Security experts say most fraud involves some of the bank staff who approve the loan. ILLUSTRATION/ FILE
Monitor can reveal that fraudsters perennially steal civil servants’ personal information before applying for loans. Our investigations indicate that several customers of financial institutions in the country are suffering in silence after losing money to rogue elements.
This comes after reports from cyber crime experts highlighted a “growing concern” around fraudsters who are getting loans using stolen identities.
What exactly happens?
Mr Joseph Okello, a cybercrime expert, told this publication that criminals steal personal information to impersonate individuals or conduct fraudulent activities.
This includes opening bank accounts, applying for loans, and mobile money transactions. He added that as well as banks (via their so-called called wallets), microfinance institutions, and mobile money entities particularly find themselves vulnerable to cyberattacks.
“They are prime targets for cybercriminals seeking to steal funds, commit fraud, or compromise customer data. This leads to significant losses and can erode public trust in banking systems,” Mr Okello said.
Other security experts we spoke to told us that fraudsters plying their ‘trade’ in East Africa have perfected the art of identity theft and loan stacking.
The latter refers to the practice of getting approval for multiple loans or lines of credit simultaneously within a short period. It typically transpires online.
The thefts are also perpetuated offline. Only a few weeks back, police in Mbale City arrested a police impersonator (name withheld) in a microfinance in stitution who had reportedly forged the signature of a former district police commander (DPC) to get a loan using another police officer’s details.
How was the racket in Mbale busted?
Trouble started when the suspect reportedly impersonated a police officer and presented forged documents to the said microfinance institution in Mbale City to get a loan. The police officer in
question was informed that some of his data was on the verge of being used for fraudulent purposes.
Mr Rogers Taitika, the Elgon Regional Police spokesperson, said this is but one of many such cases. He added that criminals have been getting loans using civil servant’s credentials. Millions of savings tucked away in the banks and microfinance institutions have consequently been lost.
Per Mr Taitika, several suspects (names withheld) were arrested after presenting forged documents such as warrant cards, National Identification cards, a DPC’s signature, police stamp, a recommendations letter, and a Force number.
Another suspect was arrested after a titip-offp off by a staff member of a microfinance institution. Police also revealed that one of the staff members of the said microfinance entity was also arrested.
“The suspects were using civil servant’s documents to get loans through forged bank statements, stamps of various offices such as the chief administrative officers (CAO), district police commanders (DPC), among others. They also forged appointment letters, national ID, employee ID to get loans,” Mr Taitika said, adding that the suspects were arrested inside the microfinance entity while trying to get a loan of Shs4.2 million.
Police identified one of the suspects as the general manager of another microfinance entity in Kampala.
“He gave me documents, including a warrant card, and recommendations from former DPC Mbale and told me to come to this microfinance to get a loan. He paid for my transport and accommodations in Mbale. I was in touch with one staff in this microfinance to have our deal succeed,” one of the suspects told detectives at Mbale City Division Central Police Station.
What is the scope of the damage?
Mr Taitika said that many banks and microfinance entities have lost millions of shillings to such scams. He was also
pleased to arrest what he described as “notorious bank fraudsters”, further disclosing that they“have been on the wanted list for close to two years”. Charges of forgery, uttering false documents, and impersonation have since been preferred against the suspects.
Mr Taitika said, for instance, the suspects had forged the signature, and stamps of the Mbale City police commander to get a loan from the headquarters of a microfinance entity in Mbale City.
A bank manager in Mbale City, who requested not to be named due to the sensitivity of the matter, said fraudsters usually target unsuspecting civil servants.
“Some of the civil servants are paying for the loans which they didn’t get. Several microfinance [entities] and banks have lost billions of shillings in the scam. It’s a big racket and they have stolen money from many financial intuitions,” the bank manager said.
Ms Annet Nambuya,a retired teacher, is one of the victims. Ms Nambuya told this publication that, before calling time on her teaching career, she paid a loan she didn’t get.
“Some fraudsters used my information to get a loan from one microfinance [entity],” she revealed, adding, with barely concealed disappointment, “ I paid the money for two years.”
How do they manage to pull it off?
