Pride Microfinance Limited a government of Uganda-owned deposit-taking Microfinance institution was early May 2023 hacked and UGX1.3 billion stolen, CEO East Africa Magazine can exclusively reveal.
Although the financial institution denied the loss, claiming it was a mere attempt, Luke Owoyesigire, the Kampala Metropolitan Police Deputy Spokesperson confirmed the digital theft, saying that the bank reported it to Kira Road Police, a day after the heist.
“Pride had an attempted fraud, and we are in the process of investigating the incident. Given our robust controls in place, none of our customers’ funds was accessed, and we assure them of our continued commitment to providing them with quality service,” Deo Kateizi, the Pride Microfinance Head of Business Development and Marketing, told this reporter via WhatsApp, after over two weeks of prodding.
However, in an exclusive interview, with this reporter, Assistant Superintendent of Police, Luke Owoyesigire, confirmed that the said hack happened on the night of 7th May 2023 heading into the morning of 8th May 2023. He also confirmed that indeed the financial institution had reported the case to Kira Road Police Station on the 9th of May 2023 under file number CRB/523/2023.
“On the night of 7th and 8th May 2023, unknown persons tampered with the Pride Microfinance Super Aggregated Mobile Money Account at the bank. The system was tampered with starting at 11 pm on the 7th of May and by 04 am on the morning of the 8th of May 2023, they had completed taking off the money,” ASP Owoyesigire told this reporter on a phone call.
“The money was taken from the Super Aggregated Mobile Money Account and sent, using designated Pride Microfinance numbers or rather configured to look like Pride Microfinance numbers and sent to external mobile money agent numbers. In total, about UGX1.3 billion was stolen. Investigations then commenced with looking at the history of how the money moved from the bank to the Airtel Money numbers. We have so far arrested two people; a Wanda Simon and Namatovu Rebecca and gotten one mobile money line operated by the two,” he went on to say.
He further said that on arresting the duo, and on interrogation, a one Kirabo Patricia a neighbour of one of the suspects in Bwebajja whose number received about UGX120 million was arrested.
“On interrogation, Patricia confessed how she was approached by her neighbour and told how money would be sent to her mobile money accounts and indeed the money came in bits and pieces until a total of UGX120 million was sent. She also confessed that she was told how and where to send the money once it came in, which she did. She has confessed that one of the accomplices is out of the country. We have identified and are tracing the recipient numbers, their owners and the other customers who received this money,” Owoyesigire said.
An industry source who talked to us on condition of anonymity, suggested that “it looks like there was internal collusion between internal staff managing the Super Aggregated Mobile Money Account (MNO) Account”.
Asked if there was any indication of this being an inside job, Owoyesigire said that it was too early to tell.
“Until we get the prime suspects we can’t tell if there was internal collusion or not. We need to be certain about the process of how money ordinarily leaves the bank, how and who approves and if we have any evidence we shall certainly make more arrests,” he said, adding that more investigations are ongoing.
Airtel Money freezes recipient accounts; clients complain to Bank of Uganda
CEO East Africa Magazine understands that as part of the investigations, Airtel Money, working with police, has frozen the mobile money accounts of recipient numbers and in some cases retracted some of the money, returning it to Pride Microfinance.
This Magazine, has seen a complaint filed by one of the affected Airtel Money agents to the Director of National Payments Systems, the regulator over the freezes.
In one of the complaints, a customer admits that whereas one of their lines actually received some of the money from the fraud, they had no way of knowing whether the money was fraudulent or not and therefore freezing their accounts was wrong, especially that entire accounts had been frozen with all the monies on it.
“When we are operating mobile money we can’t tell criminals and non-criminals. We call them clients. Our duty is to deposit money and withdraw money from clients. We can’t tell that this money we are withdrawing is stolen because all clients valk in the same way. We were told our money was confiscated and given back to Pride Microfinance. Am requesting you to help me demand our money back because we have no link to the crime. Our duty was to pay the client which we were contracted to do,” reads part of the complaint to the Central Bank.
In a WhatsApped response to this reporter, David Birungi, the Airtel Uganda Spokesperson said that whereas he was not privy to the full details of the particular fraud, temporary freezing of suspect accounts was a routine risk management procedure in the interest of all parties involved in the payments ecosystem.
