In six minutes, scammers claiming to represent Dubai's utility body stripped a man’s bank account of Dh2,300 ($626), leaving him penniless, after promising him a refund for an overpaid water bill.
Antonio da Silva said he was fortunate there had not been more money to take.
“Thankfully, this happened at a time when my finances had hit rock bottom,” said Mr da Silva, 68, who works in public relations and communications. “The scammer probably expected to wipe off my bank balance. Imagine if I had Dh1 million in my account.”
It is the latest example of UAE residents becoming victims of cyber crime, and a sign of growing sophistication in the methods used to extort cash.
In February, Indian national Mr da Silva received an email supposedly sent from Dewa, the electricity and water authority in Dubai, which said he was due a refund on his monthly bill. As he recently moved from Dubai to Sharjah, he assumed a payment may have been due to close his account.
Mr da Silva did not check the sender’s full email address and clicked on the link. He said the email was convincing and included his details on a Dewa letterhead.
“I fed in my bank's debit card details, expecting the amount to be credited to my card and went back to work,” said Mr da Silva. “A few minutes later, there was an SMS saying that €100 ($102) were deducted from my account in San Diego. Alarm bells rang and I felt the ground beneath me give way. It suddenly hit me that I had fallen prey to cyber criminals.”
Rapid rip-off
Mr da Silva called the RAKBank call centre and by the time he spoke to a customer service agent several minutes later, €600 had been swiped from his account.
“The email seemed genuine. I was a first-time victim of a financial fraud, but that shock of being robbed of what I consider a big sum was terrible. I know every day there are hundreds of victims. It really hurts when it happens to you. It took me months to get over the trauma.”
Although a complaint was lodged with his bank and his claim investigated by Mastercard, Mr da Silva was unable to retrieve his money.
RAKBank said in a statement that it was unable to take the case further because Mr da Silva authorised the transaction.
Dewa issued a message to warn its customers of cyber crime. “This is a scam / phishing email from hackers. Do inspect the sender's email address before you open it; hackers can use emails to access your personal information including your credit card details. Do not click on links or open attachments from unknown email source. Also, make sure you make payments of Dewa bills through trusted channels and we shall escalate the case to our concern department for their information and further action. [Do not click on any link within that phishing email].”
Growing global issue
Global concern has increased over cyber crime and online fraud. As more transactions are carried out online, cash is used less frequently, and that trend is set to continue as cryptocurrencies gain a foothold in mainstream economics.
In 2018, cyber crime cost global economies $860 billion, according to Statista Market Insights. By 2024, worldwide fraud reached $9.22 trillion and is expected to climb to $13.82 trillion by 2028.
“Attackers often use domains with slight changes, such as g00gle.com instead of google.com or amaz-on.com instead of amazon.com, so checking for subtle misspellings should be done before replying to any emails,” said Agam Chaudhary, chief executive of Two99, a consortium of agencies specialising in e-commerce, technology, marketing and cybersecurity.
“If you suspect you’ve fallen victim to a phishing scam, it should be reported to Dubai Police as soon as possible by using the Dubai Police e-crime portal to file a detailed report. Victims of online fraud should also immediately report unauthorised transactions to their bank and request to block compromised accounts or cards.”
Legitimate website URLs follow a clear structure, such as "login.[bankdomain].com". A different format, such as "login.bank-domain-secure-payment.com", which includes unexpected words or dashes, should raise suspicion. It is also important to verify the top-level domain (TLD) of any web address or email.
“Reputable companies use standard TLDs like .com, .net, or official country-specific extensions, so suspicious domains with endings like .xyz or .app can be red flags,” Mr Chaudhary said. “By following these steps and utilising these tools, individuals can detect phishing scams, safeguard their personal information, and take action to recover funds or report fraudulent activities.”
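The checks described above (subtle misspellings, unexpected words or dashes, unusual TLDs) can be expressed as a short script. This is an added example, not part of the original article; the allow-list with its "bankdomain.com" entry, the digit-substitution table, the last-two-labels domain split and the sample sender address are assumptions made for illustration.

```python
from email.utils import parseaddr

# Assumption: allow-list of domains the reader actually deals with (constructed).
TRUSTED = {"google.com", "amazon.com", "bankdomain.com"}
# Endings the article names as possible red flags; a hint, not proof.
FLAGGED_TLDS = {"xyz", "app"}
# Assumption: digit-for-letter swaps of the kind seen in "g00gle".
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def registrable(host):
    """Naive 'name.tld' extraction: last two labels (no public-suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def skeleton(name):
    """Undo digit swaps and drop dashes so the name can be compared to a brand."""
    return name.translate(HOMOGLYPHS).replace("-", "")


def check_host(host):
    """Return the reasons a host looks suspicious (empty list if none)."""
    domain = registrable(host)
    if domain in TRUSTED:
        return []
    name, _, tld = domain.rpartition(".")
    reasons = []
    for trusted in TRUSTED:
        brand = trusted.rpartition(".")[0]
        if skeleton(name) == brand:
            reasons.append(f"lookalike of {trusted}")
        elif brand in skeleton(name):
            reasons.append(f"embeds '{brand}' but is not {trusted}")
    if tld in FLAGGED_TLDS:
        reasons.append(f"unusual TLD .{tld}")
    return sorted(reasons)


def check_sender(from_header):
    """Check the domain of the real address in a From: header."""
    _, addr = parseaddr(from_header)
    return check_host(addr.rpartition("@")[2])
```

An empty result only means none of these heuristics fired; it does not prove a sender or link is genuine.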
As artificial intelligence becomes more embedded in everyday life, experts said cyber crime would continue to climb, but banks and institutions were also taking action.
A targeted approach towards victims, with scammers developing an in-depth understanding of their movements, online habits and trends - as well as when they may be going on holiday or moving house - is also contributing to increasing fraud.
“Cyber criminals have realised attacking the end consumer is much easier and more profitable than attacking an established organisation,” said Jason Lane-Sellers, a director of fraud and identity at LexisNexis Risk Solutions. “There was a big acceleration during Covid, that shifted the dynamic of how people interoperate online. They're utilising AI to actually attack organisations and fool some of the controls, like facial recognition or voice identification.”
Younger generation at risk
Mr Lane-Sellers said people aged 18 to 25 were more at risk from online fraud. Many were more willing to share passwords with friends and had a larger online footprint, through social media accounts, than older generations.
“In our analysis, their attitude to data security is somewhat more open than an older generation, who were the next highest targeted group due to better credit profiles and savings,” he said.
“The good thing about behavioural intelligence and biometrics is that it can't yet be manipulated by AI. We're using AI to detect that unique interaction on that unique page by that unique user. When the customer lands on the page and when they interact, that is the shift that needs to happen from a detection prevention point of view.
“Don’t trust anybody you don’t know and, if it sounds too good to be true, be suspicious.”