Phishing in the dark: Can you spot the scam?

It started like any other Monday. Overcast skies. Heavy traffic on Jinja Road. At 9:13 AM, the IT manager of a prominent NGO based in Ntinda received an email with the subject: “Updated COVID-19 compliance form – Action Required”. It was urgent, signed off with the name of their country director, complete with signature and internal branding.

He clicked.

By 10:06 AM, every server on their network was encrypted. A ransom note blinked on the screen:

“Your files have been locked. Send $8,000 in Bitcoin to this address within 72 hours or lose everything.”

Welcome to phishing in the dark, Uganda’s new silent epidemic. It is so brutal, it comes like a rape. Victims are too afraid to speak up.

What makes this scam so dangerous?

Unlike the crude email scams of old (“Dear Sir, I have $10 million for you…”), this new wave of cyberattacks is intelligent. It’s patient. It sits in the dark and studies you.

This particular attack used a technique called “spear phishing.”

Here’s how it unfolded:

  1. Reconnaissance phase. The attackers followed the NGO’s social media posts. They identified staff members, read job titles, and even noted recent travels and project updates.
  2. Email spoofing. Using a domain name like @ngougandà.org (instead of the real @ngouganda.org), they crafted a fake internal policy memo. The language matched past memos, thanks to ChatGPT. The logo was identical. No typos. No red flags.
  3. Payload delivery. A harmless-looking Word document came attached. Once opened, it prompted the user to “Enable Content.” That single click executed malicious code, giving attackers remote access.
  4. Lateral movement. From the IT manager’s laptop, they quietly moved through the network, harvested credentials, and deployed ransomware. The entire operation took less than an hour.

The red flags, missed in the dark

  • The email domain was subtly different.
  • The tone was overly urgent, with pressure to act “before COB.”
  • The attachment required macros to view, which is rarely necessary for internal docs.
  • The sender’s actual email address, on close inspection, had no DomainKeys Identified Mail (DKIM) or Sender Policy Framework (SPF) authentication, both basic email security standards.

But here’s the problem: most organizations in Uganda don’t even know what DKIM or SPF is. And that ignorance is costing them.
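Two of the red flags above, missing SPF/DKIM and a macro-enabled attachment, can be checked by a script before a person ever opens the email. The sketch below is an added example, not a Summit Consulting or IFIS tool; the gateway name mx.example.org, the sender names and the sample messages are constructed for illustration.

```python
import re
from email.message import EmailMessage

# Macro-enabled Office extensions; the attachments described in this post are of this kind.
MACRO_EXTENSIONS = (".docm", ".dotm", ".xlsm", ".xltm", ".xlam", ".pptm")

def auth_results(msg, trusted_authserv):
    """Read SPF/DKIM verdicts, but only from headers stamped by our own gateway.
    A sender can forge Authentication-Results, so other authserv-ids are ignored."""
    verdicts = {"spf": "none", "dkim": "none"}
    for header in msg.get_all("Authentication-Results", []):
        authserv, _, body = str(header).partition(";")
        if authserv.strip().lower() != trusted_authserv:
            continue
        for method, result in re.findall(r"\b(spf|dkim)\s*=\s*([a-z]+)", body.lower()):
            verdicts[method] = result
    return verdicts

def triage(msg, trusted_authserv="mx.example.org"):
    """Return the list of mechanical red flags found in one message."""
    flags = [f"{m}={r}" for m, r in auth_results(msg, trusted_authserv).items()
             if r != "pass"]
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if name.endswith(MACRO_EXTENSIONS):
            flags.append(f"macro-attachment:{name}")
    return flags

def build_sample(auth_header, filename):
    """Constructed test message modelled on the emails described in this post."""
    msg = EmailMessage()
    msg["Subject"] = "Update on salary arrears - Staff Action Needed"
    msg["Authentication-Results"] = auth_header
    msg.set_content("Kindly download and complete the attached arrears claim form.")
    msg.add_attachment(b"placeholder", maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg

if __name__ == "__main__":
    phish = build_sample(
        "mx.example.org; spf=fail smtp.mailfrom=sender.example; dkim=none",
        "Salary_Claim_Form.xlsm")
    print(triage(phish))
```

A message that returns any flag is a candidate for quarantine or a banner warning; an empty list only means these two checks passed, not that the email is safe.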

The real cost

Summit Consulting Ltd, Uganda’s leading cybersecurity and fraud investigation firm, has seen a sharp rise in phishing-related breaches since Q4 2024. In the last 6 months alone, their team has responded to over 47 ransomware cases linked directly to phishing emails. Total estimated losses? Over UGX 3.1 billion.

One SACCO in Mbarara lost UGX 117 million when their treasurer’s email was compromised and fake instructions were sent to the bank. A church in Kampala unknowingly paid UGX 26 million for fake construction invoices. A government agency lost project funds after an impersonated UN partner requested a payment “to avoid withdrawal of support.”

This isn’t just a tech problem. It’s a trust problem. And it’s growing.

Can you spot the scam?

Here’s a real example used in a phishing simulation by Summit Consulting:

From: hr@ministrylàbour.go.ug

Subject: Update on salary arrears – Staff Action Needed

Dear Staff,

Kindly download and complete the attached arrears claim form as discussed in the recent briefing. Deadline is 5PM today.

Regards,

Mary N.

Director, HR

Attachment: Salary_Claim_Form.xlsm

Would you click?

Looks legit, doesn’t it? But:

  • Real government domains use .go.ug, but ministry-labour.go.ug was a newly registered fake domain.
  • The real HR director’s name is public on the ministry website, easily faked.
  • XLSM files with macros are a major red flag.
  • No prior notice or internal memo referenced this form.
  • The word labour uses a special character, à, which is odd! Be mindful when you see domains with dashes or special characters.
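The lookalike-domain trick in both emails (ngougandà.org in place of ngouganda.org, and the à in the ministry address) can also be caught automatically by comparing each sender domain with the domains you actually trust. This is an added example, not the method used in the Summit Consulting simulation; the trusted list and the extra test addresses are constructed.

```python
import unicodedata

def skeleton(domain):
    """Fold a domain to a comparison form: lowercase, accents removed, hyphens dropped.
    NFKD folding handles accented Latin letters such as 'à'; it does not map
    Cyrillic or Greek look-alikes, which the non-ASCII check below still reports."""
    decomposed = unicodedata.normalize("NFKD", domain.lower())
    stripped = "".join(c for c in decomposed if not unicodedata.combining(c))
    return stripped.replace("-", "")

def edit_distance(a, b):
    """Levenshtein distance, to catch a single swapped, added or missing letter."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_sender_domain(address, trusted_domains):
    """Return (verdict, matched_trusted_domain_or_None) for a sender address."""
    domain = address.rsplit("@", 1)[-1].strip().lower()
    if domain in trusted_domains:
        return ("trusted", domain)
    for good in trusted_domains:
        # Not an exact match, yet identical or one edit away once folded.
        if edit_distance(skeleton(domain), skeleton(good)) <= 1:
            return ("lookalike", good)
    if not domain.isascii():
        return ("non-ascii", None)
    return ("unknown", None)

# Constructed allowlist: the NGO's real domain as given in this post.
TRUSTED = ("ngouganda.org",)

if __name__ == "__main__":
    for sender in ("director@ngougandà.org", "it@ngouganda.org",
                   "hr@ministrylàbour.go.ug", "admin@ngo-uganda.org"):
        print(sender, check_sender_domain(sender, TRUSTED))
```

In practice the trusted list would hold your own domains and those of the partners and agencies you exchange payment instructions with, so that a "lookalike" verdict points at the organisation being impersonated.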

What must you do?

  1. Verify internally. Never trust, always confirm.
  2. Hover before you click. Links lie. The URL beneath might take you to bit.ly/2XyHR45 or a phishing clone site.
  3. Use two-factor authentication. Even if your password is stolen, it blocks access.
  4. Train your staff. Quarterly phishing simulations save millions.
  5. Have an incident response plan. When disaster hits, your survival depends on speed, not perfection.

Final word

Phishing isn’t just a tech problem. It’s psychological warfare, exploiting trust, urgency, fear, and routine. It lurks in the shadows of your inbox. And unless you train your team to see in the dark, you won’t know you’re under attack until it’s too late.

The next email you click could be the one that locks your files, drains your accounts, or ruins your reputation.

So, before you click,

Breathe. Hover. Think. Verify.

In the digital jungle, it’s not the strongest that survive.

It’s the most aware.

We remain the IFIS team.

© 2025 All rights reserved Institute of Forensics and ICT Security | IFIS is the training arm of Summit Consulting Ltd