On the evening of Friday, 09th September 2018, unknown persons hacked the mobile money float accounts of a payments aggregator company called Beyonic Ltd and originated payments amounting to UGX2,617,761,200. According to police, the money was wired to and withdrawn via 83 different MTN Mobile Money and Airtel Mobile Money accounts/SIM cards. The fraud was detected 07 days later, and the mobile accounts were blocked around the 16th of September. Investigations showed that the beneficiary SIM cards had been registered without the consent and/or knowledge of the registered owners.

A couple of months later, between the 13th of March 2019 and the 22nd of April 2019, unknown hackers hit the MTN Mobile Money system and made off with UGX 802,476,500 that they withdrew via 112 MTN subscriber SIM cards that had been fraudulently swapped. The owners of the agent SIM cards and beneficiary SIM cards were not aware of any transactions happening on their numbers.

SIM-swapping is the act of duplicating a SIM card’s credentials to make two lines with the same number that work simultaneously.

Some time ago, the sector regulator, the Uganda Communications Commission (UCC), issued directives that all SIM cards must be registered using national identity cards. Mobile phone companies then gave all their agents biometric machines to capture fingerprints and match them against the fingerprints held in the national database. Investigations by police show that the fraudsters penetrated the onboarding agents’ network and are now capturing the biometrics of unsuspecting persons more than once, making extra copies of their national identity cards and later registering more than one SIM card in their names. These unscrupulous agents then use and/or sell the pre-registered SIM cards to people with criminal intentions.

This is how, for example, 4 SIM cards belonging to 4 dfcu Bank customers (Jacqueline Nansubuga, Carol Massimo, Ogara Claude Masikin and Amoding Priscilla) were fraudulently swapped and money amounting to UGX543,302,100 was transferred on the 14th of May 2019 to the swapped cards. By the time the bank learnt of the fraud and the accounts were frozen, UGX383,236,097 had been withdrawn using ATM cards and various mobile money outlets. Only UGX 160,166,003 was salvaged.

Between May and June 2019, True African, another payments aggregator, had its systems hacked and money amounting to UGX116,000,000 was fraudulently transferred to 303 SIM cards (both Airtel and MTN) and withdrawn without the consent of the registered owners via swapped SIMs.

In a similar manner, between August and December 2019, various Centenary Bank accounts registered on mobile banking were hacked and money totalling UGX800,000,000 was fraudulently transferred to 100 SIM cards and withdrawn. The thieves vanished into thin air, according to Uganda Police’s Annual Crime Report for 2019.

Overall, in 2019 police recorded several digital thefts in which 519 fraudulently swapped pre-registered SIM cards were used to transfer and steal monies from various banks and mobile money accounts.

Ensuing investigations and police intelligence led to the 17th March 2020 busting and arrest of a cartel of 37 Chinese nationals who were illegally staying in Lubawo Zone, Kireka Ward, Namugongo Division, Kira Municipality in Wakiso District.

Upon search of their residence, 45 laptops, 2,697 mobile phones, 55 Mifi modems, 2,448 SIM cards (2,215 of them Airtel SIM cards and 233 MTN, all registered in the names of Ugandans) and 32 financial cards, debit cards and ATM cards were found and confiscated. Also found were 163 sacks of electronic parts that among others included 500,000 mobile phone motherboards, 09 boxes of integrated circuits (ICs) from phone motherboards, 06 stamps and 1 blue stamp seal for various companies.

L-R: AIGP Major Tom Magambo, Director of the Criminal Investigations Directorate (CID), Paul Mugisha, Liaison Officer External Security Organisation, and Amos Ngolobe, Advisor Statehouse Anti-Corruption Unit at the Financial Fraud Forum 2023.

On 27/03/2020 all 37 suspects were charged at Buganda Road Court on 24 counts ranging from unauthorised use of computer services, carrying out business without a trading license to possession of goods suspected to have been smuggled among others. They were later remanded to Kitalya Prison. On 30/06/2020, through their legal representatives, the Chinese applied to the court to enter into a plea bargain. The plea bargain was allowed and the accused changed their plea to plead guilty on all counts. They were sentenced to various periods of imprisonment or payment of fines.  In total, about UGX182,000,000 was paid in fines. Court also ordered that the Chinese nationals be deported as soon as the Covid-19 travel restrictions were lifted. The confiscated phones and electronic parts were all forfeited to the state. 

More complex and bigger digital heists

You would imagine that after this sting operation, digital thefts would stop, but in perhaps one of the most brazen and costliest attacks, digital robbers struck again, only a few months later. 

Between Friday 2nd and Saturday 3rd October 2020, hackers hit the systems of Pegasus Technologies, a Ugandan-based payments aggregator, and from there gained access to the online vendor accounts of various banks, including Stanbic Bank, Bank of Africa and Absa Bank Uganda, and made off with UGX10.5 billion, according to police. The money was withdrawn via 877 Airtel SIM cards (5,026,523,000) and 755 MTN Mobile Money SIM cards (5,500,000,000) at various mobile money agents in areas of Luzira, Mukono and other various locations in Kampala.

09 suspects were arrested and charged in court.   

The digital thieves would strike again and again with more complexity. 

For example, between April and May 2022, digital thieves hacked into UGAFODE Microfinance Limited and made off with an amount said to be UGX400 million. The money was then wired to several mobile money accounts before being withdrawn. 

UGAFODE is one of five licensed micro-deposit-taking financial institutions (MDI) in Uganda. 

Again, on or around 27th October 2022, hackers broke into the accounts of a payments aggregator, from where they accessed the virtual wallets of banks held with Airtel Money, and from there wired and withdrew UGX7.6 billion via 1,840 SIM cards, according to The New Vision newspaper, quoting a police source.

In between, several other frauds have happened, according to industry sources, but many of them went unreported.

In February 2023, a team of 12 suspects, including two Stanbic Bank staff, using a forged passport of a client, one Mohamed Abdul Hakim Hussein, a company director and signatory to the Nile Energy account, transferred USD1.8 million to three bank accounts held in Stanbic’s Garden City and Freedom City branches in the names of Dixon Kagurusi Ampumuza, Petrom Limited and Famane Investments Co. Ltd. The money was then withdrawn as soon as it was deposited, in 7 instalments of USD 495,000, USD 287,000, USD 295,000, USD 90,000, USD 60,000, USD 295,000 and USD 495,000, according to Uganda Police.

On 3.02.2023, one Tefera Okubaslassie Robel, an Eritrean refugee, was intercepted with two Nile Energy inter-account transfer forms, with a face value of USD 988,200, that was to be transferred to Dixon Kagurusi Ampumuza’s account. The suspect also had in his possession a Kenyan Passport Number AK 0849025 in the name of the victim, Mohamed Abduhakim Hussein.

Just a tip of the fraud-berg

If these amounts strike you, then you should be worried more, because according to Sarah Arapta, the Chief Executive of Citibank and Chairperson of Uganda Bankers Association (an umbrella organization of 36 financial institutions licensed and supervised by the Bank of Uganda), these reported cases are just a minute fraction of the actual fraud incidents.

Dr. Tumubweinee Twinemanzi, PhD, the Bank of Uganda Executive Director, expressed concern at the rising incidents of internal fraud and advocated for sterner consequence management, tighter people sieving, as well as the creation of a national blacklist of especially convicted and/or known fraudsters.

A study conducted by UBA amongst its members for 2017-2022 shows that at least UGX43.6bn in cash and value equivalent was lost. This doesn’t include mobile money theft as mobile money companies are not UBA members.

Of this, according to Arapta and Wilbrod Owor, the UBA Executive Director, 42.4 per cent was on account of impersonation, identity theft, forgeries and cash suppression; 31.9 per cent on account of cyber, digital and payments; and 25.7 per cent was related to loan fraud.

Arapta says that in 2022, UBA members reported 206 fraud incidents, which in her view, “were grossly underreported”.

However, what is more telling about the gravity of the challenge is that, of these 206 incidents, “91 per cent of the attempted fraud, resulted in a loss”.

“The number of incidents must have been much higher than was reported. But it is very revealing to indicate that 91 per cent of the attempted cases resulted in a loss. The greatest number of incidents were in mobile banking/agent banking and cash suppression. In terms of impact- the highest amount of category loss includes- loan fraud, and impersonation fraud,” Arapta told industry stakeholders at the just concluded Financial Fraud Forum 2023.

She also said that the impact of fraud was far-reaching.

“The impact of fraud on Financial Institutions is immense, because it is not limited to financial loss only. There is a loss in customer confidence…there is also reputation damage when our customers believe that we have poor systems that allow fraud. There’s also loss of trust from stakeholders, shareholders and regulators and with that also comes increased regulatory scrutiny, and increased costs of fraud management and control,” she said.

All these costs, she said, contribute to increased costs of business for the industry, translating into higher interest rates. 

Being your brother’s keeper: Stanbic Bank leads industry stakeholders to lift the veil off the fraud hydra

The Financial Fraud Forum 2023- the first of its kind, was organised by Stanbic Bank to create a collaboration platform for the prevention, detection, and investigation of financial fraud as well as the recovery of fraud proceeds. 

The Forum, held on Thursday, March 23rd 2023, at Mestil Hotel, brought together a broad spectrum of the private sector, regulatory, law enforcement, legal, civil society and the media. Those invited and who participated in the Forum, included the Bank of Uganda, the Uganda Bankers Association and Chief Executives from member financial institutions as well as the Uganda Police, Office of the Director of Public Prosecutions, and the Statehouse Anti-Corruption Unit. 

Sarah Arapta, the Citibank Uganda Chief Executive and Chairperson Uganda Bankers Association called for increased industry collaboration, sharing of information as well as a tougher punitive regime against offenders, amongst other proposals.

Others included representatives from the Inspectorate of Government, Financial Intelligence Authority (FIA), Internal Security Organisation (ISO), External Security Organisation (ESO), Office of the Attorney General, Chieftaincy of Military Intelligence, The National Information Technology Authority-Uganda (NITA-U), Agent Banking Company of Uganda, Licensed National Payment Service Providers, the Media, the Judiciary, Uganda Revenue Authority (URA), Uganda Communications Commission (UCC), the Association of Certified Fraud Examiners and the ICT Association of Uganda (ICTAU). 

Anne Juuko, the Stanbic Bank Chief Executive, and the brain behind the initiative, said that given the advancement of technology and the ease with which fraud could now be carried out, there couldn’t have been a better time to put an end to suffering in silence, break the taboo walls around talking about fraud and together share knowledge on how to combat it.

“The contemporary fraudster is invisible, highly skilled, very well connected, is more aware of your technology set up and is well aware of your internal and external fraud measures; is aware of the regulation and the laws, is very aware, keen and skilful in how they are doing their thing,” Anne told the Forum.

“While we are silent in our approach - if fraud happens in a particular institution, the practice has been that we handle it internally. It is handled quietly. You want to keep the problem in one setting. You don’t want to talk about it. You do not want to tell your neighbours. Yet the reverse is true. For the people on the other side, the fraudsters, are highly connected, in their syndicate approach,” she added.

“The fraud we are dealing with is multilayered and also operates in several forms. The same fraudster who will hit Stanbic is gonna come and hit UBA Bank; will come and hit Standard Chartered and when they are finished, they will go through MTN Mobile Money and Airtel Money. So every single one of us is at risk, and therefore we must change our approach. This is not a problem that we can tackle as individuals. This is not a problem that we can sweep under the carpet. This is not a problem that we can deal with at a micro-level. So this forum, is to create an enabling environment, where we collaborate, we share information and get to the bottom of the matter,” she reiterated.

“As the economy and technology grow, we are faced with a problem that grows with time; in depth and in magnitude. Today in a space of seconds, you can move trillions into 1000 different locations, at the same time. The problem we are dealing with is not what we knew before. It is a moving problem and therefore, is going to require a whole new set of solutions. And these solutions must come from within us,” Anne further emphasises. 

She said the purpose of the Forum is to get stakeholder acknowledgement of the problem, keep each other abreast of the latest trends in fraud and how to fight it, create a central multi-organ/multiplayer platform for dealing with fraud, share best practices, and cultivate and reinforce a zero-tolerance to fraud environment.

“We must create an environment where fraud is so difficult - make the life of a fraudster very difficult, that if there is fraud in one institution, we then close the doors to the fraudster in all other institutions. What we have is a situation where a person will commit fraud in a particular place, let’s say one bank and they just go down the street to the next bank and open an account. The person will default on an agreement, and within a matter of hours, the door will be opened for them to do a similar thing. So, how do we together create an environment where there is zero tolerance to fraud in our financial system? We all must have a role to play in this - today the fraud is with your neighbour, but certainly, the next day, it is not a question of if, it is a question of when it will come to your door,” she adds.

Fraud: the enemy within

Speaking at the Forum, Dr Tumubweine Twinemanzi, the Bank of Uganda’s Executive Director for Supervision, said that beyond the advancement in technology, the problem was getting worse given that there was growing internal collaboration with the fraudsters. 

“Recent developments are that the majority of fraud in the banking sector is not necessarily about external actors coming in, it is about internal actors enabling external actors. That is why in every discussion of fraud in the financial sector, if we don’t address the reasons why people internally find it worthwhile to engage in or be part of the fraud, however good the systems that you put in place are - you can spend 20 per cent of your Opex or Capex on systems, but if you do not address the internal component - because in any case, every system is as good as its weakest point. And fraud within the banking sector today is increasingly a result of or is closely associated with or highly correlated with the people,” he said.

Anne Juuko extolled the importance of collaboration as probably the single biggest tool against the modern-day fraudster who she said is ubiquitous and highly skilled.

Dr. Twinemanzi said that in addition to technology, there was a need to constantly check the processes and update them as well as educate people, both staff and customers, about fraud, how to detect it and prevent it. He also proposed a water-tight people sieving process at the recruitment stage, so as to weed out bad apples.

“To what extent as a banking sector do we assess ourselves and our employees about fraud? But even more important, yes the Central Bank undertakes fit and proper tests for senior executives, but I think every bank should have some form of fit-and-proper test for its people. To what extent are you optimising your processes to reduce the likelihood of bringing in bad apples? It just takes one bad apple to spoil the whole sack,” Twinemanzi said.

He also emphasised the importance of what he called “consequence management”, and rebuked the practice of most banks of dealing with fraud incidents internally, which most often results in amicable settlement and/or separation and sees the errant employees even get positive recommendations from their victim employers.

“What you have inadvertently done as a financial institution, is that you have put a bad apple in someone else - you have just kicked the can down the street. Another financial institution will take on that person as an employee, they will commit fraud, and they will negotiate and let the person go again. You can have one person cause a similar kind of fraud in several institutions”.

“The perspective we have taken as the Central Bank is that while it is good to have the systems, while it is good to have the most updated technology in terms of fraud, trying to digitise everything, we need to keep very close observation, the people that we use. As we talk about fraud, I would like that perhaps, 10-15 per cent of the conversation should be about the individuals that potentially aid this fraud and also remind the whole banking sector, that Trust is not an anti-fraud tool,” Twinemanzi concluded.

A 2020 PwC Economic Crime and Fraud Survey revealed that economic crime remains a persistent threat for Uganda with 54 per cent of companies surveyed (compared with 47 per cent globally) reporting that they experienced incidents of fraud and economic crime within the past 24 months.

18 per cent of these companies said they had experienced at least 10 incidents in the previous 2 years.

The top 5 types of economic crimes are bribery & corruption, customer fraud, asset misappropriation, accounting / financial statement fraud and procurement fraud. 

In Uganda, the survey results show that in the past two years, the main perpetrators of frauds suffered by Ugandan companies continue to be internal perpetrators (36 per cent; 56 per cent in 2018) and collusion between internal and external perpetrators (36 per cent). In total 72% of all frauds had an internal element, while globally, most incidents were committed by external perpetrators.

The report also revealed that 43 per cent of all frauds were by Senior Management (an increase from 30 per cent in 2018). This was followed by operations staff (24 per cent) and middle management (19 per cent).

“The number of economic crimes perpetrated by Senior Management has seen a significant increase in the last 24 months. These crimes are often the most insidious because of the ability (whether through delegated authority levels, system knowledge, or influence) top executives have to override or conspire to override, internal controls. It is also an indicator of a resultant poor organisational culture given the wrong signals from the top,” the report observed.

The report also noted that customer fraud continues to be rampant, topping the list of externally perpetrated economic crimes reported in Uganda at 53 per cent, compared to 35 per cent globally. 

Of more concern is that only 14 per cent of the frauds were disclosed to regulators/law enforcement, with the majority choosing to keep and deal with the matter in-house.

Making Fraud Extremely painful for fraudsters

Twinemanzi expressed support for the creation of a national blacklist register of known and/or convicted fraudsters, but warned it must be done within the laws of the country and with extreme care.

“The national blacklist, is a good idea, but we will have to sit down with those responsible and see how it can be done, in a way that doesn’t disadvantage anyone, because, someone may inadvertently put you on that list when you have done nothing wrong. While the list is important and very helpful, we have to ensure that we have very few false negatives - people who are accused when they are innocent”.

Wilbrod Owor agrees with BoU’s Twinemanzi on putting in place a tighter and more punitive regime, arguing that the current laws are lenient and do not provide a strong deterrent.  

“As the financial sector, and Mobile Network Operators (MNOs), we need to make it extremely painful, to defraud a financial institution. We need to publicise their faces, expose them, block their accounts such that they can never open an account in this country, or any of the 36 financial institutions under UBA. We need to put them under the suspicious watch list, such that they cannot travel anywhere outside the country. If as an industry, we need to draw from our strengths, apply two or three very painful things, to send a signal against fraud,” Wilbrod implored stakeholders at the Forum.

He said the banking association has already been working closely to blacklist fraudulent staff and last year, fraudulent valuation firms that work with clients to overvalue property for purposes of lending were also blacklisted. 

“Electronic fraud is increasing by the day in percentages, and yet when these fraudsters are caught, the penalties, even when the judgement is against them, they pay a small fee and tomorrow you find them on the streets. Yes, indeed fraud is complex. We should lobby and change laws so that the laws are really stiff,” he said. 

He also urged financial institutions to start to implement 24/7 anti-fraud desks to reduce the time it takes to act when a fraud is detected.  

“There is a need to sponsor maybe a bill in parliament as the banking fraternity and amend the laws so that there are stiffer penalties, falling under the financial crimes court - maybe even fund the court so that there is expertise in understanding the complexity of fraud today, especially digital and electronic fraud. It is more complicated and more sophisticated,” Wilbrod added.

We cannot go back to the banking hall; we need to embrace technology.

Arapta says that while fraud remains a key operational risk affecting international and domestic financial institutions alike, the “benefits of innovation, outweigh the risks and technology” and believes fraud can be fought.

Samuel Gitta, General Manager,  Risk & Compliance at MTN Uganda agrees with her.

“I honestly think we cannot go back to the banking hall. We need to embrace technology. A few weeks back I shared an article on biometrics and financial inclusion,” he says. 

His proposed solution is to be mindful of the people, technology and processes. 

He told the Forum that one of the “greatest tools of fraud has been the stolen SIM card”.

Samuel Gitta, the GM, Risk & Compliance at MTN Uganda emphasised the importance of people, processes and tech-based 24/7 vigilance saying this is the best tool against a 24/7 active fraudster.

“A lot of the SIM cards used to externalise these funds (proceeds of fraud), are stolen SIM cards,” he said, adding: “Most of the fake/fraudulent calls to customers, are from these stolen SIM cards”.

He emphasised the need for customers to report to the telecom any stolen cards so that they are blocked. 

He also said that the telco had enhanced transaction monitoring so as to detect fraud early in its tracks and make corrective measures before much harm is done.  

“After the infamous 2020 fraud, we amplified our transaction monitoring in Uganda. We have a team that on a 24/7 basis monitors transactions and we have managed to prevent so many frauds in the bank space because a lot of the money comes from the banks to our system.”

He also cautioned the banks to elevate their transaction monitoring processes to 24/7, beyond the current 0800am – 05 pm, Monday-Friday.

“Oftentimes, our team picks up suspicious transactions and reaches out to the banks and the partners that manage these systems and some of them are still operating Monday-Friday; 08am -05 pm. Some of the frauds that have happened on Friday evenings, these fraudsters tend to target these windows - either Friday evenings or public holidays, so we need to look into ways to improve our time to detect and our time to respond”.

He said in some cases some of the stolen funds have been wired outside Uganda’s borders, and reducing the time between detecting and taking action increases the chances of stopping and/or minimising damage through funds recovery.

To further shorten the time of detection to action, he said, the telcos were also deploying technologies that can detect and block suspicious transactions in real-time 24/7. 

Gitta also emphasised the need to monitor people’s movements across the industry, especially the bad apples, saying in some cases, these have been the source of the fraud risks. 

“We (the National Payments Providers Association) are also emphasising the issue of software developers moving from one aggregator to another - and we do share, because some of the guys who perpetrate these frauds, are indeed very good programmers and move from one company to another. So we have a good working relationship there. If someone has been involved in a fraud, we do share information, so that they don’t move from one aggregator to another,” he told the Forum.

Sulaiman Mugalasi, the Head Of Information Technology at Airtel Mobile Commerce (AMCUL) also underscored the need for collaboration amongst financial services providers.

“There is a need for us to be sharing data when we detect fraud; the need for us to be open when fraud happens. The speed to investigation is very critical because known fraudsters are connected,” he said, adding: “When we provide information of how the fraud was orchestrated, there is a need for security agencies and the enforcement and prosecution agencies to work with speed to bring the fraudsters to book”.

He intimated that after the recent fraud incident, Airtel had built an intelligent Open API platform that, among others, can detect recently swapped SIMs and block them from transacting.

“This will help bring down the SIM swap frauds that have really eaten up our banks. So far we have integrated with two banks and we implore other banks to use this API,” said Mr. Mugalasi. 

He also said that Airtel had enhanced its automated suspicious transactions monitoring system that is able to filter and block transactions above certain thresholds set in the system.  

“After blocking the transactions, then we engage with our partners to find out if these were actually legit transactions or fraudulent transactions,” he said.
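The controls described above (refusing payouts to recently swapped SIMs, stopping amounts above a set threshold, then verifying with partners) can be expressed as a pre-release payout screen. The following is an added example, not Airtel's or MTN's code: the class and field names, the 72-hour swap window, the UGX threshold and the fan-out rule for one float account paying many SIMs are all assumptions, and the sample payouts are constructed.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed policy values, chosen for illustration; the article gives no figures.
SWAP_COOLING_OFF = timedelta(hours=72)   # how long a swapped SIM counts as "recent"
HOLD_THRESHOLD_UGX = 5_000_000           # amounts above this are held for review
FANOUT_WINDOW = timedelta(hours=1)
FANOUT_LIMIT = 3                         # distinct beneficiary SIMs per source per window


@dataclass(frozen=True)
class Payout:
    source_account: str       # aggregator or bank float account (hypothetical id)
    beneficiary_msisdn: str   # SIM that would receive the money
    amount_ugx: int
    at: datetime


class PayoutScreen:
    """Returns allow / hold / block for each payout before it is released.

    Payouts are expected in chronological order, as a live feed would deliver them.
    """

    def __init__(self, last_sim_swap: dict[str, datetime]):
        self.last_sim_swap = last_sim_swap          # MSISDN -> time of last SIM swap
        self._recent: dict[str, list[tuple[datetime, str]]] = {}

    def decide(self, p: Payout) -> tuple[str, list[str]]:
        reasons: list[str] = []

        # Rule 1: beneficiary SIM was swapped inside the cooling-off period.
        swapped = self.last_sim_swap.get(p.beneficiary_msisdn)
        if swapped is not None and timedelta(0) <= p.at - swapped < SWAP_COOLING_OFF:
            reasons.append("recent_sim_swap")

        # Rule 2: amount above the configured threshold.
        if p.amount_ugx > HOLD_THRESHOLD_UGX:
            reasons.append("above_threshold")

        # Rule 3: one source account paying many distinct SIMs in a short window.
        # Held and blocked attempts still count towards the window.
        window = [(t, m) for t, m in self._recent.get(p.source_account, [])
                  if p.at - t < FANOUT_WINDOW]
        window.append((p.at, p.beneficiary_msisdn))
        self._recent[p.source_account] = window
        if len({m for _, m in window}) > FANOUT_LIMIT:
            reasons.append("beneficiary_fan_out")

        # A recently swapped SIM is refused outright; anything else that is
        # flagged is held until the partner confirms it is legitimate.
        if "recent_sim_swap" in reasons:
            return "block", reasons
        return ("hold" if reasons else "allow"), reasons


def run_sample() -> list[tuple[str, list[str]]]:
    """Constructed Friday-evening sample: five payouts from one float account."""
    start = datetime(2023, 1, 6, 21, 0)
    screen = PayoutScreen({"MSISDN-002": start - timedelta(hours=5)})
    payouts = [
        Payout("FLOAT-A", "MSISDN-001", 200_000, start),
        Payout("FLOAT-A", "MSISDN-002", 200_000, start + timedelta(minutes=1)),
        Payout("FLOAT-A", "MSISDN-003", 9_000_000, start + timedelta(minutes=2)),
        Payout("FLOAT-A", "MSISDN-004", 200_000, start + timedelta(minutes=3)),
        Payout("FLOAT-A", "MSISDN-001", 200_000, start + timedelta(hours=2)),
    ]
    return [screen.decide(p) for p in payouts]


if __name__ == "__main__":
    for decision, reasons in run_sample():
        print(decision, reasons)
```

Because the screen runs on every payout, it applies the same rules on Friday evenings and public holidays as during office hours; only the follow-up on held payouts needs staff on call.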

At the end of the Forum, participants had an online poll on the various measures suggested by stakeholders to prevent, detect, investigate as well as recover the proceeds of fraud.

To improve fraud prevention, some of the key measures suggested included an automated national blacklist of convicted fraudsters housed in the central bank, mandatory sharing of fraud statistics with the Central Bank, as well as mandatory reports of fraud to BoU. It was also suggested that bank clients be given a unique Bank Verification Number to track transactions. Stakeholders also proposed the setting up of a UBA fraud unit financed by all members.

To improve fraud detection, it was suggested that among others, stakeholders should embrace enhanced suspicious transaction reporting, mandatory information sharing between financial institutions, as well as the adoption of three-factor authentication. 

To improve fraud investigations, the setting up of a mandated 24/7 fraud desk; a rehabilitation centre for fraud criminals (ethical hacking) to increase capacity and the involvement of the IGG in tracking and punishing private sector fraud were recommended. 

Stakeholders also recommended that to improve the recovery of fraud proceeds, there be changes in the law to ease private prosecution to complement public prosecution, as well as frequent lifestyle audits, and a 72-hour freeze on suspected stolen funds, amongst other measures. 

About the Author

Muhereza Kyamutetera is the Executive Editor of CEO East Africa Magazine.