The Tuesday morning breach
On Tuesday, 13th February 2024, at exactly 9:18 a.m., a finance officer at a local SME clicked on an email link that looked routine, a “payment confirmation” from a well-known shipping partner. The email address matched the supplier’s almost perfectly, except for one barely noticeable swapped character.
When the officer clicked the link, nothing seemed to happen. The email closed. She carried on with her morning.
By 11:47 a.m., the attackers were inside the company’s enterprise resource planning (ERP) system. By 1:15 p.m., three supplier payment instructions had been altered, directing UGX 890 million to accounts that did not belong to any supplier the company had ever dealt with.
It took less than four hours for the company to lose what amounted to almost two months of operating profit, and not a single firewall alert or antivirus pop-up warned them.
The internal blame game
When the loss was discovered two days later, the board was called for an emergency session. The meeting quickly descended into an accusatory free-for-all.
The Chief Information Officer insisted this was a “sophisticated, targeted attack”, something no reasonable security system could have stopped. The Finance Director countered that the breach was possible only because IT had failed to disable old vendor portals and user accounts.
The CEO looked visibly shaken. The company had spent UGX 420 million the previous year on “cybersecurity upgrades,” complete with glossy board reports and vendor presentations about “world-class defenses.” Now, they were staring at a catastrophic failure.
Summit Consulting Ltd was called in with one directive: establish exactly how this happened, identify the internal and external actors, and advise how to ensure it never happens again.
How the scheme was engineered
- a) The inside knowledge
Suspect 1, a former procurement officer, had been laid off in a cost-cutting exercise the previous year. He left bitter and broke, but with an intimate knowledge of the company’s supplier payment cycles, approval hierarchies, and cyber hygiene weaknesses.
Suspect 2, a small-time tech “consultant” with connections to cybercrime syndicates in Nairobi, became Suspect 1’s partner. Together, they designed a social engineering attack that would look completely legitimate to anyone inside the company.
- b) The phishing bait
They registered a domain name one letter off from the shipping partner’s actual domain, then sent an email to the finance officer who handled most high-value transfers. The email referenced real shipment numbers, cargo descriptions, and delivery dates: information stolen months earlier, when Suspect 1 downloaded supplier correspondence before leaving.
The link in the email wasn’t a document. It was a malicious script that installed a remote access tool (RAT) on the officer’s computer, giving the attackers full visibility of her emails and the ERP interface.
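The lookalike domain is the weak point of the bait, and it is also the easiest part to check mechanically at the mail gateway or in the finance mailbox. The following is an added example, not tooling from the company or Summit Consulting: it compares each sender domain against an allowlist of known supplier domains, folding common confusable characters and allowing a small edit distance so that a dropped, substituted or transposed letter is flagged rather than waved through. The supplier domains and sender addresses are constructed for illustration.

```python
"""Lookalike-sender check for supplier e-mail.

Added example for this case study, not the company's or Summit Consulting's
own tooling. The supplier domains and the sender addresses are constructed.
"""

# Constructed allowlist: the domains the finance team legitimately deals with.
TRUSTED_SUPPLIER_DOMAINS = {
    "kampalashipping.example",
    "eastafricafreight.example",
}

# Substitutions that make a registered lookalike read like the real name at a glance.
CONFUSABLE_PAIRS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"))


def normalize(domain: str) -> str:
    """Lower-case a domain and fold common confusable character runs."""
    d = domain.strip().lower()
    for look, real in CONFUSABLE_PAIRS:
        d = d.replace(look, real)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: number of single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute ca -> cb
        prev = cur
    return prev[-1]


def sender_domain(address: str) -> str:
    """Return the domain part of an e-mail address, lower-cased."""
    return address.rsplit("@", 1)[-1].strip().lower()


def classify_sender(address, trusted=TRUSTED_SUPPLIER_DOMAINS, max_distance=2):
    """Classify a sender as 'trusted', a 'lookalike' of a trusted domain, or 'unknown'.

    Returns (verdict, matched_trusted_domain_or_None). A distance of 2 is enough
    to catch a transposed pair of letters, which plain Levenshtein counts as two edits.
    """
    domain = sender_domain(address)
    if domain in trusted:
        return "trusted", domain
    for real in trusted:
        if normalize(domain) == normalize(real) or edit_distance(domain, real) <= max_distance:
            return "lookalike", real
    return "unknown", None


def lookalike_senders(addresses, trusted=TRUSTED_SUPPLIER_DOMAINS):
    """Return the addresses whose domain impersonates a trusted supplier."""
    return [a for a in addresses if classify_sender(a, trusted)[0] == "lookalike"]


if __name__ == "__main__":
    # Constructed sample of sender addresses seen in a finance mailbox.
    sample = [
        "accounts@kampalashipping.example",       # genuine supplier
        "accounts@kampalashiping.example",        # one letter dropped
        "billing@kampa1ashipping.example",        # digit 1 in place of letter l
        "ops@kampalashippign.example",            # two letters transposed
        "newsletter@unrelated-retailer.example",  # unknown, not a lookalike
    ]
    for addr in sample:
        print(addr, "->", classify_sender(addr))
```

The allowlist is the control that matters: a "lookalike" verdict should route the message for manual review rather than into the finance officer's inbox, and an "unknown" sender claiming to be a supplier deserves the same phone verification the company's own procedure already required for account changes.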
- c) Altering the payment trail
Over the next week, the attackers observed the finance officer’s daily activity, noting the time she logged in, when payment batches were prepared, and which managers approved them.
On 13th February, just after she prepared a payment batch for three overseas suppliers, the attackers logged in remotely, intercepted the batch before final approval, and replaced the bank account numbers with accounts under their control.
These accounts were registered in the names of shell companies created barely a month earlier, using forged incorporation papers and fake national IDs.
- d) Cashing out
Once the payments landed, the attackers moved quickly. Funds were withdrawn in UGX 19.5 million tranches, just under the daily reporting threshold, from bank branches in Jinja, Mbale, and Masaka.
From there, large portions were moved to mobile money wallets registered to boda boda riders, market vendors, and even a retired primary school teacher in Soroti who later told investigators he “was only keeping the money for a friend.”
A smaller chunk was converted to USD through informal forex traders in Kikuubo, with some of it later traced to Dubai-based electronics suppliers.
The red flags that were missed
The company had procedures that could have caught the breach, but they were ignored in practice:
- Supplier account changes were supposed to require direct phone verification with the supplier. No one made the call.
- Multi-factor authentication was configured but disabled for “convenience” for staff logging in from home.
- Vendor portal clean-up had not been done for over 18 months, meaning dormant accounts were still active.
The catch
The fraud might have gone unnoticed for weeks if not for the external auditor conducting a quarterly payment review. While sampling transactions, the auditor noticed that three suppliers who had been paid in February had no corresponding goods received entries in the warehouse management system.
He phoned one of the suppliers directly. They confirmed they had not received any payment in February and were still awaiting settlement for January invoices.
That call triggered an emergency escalation to the audit committee, which contacted Summit Consulting for an urgent forensic investigation.
Our forensic team started by isolating the finance officer’s computer. The RAT was still active, connecting to a command-and-control server in Mombasa. Tracing the server’s activity logs revealed multiple login sessions from IP addresses in Kampala, Jinja, and Nairobi.
Next, we reviewed the ERP logs. The altered payment details were entered using the finance officer’s credentials, but at times when she was physically out of the building, as confirmed by building access records.
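The cross-check the forensic team performed here, credential use in the ERP while badge records place the account holder off-site, can be run continuously rather than after the fact. The code below is an added example, not Summit Consulting’s tooling or the company’s ERP: it parses a constructed ERP audit trail and a constructed badge log (invented user IDs, timestamps and a simple line format assumed here), reconstructs each user’s on-site state from ENTRY/EXIT swipes, and flags sensitive changes made while the user was off-site.

```python
"""Correlate ERP change events with building access (badge) records.

Added example illustrating the cross-check described in the investigation;
it is not Summit Consulting's tooling. Both logs below are constructed,
with invented user IDs and timestamps, in a simple line format assumed here.
"""
from datetime import datetime

# Constructed ERP audit trail: who changed what, and when.
ERP_LOG = """
2024-02-13T10:15:33 user=fofficer action=CREATE_BATCH batch=PB-0213
2024-02-13T12:58:41 user=fofficer action=UPDATE_BENEFICIARY_ACCOUNT batch=PB-0213 supplier=SUP-04
2024-02-13T13:02:11 user=fofficer action=UPDATE_BENEFICIARY_ACCOUNT batch=PB-0213 supplier=SUP-09
2024-02-13T13:06:27 user=fofficer action=UPDATE_BENEFICIARY_ACCOUNT batch=PB-0213 supplier=SUP-17
2024-02-13T14:20:00 user=jmanager action=APPROVE_BATCH batch=PB-0213
""".strip().splitlines()

# Constructed badge log: ENTRY/EXIT swipes per user.
BADGE_LOG = """
2024-02-13T08:02:10 fofficer ENTRY
2024-02-13T12:31:05 fofficer EXIT
2024-02-13T13:40:50 fofficer ENTRY
2024-02-13T17:05:12 fofficer EXIT
""".strip().splitlines()

# Actions worth correlating with physical presence.
SENSITIVE_ACTIONS = {"UPDATE_BENEFICIARY_ACCOUNT", "APPROVE_BATCH"}


def parse_erp(lines):
    """Turn 'ts key=value ...' lines into dicts with a parsed 'ts' datetime."""
    events = []
    for line in lines:
        ts, *fields = line.split()
        event = dict(f.split("=", 1) for f in fields)
        event["ts"] = datetime.fromisoformat(ts)
        events.append(event)
    return events


def parse_badge(lines):
    """Group swipes by user as sorted (timestamp, 'ENTRY'|'EXIT') tuples."""
    swipes = {}
    for line in lines:
        ts, user, kind = line.split()
        swipes.setdefault(user, []).append((datetime.fromisoformat(ts), kind))
    for user in swipes:
        swipes[user].sort()
    return swipes


def on_site(swipes, user, ts):
    """True if the last swipe before ts was an ENTRY, False if an EXIT,
    None if no swipe precedes ts or the user has no badge records at all."""
    state = None
    for swipe_ts, kind in swipes.get(user, []):
        if swipe_ts > ts:
            break
        state = kind == "ENTRY"
    return state


def offsite_changes(erp_lines, badge_lines, sensitive=SENSITIVE_ACTIONS):
    """Return sensitive ERP events made under a user's credentials while the
    badge records show that user off-site. Events with unknown presence
    (no badge data) are not flagged here; they merit a separate review list."""
    swipes = parse_badge(badge_lines)
    flagged = []
    for ev in parse_erp(erp_lines):
        if ev["action"] not in sensitive:
            continue
        if on_site(swipes, ev["user"], ev["ts"]) is False:
            flagged.append(ev)
    return flagged


if __name__ == "__main__":
    for ev in offsite_changes(ERP_LOG, BADGE_LOG):
        print(f"{ev['ts']} {ev['user']} {ev['action']} supplier={ev.get('supplier')} while OFF-SITE")
```

In the constructed data the three beneficiary changes fall inside the officer’s EXIT-to-ENTRY gap and are flagged; the manager’s approval is not, because that user has no badge records, which is exactly the kind of gap a real deployment should surface as “presence unknown” rather than silently pass.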
The real breakthrough came from bank withdrawal CCTV footage. The same individual, later identified as Suspect 2, was captured making multiple withdrawals across different branches, often wearing different caps and jackets to avoid detection.
Cross-referencing mobile money records revealed a web of linked numbers, all ultimately tied to SIM cards purchased in bulk by an agent in Mukono who knew Suspect 1 personally.
The failed controls
This case was not about the absence of controls; it was about a culture that treated them as optional:
- Process discipline was poor. Controls that looked robust on paper were routinely bypassed for speed.
- Board oversight treated cybersecurity as an IT cost centre, not a core business risk.
- Access rights for ex-staff were not revoked promptly, allowing insiders to retain system visibility.
- Incident detection was reactive, dependent on external audits, not continuous monitoring.
The confirmed loss was UGX 890 million. The company’s cyber insurance claim was rejected because the breach resulted from policy violations, specifically disabling MFA and failing to verify supplier account changes.
Summit Consulting’s post-mortem recommendations included:
- Enforcing MFA for all financial systems without exception
- Immediate deactivation of all access rights upon staff exit
- Quarterly supplier account verification by an independent team
- Continuous phishing simulations to harden staff against social engineering attacks
- Real-time payment anomaly detection integrated with ERP and bank platforms
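Two of these recommendations, supplier account verification and payment anomaly detection tied to the ERP, reduce to checks that can run on every batch before it reaches an approver. The following is an added example of such a pre-release screen, not the company’s ERP logic or Summit Consulting’s tooling: it holds any payment whose beneficiary account differs from the supplier master record, whose supplier’s bank details changed recently without a recorded call-back verification, or whose invoice has no goods-received record (the very mismatch the external auditor caught). The supplier master data, payment batch, goods-received notes and field names are all constructed.

```python
"""Pre-release checks for a supplier payment batch.

Added example of the supplier-verification and anomaly-detection controls
the case recommends; it is not the company's ERP logic or Summit Consulting's
tooling. Supplier master data, the payment batch, goods-received records and
the field names are all constructed for illustration.
"""
from datetime import date, timedelta

# Constructed supplier master file: current account, when the bank details
# last changed, and whether that change was confirmed by a call-back to a
# phone number already on file (not one supplied in the change request).
SUPPLIER_MASTER = {
    "SUP-04": {"account": "UG11-000123", "account_changed_on": date(2023, 6, 2),  "callback_verified": True},
    "SUP-09": {"account": "UG11-000777", "account_changed_on": date(2024, 2, 12), "callback_verified": False},
    "SUP-17": {"account": "UG11-000456", "account_changed_on": date(2024, 1, 30), "callback_verified": True},
}

# Constructed goods-received notes, keyed by invoice number.
GOODS_RECEIVED = {"INV-1001", "INV-1003"}

# Constructed payment batch as prepared for approval.
PAYMENT_BATCH = [
    {"id": "P-1", "supplier": "SUP-04", "invoice": "INV-1001", "account": "UG11-000123", "amount_ugx": 120_000_000},
    {"id": "P-2", "supplier": "SUP-09", "invoice": "INV-1002", "account": "UG11-000777", "amount_ugx": 300_000_000},
    {"id": "P-3", "supplier": "SUP-17", "invoice": "INV-1003", "account": "UG11-999999", "amount_ugx": 470_000_000},
]

# A bank-details change younger than this needs a recorded call-back before payment.
RECENT_CHANGE_WINDOW = timedelta(days=30)


def check_payment(payment, master, goods_received, today, window=RECENT_CHANGE_WINDOW):
    """Return ('RELEASE', []) or ('HOLD', [reasons]) for one payment line."""
    reasons = []
    supplier = master.get(payment["supplier"])
    if supplier is None:
        reasons.append("supplier not in master file")
    else:
        if payment["account"] != supplier["account"]:
            reasons.append("beneficiary account differs from supplier master")
        if today - supplier["account_changed_on"] <= window and not supplier["callback_verified"]:
            reasons.append("bank details changed recently without call-back verification")
    if payment["invoice"] not in goods_received:
        reasons.append("no goods-received record for invoice")
    return ("HOLD" if reasons else "RELEASE"), reasons


def screen_batch(batch, master=SUPPLIER_MASTER, goods_received=GOODS_RECEIVED, today=date(2024, 2, 13)):
    """Screen every payment in a batch; returns {payment_id: (decision, reasons)}."""
    return {p["id"]: check_payment(p, master, goods_received, today) for p in batch}


if __name__ == "__main__":
    for pid, (decision, reasons) in screen_batch(PAYMENT_BATCH).items():
        print(pid, decision, "; ".join(reasons) or "all checks passed")
```

The screen is deliberately conservative: a held payment costs a phone call, whereas a released one that should have been held is unrecoverable once withdrawn, as the case shows. Running it as a gate between batch preparation and approval also means a beneficiary substituted after the batch was prepared fails the master-record comparison regardless of whose credentials made the change.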
The boardroom reality check
The most dangerous misconception we encounter in Ugandan boardrooms is the belief that cyber risk is a “technology problem.” It is not. It is a business continuity risk. It can erase profit margins, destroy customer trust, and invite regulatory penalties in a single morning.
This company’s loss was not due to advanced hacking techniques. It was due to human complacency, weak process discipline, and leadership’s failure to see cyber resilience as strategic.
The next time you approve your IT budget without asking for a direct mapping to business risk mitigation, remember: it only takes one unverified click to write off your quarterly earnings.