‘Hi, this is your bank…’ Inside the war on payment fraud

Shutterstock

• Scam calls and payment frauds rising fast in UAE and wider Gulf
• Shift from face-to-face interaction helps fraudsters
• Gangs employ psychological manipulation tactics and malware

“Hello. This is the Central Bank of the UAE. We are contacting you because you need to surrender your debit card.” The call comes from a conventional mobile number while you’re on the way home from work.  

Welcome to the scamdemic – claim your prize, share your one-time password, update your bank details, click here for delivery. No one, from individuals to companies to government agencies, is immune. 

That bogus phone call is an attempt at an authorised push payment fraud – when the customer is persuaded to send money to a criminal posing as their bank or another trusted organisation. Such messages are near-daily occurrences for people in the Gulf.

• Billions being spent to foil rising cyberattacks
• Opinion: Gulf must pair its digitalisation goals with cybersecurity
• One in 10 financial transactions in UAE are malicious cyberattacks

It is difficult to find out how many of these attempts succeed because cases can take months to investigate – and because companies as well as individuals are loath to publicise their weaknesses. 

However, in the UAE, 32 percent of chief information security officers say they have seen an increase in targeted attacks in the past 12 months, according to cybersecurity consultancy Eastnets.

Mohamed Al Kuwaiti, head of cybersecurity for the UAE government, said in June that the country was thwarting 50,000 cyberattacks a day, from ransomware to cyberterrorism.

The number of payment fraud attacks has rocketed as customers and businesses increasingly depend on devices rather than face-to-face contact. Everyone, it seems, wants the convenience of the app and the ability to send money instantaneously. But it comes at a cost.

Wam

Jason Lane-Sellers, director of fraud at tech company LexisNexis Risk Solutions, has seen triple-digit growth in this type of attack in the Europe, Middle East and Africa region.

“It’s something that has over the last few years really, really accelerated,” Lane-Sellers told AGBI.

Data from LexisNexis’ platform suggests that one in 11 applications to open new accounts turns out to be fraudulent.

The shift to working from home, where companies can find it more difficult to keep an eye on employees and to keep their networks secure, has also aided the scammers.

Scam callers may use plausible-looking numbers that appear to come from relatively prosperous and stable jurisdictions such as the UAE – but that’s not where they are.

“I could almost guarantee 99 percent of what you’re receiving in these attacks in-country are not originating in-country,” said Lane-Sellers. “These attacks are global. Their operations and the people originating the attacks aren’t in the UAE.”

Social media is a favoured avenue to access sensitive data and to share it with other digital criminals.

Analysts at Group-IB, another cybersecurity consultancy, found that 92 percent of scam campaigns targeting Middle East and African companies in the oil and gas, financial and banking sectors exploited social media – the highest of any region.

Don’t fall for scare tactics or ‘urgent’ demands

Fedor Chunizhekov, an analyst at Positive Technologies, estimates that about 41 percent of cyberattacks on organisations in the Middle East involve social engineering techniques – psychological manipulation, as seen in phishing emails or calls from “your bank” trying to scare and/or rush you into giving out information or transferring money.

“Distinguishing phishing emails from legitimate emails is extremely difficult, especially when criminals are involved in real internal correspondence, or correspondence with an external counterparty,” said Chunizhekov.

This is what happened in 2021 when criminals hacked into un-updated Microsoft Exchange servers around the world, gaining access to their functionality and sending malicious emails to customers and employees. 

In 2021 and 2022 the Swedish furniture giant Ikea was targeted by a ransomware gang, which injects malware into a system and extorts money to remove it. The company warned its employees that the malicious messages might come from colleagues’ or suppliers’ accounts, which had already been compromised.

In November 2022, the attack spread to Ikea’s franchises in Morocco and Kuwait. The gang “gained access to data on the company’s employees” and posted it online, Chunizhekov said.

The stolen personnel files might even have contained employees’ passport details.

Hassan Zebdeh, a financial crime adviser at Eastnets, points to research that found 86 percent of the UAE organisations targeted in phishing attacks had fallen prey to at least one of the attempts. Nearly half caused direct financial losses, according to the annual State of the Phish study from consultancy Proofpoint.

“These guys are actual operational businesses now,” Lane-Sellers said of the fraudsters. “They have a research team, they have an information gathering team, they’ll have a specialist team who have been trained specifically to do the phone calls … and then specialist teams that move the money around the globe.” 

What is to be done? European Union initiatives such as Payment Security Directive 2 and Strong Customer Identification, a protocol that requires two or more different security credentials for remote transactions, have made life much harder for the fraudsters.

Cybersecurity companies are also using behavioural biometrics, which monitor how customers type and how they use mouses and touchscreens in interactions.

“Ultimately, fraudsters are lazy,” said Lane-Sellers. “They will do the minimum amount for the maximum return. So, if you make the process of committing the fraud attack difficult, they will always go to the path of least resistance.”