
‘Hi, this is your bank…’ Inside the war on payment fraud

Bogus calls and emails from fraudsters are becoming a near-daily occurrence
  • Scam calls and payment frauds rising fast in UAE and wider Gulf
  • Shift from face-to-face interaction helps fraudsters
  • Gangs employ psychological manipulation tactics and malware

“Hello. This is the Central Bank of the UAE. We are contacting you because you need to surrender your debit card.” The call comes from a conventional mobile number while you’re on the way home from work.  

Welcome to the scamdemic – claim your prize, share your one-time password, update your bank details, click here for delivery. No one, from individuals to companies to government agencies, is immune. 

That bogus phone call is an attempt at an authorised push payment fraud – when the customer is persuaded to send money to a criminal posing as their bank or another trusted organisation. Such messages are near-daily occurrences for people in the Gulf.

It is difficult to find out how many of these attempts succeed because cases can take months to investigate – and because companies as well as individuals are loath to publicise their weaknesses. 

However, in the UAE, 32 percent of chief information security officers say they have seen an increase in targeted attacks in the past 12 months, according to cybersecurity consultancy Eastnets.

Mohamed Al Kuwaiti, head of cybersecurity for the UAE government, said in June that the country was thwarting 50,000 cyberattacks a day, from ransomware to cyberterrorism.

The number of payment fraud attacks has rocketed as customers and businesses increasingly depend on devices rather than face-to-face contact. Everyone, it seems, wants the convenience of the app and the ability to send money instantaneously. But it comes at a cost.

Mohamed Al Kuwaiti, head of cybersecurity for the UAE government, at a conference in Tel Aviv. He said in June the country was thwarting 50,000 attacks a day

Jason Lane-Sellers, director of fraud at tech company LexisNexis Risk Solutions, has seen triple-digit growth in this type of attack in the Europe, Middle East and Africa region.

“It’s something that has over the last few years really, really accelerated,” Lane-Sellers told AGBI.

Data from LexisNexis’ platform suggests that one in 11 applications to open new accounts turns out to be fraudulent.

The shift to working from home, where companies can find it more difficult to keep an eye on employees and to keep their networks secure, has also aided the scammers.

Scam callers may use plausible-looking numbers that appear to come from relatively prosperous and stable jurisdictions such as the UAE – but that’s not where they are.

“I could almost guarantee 99 percent of what you’re receiving in these attacks in-country are not originating in-country,” said Lane-Sellers. “These attacks are global. Their operations and the people originating the attacks aren’t in the UAE.”

Social media is a favoured avenue to access sensitive data and to share it with other digital criminals.

Analysts at Group-IB, another cybersecurity consultancy, found that 92 percent of scam campaigns targeting Middle East and African companies in the oil and gas, financial and banking sectors exploited social media – the highest of any region.

Don’t fall for scare tactics or ‘urgent’ demands

Fedor Chunizhekov, an analyst at Positive Technologies, estimates that about 41 percent of cyberattacks on organisations in the Middle East involve social engineering techniques – psychological manipulation, as seen in phishing emails or calls from “your bank” trying to scare and/or rush you into giving out information or transferring money.

“Distinguishing phishing emails from legitimate emails is extremely difficult, especially when criminals are involved in real internal correspondence, or correspondence with an external counterparty,” said Chunizhekov.

This is what happened in 2021 when criminals hacked into un-updated Microsoft Exchange servers around the world, gaining access to their functionality and sending malicious emails to customers and employees. 

In 2021 and 2022 the Swedish furniture giant Ikea was targeted by a ransomware gang, which injects malware into a system and extorts money to remove it. The company warned its employees that the malicious messages might come from colleagues’ or suppliers’ accounts, which had already been compromised.

In November 2022, the attack spread to Ikea’s franchises in Morocco and Kuwait. The gang “gained access to data on the company’s employees” and posted it online, Chunizhekov said.

The stolen personnel files might even have contained employees’ passport details.

Hassan Zebdeh, a financial crime adviser at Eastnets, points to research that found 86 percent of the UAE organisations targeted in phishing attacks had fallen prey to at least one of the attempts. Nearly half caused direct financial losses, according to the annual State of the Phish study from consultancy Proofpoint.

“These guys are actual operational businesses now,” Lane-Sellers said of the fraudsters. “They have a research team, they have an information gathering team, they’ll have a specialist team who have been trained specifically to do the phone calls … and then specialist teams that move the money around the globe.” 

What is to be done? European Union initiatives such as Payment Security Directive 2 and Strong Customer Identification, a protocol that requires two or more different security credentials for remote transactions, have made life much harder for the fraudsters.

Cybersecurity companies are also using behavioural biometrics, which monitor how customers type and how they use mouses and touchscreens in interactions.

“Ultimately, fraudsters are lazy,” said Lane-Sellers. “They will do the minimum amount for the maximum return. So, if you make the process of committing the fraud attack difficult, they will always go to the path of least resistance.”
