Think before you click: The email that could cost you everything

It arrived at 8:47 AM. Subject line: “URGENT – Unpaid Invoice Attached.”

To most people, it looked ordinary. To Susan, the finance officer at a mid-sized Ugandan firm, it looked familiar, maybe even routine. She was barely done with her morning cup of tea when she clicked the attachment.

That one click cost her company UGX 246 million.

Here’s the truth: In 2025, it’s not armed robbers draining your accounts. It’s silent hackers, and their weapons are cleverly crafted emails, links that mimic trust, and human reflexes trained to act without thinking.

The scam was simple. The email appeared to come from a long-time supplier. The language was professional. The sender’s address was off by just one character. The fake invoice carried malicious macros. Once opened, it quietly installed a remote access trojan (RAT) on Susan’s machine. No alarms. No pop-ups. Just quiet, lethal infiltration.

Within hours, attackers had mapped internal systems. They read every email. They intercepted a real payment approval process, altered bank details in a legitimate PDF, and by the end of the day, UGX 246 million was gone, sent to a Kenyan account, then split across mobile wallets and crypto wallets faster than URA’s fastest tax probe.

Summit Consulting was called in when the money had already vanished. Logs were overwritten. The attacker used Susan’s real credentials; there was no failed login attempt, no brute force. Just trust, abused.

So, what did we learn?

That email is no longer mail. It’s a potential breach point. Clicking a link isn’t harmless curiosity; it’s digital Russian roulette. Phishing isn’t always about Nigerian princes or misspelled spam. Today, it mimics your CEO’s tone. It hijacks ongoing email threads. It comes from a domain one letter away from your supplier’s real address.

The fix isn’t just antivirus. It’s vigilance.

Always verify unexpected emails, even if they seem familiar.

Call the sender. Hover over links. Use multi-factor authentication. And train your staff not to click in panic.

Because in cybercrime, one click is all it takes.

That’s not theory. That’s what Susan’s company is still recovering from: one invoice, one moment, one careless click.


© 2025 All rights reserved Institute of Forensics and ICT Security | IFIS is the training arm of Summit Consulting Ltd