The cyber trap: How hackers use curiosity against you

It started with a link. One click. That’s all it took.

On a cool Friday morning in April 2025, a procurement officer at a leading Ugandan NGO, let’s call her Susan, received a WhatsApp message from an unknown number. The message read:

“Hi Susan, I saw this on Twitter about your organization. Thought you should see it.”

(link attached)

The link preview showed the NGO’s logo with the caption, “Shocking scandal involving NGO procurement manager leaks online.”

Her heart raced.

Susan clicked.

Nothing loaded. “Maybe it’s my MTN data,” she thought. She brushed it off. But unknown to her, that single click triggered a silent, malicious payload. A Remote Access Trojan (RAT) had installed itself quietly on her phone.

By Sunday, hackers were reading her emails, intercepting her WhatsApp messages, and capturing her keystrokes. By Monday, they were inside the NGO’s procurement system.

By Friday, UGX 235.3 million had been siphoned off through fake supplier payments, approved under Susan’s stolen credentials.

The psychology of the trap

Hackers don’t always rely on brute force. Most successful hacks exploit the weakest link in the security chain: you.

Their favourite weapon? Curiosity.

We’re hardwired to react to things that challenge our reputation, social standing, or safety. Hackers know this. That’s why they craft messages designed to bypass your rational brain and trigger raw emotion:

  • “Is this your photo?”
  • “Invoice overdue!”
  • “Your account has been suspended.”
  • “See who searched for you on LinkedIn.”

One tap on a poisoned link is all it takes.

Anatomy of Susan’s hack: The cyber kill chain

Step 1: Reconnaissance

Hackers scraped LinkedIn for NGO staff profiles. Susan’s profile listed “Procurement Lead.” Jackpot.

Step 2: Weaponization

They crafted a WhatsApp message using ChatGPT-powered social engineering scripts, complete with an NGO logo and scandal bait.

Step 3: Delivery

The link used a domain like bit-ug-ngo.site, mimicking a legitimate URL.

Step 4: Exploitation

Clicking the link installed malware called Quasar RAT, built for Android devices.

Step 5: Installation & Command and Control

The RAT gave hackers remote access, monitoring Susan’s phone 24/7, harvesting MFA codes, passwords, and procurement approvals.

Step 6: Action on Objective

They initiated fraudulent payments using valid credentials. No firewalls, no antivirus alerts, because the request came from a “trusted” device.

Summit Consulting investigation: How we cracked the case

Summit Consulting Ltd was brought in after a whistleblower tipped off the finance director. We launched a cyber forensics sweep with SummitIR tools – Summit Incident Response Tools.

  • Mobile Forensics: We imaged Susan’s phone using Cellebrite UFED and traced command & control server IPs.
  • Network Forensics: We analysed server logs and flagged unusual VPN traffic from Eastern Europe.
  • Payment Trail Analysis: Fraudulent payments traced to three local supplier accounts, opened weeks earlier using forged documents.

Suspect 1 – A disgruntled ex-employee in the finance department, identified by login anomalies.

Suspect 2 – An external hacker linked via a BTC wallet used for payments.

Susan was cleared of malicious intent, but the damage was done.
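The payment trail analysis described above can be sketched as a review rule that does not depend on the device being untrusted: flag payments to recently onboarded suppliers, and escalate when one approver pays several such suppliers within days. This is an added example, not Summit Consulting's tooling; the function names, thresholds and records are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import date

# Constructed sample data: IDs, dates and approver names are illustrative.
# The three flagged amounts are an arbitrary split of the UGX 235.3 million total.
SUPPLIERS = {  # supplier id -> date added to the vendor master
    "SUP-014": date(2022, 3, 9),
    "SUP-301": date(2025, 3, 24),
    "SUP-302": date(2025, 3, 26),
    "SUP-303": date(2025, 3, 27),
}
PAYMENTS = [  # (payment id, supplier, approver, payment date, amount in UGX)
    ("PAY-1", "SUP-014", "approver-a", date(2025, 4, 14), 18_400_000),
    ("PAY-2", "SUP-301", "approver-a", date(2025, 4, 15), 79_000_000),
    ("PAY-3", "SUP-302", "approver-a", date(2025, 4, 16), 81_500_000),
    ("PAY-4", "SUP-303", "approver-a", date(2025, 4, 17), 74_800_000),
    ("PAY-5", "SUP-301", "approver-b", date(2025, 6, 30), 5_000_000),
]

def flag_payments(payments, suppliers, new_days=45, burst=3, window_days=7):
    """Return {payment_id: [reasons]} for payments needing out-of-band checks."""
    flags = defaultdict(list)
    new_by_approver = defaultdict(list)  # approver -> [(date, supplier, pay id)]
    for pid, sup, approver, paid, _amount in sorted(payments, key=lambda p: p[3]):
        onboarded = suppliers.get(sup)
        if onboarded is None:
            flags[pid].append("supplier not in vendor master")
            continue
        age = (paid - onboarded).days
        if age > new_days:
            continue  # established supplier: no flag from these rules
        flags[pid].append(f"supplier only {age} days old")
        hist = new_by_approver[approver]
        hist.append((paid, sup, pid))
        window = [h for h in hist if (paid - h[0]).days <= window_days]
        if len({h[1] for h in window}) >= burst:
            reason = f"{approver} paid {burst}+ new suppliers in {window_days} days"
            for _, _, hp in window:  # flag every payment in the burst
                if reason not in flags[hp]:
                    flags[hp].append(reason)
    return dict(flags)

def flagged_total(payments, flags):
    """Sum the amounts of all flagged payments."""
    return sum(p[4] for p in payments if p[0] in flags)

if __name__ == "__main__":
    result = flag_payments(PAYMENTS, SUPPLIERS)
    for pid, reasons in result.items():
        print(pid, "->", "; ".join(reasons))
    print("Flagged total (UGX):", flagged_total(PAYMENTS, result))
```

Payments flagged this way would be held for a call-back to the supplier on a previously known number, which still works when the approver's credentials and MFA codes are compromised.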

The real cost: UGX 235.3 million and a reputation in tatters

Beyond the money, donor confidence shook. The NGO’s international partners demanded a full cybersecurity overhaul.

Lessons from the battlefield

  1. Curiosity kills, literally, your network. Never click on unsolicited links, especially from unknown numbers or emails.
  2. Zero-trust isn’t just a buzzword; it’s a matter of survival. Assume every request could be malicious. Verify before trusting.
  3. Mobile is the new battleground. Most staff treat mobile phones as casual devices. Hackers don’t. They love exploiting WhatsApp, SMS, and personal email on work devices.
  4. MFA alone won’t save you. Hackers can intercept MFA tokens once inside your device.
  5. Train your people like soldiers. Regular cyber drills, simulated phishing, and curiosity traps should be part of your organizational culture.

How to protect yourself

In tactical warfare, situational awareness can be the difference between life and death. In cybersecurity, digital situational awareness saves your organization.

Your phone is a weapon and a vulnerability. Every link, every attachment, every message is a potential trap.

Curiosity may have killed the cat, but it could also harm your business.

© 2025 All rights reserved Institute of Forensics and ICT Security | IFIS is the training arm of Summit Consulting Ltd