Ms Phiona Nafula, a retired human resource officer, told this publication that the fraudsters access civil servant’s information from public offices such as chief administrative officers (CAOs), as well as offices of town clerks and human resource officers.
When we visited one of the offices of human resources in Bugisu Sub-region, we discovered hundreds of files containing civil servants’ information dumped on the floor.
Such carelessness perhaps explains why identity theft occurs with such absurd ease. Rogue elements have easy access to a rich trove of information, including the name of someone, their job, date of birth, current or previous addresses, etc. They use this information to commit fraud.
In Uganda, banks and telcos, which are the fastest-growing sectors in the economy, are the biggest victims so far. Several banks have registered huge losses of funds from customer accounts, and from electronic fund transfers, where lots of money is sent online.
Ms Nafula said cybercrime encompasses a wide range of criminal activities that are carried out using digital devices or networks. These crimes involve using technology to commit fraud, identity theft, data breaches, computer viruses, and scams.
How come most of the cases of cyber theft have the semblance of an inside job?
Mr Manzi Kagina, a cybersecurity lecturer, said cyber theft can happen if the racket includes the person who approves the loans.
“This fraud involves some of the bank staff who approve the loan even when the information doesn’t tally. For you the original owner of the credentials you are not aware,”Mr Kagina said.
An eye-watering Shs19.2 billion was lost to cybercrime in Uganda in 2022. In 2023, more than 245 cases were reported to police countrywide, translating to a Shs5 billion loss.
Cybercriminals, armed with advanced technologies and tactics, are exploiting vulnerabilities in banking systems to draw off funds, commit identity theft, and perpetrate various forms of financial fraud.
Data from the annual police crime report indicates that in 2023, there was an increase in economic crimes such as financial fraud, which resulted in more than 12,924 cases of economic crimes compared to 13,207 cases in 2022. The same report indicates that obtaining by false pretence registered the highest number of cases in economic crimes with 10,709 followed by forgeries and uttering false documents with 868 cases. Police recorded 245 cases of cybercrimes last year and 43 cases of bank and other corporate fraud were registered in 2023.
Mr Benson Mwesigwa, the associate director for the advisory department at KPMG Uganda, said there is connivance between some bank staff and fraudsters.
“If there is a fraudulent scheme it has to be within somebody from the bank and that person who can exploit the system,” Mr Mwesigwa said.
He said there is a right procedure for one to acquire a loan.
“When you’re going to get a loan there are procedures that you need to fulfil.
People need to confirm who is borrowing based on identifiable documents such as National ID, passport and letter
of undertaking. Maybe they forge these things. If somebody can forge all that, they must be getting help from within the bank or microfinance,” he said.
What should be done to address this worrying situation?
Mr Steven Masiga, a researcher, said many people are manipulating Information Communication Technology (ICT) to commit crimes. He called on the government to take data protection “extremely seriously”and enhance its procedures for protecting records.
“Today every company or organisation worth its name has more than 80 percent of its workforce using computers to generate and store information. But they don’t guard the information jealously,”
Mr Masiga said.
The cost of cyber-attacks is not only measured in financial terms, but also in terms of compromised data, loss of customer trust, and damage to a company’s reputation. According to cyber security
ventures, the global cost of cyber-attacks is projected to reach $9.5 trillion.
Uganda’s government should enact and enforce comprehensive security rules to protect critical infrastructure, sensitiveata, and personal information.
A police detective at the Criminal Investigations Directorate (CID) headquarters in Kibuli, Kampala, who preferred anonymity, said the majority of cases involving investigations have always linked bank staff to collusion with criminals in such incidents. He said cybercrime and bank fraud remain the biggest challenges hitting financial institutions in the region.
Mr Andrew Musoke, a former banker, said impersonation, identity theft, forgery and cash suppression are the most popular forms of bank fraud.
“Many financial institutions have lost billions of shillings to such fraud. The fraudsters are stealing an individual’s identity details to fraud banks and the victims,” Mr Musoke said, adding,“ In fraud cases, the individual or company such as banks who have or may have suffered a financial loss through the use of the stolen identity will be the person considered the victim of fraud and you will be considered as a victim of identity theft.
