Isabelle Jones made the mistake of clicking on a link in an email claiming to be from her bank.
“It asked me to change my password and it looked very legit and I was busy, so I didn’t pay attention,” says Ms Jones, 52, a Canadian personal trainer in Dubai. “I wanted to do it before forgetting – and I should have been more cautious – but I just did it."
Ms Jones forgot about the email until a few weeks later when she did her monthly check of her account online. There had been nearly Dh100,000 in that account, but – to her shock – there was only around Dh100 left.
Such phishing scams – fake emails that can lead to data breach or installation of malware – are commonplace in the UAE. It is unlikely they will go away anytime soon and neither will other types of bank and credit card frauds, including smishing, vishing, SIM swap, identity fraud and prize scams.
For Ms Jones, the money transfers started about three days after that email. "Over the course of a month, several small transfers were made," she says. After calling her bank and an investigation involving the police, she was reimbursed the full amount.
As the number of ways to bank have increased, so have the avenues through which fraud can be committed. While banks and credit card companies are constantly updating their security measures, they emphasise that consumer awareness is key to preventing and combating fraud.
“As banks have developed better strategies, the customer is always the target of the fraudster,” says Riann Van Schalkwyk, HSBC’s head of fraud for the Menat region. “There are myriad ways that the bad guys convince the customer to hand over their personal information … The moment that those details are with the bad guys, they can use it.”
When Emirates NBD customers, and non-customers, received emails in November promising VAT refunds, the bank issued a warning on its website that these were phishing emails intended to trick people into sharing sensitive information.
Yet the emails have continued with the hackers changing strategy. One email sent on January 6 from the legitimate email address email@example.com with the subject "Emirates NBD: Dispute Transaction" states "If you did not dispute the last transaction, please login in to your Emirates NBD account and cancel the dispute request," along with a login link.
In December, the Central Bank of the UAE issued a warning to the public about fraudulent WhatsApp messages telling customers their ATM card has been blocked. The fake message used the Central Bank logo as its profile image and included a hyperlink to click.
David Michaux, director of technical security services at Whispering Bell, a risk management and information security company, says fraudsters are now targeting social media a lot more, as the drive to make banking more accessible overlaps with social networks.
“Banks are trying to make their service as attractive as possible and they’re trying to offer as many services as possible. So you have telephone banking, android apps, iOS apps, online banking, WhatsApp banking – you have everything,” Mr Michaux says. “The more channels that you open, the more channels you have to protect and the wider the landscape.”
Emirates NBD, for example, is currently piloting WhatsApp banking for the bank’s employees with the intention of rolling it out to customers soon. In a September statement, the bank assured customers all messages on the bank’s WhatsApp business account are encrypted, ensuring safety and security.
Making banking more convenient means personal data is often shared across several platforms. Abu Dhabi's Al Hilal Bank, for example, allows customers to use their Emirates ID cards to make cash withdrawals from its ATM machines.
Mr Michaux says Whispering Bell works with UAE banks and telecom operators to close any vulnerabilities, including one where hackers divert text messages used by banks to authenticate users. When combined with the large data breaches happening around the globe, such text intercepts can have disastrous consequences.
Changing passwords regularly and being more creative with passwords can also help consumers protect their data.
“People don’t actually take this as seriously as they should,” says Mr Michaux. “The problem is that now every time you use any service … you’re asked to log on with a username and a password and to create an account. Now, most people don’t have amazing memories, so they basically stick with two, three or four passwords which they use and they just rotate these through all the different registrations that they do.”
The banks themselves are also taking action to increase consumer awareness. Emirates NBD launched a #DontTakeTheBait video series on social media networks, warning consumers of the dangers of vishing, phishing, advance fee frauds and identity fraud, while Abu Dhabi Islamic Bank features anti-fraud tutorials on its website.
However, there have also been cases of fraud happening internally. Seventeen men are currently on trial for allegedly stealing more than Dh20 million from Dubai Islamic Bank through fake transfers. Seven were bank employees who leaked client details to the other defendants. Last year, Al Hilal Bank uncovered internal fraud worth more than Dh500m, according to Bloomberg.
However, credit card fraud remains the most common issue. More than a quarter of UAE residents reported being a victim over a five-year period, according to a 2016 study by ACI Worldwide.
Major payment technology companies, such as MasterCard and Visa, work with banks to improve security. Making credit cards chip-enabled, rather than relying on magnetic stripes, makes them insusceptible to skimming. However, 3D Secure provides an added layer of security by prompting customers for an OTP (one-time password) when making an online purchase.
Neil Fernandes, Visa’s head of risk for Mena, says the company has a four-pronged approach when it comes to preventing fraud.
Protecting data is primarily done through data encryption, such as the account number being scrambled by an algorithm when making an online purchase. Harnessing data uses intelligence tools, such as 3D secure, to detect whether a transaction is fraudulent.
Devaluing data means making data unusable by implementing technologies like tokenisation and card chips. Tokenisation replaces the card’s 16-digit number with a unique “token” number that can be used for mobile point-of-sale transactions, in-app purchases and online purchases. Therefore, criminals are unable to use the credit card number without the token that changes every time.
Finally, empowering consumers is making them aware of tools, such as text message alerts and “consumer transaction controls,” says Visa, to determine how, where and when their cards can be used. While the text message alerts are mandatory, the transaction controls are a new option that provides a second line of defence for the consumer.
However, it is still up to consumers to protect themselves. “We recommend consumers don’t share credit card numbers with anyone and avoid responding to phone calls or emails that promise prizes or offers that are too good to be true in exchange for disclosing card details or passwords,” adds Mr Fernandes.
Ambareen Musa, founder and chief executive of the financial comparison website Souqalmal.com, says it is important that consumers also keep on top of their accounts.
"Monitor your account statements and card activity regularly, make sure you're signed up for and are receiving email and SMS notifications for all your account and card transactions," Ms Musa says.
Unfortunately, fraudsters can find ways around extra security measures if consumers are duped into trusting them. A British woman, 40, an events planner in Dubai who prefers to remain anonymous, says she was scammed into believing the Ministry of Finance was calling her to ask for her bank details as a background check. After she hung up multiple times, the caller accused her of disrespecting government officials and threatened her with imprisonment.
The fraudster acted as if he were authentic by sending her a text message from what appeared to be an official Emirates ID number. She then gave him her credit card number and even gave the one-time password when asked.
“I’m still questioning myself till today," she says. "I think it was more coercion and shouting and me worried about the prospect of going to jail."
About Dh30,000 was drained from her account within 20 minutes, while the male scammer kept her on the phone. She immediately called the bank and the police, but was only able to retrieve about half the amount.
“If I had seen the messages coming from my bank, I would know it was a scam,” she says. “But I was somehow blinded by fear.”