The issue began with a strategy meeting that looked successful from a distance. A financial services company had approved a new digital growth plan. More customers would be onboarded through mobile channels. Loan approvals would be faster. Field officers would use tablets. Agents would collect client information in the field. Management would receive dashboards every morning. The board wanted growth, efficiency, and better customer reach. You know, in this era of generative AI, ideas are plentiful, and those who execute well win. The mobile app plan was great.
Nothing was wrong with that ambition. Security was treated as something to be added after the strategy had already been approved. In my experience as a cybersecurity practitioner, I know that is how risk enters the room politely.
The chief operations officer was a tall man with a calm voice and tired eyes. He was respected because he got things done. The finance manager was sharp, careful, and slightly impatient with paperwork that slowed business. The IT officer was young, technically strong, but not yet senior enough to challenge executives with confidence. The internal auditor was soft-spoken, observant, and dangerous in the best way because she noticed what others dismissed.
Three months after the digital rollout, a payment went out to a new technology support vendor. The invoice looked clean, the approval trail looked normal, and the email instruction appeared to come from the operations office. The payment was not large enough to shock the board, but it was large enough to matter. What raised suspicion was not the amount but the language.
The email said, “Kindly expedite as per our strategic priority and urgency”. The internal auditor paused. The operations officer never used that phrase. He normally wrote short instructions, usually with one line and one attachment. This email had three polished paragraphs, a bank account change, and pressure to move faster. That is where the case started.
The issue
Strategy creates movement while security controls the quality of that movement. In this case, the company had digitised approvals without redesigning authority, verification, evidence retention, and exception handling. Everyone believed the new system was efficient because approvals moved faster. The attacker saw something different. Faster approvals meant fewer questions, weaker pauses, and more room for impersonation.
The fraudster did not attack the firewall first; he attacked the operating rhythm. He studied who approved payments, who feared delaying strategy, who handled vendor onboarding, and who could be pressured with the language of growth. That is modern cyber risk. It does not always arrive as a noisy breach. Sometimes it arrives as a normal request wearing the clothes of strategy.
The Computer Misuse Act, 2011, recognises offences related to unauthorised access, unauthorised use, interception, obstruction, disclosure, and electronic fraud, while Uganda’s Electronic Transactions Act recognises electronic records and gives them evidentiary value when properly authenticated and preserved. That means an organisation must think like a business and like a future witness simultaneously. If the matter reaches court, the question will not be whether people felt deceived. The question will be whether the evidence proves what happened, who did it, how the data moved, and whether the record is reliable.
The first insight is that security is not the enemy of speed. Poorly designed security is the enemy of speed. Good security removes confusion before pressure arrives. Cyber risk follows strategy. When you launch a new channel, migrate to the cloud, automate approvals, onboard vendors, or expose APIs, you also create new doors. Attackers prefer business processes with authority and urgency. Procurement, finance, HR, legal, customer support, and executive offices are attractive because people there can move money, data, or decisions. Digital evidence must be protected from the first hour. A forwarded screenshot, a deleted email, or a casually handled laptop can weaken an otherwise strong matter.
The activity I would give the room is simple. Take your current strategy and circle every place where money, customer data, authority, or decisions move without face-to-face confirmation. Then ask one question for each point: “What must be true for this step to be trusted?” That answer is your security requirement.
How it happened
The attack began before the payment. The attacker had collected public information. Company brochures showed the digital transformation programme, social media showed the operations officer speaking at a stakeholder breakfast, a staff post showed the finance team celebrating a system launch, a procurement notice revealed the kind of vendors the company used, and a leaked email thread from an old supplier dispute gave the attacker the company’s writing style, approval language, and internal signature format.
That is the first lesson investigators must teach executives. Criminals do not need to know everything; they need enough truth to make the lie feel familiar.
The attacker created a lookalike email domain with one letter changed. He sent a vendor onboarding request to a junior staff member, copying what appeared to be a senior manager. The junior officer did not notice the domain difference because the name displayed correctly. The request came at 5:46 p.m., when people were closing the day and preparing to leave. The attached documents included a certificate, a tax identification reference, a bank letter, and a quotation. They were not perfect documents, but they were good enough for a tired organisation that had confused urgency with performance.
The finance manager approved the payment because the invoice matched the strategic project line. The operations officer later denied sending the instruction. At that point, the room did what many organisations do badly. People started arguing before preserving evidence, which nearly damaged the case.
A good investigator slows the room down, procedurally, not emotionally.
The mailbox must be preserved, and the laptop must be isolated. The payment trail must be requested, email headers must be extracted, domain registration must be checked, and vendor documents must be compared against independent sources. The approval workflow logs must be exported, and user access logs must be retained. The mobile messages must be captured properly, and witness accounts must be taken before people start influencing one another.
A case is like a crime scene after rain. Every careless footstep spreads mud across the truth. Impersonation succeeds when the fake instruction lands inside a real business pressure. “We need speed” becomes the attacker’s weapon. Lookalike domains are simple but effective because staff read names, not infrastructure. A clean document is not proof of a clean transaction. Many fraudulent documents are designed to look boring because boring documents pass through organisations quietly. Timing matters. Late afternoon, month-end, board reporting week, public holidays, and executive travel periods are common pressure windows.
If you are an assurance professional, ask every participant to open a harmless old email and inspect the sender details, not the display name. Then ask them to identify the real domain, reply-to address, and any difference between the visible name and the actual email route. Most people will realise they have been trusting labels, not evidence.
How it got noticed
The internal auditor noticed three things: the wording was wrong, the vendor had no prior engagement record, and the approval moved faster than similar payments. Average investigators look for the big confession, but good investigators look for broken patterns.
She compared the suspicious instruction with five previous instructions from the operations officer. His genuine messages had short sentences, no exaggerated confidentiality language, and consistent attachment naming. The suspicious email had polished urgency, a different attachment style, and a bank account in the name of a business that sounded related but was not the vendor name used in the documentation.
Then she checked the payment workflow. The approval happened within twelve minutes. Similar technology vendor payments usually took two days because procurement verified the scope, IT confirmed service delivery, and finance checked tax documentation. Here, the transaction jumped from request to payment because everyone assumed it was strategic.
That word, strategic, became the disguise. A junior IT officer then pulled the mail header and found the message did not originate from the company’s legitimate mail server. The display name was correct, but the sending path was external. The reply-to address also differed from the visible sender. That was the turning point.
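As an added example that is not part of the article, the header inspection described in the exercise above and in the IT officer's check: a constructed message is parsed to compare the sender's real domain with the company domain, detect a one-letter lookalike, spot a differing reply-to, and test whether the earliest hop in the Received chain is the company's own mail host. The company domain, mail host and message contents are assumptions.

```python
import email
from email.utils import parseaddr

# Assumptions, not from the article: the company's real domain and its own mail host.
LEGIT_DOMAIN = "example-finance.ug"
LEGIT_MAIL_HOSTS = {"mail.example-finance.ug"}

# Constructed raw message modelled on the lookalike-domain instruction in the case:
# correct display name, one letter changed in the domain, external reply-to and route.
RAW_MESSAGE = """\
Received: from mx.relay-host.example (unknown [203.0.113.5])
\tby mail.example-finance.ug with ESMTP; Tue, 3 Mar 2026 17:46:02 +0300
Received: from webmail.relay-host.example (localhost [127.0.0.1])
\tby mx.relay-host.example; Tue, 3 Mar 2026 17:45:40 +0300
From: "Chief Operations Officer" <coo@example-finamce.ug>
Reply-To: coo.office@webmail-provider.example
Subject: Vendor onboarding - strategic priority

Kindly expedite as per our strategic priority and urgency.
"""

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a distance of 1 is the one-letter lookalike the case describes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def inspect_message(raw: str) -> list[str]:
    """Return the sender-identity and routing findings an auditor would raise."""
    msg = email.message_from_string(raw)
    findings = []
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    from_domain = from_addr.rsplit("@", 1)[-1]
    if from_domain != LEGIT_DOMAIN:
        kind = "lookalike" if edit_distance(from_domain, LEGIT_DOMAIN) <= 1 else "external"
        findings.append(f"{kind} sender domain: {from_domain}")
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    if reply_to and reply_to != from_addr:
        findings.append(f"reply-to differs from sender: {reply_to}")
    # Received headers are prepended per hop, so the last one is the earliest hop;
    # an instruction genuinely sent from a corporate account starts on our own host.
    received = msg.get_all("Received") or []
    if received and received[-1].split()[1] not in LEGIT_MAIL_HOSTS:
        findings.append(f"message entered from external host: {received[-1].split()[1]}")
    return findings
```

Running `inspect_message(RAW_MESSAGE)` on the constructed message returns all three findings; a message that really left the corporate server with a matching domain and no foreign reply-to returns none.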
The Data Protection and Privacy Act, 2019, regulates the collection and processing of personal data and creates obligations for data controllers and processors. In this case, that matters because the investigation must avoid becoming a second breach. You cannot investigate a cyber incident by recklessly copying staff emails, exporting personal data without control, or circulating evidence on WhatsApp.
Anomaly detection does not depend on expensive tools so much as on people who know what normal behaviour looks like. Language analysis is supporting evidence, not final proof. It helps direct the inquiry, but it must be backed by technical records. Workflow speed can itself be suspicious when it departs from the normal control rhythm.
Investigators must separate suspicion from proof. Suspicion starts the inquiry; proof survives challenge. Try this: give teams three sample payment instructions, one genuine, one fraudulent, and one careless but legitimate. Ask them to mark language, authority, attachment style, domain, banking details, and process gaps. The lesson is immediate. Fraud rarely looks like fraud; it looks like work.
The investigation
The investigation team built the case in layers. They began with the business process. Who requested the vendor? Who approved onboarding? Who confirmed service delivery? Who approved payment? Who changed banking details? Who had system rights? Who was copied? Who should have been copied but was absent?
Then they moved to technical evidence. Email headers showed routing inconsistencies. Login logs showed no evidence that the real operations officer had sent the email from his corporate account. The vendor file metadata suggested the documents had been edited shortly before submission. The bank confirmation letter had formatting inconsistencies, including mismatched spacing and a logo that had been compressed from another document. The procurement reference number did not follow the company’s sequence.
Then they moved to human evidence. The junior officer admitted she had felt pressure because the email was copied to a senior manager. The finance manager said the phrase “strategic urgency” made him assume the matter had board attention. The operations officer confirmed he had been travelling that week, which made remote instructions feel plausible. That is how deception works. It feeds on context.
The team also checked internal collusion carefully but fairly. No one was accused casually. Access rights were reviewed, and communication patterns were examined. Personal devices were not seized without proper authority and legal guidance, and the investigation avoided the common mistake of humiliating staff before facts matured.
A top investigator knows that dignity protects evidence. When people feel attacked, they become defensive. When they feel the process is fair, they give cleaner accounts. The legal angle matters. Defence counsel will ask whether the evidence was original, whether the person extracting it was competent, whether the device was secure, whether screenshots were altered, whether the accused person had access, whether another person could have used the account, whether timestamps were reliable, whether the organisation preserved logs before contamination, and whether the investigation confused weak controls with criminal conduct.
Those questions are not irritations; they are the courtroom’s way of testing truth. Every investigation must connect business evidence, technical evidence, and human evidence. Chain of custody is not paperwork for lawyers. It is the bridge between what happened and what can be proved. Internal collusion must be considered without turning the workplace into a theatre of suspicion.
Investigators must document what they did not find. Absence of compromise in one account, absence of service delivery, absence of valid vendor history, and absence of normal approvals can all matter.
Here is what I use during an investigation. Draw five columns: instruction, approval, system record, money movement, and witness account. Place every fact under one column. If a fact cannot be placed, label it as an assumption. That simple discipline saves many investigations from becoming stories.
The company recovered part of the money because the escalation to the bank happened quickly. Not all of it was recovered, which is common. Money moves faster than meetings.
The closure meeting was more important than the disciplinary meeting. Management had to accept a balanced truth. The staff member who processed the request had made mistakes, but the organisation had designed a process where those mistakes were likely to occur under pressure. The finance manager should have verified the account change through a trusted channel. Procurement should not have allowed a new vendor file to move without independent validation. IT should have had stronger domain monitoring. Strategy owners should have built security controls into the rollout before go-live.
Nobody needed public shaming. The system needed maturity. The company introduced independent callback verification for all new vendors and banking changes. It restricted payment approvals by risk level and introduced a rule that no strategic project payment could bypass procurement, IT confirmation, and finance validation unless a documented emergency exception was approved by two named officers. It trained staff to challenge urgency without fear, set log retention periods, created an incident response playbook, and added board reporting on cyber-enabled fraud, not just IT incidents. That is closure, not a report on a shelf.
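As an added example (not the company's or the article's own code), the control rule above expressed as a check a payment system could run before release: callback verification for new vendors and banking changes, the three required steps unless a documented emergency exception carries two named approvers, and a flag on approvals far faster than the category baseline, which is the twelve-minute pattern the auditor caught. The step names, the two-day baseline and the ten percent threshold are assumptions, and the check is applied to every request in the category rather than only to strategic ones.

```python
from dataclasses import dataclass, field
from datetime import timedelta

# Assumptions, not from the article: control step names and illustrative baseline values.
REQUIRED_STEPS = {"procurement_scope", "it_service_confirmation", "finance_tax_validation"}
BASELINE = {"technology_vendor": timedelta(days=2)}  # typical request-to-approval time
SPEED_RATIO = 0.1  # approvals faster than 10% of the baseline are flagged for review

@dataclass
class PaymentRequest:
    category: str
    new_vendor: bool
    bank_details_changed: bool
    callback_verified: bool
    completed_steps: set[str] = field(default_factory=set)
    emergency_exception: bool = False
    exception_approvers: set[str] = field(default_factory=set)
    request_to_approval: timedelta = timedelta(0)

def control_findings(req: PaymentRequest) -> list[str]:
    """Return the control gaps that should block or escalate this payment."""
    findings = []
    if (req.new_vendor or req.bank_details_changed) and not req.callback_verified:
        findings.append("callback verification missing for new vendor or banking change")
    missing = REQUIRED_STEPS - req.completed_steps
    if missing:
        # Skipping steps is allowed only as a documented exception with two named approvers.
        if not (req.emergency_exception and len(req.exception_approvers) >= 2):
            findings.append(f"required steps skipped without valid exception: {sorted(missing)}")
    baseline = BASELINE.get(req.category)
    if baseline and req.request_to_approval < baseline * SPEED_RATIO:
        findings.append(f"approval took {req.request_to_approval} against a {baseline} baseline")
    return findings

# Constructed request matching the case: new vendor, changed account, no steps, twelve minutes.
CASE_REQUEST = PaymentRequest(
    category="technology_vendor", new_vendor=True, bank_details_changed=True,
    callback_verified=False, completed_steps=set(),
    request_to_approval=timedelta(minutes=12),
)
```

`control_findings(CASE_REQUEST)` returns three findings for the constructed request, while a request with callback verification, all three steps and a normal approval time returns none.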
What else leaders should know
Strategy expands the attack surface. When an organisation digitises customer onboarding, the risk is not only whether the app works. It is whether fake identities can enter. When it connects to third-party vendors, the risk is not only service uptime. It is whether the vendor becomes the side door. When it uses AI, the risk is not only about productivity. It is whether sensitive data is exposed, decisions become opaque, or staff trust machine output too easily. When executives approve through mobile channels, the risk is not only convenience. It is whether identity can be impersonated.
The future-ready organisation does not slow strategy with fear. It strengthens the strategy with verification. Top leadership should ask management five questions.
- Where does the strategy depend on digital trust?
- Which processes can move money, data, or authority?
- Which controls create evidence if challenged?
- Which cyber incidents could damage customers within one hour?
- Which executive decisions can be impersonated?
In court, truth enters through a narrow door. It does not matter how loudly the organisation complains outside that door. The evidence must be properly collected, properly preserved, properly explained, and properly connected to the person, system, transaction, and loss. A weak investigation turns a strong suspicion into an expensive opinion. That is why security belongs inside the strategy, not after it. When strategy runs ahead of security, risk does not remain behind.
It follows quietly, learns the route, studies the people, waits for pressure, and enters through the door everyone forgot to lock.
Copyright IFIS 2026. All rights reserved.