“I have not yet gotten into the full details of this, since you’ve just alerted me to it. But what you should know, and I think what everybody needs to know is that we have a role to protect everybody⏤ everybody in the ecosystem. It is within our mandate, and we work with various partners, including police and other financial institutions,” he said in a WhatsApp message,
“In the same way a customer would call us and say, they have maybe sent money to a wrong number and request for a reversal if there any issues that need to be resolved, our duty is to cooperate with whichever partner including customers, police, payment partners etc, to make sure that we rid the system of all such incidents. What that means, is we work with the with police, work with banks, etc verify the complaints and because mobile money moves so fast, we have no alternative but to temporarily block the suspect accounts. No one is exempt from such scrutiny,” he added.
Fraud⏤ the enemy within
Speaking at a recent anti-fraud forum organised by Stanbic Bank, Dr Tumubweine Twinemanzi, the Bank of Uganda’s Executive Director for Supervision, said that there was growing internal collaboration with fraudsters.
“Recent developments are that the majority of fraud in the banking sector is not necessarily about external actors coming in, it is about internal actors enabling external actors,” he said.
A 2020 PwC’s Economic Crime and Fraud Survey revealed that economic crime remains a persistent threat for Uganda with 54% of companies surveyed (compared with 47% globally) reporting that they experienced incidents of fraud and economic crime within the past 24 months.
18% of these companies said they had experienced at least 10 incidents in the previous 2 years. In Uganda, the survey results show that in the past two years, the main perpetrators of frauds suffered by Ugandan companies continue to be internal perpetrators (36%) (56% in 2018) and collusion between internal and external perpetrators (36%). In total 72% of all frauds had an internal element, while globally, most incidents were committed by external perpetrators.
The report also revealed that 43% of all frauds were by senior management, an increase from 30% in 2018). This was followed by operations staff (24%) and middle management (19%).
“The number of economic crimes perpetrated by Senior Management has seen a significant increase in the last 24 months. These crimes are often the most insidious because of the ability (whether through delegated authority levels, system knowledge, or influence) top executives have to override or conspire to override, internal controls. It is also an indicator of a resultant poor organisational culture given the wrong signals from the top,” the report observed.
The report also noted that customer fraud continues to be rampant, topping the list of externally perpetrated economic crimes reported in Uganda at 53 %, compared to 35 % globally.
Of more concern is that only, 14 % of the frauds were disclosed to regulators/ law enforcement, with the majority choosing to keep and deal with the matter in-house.
According to Sarah Arapta the Chief Executive of Citibank and Chairperson of Uganda Bankers Association- an umbrella organization of 36 financial institutions licensed and supervised by the Bank of Uganda, a study conducted by UBA amongst its members for 2017-2022 shows that at least some UGX43.6bn in cash and value equivalent was lost. This doesn’t include mobile money theft as mobile money companies are not UBA members.
Of this, according to Arapta and Wilbrod Owor, the UBA Executive Director, 42.4% was on account of impersonation, identity theft forgeries and cash suppression; 31.9% on account of cyber, digital and payments and 25.7% was related to loan fraud.
Arapta says, that in 2022, UBA members reported 206 fraud incidents, which in her view, “were grossly underreported”.
However, what is more telling about the gravity of the challenge is, of these 206 incidents, “91% of the attempted fraud, resulted in a loss”.
Selected fraud incidents over the last 5 years
Some of the industry’s big thefts reported over the last five years, include:
- A 09th September 2018, theft of UGX2,617,761,200 from Beyonic Ltd, a fintech.
- Between the 13th of March 2019 and the 22nd of April 2019, unknown hackers hit the MTN Mobile Money system and made off with UGX 802,476,500.
- In May 2019 UGX543,302,100 was stolen from client accounts at dfcu Bank.
- Between May and June 2019, True African, another payments aggregator, had its systems hacked and money amounting to UGX116,000,000 was fraudulently stolen.
- Between August and December 2019, various Centenary Bank accounts registered on mobile banking were hacked and money totalling to UGX800,000,000 was fraudulently stolen.
- Between Friday 2nd and Saturday 3rd October 2020 hackers hit the systems of Pegasus Technologies, a Ugandan-based payments aggregator at stole UGX10.5 billion.
- Between April and May 2022, digital thieves hacked into UGAFODE Microfinance Limited and made off with an amount said to be UGX400 million.
- On or around 27th October 2022, hackers broke into the accounts of two payments aggregators⏤ from where they accessed the virtual wallets of banks held by Airtel Money from where they wired and withdrew approximately UGX7.6 billion via 1,840 SIM cards.
- In February 2022, a team of 12 suspects, including two Stanbic bank staff, using a forged passport of a client, one Mohamed Abdul Hakim Hussein, a company director and signatory to the Nile Energy account, transferred and stole USD1.8 million from Nile Energy.