Fraud Management – Institute of Forensics & ICT security
https://forensicsinstitute.org

Developing a Comprehensive Risk Management Process
https://forensicsinstitute.org/developing-a-comprehensive-risk-management-process/
Wed, 24 Sep 2025 08:46:13 +0000

A common definition of risk is an uncertain event that may occur and have a positive or negative impact on a company’s or organization’s goals. The potential for a risk to have a positive or negative effect is an important concept. Why? Because it is natural to fall into the trap of thinking that risks have inherently negative effects. If you are also open to those risks that create positive opportunities, you can make your project smarter, streamlined, and more profitable. Think of the adage “Accept the inevitable and turn it to your advantage.” That is what you do when you mine project risks to create opportunities.

Uncertainty is at the heart of risk. You may be unsure if an event is likely to occur or not. Also, you may be uncertain what its consequences would be if it did occur. Likelihood, which is the probability of an event occurring, and consequence, that is, the impact or outcome of an event, are the two components that characterize the magnitude of the risk.

All risk management processes follow the same basic steps, although sometimes different jargon is used to describe these steps. Together, these 5 risk management process steps combine to deliver a simple and effective risk management process.

  • Identify the Risk. You and your team uncover, recognize, and describe risks that might affect your project or its outcomes. There are a number of techniques you can use to find project risks. During this step, you start to prepare your Project Risk Register.
  • Analyze the risk. Once risks are identified, you determine the likelihood and consequences of each risk. You develop an understanding of the nature of the risk and its potential to affect project goals and objectives. This information is also input to your Project Risk Register.
  • Evaluate or Rank the Risk. You evaluate or rank the risk by determining the risk magnitude, which is the combination of likelihood and consequence. You make decisions about whether the risk is acceptable or whether it is serious enough to warrant treatment. These risk rankings are also added to your Project Risk Register.
  • Treat the Risk. This is also referred to as Risk Response Planning. During this step, you assess your highest-ranked risks and set out a plan to treat or modify these risks to achieve acceptable risk levels. How can you minimize the probability of the negative risks while enhancing the opportunities? You create risk mitigation strategies, preventive plans, and contingency plans in this step. And you add the risk treatment measures for the highest ranking or most serious risks to your Project Risk Register.
  • Monitor and review the risk. This is the step where you take your Project Risk Register and use it to monitor, track, and review risks.

Risk is about uncertainty. If you put a framework around that uncertainty, then you effectively de-risk your project. And that means you can move much more confidently to achieve your project goals. By identifying and managing a comprehensive list of project risks, unpleasant surprises and barriers can be reduced and golden opportunities discovered. The risk management process also helps to resolve problems when they occur, because those problems have been envisaged, and plans to treat them have already been developed and agreed upon. You avoid impulsive reactions and going into “fire-fighting” mode to rectify problems that could have been anticipated. This makes for happier, less-stressed project teams and stakeholders. The result is that you minimize the impacts of project threats and capture the opportunities that occur.

For busy professionals who need to meet continuing professional development requirements and boost their career opportunities, our online courses provide a flexible and cost-effective way to achieve this by providing anywhere, anytime access and a supportive online community. Continuing Professional Development offers a series of online project management courses to advance your project management skills and your career. The Institute of Forensics and ICT Security will give you the practical skills to develop a comprehensive risk management process. You can find us at Ntinda complex, opposite St. Luke’s church, Ntinda.

Boardroom briefing: what every executive must know about cyber risk
https://forensicsinstitute.org/boardroom-briefing-what-every-executive-must-know-about-cyber-risk/
Wed, 20 Aug 2025 08:07:45 +0000

The Tuesday morning breach

On Tuesday, 13th February 2024, at exactly 9:18 a.m., a finance officer at a local SME clicked on an email link that looked routine, a “payment confirmation” from a well-known shipping partner. The email address matched the supplier’s almost perfectly, except for one barely noticeable swapped character.

When the officer clicked the link, nothing seemed to happen. The email closed. She carried on with her morning.

By 11:47 a.m., the attackers were inside the company’s enterprise resource planning (ERP) system. By 1:15 p.m., three supplier payment instructions had been altered, directing UGX 890 million to accounts that did not belong to any supplier the company had ever dealt with.

It took less than four hours for the company to lose what amounted to almost two months of operating profit, and not a single firewall alert or antivirus pop-up warned them.

The internal blame game

When the loss was discovered two days later, the board was called for an emergency session. The meeting quickly descended into an accusatory free-for-all.

The Chief Information Officer insisted this was a “sophisticated, targeted attack”, something no reasonable security system could have stopped. The Finance Director countered that the breach was possible only because IT had failed to disable old vendor portals and user accounts.

The CEO looked visibly shaken. The company had spent UGX 420 million the previous year on “cybersecurity upgrades,” complete with glossy board reports and vendor presentations about “world-class defenses.” Now, they were staring at a catastrophic failure.

Summit Consulting Ltd was called in with one directive: establish exactly how this happened, identify the internal and external actors, and advise how to ensure it never happens again.

How the scheme was engineered

a) The inside knowledge

Suspect 1, a former procurement officer, had been laid off in a cost-cutting exercise the previous year. He left bitter and broke, but with an intimate knowledge of the company’s supplier payment cycles, approval hierarchies, and cyber hygiene weaknesses.

Suspect 2, a small-time tech “consultant” with connections to cybercrime syndicates in Nairobi, became Suspect 1’s partner. Together, they designed a social engineering attack that would look completely legitimate to anyone inside the company.

b) The phishing bait

They registered a domain name one letter off from the shipping partner’s actual domain, then sent an email to the finance officer who handled most high-value transfers. The email referenced real shipment numbers, cargo descriptions, and delivery dates, information stolen months earlier when Suspect 1 downloaded supplier correspondence before leaving.

The link in the email wasn’t a document. It was a malicious script that installed a remote access tool (RAT) on the officer’s computer, giving the attackers full visibility of her emails and the ERP interface.

c) Altering the payment trail

Over the next week, the attackers observed the finance officer’s daily activity, noting the time she logged in, when payment batches were prepared, and which managers approved them.

On 13th February, just after she prepared a payment batch for three overseas suppliers, the attackers logged in remotely, intercepted the batch before final approval, and replaced the bank account numbers with accounts under their control.

These accounts were registered in the names of shell companies created barely a month earlier, using forged incorporation papers and fake national IDs.

d) Cashing out

Once the payments landed, the attackers moved quickly. Funds were withdrawn in UGX 19.5 million tranches, just under the daily reporting threshold, from bank branches in Jinja, Mbale, and Masaka.

From there, large portions were moved to mobile money wallets registered to boda boda riders, market vendors, and even a retired primary school teacher in Soroti who later told investigators he “was only keeping the money for a friend.”

A smaller chunk was converted to USD through informal forex traders in Kikuubo, with some of it later traced to Dubai-based electronics suppliers.

The red flags that were missed

The company had procedures that could have caught the breach, but they were ignored in practice:

  • Supplier account changes were supposed to require direct phone verification with the supplier. No one made the call.
  • Multi-factor authentication was configured but disabled for “convenience” for staff logging in from home.
  • Vendor portal clean-up had not been done for over 18 months, meaning dormant accounts were still active.

The catch

The fraud might have gone unnoticed for weeks if not for the external auditor conducting a quarterly payment review. While sampling transactions, the auditor noticed that three suppliers who had been paid in February had no corresponding goods received entries in the warehouse management system.

He phoned one of the suppliers directly. They confirmed they had not received any payment in February and were still awaiting settlement for January invoices.

That call triggered an emergency escalation to the audit committee, which contacted Summit Consulting for an urgent forensic investigation.

Our forensic team started by isolating the finance officer’s computer. The RAT was still active, connecting to a command-and-control server in Mombasa. Tracing the server’s activity logs revealed multiple login sessions from IP addresses in Kampala, Jinja, and Nairobi.

Next, we reviewed the ERP logs. The altered payment details were entered using the finance officer’s credentials, but at times when she was physically logged out, confirmed by building access records.

The real breakthrough came from bank withdrawal CCTV footage. The same individual, later identified as Suspect 2, was captured making multiple withdrawals across different branches, often wearing different caps and jackets to avoid detection.

Cross-referencing mobile money records revealed a web of linked numbers, all ultimately tied to SIM cards purchased in bulk by an agent in Mukono who knew Suspect 1 personally.

The failed controls

This case was not about the absence of controls; it was about a culture that treated them as optional:

  • Process discipline was poor. Controls that looked robust on paper were routinely bypassed for speed.
  • Board oversight treated cybersecurity as an IT cost centre, not a core business risk.
  • Access rights for ex-staff were not revoked promptly, allowing insiders to retain system visibility.
  • Incident detection was reactive, dependent on external audits, not continuous monitoring.

The confirmed loss was UGX 890 million. The company’s cyber insurance claim was rejected because the breach resulted from policy violations, specifically, disabling MFA and failing to verify supplier account changes.

Summit Consulting’s post-mortem recommendations included:

  • Enforcing MFA for all financial systems without exception
  • Immediate deactivation of all access rights upon staff exit
  • Quarterly supplier account verification by an independent team
  • Continuous phishing simulations to harden staff against social engineering attacks
  • Real-time payment anomaly detection integrated with ERP and bank platforms
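
The controls this case shows being skipped (the supplier callback, the ERP edit made while the officer was out of the building, payments with no goods received entry) can all be checked before a batch is released. The sketch below is an added illustration, not code from the article or from Summit Consulting; every record layout, identifier, timestamp and amount in it is a constructed assumption.

```python
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Payment:
    payment_id: str
    supplier_id: str
    invoice_no: str
    beneficiary_account: str
    amount_ugx: int
    last_edited_by: str       # ERP user whose credentials made the last edit
    last_edited_at: datetime  # timestamp of that edit from the ERP audit log


def on_site(user, when, presence):
    """True if `when` falls inside one of the user's badge-in/badge-out windows."""
    return any(start <= when <= end for start, end in presence.get(user, []))


def review_payment(p, vendor_master, callbacks, presence, goods_received):
    """Return the list of red flags for one payment (empty list = release)."""
    flags = []
    # Beneficiary account differs from the vendor master and nobody phoned
    # the supplier to confirm the new account.
    changed = vendor_master.get(p.supplier_id) != p.beneficiary_account
    if changed and (p.supplier_id, p.beneficiary_account) not in callbacks:
        flags.append("UNVERIFIED_ACCOUNT_CHANGE")
    # The edit was made with the user's credentials while building access
    # records say the user was not present.
    if not on_site(p.last_edited_by, p.last_edited_at, presence):
        flags.append("EDITED_WHILE_USER_ABSENT")
    # No goods received entry in the warehouse system for the invoice paid.
    if p.invoice_no not in goods_received:
        flags.append("NO_GOODS_RECEIVED_ENTRY")
    return flags


def review_batch(batch, vendor_master, callbacks, presence, goods_received):
    """Map payment_id -> flags for every payment that must be held."""
    held = {}
    for p in batch:
        flags = review_payment(p, vendor_master, callbacks, presence, goods_received)
        if flags:
            held[p.payment_id] = flags
    return held


def at(hour, minute):
    """Constructed sample day; the date and times are illustrative only."""
    return datetime(2024, 2, 13, hour, minute)


# --- Constructed sample data (not taken from the case file) ---
VENDOR_MASTER = {"SUP-01": "ACC-1001", "SUP-02": "ACC-2002", "SUP-03": "ACC-3003"}
CALLBACKS = {("SUP-03", "ACC-3999")}  # account change confirmed by phone
PRESENCE = {"finance.officer": [(at(8, 30), at(12, 30))]}
GOODS_RECEIVED = {"INV-101", "INV-303"}
BATCH = [
    Payment("PAY-001", "SUP-01", "INV-101", "ACC-1001", 150_000_000,
            "finance.officer", at(9, 40)),
    Payment("PAY-002", "SUP-02", "INV-202", "ACC-9090", 300_000_000,
            "finance.officer", at(13, 15)),
    Payment("PAY-003", "SUP-03", "INV-303", "ACC-3999", 120_000_000,
            "finance.officer", at(10, 5)),
]


def sample_run():
    return review_batch(BATCH, VENDOR_MASTER, CALLBACKS, PRESENCE, GOODS_RECEIVED)


if __name__ == "__main__":
    for payment_id, flags in sample_run().items():
        print(payment_id, "HOLD:", ", ".join(flags))
```

Only PAY-002 is held: its account change has no callback on record, the edit falls outside the officer's badge window, and the invoice has no goods received entry.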

The boardroom reality check

The most dangerous misconception we encounter in Ugandan boardrooms is the belief that cyber risk is a “technology problem.” It is not. It is a business continuity risk. It can erase profit margins, destroy customer trust, and invite regulatory penalties in a single morning.

This company’s loss was not due to advanced hacking techniques. It was due to human complacency, weak process discipline, and leadership’s failure to see cyber resilience as strategic.

The next time you approve your IT budget without asking for a direct mapping to business risk mitigation, remember: it only takes one unverified click to write off your quarterly earnings.

Risk appetite vs. risk blindness: Striking the right balance
https://forensicsinstitute.org/risk-appetite-vs-risk-blindness-striking-the-right-balance/
Wed, 20 Aug 2025 08:04:02 +0000

On 4th September 2023, leaders at the agribusiness cooperative approved a UGX 280 million loan to a long-standing distribution partner. The justification was simple: the partner had been with them for 11 years, always paid on time, and was “part of the family.”

The loan committee barely glanced at the due diligence report. The risk appetite for such lending was generous; in fact, the board often praised management for “trusting our partners” instead of “wasting time with too many checks and balances.”

By December, the partner had defaulted. Attempts to trace the funds revealed something chilling: the money hadn’t gone into expanding distribution capacity. It had vanished into a coordinated fraud scheme that had been set up months before.

What looked like an act of business generosity was, in reality, a textbook case of risk blindness, the point where an organization’s tolerance for risk turns into an inability to see it at all.

Summit Consulting Ltd was brought in after a junior accountant, frustrated by the lack of progress in recovering the debt, sent an anonymous tip to the board chair: “You need to look inside, not outside.”

The boardroom split

When we arrived, the leadership was sharply divided. The CEO and a few directors insisted this was just a “business risk gone wrong”, a bad loan, nothing more. Others, particularly the audit committee, suspected internal collusion.

The tension was almost physical in that boardroom. On one side, senior executives were defending their decision-making; on the other, internal audit and compliance officers were insisting the loss was avoidable.

The phrase “risk appetite” was being thrown around like a shield. But as we dug deeper, it became clear this wasn’t about appetite; it was about blindness.

How the scheme was engineered

a) The perfect storm of trust and process gaps

Suspect 1, the cooperative’s head of credit, had been with the organization for over a decade. Known for his “relationship management skills,” he often skipped formal vetting for long-time partners, arguing it was a waste of resources.

Suspect 2, the director of the distribution partner, had deep personal ties to Suspect 1. Their families had attended weddings together, and they were co-investors in a small real estate venture in Mukono.

When Suspect 2 proposed the UGX 280 million “expansion loan,” Suspect 1 bypassed several standard steps: no updated credit risk assessment, no collateral verification, and no cash flow projections. Instead, he prepared a glowing internal memo recommending immediate approval.

b) The paper trail illusion

The loan documentation was immaculate: contracts signed, disbursement schedules approved, and even bank guarantees attached. But the guarantees were forged. The “issuing bank” stamp was a near-perfect imitation, created by a contact of Suspect 2 in Kampala’s backstreet printing trade.

c) Moving the money

Once disbursed, the UGX 280 million moved fast. Within 24 hours, UGX 50 million was withdrawn in cash at a bank branch in Jinja. The withdrawals were made in tranches of UGX 9.9 million to stay under reporting thresholds.

From there, the cash was split into three channels:

  • UGX 120 million was converted into USD through forex dealers in Kikuubo and sent to a Dubai-based electronics supplier, payment for high-end gadgets that would later be sold locally for cash.
  • UGX 80 million was sent via mobile money to 14 different numbers registered under various names, then withdrawn in rural districts in Busoga to avoid detection.
  • UGX 30 million went directly into Suspect 1’s real estate project account in Mukono, disguised as “investor contributions.”

The red flags that should have sounded the alarm

A basic risk review would have caught several glaring anomalies:

  • The borrower’s financial statements were six months out of date.
  • The collateral offered, a warehouse in Iganga, was already mortgaged to another lender.
  • The bank guarantee was printed on paper stock not used by the alleged issuing bank.

But in a culture of “we know our partners,” these red flags never made it to the decision table.

How the auditor spotted the cracks

Ironically, the fraud wasn’t discovered by the risk team. It was uncovered by an external auditor reviewing year-end loan classifications. The auditor noticed that the loan had been disbursed without any updated credit scoring, contrary to the cooperative’s lending policy.

Digging further, the auditor found that the loan approval memo came exclusively from Suspect 1, with no evidence of independent review. This triggered a direct report to the board’s audit committee, which in turn called in Summit Consulting.

Our first step was to follow the money. We obtained court orders for bank statements, mobile money transaction histories, and forex dealer records.

The forex trail led us to a warehouse in Nakulabye, where electronics worth an estimated UGX 140 million were stored, goods imported from Dubai using the diverted funds.

The mobile money trail was more complex. The SIM cards used were registered in the names of boda boda riders, market vendors, and even deceased individuals, classic “layering” to make tracing harder. But cross-referencing withdrawal points with CCTV footage revealed that the same two individuals collected most of the cash: Suspect 2’s younger brother and a former cooperative cashier who had resigned two years earlier.

The smoking gun was the UGX 30 million “investment” into Suspect 1’s property project. Bank records showed the money entering his account just days after the loan disbursement.

The internal controls that failed

This wasn’t just a case of a bad actor. It was a failure of governance and risk oversight:

  • Risk appetite misunderstood: The board allowed high-trust relationships to bypass established due diligence.
  • Segregation of duties ignored: Suspect 1 could recommend, approve, and oversee disbursement without independent checks.
  • Collateral verification absent: No site visits or title searches were conducted.
  • No post-disbursement monitoring: The cooperative never tracked whether funds were used for their stated purpose.

The total confirmed loss was UGX 280 million. Recovery efforts through asset seizures are ongoing, but early indications suggest that less than 40% will be recovered.

The cooperative has since suspended Suspect 1, terminated the partner relationship, and overhauled its credit policies. Summit Consulting has implemented new risk controls, including:

  • Independent verification of all collateral
  • Dual approval for all loans above UGX 50 million
  • Quarterly partner reviews, even for long-standing clients
  • Mandatory risk training for all loan officers

Risk appetite is about knowing how much risk you are willing to take, with eyes wide open. Risk blindness is when you walk into danger convinced it can’t harm you because you’ve been safe before.

In this case, years of trouble-free dealings created a dangerous complacency. Internal controls were seen as optional for “trusted” partners. That misplaced trust cost the cooperative nearly a third of its annual profit.

In Uganda’s fast-growing but trust-heavy business culture, this is not an isolated case. It’s a warning: your biggest losses will not come from risks you accept knowingly, but from the ones you never bother to see.

Cyber risk is business risk: Time to treat it that way
https://forensicsinstitute.org/cyber-risk-is-business-risk-time-to-treat-it-that-way/
Wed, 20 Aug 2025 07:32:35 +0000

At 10:42 a.m. on Thursday, 18th January 2024, the operations manager of a large regional logistics company opened an email that appeared to come from their insurance partner. The subject line read: “Renewal Quotation for 2024 Coverage – Urgent Action Required.”

It looked legitimate: company logo, polite language, even the signature of a contact he had dealt with before. He clicked the PDF attachment. Nothing opened. He shrugged and moved on with his day.

What he didn’t know was that in that single click, he had just given a group of cybercriminals full access to his company’s internal systems.

By 3:00 p.m., their accounts payable ledger was being silently altered. Payment instructions for three major suppliers had been replaced with bank details controlled by the attackers. By 6:00 p.m., UGX 640 million had been approved for payment to accounts that had nothing to do with their suppliers.

This wasn’t a case of a “clever hacker in a hoodie” somewhere abroad. This was a calculated cyber-enabled fraud with local fingerprints all over it.

When the breach was discovered two days later, the boardroom turned into a war zone. The IT manager insisted this was an unavoidable “zero-day” cyberattack, a once-in-a-lifetime breach that no one could have prevented. The finance director wasn’t buying it. She believed the problem was weak internal processes and careless staff, not sophisticated hackers.

Tensions rose because the company had spent over UGX 500 million in the past two years on “cybersecurity upgrades.” Now, they were facing a multimillion-shilling loss and public embarrassment.

Summit Consulting Ltd’s iShield360 Cybersecurity was called in with one instruction: find out exactly how the breach happened, who was involved, and whether it could have been prevented.

How the scheme was engineered

a) Reconnaissance

Suspect 1, a disgruntled former IT officer, had left the company the previous year after a bitter dispute over unpaid overtime. He knew exactly which systems were vulnerable, who approved payments, and how poorly the staff were trained on phishing threats.

Suspect 2, an outsider posing as a “cyber consultant”, was the connector. He had relationships in both the hacking underground and Uganda’s informal financial channels. He set up a fake email domain almost identical to the company’s insurance partner and created an email thread that looked like an ongoing conversation.

b) The phishing hook

The email to the operations manager was crafted with details only an insider could know: supplier names, past invoice numbers, and even the exact insurance renewal date. All this came from internal documents that Suspect 1 had downloaded before leaving.

The PDF wasn’t a PDF at all; it was a malicious file that installed a remote access tool (RAT) on the operations manager’s computer, giving the attackers control over his email and access to the accounts payable system.

c) The payment diversion

Once inside, the attackers didn’t rush. They monitored email traffic for weeks, studying the payment cycles. On the third Friday of January, they struck.

They replaced bank details in three high-value supplier payment instructions. These new accounts were opened in the names of shell companies, registered in Kampala just weeks earlier, with directors who were paid by street vendors, people who would never be questioned if they disappeared.

The bank accounts were in three different banks to avoid triggering automated fraud detection. Once the money hit, it was withdrawn in cash in amounts just under UGX 20 million per transaction, spread across multiple branches and ATMs.

Mobile money then came into play. The cash was deposited into dozens of SIM cards registered to boda boda riders and market vendors in Kisekka Market. From there, it was either withdrawn in rural districts or converted into USD on Kampala’s informal forex circuit.

The red flags that were missed

The finance team failed to notice that the supplier bank details had changed, a classic red flag. The payment approval system didn’t require a callback to the supplier to confirm new account numbers.

The IT department never disabled the ex-employee accounts in all systems. Even worse, password policies were so weak that some accounts still used variations of “CompanyName@2022” as their login credentials.

Staff had undergone a “cybersecurity awareness” training the year before, but it was a two-hour PowerPoint session with no simulations or follow-up.

How the auditor connected the dots

The breach only came to light because the company’s external auditor spotted an anomaly during their quarterly review. They noticed that three supplier accounts showed zero activity since the payments were made: no goods received, no follow-up invoices, nothing.

They called one of the suppliers directly. The supplier confirmed they had not received payment for the January invoices and were on the verge of halting deliveries. That phone call triggered the emergency board meeting and our investigation.

Summit Consulting’s forensic team began by isolating the infected workstation. We found the RAT still active, connecting to a command-and-control server in Nairobi. That server, when traced, led to an IP address linked to a small cybercafé, one that had been closed for months. It was a relay.

We then analyzed email metadata. The phishing email had been sent from a domain differing from the genuine supplier’s by just one character. Cross-referencing registration details with company records revealed that the domain was purchased using an email address previously used by Suspect 1.

The real breakthrough came from following the money. While most withdrawals were in cash, one shell company account made a UGX 9.8 million mobile money transfer to a number registered to Suspect 2’s cousin. That cousin claimed he “was just asked to keep the money for a friend.”

From there, the mobile money transaction history gave us a spider web of payments, all leading back to Suspect 1’s known associates.
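
The one-character domain difference found in the email metadata here, and the "one letter off" domain in the boardroom briefing case above, can be caught at the mail gateway by comparing each sender domain with the list of known partner domains. This is an added example, not the investigators' tooling; the domains and addresses are constructed, and treating a single edit as a lookalike is an assumed threshold.

```python
from email.utils import parseaddr


def osa_distance(a, b):
    """Optimal string alignment distance.

    Counts insertions, deletions, substitutions and swaps of two adjacent
    characters, so both a replaced letter and a swapped pair cost 1.
    """
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i] + [0] * len(b)
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            cur[j] = min(prev[j] + 1,         # deletion
                         cur[j - 1] + 1,      # insertion
                         prev[j - 1] + cost)  # substitution or match
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                cur[j] = min(cur[j], prev2[j - 2] + 1)  # adjacent swap
        prev2, prev = prev, cur
    return prev[len(b)]


def sender_domain(from_header):
    """Lower-cased domain part of a From header, or '' if there is none."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return ""
    return addr.rpartition("@")[2].lower().rstrip(".")


def classify_sender(from_header, trusted_domains, max_distance=1):
    """Return (verdict, nearest_trusted_domain).

    verdict is 'trusted' for an exact match, 'lookalike' when the domain is
    within max_distance edits of a trusted domain, otherwise 'unknown'.
    The whole domain after '@' is compared, subdomains included.
    """
    domain = sender_domain(from_header)
    if not domain:
        return ("unknown", None)
    if domain in trusted_domains:
        return ("trusted", domain)
    best = min(trusted_domains, key=lambda t: osa_distance(domain, t))
    if osa_distance(domain, best) <= max_distance:
        return ("lookalike", best)
    return ("unknown", None)


# --- Constructed sample data: partner domains under the reserved .example TLD ---
TRUSTED_DOMAINS = {"kilimanjaro-freight.example", "lakeside-insurance.example"}
SAMPLE_HEADERS = [
    "Accounts <accounts@kilimanjaro-freight.example>",   # genuine
    "Accounts <accounts@kilimanjaro-frieght.example>",   # two letters swapped
    "Renewals <renewals@lakeside-insurance.example>",    # genuine
    "Renewals <renewals@lakeside-lnsurance.example>",    # i replaced by l
    "Billing <billing@unrelated-vendor.example>",        # simply not a partner
]


def sample_run():
    return [classify_sender(h, TRUSTED_DOMAINS) for h in SAMPLE_HEADERS]


if __name__ == "__main__":
    for header, (verdict, nearest) in zip(SAMPLE_HEADERS, sample_run()):
        print(f"{verdict:9} {header}  (nearest: {nearest})")
```

A "lookalike" verdict is a reason to quarantine the message and confirm the sender through a known phone number before any payment detail is acted on.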

Which controls lapsed?

This case was not just about a clever cyberattack. It was about leadership failing to treat cyber risk as a business risk.

  • Access controls were weak. Former employees could still log into critical systems.
  • Supplier payment verification was nonexistent.
  • Cyber awareness was box-ticking, not culture-changing.
  • Incident detection relied entirely on external auditors, not real-time monitoring.

The confirmed loss stood at UGX 640 million. Insurance coverage was denied because the company had failed to follow its IT security policy, a clause buried in the fine print.

The board has since overhauled its cybersecurity governance, with Summit Consulting leading the redesign of controls. Measures now include multi-factor authentication for all systems, mandatory supplier callback verification, quarterly phishing simulations, and automated account deactivation for staff exits.

But the scars remain. One senior manager told me privately, “We thought cybersecurity was an IT cost. Now we know it’s a survival cost.”

Cyber risk is not about firewalls, software, or clever jargon. It’s about understanding that your data, payment systems, and operational continuity are now as critical as your physical assets.

The attackers in this case didn’t break into the company’s servers by force; they walked in through a single click, armed with insider knowledge, and exploited processes that were never designed for today’s threats.

In Uganda’s corporate landscape, this is not an outlier. This is the new normal. If your board still treats cyber risk as a quarterly “IT update” instead of a standing agenda item, you’re already one breach away from your own January morning disaster.

Third-party risks: Your weakest link could be your supplier
https://forensicsinstitute.org/third-party-risks-your-weakest-link-could-be-your-supplier/
Wed, 20 Aug 2025 07:24:15 +0000

On a Tuesday morning in March 2024, a procurement officer at a mid-sized local manufacturing company approved what looked like a routine payment to a long-time supplier of spare parts. The supplier had been with the company for over 12 years. Their trucks were a regular sight at the plant gates in Namanve. On paper, the relationship was solid, predictable, and “trustworthy.”

Two weeks later, the company’s finance manager noticed something odd: the same supplier had invoiced for an unusually high quantity of industrial bearings, all marked as “urgent replacements” for a breakdown that never happened. The amount? UGX 480 million. The finance manager raised a cautious eyebrow but signed off. After all, the procurement team vouched for it.

What the company didn’t know was that this “routine” transaction was the final stage of a meticulously orchestrated fraud scheme that had been unfolding for months, not by outsiders, but with the willing hands of insiders.

Summit Consulting Ltd was brought in after the company’s board received an anonymous whistleblower email. The subject line was only three words: “Check your suppliers.”

The invisible war inside the company

By the time our investigation team arrived, the company’s leadership was split into two camps. One believed this was a supplier’s deception, a classic case of overbilling. The other suspected something darker: internal collusion.

This tension was palpable in the boardroom when I first met them. You could tell who was on which side by their body language. Procurement heads leaned forward aggressively, defending their processes. Finance people sat stiff, arms crossed, as if they’d been forced to attend a court hearing.

As a fraud investigator, I’ve learned that fraud thrives where relationships blur the line between professional and personal trust. And here, that line was so faint it was practically invisible.

How the scheme was engineered

a) The entry point

Suspect 1, a mid-level procurement officer, had been employed by the company for eight years. A quiet man, often described by colleagues as “the guy who never talks in meetings,” he was the perfect camouflage. His link to the supplier went beyond work. He grew up in the same village as the supplier’s operations manager, Suspect 2. Their families had shared meals, funerals, and even loan guarantees.

In late 2023, Suspect 2 approached Suspect 1 with an idea: create “ghost orders” for spare parts, mark them as urgent, and get them paid before anyone could question the need. In return, Suspect 1 would get a cut, discreetly handed over in cash after payment cleared.

b) The paperwork game

The fraud relied on manipulating the company’s procurement system. Every purchase request had to be justified with a “Breakdown Report” signed by maintenance. Suspect 1 convinced a junior maintenance supervisor, Suspect 3, to sign off on fake reports in exchange for a smaller payout. These reports listed machinery breakdowns in jargon so technical that most finance staff wouldn’t dare challenge them.

c) Moving the money

Once invoices were approved, payments were made directly to the supplier’s bank account. This was the legitimate part, but the supplier’s accounts officer would then withdraw large sums in cash over several days, breaking them into amounts under UGX 20 million to avoid triggering bank reporting thresholds.

From there, the cash moved through Uganda’s informal transport network. Motorbike couriers (“boda riders”) collected envelopes from the supplier’s office and delivered them to Suspect 1 in parking lots near supermarkets in Kyaliwajjala. Suspect 1 would then meet Suspect 3 and pass on their share.

Occasionally, to speed things up, mobile money was used, but never in amounts over UGX 5 million per transaction, and always sent through numbers registered in other people’s names.

The red flags the auditor caught

The scheme might have continued indefinitely if not for one anomaly spotted by the external auditor. While reviewing supplier payments, the auditor noticed that the “urgent” spare parts orders for bearings all fell on Fridays, and often in the last week of the month.

Digging deeper, they found that the quantities ordered were inconsistent with the plant’s production volume. Bearings of that size typically lasted 12 months, yet some were being “replaced” every two months.

The auditor quietly flagged this to the board chair, who immediately engaged Summit Consulting Ltd for a discreet investigation.

Our team began with supplier payment data from the past three years. Within days, patterns emerged. The suspicious invoices all originated from a narrow set of purchase request numbers, and all bore the digital signature of Suspect 1.

Next, we visited the supplier under the guise of conducting a “vendor performance review.” Their delivery records were sloppy, deliberately so. But we found GPS data from their delivery trucks showing no actual trips to the plant on the dates of the alleged urgent deliveries.

We then traced the cash withdrawals from the supplier’s bank. The timing matched exactly with payments from the manufacturing company. CCTV footage from the bank branch in Mukono captured the supplier’s accounts officer withdrawing the money, often accompanied by Suspect 2.

The final piece came from mobile money transaction logs. One phone number, registered in a woman’s name from Mbale, repeatedly received UGX 4.9 million in the days following these withdrawals. That number, we discovered, belonged to Suspect 1’s live-in girlfriend.

The internal controls that failed

The company’s internal controls were not just weak; they were actively bypassed through collusion.

  • Segregation of duties was compromised. Suspect 1 could both initiate purchase requests and approve them when the supervisor was “away.”
  • Supplier vetting was cosmetic. Long-standing relationships were never re-evaluated, creating a comfort zone ripe for exploitation.
  • Maintenance reporting relied on a single signature with no technical verification.
  • Payment verification assumed that approved purchase orders were genuine; no one cross-checked with actual delivery records.
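
The cross-check that was missing can be sketched in a few lines. This is an added example, not the company's or Summit Consulting's tooling; the invoices, dates, part names and field names are constructed, and the rules simply encode the three anomalies described above (no truck trip on the delivery date, urgent orders dated on month-end Fridays, parts replaced well inside their expected life).

```python
import calendar
from collections import defaultdict
from datetime import date

# Constructed sample data (not from the case file). Each row is a paid invoice
# with the delivery date the supplier claimed.
PAYMENTS = [
    {"invoice": "INV-001", "part": "bearing", "delivery": date(2024, 1, 26), "urgent": True},
    {"invoice": "INV-002", "part": "bearing", "delivery": date(2024, 3, 29), "urgent": True},
    {"invoice": "INV-003", "part": "v-belt", "delivery": date(2024, 3, 12), "urgent": False},
]
# Dates on which the supplier's truck GPS shows a trip ending at the plant.
GPS_TRIPS_TO_PLANT = {date(2024, 3, 12)}
# Assumed service life per part, in days (the article cites 12 months for bearings;
# the v-belt figure is a placeholder).
EXPECTED_LIFE_DAYS = {"bearing": 365, "v-belt": 180}


def review_payments(payments, gps_trip_dates, expected_life_days):
    """Return {invoice: [reasons]} for payments that need a manual look."""
    flags = defaultdict(list)
    last_delivery = {}  # part -> delivery date of the previous paid order
    for p in sorted(payments, key=lambda row: row["delivery"]):
        day = p["delivery"]
        # 1. Paid-for delivery with no matching truck trip to the plant.
        if day not in gps_trip_dates:
            flags[p["invoice"]].append("no_gps_trip")
        # 2. Urgent order dated on a Friday in the last seven days of the month.
        month_len = calendar.monthrange(day.year, day.month)[1]
        if p["urgent"] and day.weekday() == 4 and day.day > month_len - 7:
            flags[p["invoice"]].append("friday_month_end")
        # 3. Same part "replaced" long before its expected life has run out.
        previous = last_delivery.get(p["part"])
        if previous and (day - previous).days < expected_life_days[p["part"]]:
            flags[p["invoice"]].append("early_replacement")
        last_delivery[p["part"]] = day
    return dict(flags)


if __name__ == "__main__":
    results = review_payments(PAYMENTS, GPS_TRIPS_TO_PLANT, EXPECTED_LIFE_DAYS)
    for invoice, reasons in results.items():
        print(invoice, ", ".join(reasons))
```

Each flag is a prompt for review, not proof: a plant with several identical machines will legitimately reorder the same part inside its service life, so the life table needs to be kept per asset in practice.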

By the time the dust settled, the total confirmed loss was UGX 1.28 billion. Recovery efforts are ongoing, but as in many Ugandan fraud cases, much of the money has likely been spent on plots of land in rural districts, luxury goods, and debt repayments.

The board has since suspended all three suspects, terminated the supplier contract, and introduced new controls, including GPS-verified delivery logs, mandatory dual approvals for urgent purchases, and quarterly supplier audits.

What we learn from this is that your weakest link is often not a hacker in a foreign country, but the supplier you’ve trusted for years, and the employees who guard that trust.

AI vs AI: Fighting fraud with the same weapon fraudsters use
https://forensicsinstitute.org/ai-vs-ai-fighting-fraud-with-the-same-weapon-fraudsters-use/
Wed, 04 Jun 2025 06:40:07 +0000

Scene: Ntinda, Kampala. March 2025.

A junior accountant receives a WhatsApp message:

“Hello, Finance, this is the CEO. Urgent supplier payment needed before COB. Here’s the account. Process now.”

The logo on the profile photo was legit. The tone? Perfectly matched. Even the CEO’s usual “Thanks, team” signature was there.

It was fake.

Generated by AI.

And within 2 hours, UGX 46 million was gone.

Welcome to the era of AI vs AI, where the same algorithms used to defraud you are now being weaponized to protect you.

But here’s the kicker: most Ugandan firms are defenseless.

From Deepfakes to Deep Fraud

Fraud is no longer about forged signatures and disappearing vendors. It’s about machine-powered deception.

We’re facing fraudsters who use:

  • Voice cloning – 20 seconds of your CEO’s voice can create a believable request for payment.
  • ChatGPT-like phishing bots – Auto-generate personalized scam emails that sound like they’re from your HR or IT team.
  • Synthetic identity fraud – AI combines real and fake data to create “legit” employees or suppliers in your system.

It’s no longer “catch the thief.”

It’s “outsmart the algorithm.”

And here’s the twist: AI can also fight back.

But only if you let it.

The NGO that fought fire with fire

In late 2024, a prominent donor-funded NGO in Gulu noticed strange activity:

Staff travel claims were submitted for trips that had no supporting evidence.

Fuel claims had GPS coordinates in Kenya instead of Uganda.

Something was off.

Summit Consulting Ltd was called in.

We deployed SummitAI Forensics, a machine-learning model trained on prior fraud cases, and cross-referenced travel claims against:

  • Mobile money geolocation patterns
  • WhatsApp call logs metadata
  • GPS engine data from staff vehicle trackers

Within 36 hours, the system flagged five red alerts.

One staff member claimed to be in Mbale while their phone had connected to a tower in Bunga.

Another had two overlapping claims filed within 12 minutes of each other, across districts.

AI didn’t just detect anomalies.

It exposed behavior patterns humans had missed for months.

Fraud caught. Losses contained.
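
The two findings above (a claimed location contradicted by a second data source, and overlapping claims in different districts) come down to a join and an interval test. The following is an added, rule-based sketch, not SummitAI Forensics and not a machine-learning model; the staff IDs, districts, times and field names are constructed, and it assumes location evidence has already been resolved to a district.

```python
from collections import defaultdict
from datetime import datetime
from itertools import combinations

# Constructed sample records; staff IDs, districts and times are illustrative.
CLAIMS = [
    {"id": "C1", "staff": "S-01", "district": "Mbale",
     "start": datetime(2024, 11, 4, 8, 0), "end": datetime(2024, 11, 4, 18, 0)},
    {"id": "C2", "staff": "S-02", "district": "Gulu",
     "start": datetime(2024, 11, 5, 9, 0), "end": datetime(2024, 11, 5, 17, 0)},
    {"id": "C3", "staff": "S-02", "district": "Lira",
     "start": datetime(2024, 11, 5, 13, 0), "end": datetime(2024, 11, 5, 19, 0)},
    {"id": "C4", "staff": "S-03", "district": "Arua",
     "start": datetime(2024, 11, 6, 8, 0), "end": datetime(2024, 11, 6, 16, 0)},
]
# Location evidence from a second source (phone tower or vehicle tracker),
# already resolved to a district.
PINGS = [
    {"staff": "S-01", "time": datetime(2024, 11, 4, 11, 30), "district": "Kampala"},
    {"staff": "S-02", "time": datetime(2024, 11, 5, 10, 0), "district": "Gulu"},
    {"staff": "S-03", "time": datetime(2024, 11, 6, 12, 0), "district": "Arua"},
]


def check_claims(claims, pings):
    """Return {claim_id: [reasons]} for claims contradicted by other records."""
    flags = defaultdict(list)
    pings_by_staff = defaultdict(list)
    for ping in pings:
        pings_by_staff[ping["staff"]].append(ping)

    # Rule 1: the claimant was seen somewhere else during the claimed trip.
    for claim in claims:
        for ping in pings_by_staff[claim["staff"]]:
            inside = claim["start"] <= ping["time"] <= claim["end"]
            if inside and ping["district"] != claim["district"]:
                flags[claim["id"]].append(f"seen_in:{ping['district']}")

    # Rule 2: one person claims to be in two districts at overlapping times.
    for a, b in combinations(claims, 2):
        same_person = a["staff"] == b["staff"]
        overlap = a["start"] < b["end"] and b["start"] < a["end"]
        if same_person and overlap and a["district"] != b["district"]:
            flags[a["id"]].append(f"overlaps:{b['id']}")
            flags[b["id"]].append(f"overlaps:{a['id']}")
    return dict(flags)


if __name__ == "__main__":
    for claim_id, reasons in check_claims(CLAIMS, PINGS).items():
        print(claim_id, reasons)
```

A single contradictory ping can be a tower near a district boundary or a borrowed phone, so a production rule would require several pings or a minimum distance before raising an alert.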

What traditional systems miss

Excel can’t fight AI.

Your finance team’s internal controls can’t match the speed of a script that generates 100 fake invoices in under 2 minutes.

Here’s what you’re up against:

| Fraud tactic | Powered by | Traditional weakness |
| --- | --- | --- |
| Fake voice memos from “CEO” | Voice AI | Lack of verification protocols |
| Vendor impersonation | Chatbot + LLM | No cross-check against known supplier data |
| Synthetic staff profiles | Deep learning + public records | Poor HRIS integrity |
| Insider collusion detection | Network anomaly analysis | Human auditors overlook patterns |
| Travel & fuel fraud | AI-generated itineraries | No GPS or AI correlation tools |

The enemy is using automation.

And you’re still using approvals on WhatsApp.

Fighting back: How to deploy AI defensively

  1. Behavioural analytics over approvals

AI doesn’t need an approval form, it watches for deviations. Who paid what, when, from where, and how often. If it’s not normal, it alerts. Instantly.

  2. Voice verification firewalls

Implement voice signature match tech. If your CEO’s voice is cloned, it won’t match the signature stored. That’s AI detecting AI.

  3. AI-augmented internal audit

Train your internal audit team on AI-powered risk models. Feed your past frauds into a model and let it flag future patterns automatically.

  4. Smart vendor onboarding

Use AI to check for red flags like duplicate TINs, shell companies, fake physical addresses, and recycled phone numbers.

  5. Employee lifestyle AI tracker

When salaries don’t match iPhone purchases or weekend travel patterns, the system flags a risk. Not for judgment, for investigation.

Uganda’s advantage – We leap when we lag

Paradoxically, Uganda’s late adoption of traditional tech gives us a leapfrog chance.

While Europe is bogged down by GDPR compliance delays, we can implement lean, smart AI-driven controls fast, if leadership permits.

This is not about replacing people.

It’s about arming your people with a smarter co-pilot.

What SummitAI is doing

Summit Consulting Ltd has developed an AI-driven fraud detection tool trained on real Ugandan fraud cases from over 100 institutions.

It understands local fraud behavior:

  • The “Monday–Friday” financial fraud schemes
  • The boda-boda travel reimbursement fraud
  • The “we bought but didn’t receive” procurement hustle
  • The mobile money laundering loop via school fees or airtime purchases

We don’t rely on foreign data models. We use Uganda’s financial crime history to fight tomorrow’s attacks.

AI isn’t just coming.

It’s already inside your finance department, your HR, your procurement, just not on your side yet.

You have two choices:

Let AI attack you. Or deploy AI to defend you.

There is no neutral ground.

Because in the next board meeting, when you ask “How did we lose UGX 1.2 billion?”, the answer will be:

“We didn’t lose it. We were outsmarted by a machine we never saw.”

Act now. Let the Institute of Forensics & ICT Security assess your fraud AI readiness. Contact us, we’ll help you fight code with code. Because in this era, strategy isn’t human vs machine. It’s the right machine vs the wrong one.

We remain, Institute of Forensics & ICT Security, 2025. All rights reserved.

Greed, guts, and gone: The human drivers behind every scam
https://forensicsinstitute.org/greed-guts-and-gone-the-human-drivers-behind-every-scam/
Wed, 04 Jun 2025 06:24:47 +0000

On the sticky floor of a dimly lit bar in Kabalagala, Suspect 1 sealed the deal with a casual handshake. The deal? A multi-million Uganda Shilling “consultancy project” that existed only on paper and in the minds of two co-conspirators, powered by three invisible forces that fuel every scam you’ve ever heard of: Greed. Guts. And eventually, Gone.

Let’s break it down.

What happened?

In April 2024, a high-ranking officer at a government parastatal in Uganda wired UGX 870 million to a company claiming to offer digitization advisory services. The only digitization that happened was converting public funds into personal pleasure. The company? A freshly registered firm run by Suspect 2, whose only experience with “digitization” was editing PDFs. Summit Consulting Ltd was called in after a whistleblower reported that “consultants” were being paid without ever stepping foot in the organization.

The fraud was already in motion. But the audit trail had cracks, cracks that eventually became confession points.

It starts with greed

Greed is the gateway drug of corruption. It always begins with justification.

Suspect 1, let’s call him “The Fixer”, had a nice salary, a government car, and a per diem habit. But that wasn’t enough. One evening, he told a friend at Panamera, “Okuyiya kwekuggawaza si musaala,” loosely meaning, “it is dealing, not a salary, that makes a man rich.”

So when a dormant procurement budget line showed UGX 920 million unutilized by Q2, he saw opportunity, not mandate. He engineered a fake urgency, “We need digital strategy support”, then co-signed the paperwork to sole-source the work to a “known vendor.”

That vendor? A shell company. Just three weeks old. Owned by his cousin. Who also happened to be Suspect 2.

Then comes the guts

Fraud is not for the faint-hearted. It requires nerves. Precision. And the audacity to say, “Let’s beat the system.”

Here’s how they did it:

  • Front company. Registered with URSB with a fake office at a building in Bukoto. Their “office” was a locked storeroom.
  • Invoice engineering. They submitted three inflated invoices, UGX 290m each, under different phases of the so-called project. The descriptions were vague: “Digital Readiness Scan,” “Stakeholder Engagement Sessions,” “Cybersecurity Awareness Roadmap.” Not a single actual deliverable was submitted. But the language was seductive enough to lull the internal reviewers.
  • Internal collusion. Suspect 3, a mid-level accounts officer, ensured payments were fast-tracked. In return? A crisp UGX 30 million Mobile Money transfer, disguised as “school fees support.” It was sent to his wife’s Airtel line.
  • Cash-out strategy. Once funds hit the vendor’s account, they were immediately withdrawn in bits, UGX 50m at a time, using mobile money, cheques to cash, and over-the-counter transactions at a bank in Ntinda. The audit trail vanished under the cloak of informal cash culture.

And just like that… gone

When the procurement committee asked to review the final report, both Suspects 1 and 2 were “on study leave.” The company had de-registered. The bank account was emptied. The funds were gone. Forever.

And yet, it could’ve been caught earlier.

The red flags the auditor spotted

  1. Vendor vetting was bypassed. The company had no prior contracts, physical inspection reports, or due diligence forms on file; all were waived under “urgency.”
  2. Duplicate language across invoices. Copy-paste errors appeared in all three invoices. Same spelling mistakes. Same format.
  3. No deliverables attached. Payments were made without any accompanying reports. Only proforma invoices were filed.
  4. Mobile money activity spikes. A suspicious surge in MM transfers by a junior accountant raised eyebrows. One number appeared repeatedly in transaction logs, a number linked to Suspect 2.
  5. Unusual speed of payment. Most vendors waited weeks. This vendor was paid within 48 hours.

Enter the Summit Consulting Ltd investigation

When Summit Consulting Ltd was engaged, the forensic trail was thin. But we started with three things:

  • Bank statements. These revealed transfer patterns and suspicious withdrawal behaviour.
  • Mobile money analysis. We used telco data subpoenas to map all large transfers from the key suspects.
  • Interview triangulation. Using a personality profiling tool and analysis of all staff statements, we flagged inconsistencies in answers between the procurement officer, finance officer, and line manager.

It took six working days to map the entire fraud ring.

Suspect 2 cracked under pressure. In exchange for immunity, he handed over WhatsApp chats, shared location pins of cash drop-offs, and even voice notes. One voice note from Suspect 1 was chilling:

“Make sure the last payment lands before the board meets. I don’t want questions.”

The total loss

UGX 870 million.

Gone into thin air. Money that could’ve upgraded district health centers, or digitized actual village SACCOs, ended up paying for beach plots and imported whiskey.

Why it worked: internal controls were ignored

  1. Segregation of duties was non-existent – The same officer initiated, approved, and followed up the payment.
  2. No vendor onboarding framework – Any company could be selected under the pretext of “urgency.”
  3. The procurement committee was a rubber stamp – None of the members even attended the so-called vendor pitch.
  4. Finance never asked questions – They processed all payments without checking for deliverables.
  5. Board oversight was blind – There was no project performance dashboard or progress reporting mechanism.

The human drivers – greed, guts, and gone

Every scam begins with greed, a want for more than earned. It escalates with guts, the courage to beat the system. And it ends with gone, vanished money, broken trust, and reputations in ruins.

But behind every ghost invoice is a living, breathing human being who looked at ethics and chose expediency. Fraud is not a system failure, it’s a human decision wrapped in paperwork.

Fraud doesn’t hide in spreadsheets. It hides in culture. In that silent nod of approval. In that “it’s just this once” excuse. In that handshake in the backroom.

Want to beat fraud? Don’t just automate. Investigate your people. Build controls around human behaviour. Reward integrity. Audit lifestyles, not just numbers.

Because in Uganda, and beyond, every scam is human.

And until you confront greed and guts, you’ll always end up gone.

To request a fraud investigation or whistleblower protection training, reach out to the Institute of Forensics & ICT Security, the training arm of Summit Consulting Ltd., because when fraud strikes, we don’t guess. We know.

Fraud fighters unite! Empowering your team to say something when they see something
https://forensicsinstitute.org/fraud-fighters-unite-empowering-your-team-to-say-something-when-they-see-something/
Wed, 28 May 2025 06:41:40 +0000

The first thing Stella noticed was the silence.

It wasn’t the usual kind, the quiet hum of people settling into routine, typing away, phones buzzing, printers hissing. No. This was different. It was the kind of silence that crawled up your neck and whispered, “Keep quiet. This is not your battle.”

But Stella had seen it. Clear as day.

A junior procurement officer had entered the records room and walked out with three LPO books under his shirt. She saw him tuck them into his gym bag. She told herself it was none of her business.

Until the fake supplier invoices started appearing. Names she’d never heard of. Firms no one had met. Payments made within hours of submission. And one morning, as she passed the corridor leading to the Finance Manager’s office, she overheard it:

“Just delete the last page. He’s already been paid.”

Her stomach turned.

The tipping point

Stella wasn’t new. She’d been at the NGO for six years. She knew things happened. But this was different. This wasn’t corner-cutting. It was theft. Systematic. And somehow, no one else was saying a word.

That evening, she stared at her laptop. Her cursor hovered over the whistleblower email address listed in the induction policy, an email no one had ever used. She thought of her kids. Her job. Her reputation. But then she thought of the health centres that never got the medicine. The boreholes that never got repaired. The communities that never stood a chance.

She clicked Send.

What happened next

Within 48 hours, the internal audit team contacted her using a secure channel. They brought in external investigators, our Summit Forensics team. Quietly. Discreetly. We set up a virtual mirror of the payment system. Traced the flows. Flagged the ghost vendors.

We followed the money.

Each fictitious invoice led to a shell account. Those accounts traced back to three staff members. Including the Finance Manager Stella had overheard.

The total fraud? UGX 492 million.

Why her courage mattered

Stella’s act didn’t just save money. It saved the organisation. Donors were on the verge of blacklisting it. The internal rot was already raising red flags during quarterly reviews. But the moment someone spoke, the chain broke.

We helped the organisation set up a real whistleblower program. Not just an email on paper. We trained staff. Created safe reporting lines. Quarterly fraud awareness sessions became mandatory. Every new hire had to sign a culture charter.

The culture shift

Today, that same office has a phrase painted on its wall in big bold blue:

“If you see something, say something. Silence is complicity.”

And beneath it, in smaller font:

“Because Stella did, we still exist.”

Fraud is never a one-man job. It thrives in shadows. In laughter-filled meetings where no one asks real questions. In management teams that value loyalty over integrity.

But it only takes one voice to stop it.

If you lead an organisation, don’t just train your people to detect fraud. Train them to report it. Build systems that protect the truth-tellers. Honour the ones who speak up.

Because fraud doesn’t destroy institutions.

Silence does.

IFIS Team.

Spot it before it spreads: How to build a fraud-resistant culture
https://forensicsinstitute.org/spot-it-before-it-spreads-how-to-build-a-fraud-resistant-culture/
Wed, 21 May 2025 06:27:59 +0000

Fraud is not an event. It’s a cultural failure. Fraud doesn’t begin in the finance department. It begins in silence. In excuses. In the unspoken code: “That’s how we do things here.” By the time the money is gone, the rot has already eaten through policy, values, and leadership integrity. In Uganda alone, over 10% of the annual budget is lost to internal fraud — most of it preventable.

Take the case of the water-for-kickbacks scandal

In June 2024, a whistleblower at a government water project in northern Uganda triggered a chain of revelations. What started as “missing pipes” ended with five staff suspended and UGX 1.2 billion unaccounted for. At the heart? A toxic culture. Supervisors approved ghost deliveries. Procurement teams handpicked contractors in exchange for kickbacks. Finance looked away because “everyone was eating.”

The anatomy of silence

a) Fear of retaliation

(i) New staff noticed the fraud but kept quiet, afraid to lose their contracts.

(ii) One who tried to speak up was threatened with transfer to a remote post.

b) Normalization of deviance

(i) Fake site visits were signed off as routine.

(ii) Audit logs were deleted. No one questioned the missing documentation.

c) Weak leadership tone

(i) The project manager never took leave — a classic red flag.

(ii) His replacement later confessed they “inherited a system they couldn’t clean up.”

What we found in our investigation

When we conducted a culture audit using our fraud vulnerability heatmap, the results were chilling. Over 78% of staff said they believed fraud would not be punished if “the person is well connected.” Even more worrying, 62% admitted they would not report fraud if it involved their supervisor.

How to disinfect your culture

a) Start with leadership discipline

(i) If your boss fears leave audits, they are the fraud risk.

(ii) Rotate duties. No single point of failure.

b) Empower the internal audit

(i) Train them in digital forensics. Not just policy checking.

(ii) Let them report directly to the Board, not management.

c) Reward whistleblowers

(i) Pay for tips. It works.

(ii) Anonymity is not enough. Protect careers.

d) Declare a fraud-free quarter and mean it

(i) Tie incentives to ethical performance.

(ii) Use data. Track red flags.

A fraud-resistant culture isn’t about speeches. It’s about systems. Stop tolerating the small thefts. Because what you permit, you promote. And what you promote becomes the new normal.

Catch me if you can: Tools every investigator needs today
https://forensicsinstitute.org/catch-me-if-you-can-tools-every-investigator-needs-today/
Wed, 21 May 2025 06:17:08 +0000

The age of smart thieves and dumb systems

We are no longer chasing thugs in balaclavas or masks. Today’s fraudsters wear suits, manage bank accounts, and approve their own payments. They don’t steal at night. They steal during working hours using the company Wi-Fi.

The problem? Many internal investigators are still using pens and notepads while the criminals are using AI, burner phones, mobile money layering, and VPNs. It’s like bringing a hoe to a drone war.

This is your forensic toolbox update. Catch Me If You Can is not just a taunt, it’s a test. And you better have the tools to pass it.

The new battleground, from files to firewalls

The fraudster’s playground has shifted. Yesterday, it was forged cheques. Today, it’s fake domain emails, insider ERP manipulation, and mobile money micro-thefts. The battlefield is digital. Your tools must be too.

At Summit Consulting Ltd, we equip our investigators with tools not just for documentation, but for digital confrontation.

Let me walk you through the must-haves.

The investigative arsenal. Tools that give you an unfair advantage

a) Device imaging kit

(i) Clone laptops and mobile phones without alerting the suspect.

(ii) Tools like FTK Imager, Autopsy, or Cellebrite UFED let you extract deleted emails, WhatsApp chats, browser histories, even from wiped phones.

b) Data analytics software

(i) Excel is for accountants. You need IDEA, R2, ACL Analytics, or Power BI to crunch suspicious payment patterns, round-figure transactions, and vendor duplications.

(ii) Load the full GL and run anomaly tests. One of our audits revealed a ghost vendor created by reversing and reissuing an invoice with only the last digit changed.

c) Metadata extractors

(i) A document’s fingerprint is in its metadata. Tools like ExifTool or DocParser tell you when a file was created, modified, or copied.

(ii) We once caught a “backdated” supplier contract that was created five days after the payment.

d) Open Source Intelligence (OSINT)

(i) Fraudsters leave digital footprints on Facebook, LinkedIn, and Twitter. Use Maltego, Recon-ng, or even basic Google dorking to link suspects to unregistered businesses, side gigs, or secret relationships.

(ii) We busted a procurement cartel by linking three supplier companies to one wedding photo on Instagram.

e) Mobile money forensic tracker

(i) Investigators must know how to trace cash through MTN MoMo and Airtel Money APIs.

(ii) Use IMEI and transaction logs to track layered transfers. One fraud we investigated involved UGX 10 million being split into 100 transactions of UGX 100,000 moved across agents and cashed out at fuel stations.
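
The layering pattern in (e), and the sub-threshold withdrawals and UGX 4.9 million transfers in the supplier case earlier on this page, can both be surfaced with one sliding-window test over transaction logs. This is an added example, not Summit's tooling or a telco API; the transactions are constructed, `account` is a hypothetical field for the sending or receiving number, and the UGX 5 million review threshold and 3-day window are assumptions to tune.

```python
from collections import defaultdict
from datetime import datetime, timedelta

START = datetime(2025, 1, 6, 8, 0)
# Constructed transactions. A: 100 transfers of UGX 100,000 over about 33 hours.
# B: three transfers just under the threshold on consecutive days.
# C: one large transfer (handled by normal reporting) plus small change.
# D: moderate transfers spread ten days apart.
TXNS = (
    [{"account": "A", "time": START + timedelta(minutes=20 * i), "amount": 100_000}
     for i in range(100)]
    + [{"account": "B", "time": START + timedelta(days=i), "amount": 4_900_000}
       for i in range(3)]
    + [{"account": "C", "time": START, "amount": 6_000_000},
       {"account": "C", "time": START + timedelta(hours=1), "amount": 50_000},
       {"account": "C", "time": START + timedelta(hours=2), "amount": 50_000}]
    + [{"account": "D", "time": START + timedelta(days=10 * i), "amount": 2_000_000}
       for i in range(3)]
)


def find_structuring(txns, threshold, window=timedelta(days=3), min_count=3):
    """Flag accounts that moved at least `threshold` in total through
    `min_count` or more transfers that are each below `threshold`, all inside
    one time window. Returns {account: (count, total)} for the largest window.
    """
    by_account = defaultdict(list)
    for t in txns:
        if t["amount"] < threshold:  # only sub-threshold transfers can be "splits"
            by_account[t["account"]].append((t["time"], t["amount"]))

    hits = {}
    for account, rows in by_account.items():
        rows.sort()
        left, running = 0, 0
        for right, (when, amount) in enumerate(rows):
            running += amount
            # Drop transfers that have fallen out of the window.
            while when - rows[left][0] > window:
                running -= rows[left][1]
                left += 1
            count = right - left + 1
            if count >= min_count and running >= threshold:
                if account not in hits or running > hits[account][1]:
                    hits[account] = (count, running)
    return hits


if __name__ == "__main__":
    for account, (count, total) in find_structuring(TXNS, 5_000_000).items():
        print(f"{account}: {count} transfers totalling UGX {total:,}")
```

Grouping by account only catches splits that share a number; funds spread across agents or numbers registered in other names need the same test run per device, per agent and per linked-number cluster.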

Essential non-digital tools: old school still rules

Fraud is personal. You still need tools that give you psychological and operational dominance.

a) Voice recorder and bodycam

(i) Always record interviews, discreetly if your jurisdiction allows. In Uganda, this is not allowed unless you are a law enforcement officer with the appropriate legal mandate. Liars forget their lies. Devices like the Spy Pen Recorder or hidden body cams are lifesavers.

b) Chain of custody logbook

(i) Evidence without custody is garbage. Every device, document, or digital copy must be logged with who accessed it, when, and for what purpose.

c) Investigator’s field notebook

(i) This is your Bible. Document every observation. Handwriting analysis, mood changes, and security patterns. One scribbled sentence can unlock a case.

d) Evidence bag kit

(i) Proper tamper-proof bags, labels, gloves, and evidence seals prevent contamination and maintain integrity.

Psychological warfare: tools that break suspects

A good investigator doesn’t just collect evidence. They extract the truth. That requires psychology.

a) DISC profiling and micro-expression training

(i) Learn to read people, blinking, fidgeting, and tone changes. We use DISC tools to profile personalities and tailor our interview style.

(ii) A Dominant suspect will push back. A Conscientious one will over-explain. Use their psychology against them.

b) Statement analysis software

(i) Tools like SCAN (Scientific Content Analysis) flag linguistic shifts, e.g., moving from “I” to “we” when describing responsibility.

(ii) In one case, a suspect shifted from “I paid” to “we paid” mid-interview. That’s how we knew he had a partner.

Investigation management tools: Organize or die

You’re not Sherlock Holmes. You can’t keep everything in your head. Use digital case management tools.

a) CaseHQ or CaseGuard

(i) These platforms let you manage files, link evidence, and tag suspects.

(ii) You create timelines, map networks, and log interview summaries, all in one place.

b) Digital chain of custody systems

(i) These log every file, image, or device collected. No more guesswork in court.

(ii) Timestamped, encrypted, tamper-proof.
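
What makes a digital custody log trustworthy is that each entry commits to the one before it, so an edited or deleted entry is detectable. The sketch below is an added example of that idea using a SHA-256 hash chain; it is not how CaseHQ, CaseGuard or any named product works, it provides tamper evidence rather than encryption, and the exhibit ID, handlers and timestamps are constructed.

```python
import hashlib
import json

GENESIS = "0" * 64  # stand-in "previous hash" for the first entry
FIELDS = ("item_id", "item_sha256", "handler", "action", "timestamp")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _entry_hash(entry: dict, prev_hash: str) -> str:
    # Hash the previous entry's hash together with this entry's fields.
    body = json.dumps({k: entry[k] for k in FIELDS}, sort_keys=True)
    return sha256_hex((prev_hash + body).encode("utf-8"))


class CustodyLog:
    def __init__(self):
        self.entries = []

    def record(self, item_id, item_bytes, handler, action, timestamp):
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        entry = {"item_id": item_id, "item_sha256": sha256_hex(item_bytes),
                 "handler": handler, "action": action, "timestamp": timestamp,
                 "prev_hash": prev}
        entry["entry_hash"] = _entry_hash(entry, prev)
        self.entries.append(entry)
        return entry

    def verify(self):
        """Return the index of the first entry that breaks the chain, or None."""
        prev = GENESIS
        for index, entry in enumerate(self.entries):
            if entry["prev_hash"] != prev or entry["entry_hash"] != _entry_hash(entry, prev):
                return index
            prev = entry["entry_hash"]
        return None

    def item_matches(self, item_id, item_bytes):
        """True if the bytes presented now hash to what was first logged."""
        for entry in self.entries:
            if entry["item_id"] == item_id:
                return entry["item_sha256"] == sha256_hex(item_bytes)
        return False


SAMPLE_IMAGE = b"constructed stand-in for a disk image"


def build_sample_log():
    log = CustodyLog()
    log.record("EX-001", SAMPLE_IMAGE, "Investigator A", "acquired", "2025-05-21T09:00:00Z")
    log.record("EX-001", SAMPLE_IMAGE, "Evidence clerk", "sealed and stored", "2025-05-21T10:15:00Z")
    log.record("EX-001", SAMPLE_IMAGE, "Analyst B", "checked out for analysis", "2025-05-22T08:30:00Z")
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("intact chain:", log.verify())
    log.entries[1]["handler"] = "someone else"  # simulate an edited record
    print("first broken entry after edit:", log.verify())
```

Someone who can rewrite the whole file can also recompute every hash, so the latest `entry_hash` should be kept where the log's custodian cannot change it, for example countersigned or written into the paper logbook at each handover.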

The Summit edge: tools we use to blow cases wide open

At Summit Consulting Ltd, our investigators use a unique triangulation framework:

Follow the money. Follow the behavior. Follow the device.

Let me show you a real case.

A client had UGX 320 million vanish from petty cash over 14 months. No one noticed. We used:

(i) Mobile money forensic analysis to trace staggered withdrawals.

(ii) Vendor network mapping to link five “independent” suppliers to the same PO Box.

(iii) Device imaging to recover an Excel file on the suspect’s desktop titled “Plan B Payroll”, a list of kickbacks by name and amount.

All this from just three tools. Case closed. Two arrests. Funds recovered.

Bonus tool: the fraud mindset

This cannot be bought. It must be cultivated.

The best investigators I’ve trained have one thing in common: they assume guilt and prove innocence. Not the other way around. They know that silence is a symptom, not a conclusion. They read between transactions, not just the transactions.

Fraud isn’t about the crime. It’s about the gap between what should have happened and what did.

You can’t fight fraud with hope

Hope is not an audit strategy. Faith is not an investigative tool. If your toolkit is older than your suspects’ Instagram filters, you’ve already lost.

Fraudsters evolve. So must you.

Equip your team with the full Fraud 360 toolkit. Invest in forensic tools, not just policy reviews. Train for behavioral detection, not just paper verification. If you don’t, you’ll spend more time writing reports than solving crimes.

This is the IFIS Team. And we just handed you the blueprint.

Now go. Catch them before they catch you.
