When the fraud finally unravelled, it wasn’t through a sophisticated cyberattack or a shadowy hacker operating from a foreign server. It began, as many local fraud stories now do, with a six-digit code: 123456; typed casually into a phone.
It was like a usual Thursday morning at a hospital when “Suspect 1,” a man dressed in a faded telecom-branded jacket, approached a nurse outside the outpatient wing. He spoke softly, like someone used to fixing problems others didn’t understand. “Madam, your SIM card needs verification.
The system shows an update error. Please read me the code that just came to your phone.” She did. Within minutes, her WhatsApp was gone, her mobile money emptied, and her reputation compromised. No malware. No brute force. Just a human voice, a believable story, and six innocent digits.
The illusion of safety
Ugandans have come to see their phones as symbols of progress. Inside a single device lives the wallet, the ID, and the business ledger. Yet, in a country where over 30 million people rely on mobile money daily, the phone remains the least protected asset they own.
Telecom fraud has become more human than technical. It no longer happens in dark server rooms but in bright daylight, through cloned SIMs, insider approvals, and misplaced trust. In one recent case, Summit Consulting Ltd, the firm called in to investigate a suspected data breach at a leading telecom agent, discovered that the root cause wasn’t software failure. It was a supervisor’s compassion.
“Suspect 2,” a well-rated back-office employee, had approved a SIM swap for what she believed was a colleague’s sick mother. No verification, no ID scan, just empathy. The swap opened a gateway to over 200 million shillings in fraudulent withdrawals before anyone noticed.
“We like to believe fraud happens because systems are weak,” said one investigator at Summit Consulting. “In truth, it happens because people are predictable.”
The power of predictability
In cybersecurity circles, “123456” has become a global joke; the world’s most common password, used by millions who assume no one would bother guessing it. Yet here in Kampala, it’s more than a punchline. It’s a mindset.
Telecom engineers reuse it for testing accounts. Agents use it as a default PIN during customer registration. Bank tellers use it for their logins to emails. Even internal training systems default to it for convenience. The problem isn’t the number; it’s what it represents: human laziness disguised as efficiency.
Summit’s forensic team once traced a fraud ring that had compromised over 50 dormant SIM cards. The team expected an advanced exploit or a stolen master key. Instead, they found that every account used the same default password left unchanged since activation. “The password wasn’t hacked,” one analyst explained. “It was inherited.”
The cost of convenience, as it turned out, was 1.2 billion shillings in unauthorized airtime and mobile money transfers.
Inside the breach
In most telecom fraud investigations, the trail doesn’t lead to an outsider; it leads to the inside. Fraud, in its most modern form, has become a quiet partnership between colluding employees and external agents.
Take the case of “Suspect 3,” a retail agent operating from a dusty roadside kiosk in Mbarara. Every evening, he processed dozens of SIM swaps from “urgent corporate clients.” The data came from an insider, someone with system privileges, who sent him lists of numbers and ID details scraped from internal servers. The two shared profits through mobile money.
When the fraud was finally detected, the system logs told a quiet but damning story: identical terminal IDs, midnight approvals, and transactions moving in neat 10-minute intervals. It wasn’t hacking. It was routine.
The auditors had missed it for months because it looked too organized to be suspicious.
The data never lies
Telecom fraud, like all digital frauds, is never invisible. It always leaves digital fingerprints: timestamps, IP addresses, and login sequences that form patterns only data analytics can see.
In one Summit Consulting forensic case, investigators visualized six months of mobile money activity on a heat map. What emerged was chilling: a single geographic cluster processing transactions between 1:00 a.m. and 3:00 a.m. daily, all linked to the same back-end approval node.
The fraudsters weren’t hiding. They were working inside the system, confident no one was watching.
“What kills organizations is not lack of data,” Mr Strategy noted in his post-investigation briefing to a client’s Audit Committee members. “It’s the refusal to listen to what data is screaming.”
Even the simplest dashboard can flag fraud if someone pays attention. Yet, many institutions mistake dashboards for control, forgetting that detection without action is still negligence.
Culture: the invisible firewall
Every company –telecom or banks- boasts of firewalls, encryption, and biometric verification. Yet, the most effective control remains human behaviour, and that’s where Uganda’s telecom sector faces its greatest challenge.
Fraud thrives in cultures where silence is rewarded, and questioning authority is frowned upon. When employees fear raising red flags or believe that “reporting a colleague” is betrayal, controls crumble.
In one telecom case investigated by Summit Consulting, an internal audit officer admitted, off record, that he had noticed the irregular SIM swap pattern but didn’t escalate it because it involved a “high-performing staff member.” The loss? Nearly 181.4 million shillings.
As Mr Strategy often says, Cybersecurity is not a department; it’s a culture of disciplined doubt.
That means separating duties so no one can approve and verify the same transaction. It means training staff not to trust, but to verify. And most importantly, it means rewarding curiosity, not compliance.
Building immunity, not walls
As our digital economy deepens ahead of the 2026 elections, telecom networks will face their most complex tests yet. Disinformation, identity fraud, and insider manipulation will intersect in ways unseen before. Yet the solution is not more secrecy or blame. It’s transparency.
Organizations must build immunity, not walls. Immunity comes from openness, collaboration, and real-time monitoring. When fraud happens, the first question shouldn’t be “who leaked?” but “which control failed and why?”
Summit Consulting’s approach to telecom fraud now includes behavioural analytics; mapping not just what employees do, but why they do it. They call it the “pattern of intent.” By analysing approval timing, login habits, and even typing speed, investigators can predict who’s most likely to bypass controls long before an incident occurs.
“It’s no longer about catching thieves,” said one Summit analyst. “It’s about predicting behaviour.”
Uganda’s telecom sector is no longer just a service industry. It’s the nervous system of the nation’s economy, carrying salaries, medical bills, campaign funds, and national secrets. A single compromised line can paralyze thousands.
The next frontier of fraud won’t be fought with firewalls, but with awareness. Every Ugandan with a phone must understand that cybersecurity isn’t someone else’s job. It’s a shared civic duty. For this reason, the Institute of Forensics & ICT Security is proud to lead the cybersecurity awareness month in Uganda, where we have made presentations to several companies and organizations.
The nurse at that Kampala hospital now locks her phone with fingerprint ID. The telecom agent who once reused “123456” now teaches her customers to choose stronger PINs. Small shifts. But in a world where six digits can end a career, these habits are the new offense lines.
Because sometimes, the greatest danger isn’t what we don’t know. It’s what we think we already understand.
Copyright forensicsinstitute.org 2025. All rights reserved.
