Fraudproof your organisation

It started quietly. A finance officer at a local organisation logged into the accounting system late in the evening, long after the rest of the office had gone home. The payment looked ordinary: a supplier invoice, the amount was not unusual, and the approval trail existed. The transaction went through mobile money first, then a bank transfer, and finally disappeared into a chain of wallets that investigators would later spend months tracing.

By the time the organisation noticed the loss, the money was gone. The story is not unusual anymore. It is becoming the new pattern of fraud across Uganda’s companies: quiet, digital, and painfully precise. The criminals no longer break doors or forge signatures; they log in.

What happened

The incident began with a simple weakness: access. One employee had system privileges that were never reviewed after a promotion. Another could approve payments remotely because the organisation wanted flexibility during travel. A third person handled vendor onboarding with no independent verification. Three small gaps, none of them alarming. Together they created a corridor, and the fraud scheme unfolded in stages.

First came information gathering. The perpetrators watched internal email patterns and accounting workflows for several weeks and learned how invoices were processed, who approved payments, and when finance staff were busiest. Digital criminals rarely rush; they study.

Then came identity imitation. A fake vendor account appeared in the procurement system. It looked legitimate because the supporting documents were copied from a real supplier whose website had public documents available. The bank account, however, belonged to a different entity controlled by the fraud ring.

The invoice was uploaded, and the approval happened quickly because the amount fell below the escalation threshold. That detail is common in many fraud cases. Criminals prefer transactions small enough to pass unnoticed, but large enough to matter.

The payment left the system. At this stage, the fraudsters moved with speed. The funds were split across multiple mobile money wallets and digital accounts within hours. Each transfer created another layer between the stolen money and the perpetrators. By the next morning, the trail was already complex.

Under Uganda’s legal framework, this activity qualifies as electronic fraud and unauthorised computer access, offences recognised under the Computer Misuse Act. The law treats the use of computers to obtain unlawful gain as a criminal offence with significant penalties upon conviction. But law alone does not prevent fraud; controls do.

How the fraud was noticed

Fraud is rarely discovered through heroics; it is discovered through irritation. In this case, the irritation came from a junior accountant who noticed a small mismatch during monthly reconciliation. The supplier’s name on one payment did not appear in the procurement register used in the previous quarter. It was a small detail that most people ignore.

This accountant asked a question: where did this vendor come from? That question triggered the investigation. The accountant, against protocol, called one of the officers in Internal Audit and raised the red flag with them. Internal auditors reviewed the vendor onboarding documents and noticed that the bank account verification form lacked an independent confirmation from the supplier. The system log then revealed something more troubling: the vendor profile had been created using the login credentials of an employee who was officially on leave that day.

That discovery changed everything. Then digital evidence began to tell the story.

What the investigation revealed

Investigators reconstructed the sequence using system logs, email metadata, and mobile transaction records. This is where modern fraud investigations differ from the past. The evidence is not hidden in drawers; it is buried in data.

Every login leaves a trace, every transfer records a timestamp, and every system modification creates a digital footprint. The forensic review revealed that the employee’s account had been accessed from an external IP address late at night. The password had been compromised weeks earlier through a phishing email disguised as a system upgrade request.

Once inside the system, the attacker moved slowly: created the vendor profile, uploaded the invoice, submitted the payment request, and waited. When approval came through, the payment moved instantly. The entire fraud operation, from initial access to final transfer, took less than fifteen minutes.

This pattern is increasingly visible in cyber-enabled fraud cases reviewed by Ugandan courts, where electronic records and digital trails have become central evidence in determining liability and proving unlawful computer access. Technology creates crime, and technology exposes it.

The legal reality organisations ignore

Many organisations misunderstand their legal position after a cyber fraud. They believe the loss ends with the stolen money, but it does not. When investigators begin reviewing events, the focus shifts to governance.

  1. Who controlled access?
  2. Who approved payments?
  3. Who verified vendors?

Courts increasingly examine whether reasonable controls existed before the fraud occurred. Electronic evidence must also be properly authenticated and preserved if it is to be relied upon during legal proceedings.

This creates a difficult reality for organisations. If your systems cannot produce reliable logs, you may struggle to prove what actually happened. I usually recommend that all logs (network, database, system and so on) be backed up off-site to a location that even your IT team has no access to. This provides a second layer of security and gives forensics the material to unravel what happened. Cybercriminals know how to hide their tracks, but a remote backup of all logs with limited access makes that tougher for them. When digital evidence is weak, accountability becomes complicated. Fraud investigations therefore begin long before a crime occurs, in system design.

The technology behind modern fraud

Fraud today operates like a small technology company. The attackers use phishing tools to steal passwords, deploy automated scripts to test system access, and rely on mobile wallets and digital banking channels to move funds quickly.

The objective is always the same: speed. Digital fraud thrives on the time gap between a transaction and the moment someone notices something unusual. That window may be hours or days, depending on the organisation’s controls.

Once the money enters a network of accounts, tracing it becomes difficult. Mobile money transfers, cryptocurrency exchanges, and digital payment platforms create complex chains that investigators must reconstruct step by step. Whereas the fraudster’s advantage is distance, the investigator’s advantage is data.

Why organisations keep losing money

Most fraud cases follow the same pattern: too much trust, too little verification, and systems designed for convenience rather than security. Executives often focus on strategy, markets, and growth, while internal systems receive attention only after something breaks. Fraud exploits that gap.

A payment approval limit set years ago. Shared passwords in small departments. Vendor verification done through email attachments rather than independent confirmation. Each weakness looks harmless, but together they form the architecture of fraud.

How to fraudproof your organisation

The solution is not complicated, but it requires discipline.

  • First, control system access. Every user account must have clearly defined permissions and multi-factor authentication. No employee should retain privileges they no longer require.
  • Second, separate responsibilities. The person who creates a vendor must never be the same person who approves the payment.
  • Third, monitor transactions in real time. Technology now allows systems to flag unusual activity immediately, such as payments outside normal hours, sudden vendor changes, or transfers to new accounts.
  • Fourth, protect digital evidence. Logs must be preserved automatically. If a breach occurs, investigators need reliable data to reconstruct events.
  • Finally, train people.
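The segregation and monitoring checks in the list above can be expressed as simple rules over payment and vendor records. The following is an added example, not code from this article or from IFIS; the thresholds, field names, user names and sample records are constructed assumptions.

```python
from datetime import datetime, timedelta

# Assumed policy values for this sketch (not taken from the article).
BUSINESS_HOURS = range(8, 18)            # 08:00-17:59 local time
NEW_VENDOR_WINDOW = timedelta(days=30)   # vendor counts as "new" for 30 days
ESCALATION_THRESHOLD = 5_000_000         # at or above this, a second approver is needed
NEAR_THRESHOLD = 0.9                     # flag amounts within 10% below the limit

def flag_payment(payment, vendors, on_leave):
    """Return the names of the rules a payment record trips."""
    vendor = vendors[payment["vendor_id"]]
    paid_at = datetime.fromisoformat(payment["approved_at"])
    created_at = datetime.fromisoformat(vendor["created_at"])
    flags = []
    if paid_at.hour not in BUSINESS_HOURS:
        flags.append("payment_outside_hours")
    if paid_at - created_at < NEW_VENDOR_WINDOW:
        flags.append("transfer_to_new_vendor")
    if vendor["created_by"] == payment["approved_by"]:
        flags.append("creator_is_approver")           # segregation of duties broken
    if (vendor["created_by"], created_at.date().isoformat()) in on_leave:
        flags.append("vendor_created_by_user_on_leave")
    if not vendor["bank_account_confirmed"]:
        flags.append("bank_account_not_independently_confirmed")
    if NEAR_THRESHOLD * ESCALATION_THRESHOLD <= payment["amount"] < ESCALATION_THRESHOLD:
        flags.append("amount_just_below_escalation")
    return flags

def review_queue(payments, vendors, on_leave):
    """Map payment id -> tripped rules, keeping only payments with at least one flag."""
    return {p["id"]: f for p in payments if (f := flag_payment(p, vendors, on_leave))}

# Constructed sample records (hypothetical users, vendors and amounts).
VENDORS = {
    "V-1001": {"created_by": "proc01", "created_at": "2025-01-10T10:15:00",
               "bank_account_confirmed": True},
    "V-2044": {"created_by": "proc07", "created_at": "2026-03-03T23:41:00",
               "bank_account_confirmed": False},
}
ON_LEAVE = {("proc07", "2026-03-03")}    # (user, ISO date) pairs from the leave roster
PAYMENTS = [
    {"id": "P-1", "vendor_id": "V-1001", "amount": 1_200_000,
     "approved_by": "fin02", "approved_at": "2026-03-04T11:05:00"},
    {"id": "P-2", "vendor_id": "V-2044", "amount": 4_800_000,
     "approved_by": "fin02", "approved_at": "2026-03-03T23:52:00"},
]

if __name__ == "__main__":
    for pid, flags in review_queue(PAYMENTS, VENDORS, ON_LEAVE).items():
        print(pid, flags)
```

Run against the payment queue before release rather than at month-end, rules like these shrink the window between a transaction and the moment someone looks at it.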

Technology detects fraud; curious employees stop it. Most fraud cases collapse when someone notices something that does not make sense and refuses to ignore it.

Fraud rarely begins with criminals but rather with weak systems.

The real question every organisation should ask is simple. If someone inside your network decided to steal money tonight, how long would it take you to notice? Hours? Days? Months?

The answer to that question tells you whether your organisation is prepared for the world we now live in.

Copyright Institute of Forensics & ICT Security, 2026. All rights reserved.
