'Cyber criminals took Dh39,000 from my account as I planned my wedding'

At a time when UAE resident Ambia Hoque should have been excited for her wedding, fraudsters were transferring her credit card to their digital wallet . The 30-year-old marketing manager says her RAKBank credit card was fraudulently registered on Apple Pay to an unknown device without her authorisation. “In the span of one hour, nearly Dh39,000 [$10,610] was drained from my account across multiple local and international transactions, which is completely out of character for my spending habits ,” she recalls. “Distracted by wedding preparations, I did not notice the transactions immediately, but the moment I did, I reported the fraud to the bank and filed a police case.” However, she claims the bank has refused to help, insisting that Apple Pay transactions are “secure” and that she must bear the loss. Ms Hoque says she never shared her one-time password with anyone, yet her card was added to an unknown device. The experience left her emotionally and financially shattered. Transactions involving large sums were approved without any security checks. No fraud alerts were triggered , no verification was done, and Ms Hoque says she was left to discover the theft on her own. The bank has also charged her cash advance fees on the fraudulent transactions, she claims. As digital wallets gain popularity for their speed and ease, they become more attractive targets for cyber criminals . US consumer losses involving digital wallet fraud exceeded $347 million in 2024, according to Federal Trade Commission data. A digital wallet is an electronic payment storage system that houses your credit card, debit card and other financial information so you can conveniently pay for purchases by tapping your phone or other connected device at a merchant’s contactless checkout terminal. It’s usually facilitated by payment applications like Google Pay, Apple Pay or Samsung Pay. Ms Hoque says although the Central Bank of the UAE acknowledged her experience was fraud, since it happened through Apple Pay, both RAKBank and the regulator told her to bear the financial loss. “Instead of focusing on my wedding and my new life with my husband, I was dealing with endless calls and emails, desperately trying to get back what was stolen from me,” she says. “How is it fair that scammers can exploit us so easily while we’re left to deal with the consequences? I just got married three months ago and don’t have the funds to cover transactions I never authorised. How many more people need to fall victim before real change happens?” When she contacted Apple, Ms Hoque was told that Apple Pay is not a payment service and is not involved in authorising, executing or processing transactions. She was asked to raise any dispute related to the authorisation of a transaction or alleged fraud with the financial institution that issued the card, according to Apple’s response seen by The National . While RAKBank refused to comment on individual customer cases, a representative says when customers compromise their credentials outside of the bank’s secure systems, the lender’s ability to assist the customer is “limited” and the appropriate remedy for customers in these instances is to reach out to law enforcement agencies and report the fraud. “This is why we continuously urge customers to remain vigilant against fraud attempts and to safeguard their personal and banking information. We remain committed to support affected customers to the extent possible and to raising awareness on fraud prevention,” said the representative. Steve Cronin, a financial independence coach and founder of DeadSimpleSaving.com, says banks and the UAE Central Bank need to step up to address this challenge, as many people's cards are being added to someone else's Apple Pay and then not getting reimbursed. He advises customers to limit the number of cards they have, use the bank’s website or app to reduce their card limit, block international transactions and reduce the maximum transaction limit. He suggests even temporarily blocking cards that aren’t used often. Avoid using debit cards online or in shops. Ensure SMS notifications are switched on for all cards. If you see anything suspicious, block the card immediately through the app and then call the bank. Some people have been reimbursed by complaining to Apple or even the merchant, Mr Cronin says. Carol Glynn, founder of Conscious Finance Coaching, says the burden of proof often falls on the consumer and stresses the need for stronger protections, clearer accountability between financial institutions and tech companies, and better education on digital security. Until then, awareness and vigilance are the best defence, she warns. Users should enable biometric and two-factor authentication, use strong and unique passwords, and avoid storing card details in unsecured apps to secure digital wallets, says Maher Yamout, lead security researcher for the Middle East, Turkey and Africa at cyber security company Kaspersky. “Always download wallet apps from official stores and ensure your device is equipped with online payment protection. Users should also activate real-time banking transaction alerts to catch any suspicious activity, and lock both devices and financial apps with unique passcodes to secure sensitive data in case of theft or loss,” he suggests. “Lastly, it’s essential to have an endpoint security software or modern antivirus to protect against specific malware types that steal digital wallet details.” It’s important to use only trusted providers like Apple Pay, Google Pay, Samsung Pay, or PayPal, and take the time to understand the security features each one offers, Mr Yamout recommends. Hackers exploit phishing, fake apps and malware-like banking trojans to steal login credentials or intercept one-time passwords, he warns. Ms Glynn suggests freezing the card immediately, cancelling it and reporting the fraud to the bank. Work with them on their refund request process. “If you are not happy with their treatment of your case, you can log a complaint with the Central Bank of the UAE through their official channels. You need to give the bank 30 days after lodging a formal complaint with the bank to respond before you can approach the Central Bank. You can also file a police report, especially if large amounts are involved. This creates an official record that may support further action with your bank,” she says. “Request a full investigation and ask your bank for documentation showing how and when your card was added to the wallet, including IP addresses and device IDs. If your bank refuses responsibility, you can also raise the issue with the consumer protection department at the Central Bank.” She explains that while the Central Bank has stated that Apple Pay transactions are considered secure, persistent complaints and a clear pattern of similar incidents could prompt further scrutiny or even policy changes in the future. While Apple Pay doesn’t process payments themselves (the bank or card issuer does), Apple has a duty to investigate if a card was fraudulently added to their platform. Victims can contact Apple Support and request an investigation into when and how the card was added, the device ID and location linked to the unauthorised registration, and whether biometric or password protections were bypassed or exploited, Ms Glynn suggests. “In some cases, Apple may provide supporting documentation that can be used to escalate the issue with the bank or regulator. However, Apple typically redirects liability to the issuing bank, because the bank is the one authorising the transaction once the payment leaves the Apple Pay environment,” she says. “That’s why it’s so important for both companies to be held accountable and for consumers to push back when responses are dismissive.”

'Cyber criminals took Dh39,000 from my account as I planned my wedding'

Customers accuse some banks of shunning responsibility