But police frustrated as companies prefer to suffer silently
Stanbic, Stanchart banks also affected as cyber crime rises
Many Ugandan companies are increasingly struggling to deal with cyber crime through which they have lost billions and yet the police find it difficult to help because the companies prefer silence, The Observer has established.
As MTN Uganda, Warid Telecom, Standard Chartered and Stanbic banks, among others, count their losses, the police have confirmed to us that cyber crime is taking on a life of its own, having become a popular way through which local and international conmen make quick and easy money.
Yet our investigation reveals that several companies in Uganda have opted to suffer in silence for fear of negative publicity as their staff and accomplices continue to cream off billions of shillings in a new wave of cyber fraud.
“Everyone is trying to learn how to use a computer, even the school dropouts. Imagine if someone sent out 50 fake emails, but manages to hoodwink one. That is already enough. One doesn’t require capital to start this kind of fraud,” our source in the police said, adding, “It is the new trend now. There is no risk of a mob descending on you. Besides, Ugandans are getting smarter with the available gadgets”.
The companies that have been hit the most include telephony giant MTN Uganda which has lost an estimated Shs 16bn within one year through mobile money fraud. According to the police, the most affected companies hate to publicise their misfortune for fear of losing the confidence of their customers.
In fact, MTN has gone as far as installing software to ensure that their internal online communications can’t be forwarded or accessed outside the office, all to guard against such ugly secrets leaking to the public. The police are, however, uncomfortable with that arrangement as they would rather the crimes and criminals were exposed.
MTN counts its losses
This paper has established that a fortnight ago, MTN lost Shs 450m to fraud after some of its staff connived to steal the money. Another Shs 450m was intercepted before reaching the final destination. Consequently, one Richard Wasswa, the in-charge of the mobile money function in Jinja, was arrested and charged with theft and conspiracy to steal. He was allegedly in cahoots with another three employees, as well as one Frances Agnes Kayaga, a mobile money agent/advisor.
It is alleged that Wasswa was using Kayaga’s phone number to transfer and withdraw the money. However, like in other cases, MTN didn’t want the matter publicised. It is alleged that Wasswa, and others still at large, would own any given mobile phone number for just a few hours. During that time, the phone would show that there was no network.
They would then swap the phone number by accessing the serial number on the sim card. The number would then be swapped to the fraudster’s mobile phone where one’s line ‘sits’ on the fraudster’s line. Money would then be sent from one of the accounts MTN operates to that phone number. It would, however, end up on the fraudulent sim card. The money would then be withdrawn using the fraudulent sim card. This scheme is referred to as IMSI/ISDN mapping - serial theft.
In May, news of a scam whereby crafty MTN Uganda staff manipulated the mobile money suspense account – where cash from poorly executed transactions is kept – and stole up to Shs 15bn broke. The matter is currently before court.
The same company reported another scam in August where it was alleged that between 2009 and 2012, one of its suppliers, Three Ways Shipping, submitted fictitious invoices totalling $3.8bn as shipping charges for network equipment, which MTN paid although no goods had been shipped. This matter is also before court.
Warid also licks wounds
Police are also investigating three incidents: one involving Warid employees who used to collude and steal money from the company’s mobile money platform; another involving an unemployed youth who used to hack into people’s phones and make mobile money transfers; and a third involving an ingenious Ugandan man who used to hack into people’s email accounts and access their credit card details.
For a long time, the aforesaid man, whose identity is still being withheld by the police, flew around the world shopping under false identities, of mostly Americans. The banks would then have to reimburse money to the authentic owner of the credit card after it had been used by the Ugandan thief.
It was not until one American victim complained that he hadn’t visited Uganda, after he noticed money had been debited from his account to buy an air ticket to Entebbe, that the man’s luck ran out. One affected airline, which also doesn’t want its identity revealed, complained to the police, leading to the suspect’s subsequent arrest.
In August, police arrested four Bulgarians for trying to rob Stanbic bank. According to the police, the four, identified as Katsarski Milen, Adrian Dimitrov, Ivan Ganchev Emilov, and Ivonov Anton, would use a microchip inserted in the ATM machine before accessing all the bank customers’ accounts.
They would later make the ATM cards mostly for persons holding accounts with huge sums of money and start withdrawing money as and when they wanted. They later changed the money into dollars before wiring it to their home accounts. This matter is also before court.
It has emerged that several banks have also been at the receiving end of the fraudsters with Standard Chartered bank alone having lost a reported Shs 1.6bn in one year. The biggest form of fraud is through diversion of money into fictitious accounts. Again, the actual figure of how much money is lost cannot be arrived at because the banks prefer to keep the losses under wraps.
Last month, the police arrested Peter Sajjabi for allegedly forging names of pensioners in connivance with officials in the ministries of finance, public service, and Cairo International bank. For a long time, Sajjabi together with the principal accountant in the ministry of public service, Christopher Obey, the head of IT, Francis Lubega, and some Cairo International bank officials allegedly connived to steal an estimated Shs 66bn meant for former employees of the East African Community.
The Anti-Corruption Court is also hearing a case in which an estimated Shs 10bn was lost through fake car registration by former Uganda Revenue Authority staff that circumvented the company’s firewall and accessed vital data. It’s not only companies falling victim to this fraud. One of the cases the Uganda police and Interpol are investigating involves a Palestinian woman who lost $10,000 (Shs 26m) to cyber schemers.
They sent her an email claiming that an American woman, who had lost the battle to cancer, had decided to transfer to her $10m. There was a caveat, though. The woman was required to wire some money to accounts in Benin and UK. Several transactions later, the woman had been conned of $10,000.
“In fact she is still being harassed by the same people. They are demanding more money. They have threatened her with death,” a police source said.
Elsewhere, four employees of Gulu University also lost millions of shillings through a bogus online car dealership. The conmen manning the website encouraged the lecturers to send money for buying cars, which they did but no car was shipped.
“When they insisted, the dealers sent a car without an engine then shut down the website,” our police source said. Investigations into that have commenced.
In another case, 11 Russian expatriates working with the UPDF Air Force lost an estimated $4m when sex workers in Entebbe duplicated their ATM cards. They only realised long after they had returned to Russia that monies were being withdrawn from their accounts.
Bank statements and telephone printouts obtained by the police show that Shs 700,000 was being withdrawn at regular intervals from a particular ATM in Kireka. The Russians, however, reportedly advised the police not to follow up the matter for fear of being exposed to their families back home.
Such secrecy compounds the frustration the police have to contend with, The Observer has learnt. The other drawback is the weak penalties handed out to the criminals after they have been convicted under the Computer Misuse Act, Electronic Transactions Act and the Electronic Signature Act, which deal with cyber crime.
A survey by the Association of Certified Examiners, the world’s largest anti-fraud organisation and premier provider of anti-fraud training and education, showed that on average companies lose 5% of their annual revenue to fraud.
In the telecommunications sector, common fraud schemes include R/IC (International Roaming and Interconnect), revenue leakages during provisioning and switching, IMSI/ISDN mapping - serial theft, CDR manipulations and mobile money – interceptions.
In the banking sector, the common schemes include Fictitious Client Accounts, Transaction Replication, Key Loggers (Lakeside Logger), Syndicated Inter-Branch Withdrawals using fake identities, Falsification of Client Identities, use of Default Generic Account, Alteration of Loan Parameters (principal installments, interest, etc.), Steganographic Manipulation of Client Photos, Signatures or Thumbprints, Identity Theft (ATM, PCI, etc.), Salami Techniques (a dollar here, a dollar there, etc.), Perpetual Overdrafts and Electronic Scavenging - searching for residual data left in a computer.