school fees to pay. I am sure they will approve.”

He laughed. Patted my back. “Smart chap. We shall work well.”

I walked out smiling. But inside? I was scared and disgusted.

Two days later, I called him. Voice low. Disappointed. “My friend, I tried. Sat down with the Board. We voted. 3 to 2 against pursuing the deal. I fought for it. But… I’m sorry.”

He replied coldly: “Your Board is not serious.”

I said, “Yes. I know.” Hung up.

That day, I learned something they never put in the tender documents. Ethics is not tested when it is easy. It is tested when millions are on offer. When no one is watching. And sometimes, the real profit is walking away broke, but free.
How AI can save your bank from being the next fraud headline
Dear Managers,

Let me start with a simple, real-life scenario. A mid-sized financial institution I will call “Bank X” approved a USD 2.1 million loan backed by “verified” land titles. Six months later, repayments stopped. The investigation revealed fake titles, inflated land values, and a forged valuation report, all crafted by a well-connected ring of insiders and outsiders. The kicker? Everything looked legitimate. By the time Bank X woke up, the fraudsters had vanished, and auditors were scrambling. A classic case of human oversight, greed, and failure to connect the dots fast enough.

Now, here is the uncomfortable truth. Your institution is probably just as vulnerable. Traditional fraud detection systems depend heavily on rule-based checks, human approval, and post-incident audits. Too slow. Too predictable. Fraudsters learn the rules, bypass them, and exploit insider weaknesses. Enter Artificial Intelligence. Not hype. Not theory. Real use cases.

The AI advantage

Anomaly detection in real time. AI models do not rely on static rules. They monitor thousands of transactions, account behaviours, login patterns, and more, spotting subtle deviations no human eye catches. Unusual login from a new device? Large loan approval after dormant account activity? AI flags it instantly.

Document forgery detection. Machine learning algorithms can scan collateral documents (titles, valuation reports, and IDs) and detect signs of tampering: fake stamps, manipulated metadata, inconsistent fonts, signatures. AI forensic tools outperform even seasoned fraud examiners.

Employee behaviour analytics. Ever think to check whether a loan officer is consistently approving high-risk loans? AI systems track employee patterns (unusual approvals, repeated overrides, and late-hour logins), alerting you to possible insider collusion.

Third-party vendor risk monitoring. Your fintech partners and third-party providers are weak links.
AI-powered vendor risk platforms scrape data feeds and monitor dark web chatter, regulatory actions, and the financial health of partners, giving early warning signs of compromise.

The fix

Stop relying on audits done quarterly. Start deploying AI models that continuously learn, adapt, and flag suspicious patterns daily. Integrate AI fraud tools into every touchpoint: loan processing, mobile banking, payments, and KYC updates. Invest in AI-driven document verification systems to kill fake collateral before it gets to the loan desk. Make AI a watchdog for both customers and employees. No exceptions.

Ignore this at your peril. Bank X’s US$2.1 million mistake was the price of sticking to outdated systems and assuming fraud looks obvious. It does not.

Next steps: Pull your fraud risk team, IT, and senior management together. Audit every single fraud detection tool in place. Where are the gaps? Where is AI missing? Do not wait until you are the next headline.

Here is how to set up AI-driven fraud detection that delivers results

Buying AI tools off the shelf will not save you. It is not plug-and-play magic. For AI to deliver, it needs to be embedded deep into your institution’s workflows, with clear accountability and zero bureaucratic nonsense.

Step 1: Assign ownership – make someone accountable

The biggest mistake? Leaving AI to the IT department alone. Fraud prevention is a business-critical, cross-functional responsibility. Assign a Chief Fraud & Risk Officer (CFRO) or designate a Head of AI Fraud Systems, reporting directly to senior leadership. This person’s sole job: integrate AI tools across every department, continuously refine models, and stay ahead of evolving fraud techniques.

Step 2: Build the fraud data lake

AI is only as good as the data you feed it.
Start by setting up a central fraud data hub that aggregates:

Transaction records
Loan applications & approvals
KYC documents
Employee activities (logins, approvals, overrides)
Vendor interactions
External data (credit bureau scores, court records, blacklist databases)

No silos. Break down barriers between credit, compliance, operations, and IT teams. All data flows to one source.

Step 3: Deploy AI engines in specific areas

You do not need to start big. Focus on high-risk, high-return areas first:

Loan approval process. Train AI models to analyze past fraudulent loan patterns. Flag suspicious collateral documents, inconsistent borrower information, or unusual valuation reports in real time, before approvals.

Mobile & online banking. Use AI to monitor login behaviour, device fingerprints, location anomalies, and unusual fund transfers. Immediate alerts, and instant freezes on suspicious accounts.

Employee behaviour analytics. Deploy AI to track patterns in which officers approve risky loans too fast. Which back-office staff consistently override controls? AI sends risk reports to the CFRO weekly. No one is untouchable.

Vendor monitoring. Integrate third-party AI platforms that scan your vendors’ financial stability, regulatory compliance, cyber vulnerabilities, and news feeds. Flag at-risk service providers early.

Step 4: Human-in-the-loop – define clear roles

AI does not replace people. It empowers them. Define sharp, no-fluff roles:

Branch Managers. Get real-time fraud risk dashboards daily. Every branch’s suspicious activities are flagged, along with accountability to act immediately.

Loan Officers. Cannot override AI alerts without escalation to the CFRO. All overrides are logged and reviewed quarterly.

Compliance & Internal Audit. Get AI-generated anomaly reports weekly. Their job: audit flagged cases, investigate, close or escalate.

Senior Executives. Receive monthly AI fraud trend reports.
Decisions around policy adjustments, product redesign, or process reengineering are based on actual AI findings, not intuition.

Step 5: Continuous model training and feedback loop

Fraud evolves. AI models must evolve too. Set up a dedicated AI Feedback Taskforce: a mix of data scientists, fraud analysts, IT, and business unit reps. Every confirmed fraud incident is fed back into the model. Models retrain monthly, improving detection rates.

Step 6: Don’t forget explainability

Regulators will come knocking. Make sure your AI systems provide clear, traceable reasons why a transaction or document was flagged. AI shouldn’t be a black box.

If you are still relying on post-event audits, you are dead in the water. AI done right is proactive, predictive, and unforgiving to fraudsters. But you need leadership commitment, clear roles, data visibility, and ruthless follow-through. Who in your bank is responsible for embedding AI fraud detection in every process? If no name comes to mind immediately, that is your first weakness. Fix it before the fraudsters find it.

Yours,
Institute of Forensics & ICT Security
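The article asks for three things from a fraud model: flag deviations from an account's own behaviour, watch the officers who approve and override, and give a traceable reason for every flag (Step 6). The block below is an added example, not code from the article, from IFIS, or from any vendor platform. It uses plain statistics as a stand-in for the learned models the article describes, precisely so that each flag carries reasons a regulator or auditor can read; every transaction, loan, officer id and threshold in it is constructed for illustration.

```python
"""Explainable fraud flags over transactions and loan approvals (added example, constructed data)."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed transactions: (account, amount, device_id, hour_of_day)
TRANSACTIONS = [
    ("ACC-1", 120.0, "dev-a", 10), ("ACC-1", 95.0, "dev-a", 11),
    ("ACC-1", 130.0, "dev-a", 14), ("ACC-1", 110.0, "dev-a", 9),
    ("ACC-1", 9800.0, "dev-z", 2),          # large, new device, 02:00
    ("ACC-2", 50.0, "dev-b", 12), ("ACC-2", 55.0, "dev-b", 13),
    ("ACC-2", 58.0, "dev-b", 15),
]

# Constructed loan approvals: (loan_id, officer, amount, months_account_dormant, alert_overridden)
LOANS = [
    ("L-1", "officer-1", 20000.0, 0, False),
    ("L-2", "officer-1", 25000.0, 1, False),
    ("L-3", "officer-2", 500000.0, 18, True),   # dormant account, alert overridden
    ("L-4", "officer-2", 450000.0, 0, True),
    ("L-5", "officer-2", 480000.0, 0, True),
]

LATE_HOURS = range(0, 6)   # constructed definition of "outside normal hours"

def score_transactions(transactions, z_threshold=3.0):
    """Flag transactions that deviate from their own account's history.
    Returns {index: [reason, ...]}: every flag is explainable by construction."""
    by_account = defaultdict(list)
    for idx, row in enumerate(transactions):
        by_account[row[0]].append(idx)
    flags = {}
    for indices in by_account.values():
        seen_devices = set()
        for idx in indices:
            _, amount, device, hour = transactions[idx]
            reasons = []
            # leave-one-out baseline: compare against the account's other transactions
            others = [transactions[i][1] for i in indices if i != idx]
            if len(others) >= 2 and pstdev(others) > 0:
                z = (amount - mean(others)) / pstdev(others)
                if z > z_threshold:
                    reasons.append(f"amount {amount:.0f} is {z:.0f} sd above account baseline")
            if seen_devices and device not in seen_devices:
                reasons.append(f"first use of device {device} on this account")
            if hour in LATE_HOURS:
                reasons.append(f"posted at {hour:02d}:00, outside normal hours")
            seen_devices.add(device)
            if reasons:
                flags[idx] = reasons
    return flags

def score_officers(loans, dormant_months=12, override_rate=0.5, min_loans=3):
    """Per-officer pattern report: alert override rate and approvals on dormant accounts.
    Returns {officer: [reason, ...]} for officers worth a CFRO review."""
    per_officer = defaultdict(lambda: {"loans": 0, "overrides": 0, "dormant": []})
    for loan_id, officer, _amount, dormant, overridden in loans:
        rec = per_officer[officer]
        rec["loans"] += 1
        rec["overrides"] += int(overridden)
        if dormant >= dormant_months:
            rec["dormant"].append(loan_id)
    report = {}
    for officer, rec in per_officer.items():
        reasons = []
        if rec["loans"] >= min_loans and rec["overrides"] / rec["loans"] >= override_rate:
            reasons.append(f"overrode alerts on {rec['overrides']} of {rec['loans']} loans")
        for loan_id in rec["dormant"]:
            reasons.append(f"approved {loan_id} on an account dormant >= {dormant_months} months")
        if reasons:
            report[officer] = reasons
    return report

if __name__ == "__main__":
    for idx, reasons in score_transactions(TRANSACTIONS).items():
        print(TRANSACTIONS[idx], "->", "; ".join(reasons))
    for officer, reasons in score_officers(LOANS).items():
        print(officer, "->", "; ".join(reasons))
```

The feedback loop of Step 5 fits naturally on top: a confirmed fraud that scored below `z_threshold`, or an override rate that turned out to be collusion, is the signal to retune those parameters, and because every flag lists its reasons, the taskforce can see which rule missed.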
The fake CEO scam – how one email almost killed a logistics empire
Years ago, I sat across from a jittery CEO of a large logistics company in Zambia. His eyes told the story before his lips did. “We almost lost $1.5 million last month,” he confessed. How? One fake email. One “urgent” request. One careless click. And therein lies today’s lesson. Old wisdom says, “The hyena does not need a big hole; it only looks for one loose plank in the kraal.” That is precisely how the fake CEO scam works.

How the scam unfolds

It starts simple. Cybercriminals spend weeks quietly studying your company. They learn your reporting structure, who approves payments, and even how the CEO writes emails. Then, boom, they strike. A finance officer receives an email seemingly from the CEO or MD, urgently requesting a wire transfer to a new supplier. The email domain is almost identical, maybe one letter off, but who is checking under pressure? The finance team, trained to obey hierarchy, processes the payment. Hours later, the money is gone, sitting comfortably in a shell account overseas.

During a board risk review at a client in the hospitality sector, I saw the same trick used. Attackers spoofed the GM’s email, approving a $250,000 invoice to a “vendor” who did not exist. Nobody questioned it because the chain of command was clear: you obey.

It works because of leadership weakness

Do you think your cyber threat is purely technical? Think again. This scam thrives not because your firewall failed, but because of weak governance and a zero-verification culture. The logistics company I advised had one glaring issue: no dual control on large payments. Finance trusted emails at face value, assuming no one could impersonate their CEO. They lacked an “always verify, never assume” protocol. This is the classic case of ‘trust over verify’. Cultural complacency, mixed with poor controls, is a disaster cocktail. In the Zambia case, they were lucky.
The transaction was flagged late, but before completion, thanks to a sharp-eyed junior accountant who noticed the slight domain mismatch. In another manufacturing firm in Kenya, they weren’t so fortunate. $800,000 wired. No recovery.

The key lesson here is: kill the blind obedience

What can you, as a leader, do today?

a) Enforce dual authorization policies. No large payment gets processed on email instruction alone, regardless of the sender’s title.
b) Implement mandatory voice verification. Always call back to confirm high-risk requests, using known numbers, not ones provided in emails.
c) Train staff to question. Yes, even when the email says ‘from the CEO’. Remove the fear culture. Encourage them to double-check.
d) Audit email domain controls. Your IT should monitor look-alike domain registrations and flag them.

This week, gather your finance, IT, and operations heads. Ask them a simple question: “If someone impersonated me right now and ordered a payment, what checks exist to stop it?” If they hesitate, your system is broken.

The leadership tool we recommend at IFIS is the zero-trust wire transfer protocol

Draft a one-page policy today. No payment above a set threshold is actioned without:

Dual sign-off (preferably across departments),
Voice verification with at least one signatory,
Domain and sender authenticity check by IT before approval.

Print it. Circulate it. Enforce it. In my village, the cattle owner who sleeps without locking the kraal cries first in the morning. Don’t be that leader. Tighten the kraal.

Institute of Forensics & ICT Security is a training institute of Summit Consulting Ltd.
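Two of the controls above can be turned into code that finance and IT can actually run: the look-alike domain check from item d) and the one-page zero-trust wire transfer policy. The block below is an added example, not code from the article or from IFIS. It folds common letter-swap tricks before comparing a sender's domain to the allowlist, then refuses a payment above the threshold unless dual sign-off across departments, a call-back by a signatory, and IT's authenticity check are all on record. The trusted domain, the threshold and the signatory names are constructed for illustration.

```python
"""Look-alike sender domain check plus a zero-trust wire transfer gate (added example, constructed data)."""
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple
import unicodedata

TRUSTED_DOMAINS = {"example-logistics.com"}   # constructed allowlist of genuine domains
THRESHOLD_USD = 10_000                         # constructed policy threshold

def normalise(domain: str) -> str:
    """Fold common look-alike substitutions so near-identical domains compare equal."""
    d = unicodedata.normalize("NFKC", domain).strip().lower()
    d = d.replace("rn", "m").replace("vv", "w")          # 'rn' reads as 'm', 'vv' as 'w'
    return d.translate(str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"}))

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a small value is the 'one letter off' the article warns about."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_sender_domain(domain, trusted=TRUSTED_DOMAINS, max_distance=2):
    """Return 'trusted', 'lookalike' (within max_distance of a trusted domain) or 'unknown'."""
    if domain.strip().lower() in trusted:
        return "trusted"
    norm = normalise(domain)
    for t in trusted:
        if edit_distance(norm, normalise(t)) <= max_distance:
            return "lookalike"
    return "unknown"

@dataclass
class PaymentRequest:
    amount_usd: float
    sender_domain: str
    approvals: Set[Tuple[str, str]] = field(default_factory=set)  # (signatory, department)
    voice_verified_by: Optional[str] = None   # signatory who called back on a known number
    domain_checked_by_it: bool = False

def gate_payment(req, threshold=THRESHOLD_USD):
    """Apply the one-page policy. Returns (approved, reasons)."""
    verdict = classify_sender_domain(req.sender_domain)
    if verdict != "trusted":
        return False, [f"sender domain {req.sender_domain} is {verdict}: refer to IT"]
    if req.amount_usd < threshold:
        return True, []                        # below threshold: normal controls apply
    reasons = []
    if len(req.approvals) < 2 or len({dept for _, dept in req.approvals}) < 2:
        reasons.append("needs two sign-offs from different departments")
    if req.voice_verified_by not in {name for name, _ in req.approvals}:
        reasons.append("no call-back verification by a signatory")
    if not req.domain_checked_by_it:
        reasons.append("IT has not confirmed sender authenticity")
    return not reasons, reasons

if __name__ == "__main__":
    req = PaymentRequest(250_000, "exarnple-logistics.com",
                         {("A. Finance", "Finance"), ("B. Ops", "Operations")}, "B. Ops", True)
    print(gate_payment(req))
```

Note that a look-alike domain is refused outright, whatever the amount and however many signatures it carries: the point of item d) is that nobody under deadline pressure should be the one squinting at "rn" versus "m".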
Increasing entry points: Have you empowered your staff?
Human error has been highlighted as a major contributing element to cybersecurity vulnerabilities for years. It is a long-standing concern in cybersecurity breaches, thus requiring all enterprises to remain watchful and train their personnel on how to alleviate this risk.

According to the Verizon Business 2021 Data Breach Investigations Report, 85 percent of breaches involved a human element, while over 80 percent of breaches were discovered by external parties. With an unprecedented number of people working remotely, phishing and ransomware attacks increased by 11 percent and 6 percent respectively, with instances of misrepresentation increasing by 15 times compared to the year 2020. Additionally, breach data showed that 61 percent of breaches involved credential data (95 percent of organizations suffering credential stuffing attacks had between 637 and 3.3 billion malicious login attempts through the year).

As further noted by Tami Erwin, CEO of Verizon Business, the COVID-19 pandemic has had a profound impact on many of the security challenges organizations are currently facing. As the number of companies switching business-critical functions to the cloud increases, the potential threat to their operations may become more pronounced, as malicious actors look to exploit human vulnerabilities and leverage an increased dependency on digital infrastructures.

Employees’ and users’ unintended acts – or lack of action – that originate or propagate a security breach cover a wide variety of behaviours, from downloading a malware-infected attachment to failing to use a strong password. End-users often make mistakes because they don’t know what the appropriate course of action is in the first place. Users who are unaware of the risk of phishing are significantly more likely to fall prey to phishing efforts, and those who are unaware of the risks of public Wi-Fi networks will have their credentials harvested rapidly.
Businesses must recognize that compromised credentials linked to privileged accounts are frequently the initial step in a ransomware attack. “Threat actors are chasing larger paydays and finding new vulnerabilities in a wide variety of targets, while many organisations are struggling to bring their cybersecurity up to standard for hybrid work,” said John Donovan, managing director ANZ, Sophos.

How should businesses address this challenge?

To reduce the possibilities for such errors, organizations need to understand why human errors occur and educate users on the consequences of their mistakes. Below are the measures we recommend.

Businesses must adjust their cybersecurity mindset and embrace a new paradigm that assumes they will be hacked. As a result, it is critical that leaders invest in the right endpoint technology for a firm cybersecurity posture, as well as focus on resilience and recovery.

Staff cybersecurity education must be prioritised by businesses in order to foster a cyber-aware culture. Educating and training staff on what security actions should be taken before and during an attack is critical to lowering the number and severity of future security breaches. This entails ensuring that staff have secure online habits and practices in addition to the technology that has been introduced to prevent cybercrime.

While the specifics of how systems and software were compromised in most reported breaches remain unknown, the common means for attackers to gain access include exploiting security vulnerabilities in code and security misconfiguration, both of which can be prevented by security-aware developers. Organisations must offer thorough training in secure code development and have every developer take responsibility for security.

Threat actors have turned to social engineering, usually using email and compromised credentials, to gain access as perimeter defences have become more robust.
The concepts of least privilege and segmentation are very effective in limiting the effects of a breach. Businesses must understand that compromised credentials are frequently the initial step in a ransomware attack. They should invest in multi-factor authentication, as well as password management systems that help identify, manage, audit, monitor, and safeguard the credentials of privileged accounts.

To help thwart malicious cyber incidents and reduce their impact, businesses should adopt next-generation data management capabilities that enable them to use immutable backup snapshots, encrypt data in transit and at rest, enable multi-factor authentication, detect potential anomalies using AI/ML, implement zero trust principles, and reduce their overall data footprint caused by mass data fragmentation.
Cybercrime is a constant business: Three business areas to watch out for!
Due to the ever-growing threat landscape in the digital ecosystem, your business must embrace cybersecurity irrespective of the size of the company. The statistics on data breaches across all business sizes show that their aftermath is becoming even worse. According to IBM’s recent security survey, the average cost of a data breach rose from $3.86 million in the previous, normal years to $4.24 million in 2021. This marks the highest average total cost of a data breach ever reported. Revenue loss impacts are significantly lower for organizations with a more mature cybersecurity posture, and higher for organizations that have not prioritized areas such as cybersecurity.

IBM’s report elaborates that it takes organizations an average of 287 days to identify and contain a data breach. This is seven days longer than in the previous reports. This means that if an organization was hit on February 1, it took 287 days on average to identify and contain the breach, which would not be contained until November 14.

The continuation of teleworking, the isolation of employees and the current vaccination situation have widened the playing field for attackers to run successful social engineering schemes on staff who are not educated and well prepared to respond to such schemes. “Malicious attackers take advantage of the health crisis to craft targeted emails in order to divulge sensitive information from key staff at different levels of information access. With such carefully-tailored strategies, cyber-attackers are becoming more agile and sophisticated and increase the effectiveness of their actions.”

There have been reported cases of email compromises, malware infestation, accidental information leakages, supply-chain and third-party breaches, and insider breaches. These are some of the common issues that organizations are facing today.
Given the worrying security landscape, which involves risks to intellectual property and client or staff data, cybersecurity should be embraced as a must for one and all. It is a necessity in today’s time because a major chunk of business activities has gone online. Remote working has made the lives of staff easier and in some ways boosted productivity. It has also widened the digital ecosystem, extending risks from controlled environments to uncontrolled personal environments. Large organizations may have the budgets and capacity to manage endpoints, but SMEs may even go bankrupt trying to pay for incident response against a cyber-attack or penalties for non-compliance. There can be a huge loss of revenue resulting in business disruption.

What you need to know

Given the times, leaders need to take action now to prevent cyber-attacks from occurring. Leaders should put policies, procedures and guidelines in place and be prepared for future incidents. As a leader, you need to evaluate the current security posture with a risk assessment. Check for holes where attacks can creep in. And develop an effective incident response plan to mitigate the far-reaching effects of a cyber-attack.

Three areas that need urgent attention after data breaches

Any data breach against an organization will target three different areas of the business: the revenue of the organization, its customers, and the organization’s reputation. The impact of the data breach may differ based on the organization.

The impact on revenue and finances

The ever-growing cybercrime against organizations has overburdened businesses with huge costs and greatly impacted their revenue. IBM reported in its Data Breach Report of 2021, where the study was conducted on 537 real breaches across 17 countries and regions and 17 different industries, that on average a data breach cost USD 4.24 million.
Once hit by a data breach, there is always a financial implication for the organization. This depends on the nature of the data breach. Organizations hit with a data breach struggle with the costs of containing the breach, compensating affected customers, absorbing a decreased share value and heightened security costs. Financial losses resulting from security breaches have been significant in the past, yet business leaders cannot forecast how or whether financials will be affected in the event of a breach. Studies have shown that 29% of businesses that face a data breach end up losing revenue; of those, 38% experience a loss of 20% or more and are unable to sustain the situation.

The impact on customers

Whether customers confide in the services an organization offers, and their willingness to purchase those services, will depend on the way an organization prioritizes its customers’ information security. Thus, if an organization does not consider the security of customers’ data, a customer can vote with their feet and take their business elsewhere. Back in the days when customers lacked awareness of cyber security, they could not form any perception on the basis of an organization’s security plan. But now, with increased awareness and increasing cyber-attacks, customers are more conscious about where they are providing their information and how safe it will be in future.

The scale of data breaches is what continues to shift the attitude of customers. Data breaches at giant firms like Marriott and Facebook draw the attention of the public to data security concerns. Previously, data privacy was difficult to internalize; it was difficult to care about because it hadn’t directly affected people. Over 533 million user accounts, including personal emails and contacts, were found on hacker websites after the recent Facebook hack. And over 5.3 million guest records were stolen in the Marriott data breach beginning in mid-January 2020.
For over a decade, data breaches have been impacting customers on a large scale. But the interconnected nature of systems now makes news spread fast, eroding the trust of customers and damaging the reputation of organizations.

Impact on business reputation
In a rapidly scaling digital ecosystem with close networks and super-fast news, any information regarding a data breach spreads fast over the internet or media. At times an organization makes news headlines not for its best performance in the industry but for its security being compromised due
Business email compromise – the silent corporate killer
In January 2023, we received a phone call from the CEO of a well-known logistics company. His voice carried the weight of urgency and frustration. “Mr. Strategy, I think we’ve been scammed, but I can’t understand how. We wired about seventy-one thousand United States dollars to what we believed was our supplier’s account, only to find out it never reached them. The finance team insists they followed the right process, but the supplier says they never changed their banking details. I need answers. Fast.”

It was a classic case of Business Email Compromise (BEC), but as we would soon uncover, the attackers had executed their scheme with surgical precision.

The fraudster’s playbook: how it all happened
By the time we stepped into the company’s headquarters, panic was evident. The finance director, the IT manager, and the CEO were all waiting. They needed an explanation. Here’s what we found out:

Initial compromise
After analysing their systems, we found that the company’s finance officer, Subject 1, had unknowingly clicked on a phishing email a few weeks earlier. The email, disguised as a routine Microsoft 365 security update, asked her to verify her credentials. The attackers, operating as Subject 2, captured her email login details in real time and immediately accessed her inbox.

Email monitoring and reconnaissance
The criminals did not act immediately. Instead, they watched. Sophisticated cybercriminals are very patient people. They take their time. For three weeks, they studied email conversations between the finance team and key suppliers. They identified the payment patterns, the tone of the emails, and the key players in financial transactions. They examined the approval limits and the emergency instances when finance is allowed to process a payment quickly.

The deception begins
Once the attackers had a full picture, they acted.
They created a lookalike email domain, changing just one letter in the supplier’s email address, something barely noticeable to the human eye. Using this fraudulent email address, Subject 2 posed as the supplier’s accounts manager, informing the company of a “recent banking update” due to an “ongoing audit.”

Social engineering at its best
To further authenticate their claim, the fraudsters compromised the supplier’s actual email account and forwarded previous legitimate invoices. They even used the supplier’s real email signature, adding credibility to the deception.

Execution of the fraud
With all the pieces in place, Subject 1 received a final email instructing payment to the “new” bank account. The finance team, trusting the familiar conversation thread, wired $71,240 without hesitation.

The aftermath
Two days later, the real supplier followed up for payment, completely unaware of the fraud. By then, the money had already been withdrawn from an offshore account.

What went wrong? The investigation
Once we pieced together the fraud, the next step was to determine how the company let this happen.
Weak email security. The finance officer’s email was compromised because the company did not enforce multi-factor authentication (MFA) on their accounts.
Lack of financial verification protocols. The finance department had no internal process for verifying bank detail changes. A simple phone call to the supplier’s known contact number would have stopped the fraud.
Poor cyber awareness. Employees were last trained to identify phishing emails two years ago, making them easy prey for attackers.

Lessons learned
Enforce email security. Implement multi-factor authentication (MFA) for all corporate email accounts.
Tighten financial processes. No banking details should ever be changed based on email instructions alone. Always verify via phone calls to known contacts.
Train employees. Conduct phishing awareness training and test employees regularly with simulated attacks.
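The two controls above (catch the one-letter lookalike domain, and never act on a bank detail change from email alone) can be made mechanical in the finance mailbox. The script below is an added example, not code from the case or from the affected company; the supplier domain, the keyword list and the sample message are constructed.

```python
"""Triage supplier e-mails: flag lookalike sender domains and bank-change requests.

Added example (not from the original case write-up). The trusted domain, the
keyword list and the sample message below are constructed for illustration.
"""


def normalize(domain: str) -> str:
    """Fold common look-alike substitutions so 'acrne' reads as 'acme' and '1' as 'l'."""
    d = domain.lower().strip()
    d = d.translate(str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"}))
    return d.replace("rn", "m").replace("vv", "w")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: number of single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(address: str, trusted_domains) -> str:
    """Return 'trusted', 'lookalike' (one edit or a homoglyph away) or 'unknown'."""
    domain = address.rsplit("@", 1)[-1].lower()
    trusted = {t.lower() for t in trusted_domains}
    if domain in trusted:
        return "trusted"
    for t in trusted:
        if normalize(domain) == normalize(t) or edit_distance(domain, t) <= 1:
            return "lookalike"
    return "unknown"


# Assumed phrases that signal a request to change where money is sent.
BANK_CHANGE_TERMS = ("bank", "account", "banking details", "audit")


def triage_message(sender: str, subject: str, body: str, trusted_domains) -> dict:
    """Decide what finance must do before paying on the strength of this e-mail."""
    sender_class = classify_sender(sender, trusted_domains)
    text = f"{subject} {body}".lower()
    asks_bank_change = any(term in text for term in BANK_CHANGE_TERMS)
    if sender_class == "lookalike":
        action = "block_and_report"      # impersonation attempt, never pay
    elif asks_bank_change:
        action = "verify_by_phone"       # call a known number, not one in the mail
    else:
        action = "ok"
    return {"sender": sender_class, "bank_change_request": asks_bank_change, "action": action}


if __name__ == "__main__":
    trusted = ["acme-logistics.com"]  # constructed supplier domain
    print(triage_message("accounts@acrne-logistics.com", "Banking update",
                         "Due to an ongoing audit please remit to our new account.", trusted))
```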
The cost of negligence
How Omundo stole money using ATM cards that were not his
This case is about a man who tricked the banking system and stole Kshs. 732,033 (USD 5,700) from Kenya government cash transfer accounts. The money was meant for elderly and vulnerable people under the Inua Jamii program, a financial aid initiative in Kenya. Between 2018 and 2022, Omundo illegally obtained multiple ATM cards that did not belong to him. Instead of using the real owners’ fingerprints, he registered his fingerprint on these accounts and withdrew the money over time. His scheme was exposed when a banking agent noticed suspicious withdrawals and reported him. When the police investigated, they found he had 10 ATM cards from different beneficiaries.

How he executed the fraud

Getting ATM cards that were not his
The suspect somehow gained access to multiple Inua Jamii ATM cards. He may have worked with insiders at the bank or the registration offices to get these cards. The real owners of the cards were unaware that someone else was withdrawing their money.

Using his fingerprint to access accounts
The banking system required only an ATM card and a fingerprint to withdraw money. Instead of using the real beneficiaries’ fingerprints, he registered his fingerprint on their accounts. This allowed him to withdraw money as if he were the real owner of the account.

Making multiple withdrawals at banking agents
He visited different KCB agent banking shops to withdraw money. On May 10, 2022, he withdrew money from three different ATM cards at the same shop. The banking agent became suspicious because the system allowed only one card per person in the Inua Jamii program.

Returning the next day and getting caught
On May 11, 2022, he returned to the same banking agent with seven more ATM cards. The agent had already reported the suspicious transactions to the police. As soon as he tried to withdraw money, the police arrested him on the spot.
The investigation – how he was caught

Checking his bag and finding ATM cards
The police searched his bag and found 10 ATM cards that belonged to different people. None of the cards was in his name.

Reviewing bank records
The bank provided transaction statements that showed money had been withdrawn from these cards between 2018 and 2022. The withdrawals happened across different locations, meaning he moved around frequently to avoid suspicion.

Testimony from a victim
One of the victims went to withdraw money but found that someone else had already taken it using his card and ID. He reported the case, saying he had never shared his ATM card or PIN with anyone.

Suspect’s weak defense
The accused claimed that a bank official named Julius had asked him to help register elderly people for the cash transfer program. He said the official would then use his fingerprint to approve transactions. The court dismissed this as an excuse to cover up his fraud.

The punishment – what the court decided
The suspect was charged with three crimes under the Computer Misuse and Cyber Crimes Act.
Identity theft and impersonation. He fraudulently used other people’s ATM cards and identities to steal money.
Unauthorized access to computer systems. He accessed bank systems without permission using his fingerprint on stolen ATM cards.
Accessing systems with intent to commit a crime. He withdrew money knowing that he was not the rightful owner of the accounts.

The sentence
The court found him guilty on all counts and sentenced him to:
2 years in prison for identity theft and impersonation.
2 years in prison for unauthorized access.
5 years in prison for accessing systems to commit fraud.
A fine of Kshs. 200,000 (USD 1,560) for identity theft.
A fine of Kshs. 3,000,000 (USD 23,400) for fraud-related crimes.
At first, the court said the sentences should run one after the other (consecutively), meaning he would serve a total of 9 years.
However, on appeal, the judge ruled that the sentences should run at the same time (concurrently), reducing his total prison time to 5 years.

Lessons – how to prevent such fraud

Stronger verification methods
Banks should use multi-factor authentication (MFA) instead of relying only on fingerprints. Adding PINs or ID verification would have stopped the fraud.

Better monitoring of transactions
If the bank had been checking withdrawal patterns, it would have noticed one person using many different cards. Real-time fraud detection systems should flag suspicious activity.

Training for banking agents
The banking agent in this case noticed something was wrong and reported it. All banking agents should be trained to detect fraud and report it early.

Public awareness for vulnerable people
Elderly and vulnerable people must be educated about financial fraud. They should be encouraged to check their account balances regularly and report missing funds.

Tighter laws and enforcement
Cybercrime laws should not only punish fraudsters but also protect victims. Banks should be required to refund stolen funds if fraud happens due to system weaknesses.

This case proves that fraud is not always about hacking into systems. Sometimes, criminals find loopholes and exploit them. If banks and government programs do not strengthen security, fraudsters will keep stealing from the most vulnerable people in society. It is time for banks, government agencies, and individuals to work together and stop identity theft before it happens.

Case reference: Omundo v Republic (Criminal Appeal 94 of 2023) [2024] KEHC 4579 (KLR)

I remain Mr Strategy.
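The “better monitoring of transactions” lesson is easy to state and rarely implemented, so here is what the check looks like over agent-banking withdrawal records. This is an added example, not code from the case file or from any bank; the record layout, field names and the withdrawal log are constructed, and the one-card-per-person rule is the programme rule the agent relied on.

```python
"""Detect one fingerprint withdrawing from many beneficiaries' cards.

Added example (not from the case or any bank's system). Records are
constructed: (date, agent_id, fingerprint_id, card_id, amount_kes), where
fingerprint_id stands for the biometric template that authorised the payout.
"""
from collections import defaultdict
from datetime import date

WITHDRAWALS = [
    (date(2022, 4, 2), "AG-203", "FP-9A1", "CARD-0006", 4000),
    (date(2022, 5, 10), "AG-017", "FP-9A1", "CARD-0001", 4000),
    (date(2022, 5, 10), "AG-017", "FP-9A1", "CARD-0002", 4000),
    (date(2022, 5, 10), "AG-017", "FP-9A1", "CARD-0003", 4000),
    (date(2022, 5, 10), "AG-017", "FP-55C", "CARD-0042", 4000),  # genuine beneficiary
    (date(2022, 5, 11), "AG-017", "FP-9A1", "CARD-0004", 4000),
    (date(2022, 5, 11), "AG-017", "FP-9A1", "CARD-0005", 4000),
]

MAX_CARDS_PER_PERSON = 1  # programme rule: one card per beneficiary


def daily_multi_card_alerts(records):
    """(date, agent, fingerprint, cards) for each day one fingerprint drew on
    more than the permitted number of cards at a single agent (the May 10 pattern)."""
    seen = defaultdict(set)
    for day, agent, fp, card, _amount in records:
        seen[(day, agent, fp)].add(card)
    return sorted((day, agent, fp, sorted(cards))
                  for (day, agent, fp), cards in seen.items()
                  if len(cards) > MAX_CARDS_PER_PERSON)


def cards_by_fingerprint(records):
    """Every card each fingerprint has ever withdrawn from, across all agents
    and dates; catches a fraudster who spreads withdrawals around to avoid notice."""
    linked = defaultdict(set)
    for _day, _agent, fp, card, _amount in records:
        linked[fp].add(card)
    return {fp: sorted(cards) for fp, cards in linked.items()}


def withdrawal_hold_reason(records, day, agent, fp, card):
    """Real-time check before paying out: return why this withdrawal should be
    held for review, or None when nothing about the fingerprint looks wrong."""
    others_today = {c for d, a, f, c, _ in records if (d, a, f) == (day, agent, fp) and c != card}
    if others_today:
        return f"{fp} already used {len(others_today)} other card(s) here today"
    others_ever = {c for _, _, f, c, _ in records if f == fp and c != card}
    if others_ever:
        return f"{fp} has previously withdrawn from {len(others_ever)} other card(s)"
    return None


if __name__ == "__main__":
    for alert in daily_multi_card_alerts(WITHDRAWALS):
        print("ALERT", alert)
    print(withdrawal_hold_reason(WITHDRAWALS, date(2022, 5, 11), "AG-017", "FP-9A1", "CARD-0007"))
```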
Case 3: The dark business of cyber pornography
Pornography is a silent pandemic. It claims one victim at a time. Thanks to the Internet, the problem is very big. The internet was meant to be a tool of progress. A gateway to knowledge and resources. A means of connection. But like any tool, it has been hijacked by criminals who have turned it into a marketplace for exploitation. Cyber pornography is one of the largest underground businesses online. It is a billion-shilling industry, fueled by demand, secrecy, and technology. The worst part? Much of it operates undetected, and when authorities catch on, the damage has already been done. In Uganda, it has taken on new dimensions. It is growing and thriving. This is not just about adult content. It is about abuse, blackmail, and the destruction of lives and families.

The bait and trap
In 2016, a young lady in her mid-20s walked into my office with her mother, shaking. She had a problem she didn’t know how to solve. She had met a man online. At first, it was harmless casual conversation, a little flirting. Then he asked for photos. She sent a few. Nothing explicit, just innocent pictures. A few days later, the man turned on a web camera and chatted. He asked the lady to also turn on her web camera and show him her body shape. Innocently, she did. Three days later, she received an email with screenshots of fake explicit images mixed perfectly with genuine ones. The man had morphed her photos into pornographic content. He gave her two options:
i) Pay him Ugx 5 million and he would delete everything.
ii) Refuse to pay, and he would send the images to her family, employer, and friends.
She hesitated. He followed through with his threats. By the time she came to us, the images were circulating in WhatsApp groups. Her boss had seen them. Her church elders were whispering. She was contemplating leaving town. She was the victim of sextortion, a rising cybercrime where criminals use fake or stolen explicit content to blackmail victims.
The dark web and the underground economy
The dark web is the underworld of the internet, an unindexed part of the web where criminals trade illegal content, sell data, and conduct illicit transactions in total secrecy.
(i) Cyber pornography has a massive market here. Hidden behind encrypted browsers like Tor, criminals upload, sell, and distribute explicit content without fear of getting caught.
(ii) Many of these platforms operate as private marketplaces, requiring cryptocurrency payments for access. Users buy pre-recorded videos, stolen images, and live streams of abuse.
(iii) Some dark web forums even offer bounty programs, where members pay for explicit material of specific individuals, often ex-lovers, celebrities, or even random victims.
(iv) Payment is almost always in Bitcoin or Monero, ensuring complete anonymity for buyers and sellers.
This is not pornography as most people understand it. It is organized exploitation, and it makes criminals millions.

The case that exposed the network
In 2019, police arrested a university student for running a revenge porn site. He had built a platform where people uploaded explicit images of their exes, classmates, and even strangers. Users were encouraged to submit photos with names, phone numbers, and social media accounts. The victims would wake up to hundreds of calls from strangers, asking for sexual favors. The site was earning money through advertising and premium memberships. Users who paid could access hidden folders with more graphic content. The student running the site had never touched a victim or recorded a single video. He was making millions off stolen content.

How the case cracked open
(i) The first complaint came from a young lawyer who found her images on the site. She had no idea how they got there.
(ii) An undercover officer infiltrated one of the Telegram groups linked to the website. He posed as a buyer and gained access to the admin’s contacts.
(iii) The forensic team traced mobile money transactions linked to premium memberships. The suspect was cashing out through multiple SIM cards and bank accounts to avoid detection.
(iv) Police raided his hostel room, seized his laptop, and uncovered over 12,000 images of victims.

How criminals monetize cyber pornography
Cyber pornography is a business first, a crime second. Criminals have refined ways to turn explicit content into a steady stream of income.
(i) Subscription models. Many sites operate like Netflix, offering tiered memberships for access to exclusive content. The higher the tier, the more explicit the content.
(ii) Live streaming and pay-per-view. Users can request private live shows, where victims, often coerced or unaware, are recorded and broadcast in real time.
(iii) Ransom schemes (sextortion). Victims are blackmailed into paying to remove their images. Some even pay multiple times, only to find the content remains online.
(iv) Content resale and trading. Stolen videos and images are sold repeatedly across different sites. A single image can be resold thousands of times across different platforms.
(v) Dark web bidding. Some groups allow members to place bids on exclusive or high-profile explicit material. This is common for leaked celebrity content or “revenge” content requested by buyers.
The money from these schemes flows through crypto wallets, digital gift cards, and offshore bank accounts, making it nearly impossible to trace.

The roadblocks to justice
Cyber pornography is difficult to fight because the law is slow, but technology moves fast.
(i) Anonymous platforms make it hard to track criminals. They use fake names, VPNs, and encrypted messaging services to hide their identities.
(ii) Many victims don’t report. They fear stigma, job loss, and social rejection. Some are forced to pay quietly, hoping the problem will go away.
(iii) Digital evidence disappears quickly.
By the time authorities get a warrant, the content has moved to a new site or the criminals have deleted their accounts. Add the fact that the websites are hosted in different countries, which makes investigations very difficult.
(iv) Laws are outdated. Many cyber laws were written before the rise of encrypted messaging, AI-generated content, and the