A commercial bank based in Kampala has reportedly lost over Shs5.5 billion in two sophisticated cyber fraud incidents within a year. Investigations reveal that Shs3.56 billion was stolen through the bank’s Bill Pay System, while an additional Shs1.95 billion vanished from its agent banking platform.
The Bill Pay System, which facilitates utility payments like water, electricity, and school fees via mobile money, was targeted first in October 2023. Fraudsters exploited the login credentials of a bank teller at the headquarters and accessed the system using a computer assigned to a loans officer at an upcountry branch in Kabale. The stolen funds were distributed to 40 fraudulent mobile money agents, with some receiving multiple disbursements.
The second incident, in August 2024, involved a similar scheme. Fraudsters used the credentials of a headquarters-based teller to access the agent banking platform via a loans officer’s computer in Bwaise, a Kampala suburb. The funds were sent as "float" to agents, who subsequently withdrew the money.
An internal investigation uncovered glaring weaknesses in the bank’s systems. These included the absence of time-out features, lack of One-Time Passwords (OTPs) for added security, and no transaction limits requiring supervisor approval. Dual control measures were also missing, allowing tellers unrestricted access to disburse funds.
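The control gaps listed above, and the pattern of a teller's credentials being used on a loans officer's computer, can be checked for in disbursement records. The following is an added example, not the bank's code or anything from the report; the record fields, user and workstation names, and the approval limit are all assumptions, and the sample records are constructed.

```python
from collections import Counter

# Constructed sample records (not data from the incidents). Field names,
# identifiers and the approval limit are assumptions for illustration.
ASSIGNED = {"WS-HQ-01": "teller_a", "WS-BR-07": "loans_b"}  # workstation -> assigned user
APPROVAL_LIMIT = 5_000_000  # hypothetical Shs threshold that requires a second approver

EVENTS = [
    {"id": 1, "user": "teller_a", "workstation": "WS-HQ-01", "agent": "AG-100",
     "amount": 800_000, "approver": None},
    {"id": 2, "user": "teller_a", "workstation": "WS-BR-07", "agent": "AG-200",
     "amount": 90_000_000, "approver": None},
    {"id": 3, "user": "teller_a", "workstation": "WS-BR-07", "agent": "AG-200",
     "amount": 85_000_000, "approver": "teller_a"},
    {"id": 4, "user": "teller_a", "workstation": "WS-HQ-01", "agent": "AG-300",
     "amount": 12_000_000, "approver": "supervisor_c"},
]

def review(events, assigned=ASSIGNED, limit=APPROVAL_LIMIT, repeat_threshold=2):
    """Return {event id: [reasons]} for disbursements that break a control."""
    # Count large payouts per agent so repeat recipients stand out.
    per_agent = Counter(e["agent"] for e in events if e["amount"] >= limit)
    findings = {}
    for e in events:
        reasons = []
        # Credential used on a machine assigned to someone else.
        if assigned.get(e["workstation"]) != e["user"]:
            reasons.append("credential_workstation_mismatch")
        # Dual control: large payouts need an approver other than the initiator.
        if e["amount"] >= limit and e["approver"] in (None, e["user"]):
            reasons.append("no_independent_approval")
        # Same agent receiving several large disbursements.
        if e["amount"] >= limit and per_agent[e["agent"]] >= repeat_threshold:
            reasons.append("repeat_large_payout_to_agent")
        if reasons:
            findings[e["id"]] = reasons
    return findings

if __name__ == "__main__":
    for event_id, reasons in review(EVENTS).items():
        print(event_id, ", ".join(reasons))
```

Run as a preventive check, the same rules would hold a disbursement for supervisor approval rather than only flag it afterwards.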
The fraud was described as a coordinated effort involving both external hackers and insiders. “The fraud was orchestrated by parties external to the bank but with strong assistance from elements inside the institution,” an internal report stated.
Following the incidents, several staff members, including loans officers and IT specialists, were dismissed. However, the tellers whose credentials were misused remain employed.
Despite police involvement, investigations have faced significant challenges. Officers were reportedly denied access to the bank’s core systems, which could have provided crucial evidence. Additionally, a key investigating officer was unexpectedly transferred before interrogating implicated mobile money agents.
Experts warn that the lack of robust cybersecurity measures leaves financial institutions vulnerable to similar attacks. Mr. Apollo Ssekitoleko, an IT expert, noted that the breaches highlight critical system deficiencies.
The bank, whose identity remains confidential, has since implemented security upgrades to prevent future breaches. However, questions linger over the effectiveness of its response and the role of insider collusion in enabling the fraud.
Cyber fraud in Uganda's banking sector is rising due to outdated IT security systems, insider collusion, increased digitization, and lack of robust fraud detection mechanisms. Weak enforcement of cybersecurity policies and inadequate employee training on emerging threats further expose banks to sophisticated schemes targeting mobile banking, agent platforms, and payment systems.