More than a dozen bank customers have spoken of unauthorised payments being made from their accounts in the UAE — sometimes while they were asleep.
At least 18 account holders described receiving a stream of text messages, often late at night or early in the morning, notifying them of purchases they had not made.
Saffron McAllister, a teacher in Abu Dhabi, said she woke on Sunday, February 27, to find messages alerting her to several transactions which had been declined due to insufficient funds.
Then, she saw a message stating that a transaction had been “successful”.
“I checked my online banking and realised they weren’t fake messages and then called [my bank],” she said.
The bank cancelled Ms McAllister’s card. When a payment status remained “pending” in her account 10 days later, the money was refunded to her.
She was told by a representative at the bank that if the money had left her account, the matter would have been investigated.
When Ms McAllister described her problem on an expats’ Facebook page, 17 people responded to say they had had similar experiences with multiple banks in the UAE.
Tackling scams is 'top priority' for banks
A spokesperson from HSBC, the only UAE bank which responded to The National about the scams, said the bank makes a point of both educating its customers about keeping their information private and tackling cyber criminals.
“Protecting customers against fraud is a top priority for us and we constantly work with the authorities, alongside others in the industry, to identify and address the ever-changing techniques used by fraudsters,” HSBC said in a statement.
“We have robust systems in place to protect the bank and our customers against cyber criminals, and through our awareness campaigns we regularly educate our customers on banking safely online.”
Shah Sheikh, co-founder and cyber security adviser at DTS solutions, said it is possible that victims’ card details were harvested during phishing exercises.
Typically, this involves criminals emailing a huge number of people with requests for bill payments from organisations that appear genuine. For example, they may be fake electricity or phone bills.
When the person clicks the link, they are taken to a web page that looks deceptively like the organisation’s real site.
The victims insert their bank card details, including the CVC number. They then receive a successful payment notification.
“But what's happening in the background is that the hackers are collecting this information,” said Mr Sheikh. “Now, what can happen is that the hackers can then go to other sites — commercial platforms — and use that information.”
He added that hackers can also sell people’s card details on the dark web.
“The dark web is anonymous, so I can post on it and say: ‘Do you want this file? I have a file of 500 credit cards and it's one day old, or six hours old or two days old, or whatever’,” said Mr Sheikh.
The hackers will buy and sell in Bitcoin, he added.
Using cryptocurrency, the dark web and proxy channels makes it harder for criminals to be caught, said Mr Sheikh.
Peter, 42, a teacher in Dubai, was awake at 8am on Saturday, February 19, when his phone started pinging incessantly — alerting him to payments being made to Google Play.
“In the space of 30 seconds, eight payment attempts were made,” he said.
“I asked my wife if she’d made any purchases on Google Play. When she said ‘no’, I was quite quick to get on the app and cancel my card.”
The transactions were made in Saudi rials and amounted to roughly Dh200. Around 10 seconds after Peter cancelled his card, he got a message from ADCB bank to say it had put a block on his card because of suspicious activity.
Even with his quick response, five of the eight transactions appeared to have gone through.
Peter described his alarm when he realised he was being scammed.
“I just felt a sense of panic as the rapid transactions kept pinging and I was still fumbling with my phone trying to block my card,” he said.
His bank has refunded the amount temporarily, while it investigates the transactions, he said.
When Peter, who did not want to give his last name, told colleagues what happened, two other people said they had endured scams within the last couple of months.
One person described waking up to more than 20 messages detailing unauthorised payments.
An ADCB bank representative said it was still investigating the cases but declined to comment further.
In November, Martin Jagger, 61, saw five rapid payments being made to Apple iTunes. It was approaching midnight and the payments totalled around Dh130.
But Mr Jagger, who lives in Abu Dhabi, knew this bank card was not linked to his iTunes account.
So, he cancelled the card.
The bank sent him a new card and asked him to complete a complaint form.
The money was held as “pending” in his account for around two months before it was released back to Mr Jagger.
“I assumed it was a phishing operation based on establishing a payment history with small payments and then going in for one large payment,” said Mr Jagger, an energy transition consultant.
“When I talked to [the bank], they also said that sometimes the scammers take lots of small amounts from lots of people.”
Mr Sheikh said banks should educate their customers about the risks of “phishing emails and SMSs”, as this tactic is responsible for “99 per cent” of bank card or financial theft.
Finally, banks and credit card companies should have advanced fraud detection capabilities to thwart hackers, he said.
Abu Dhabi Police advise the public not to share their confidential information with anyone. This includes bank account or bank card information, online banking passwords, ATM PINs, CVV (Card Verification Value) numbers or passwords.
Officers say that anyone who falls victim to fraud should call or go to the nearest police station and report it.
HSBC tips to stay safe online:
· sign cards as soon as they are received and follow the security instructions detailed in the enclosed letter
· protect card and security details such as card number, expiry date, CVV number etc
· not allow anyone else to use their card(s)
· not disclose their PIN, one time password for online transactions or online banking passwords to anyone
· always check transaction details such as currency and amount on the verification PIN message
· not allow anyone else’s biometrics to be stored on their mobile device
· destroy any documents which contain their card and security details
· not write down their card or security details, nor disclose them to anybody else, including the police or bank staff
· securely store and dispose of card receipts including merchant receipts
· cut any invalid and unused cards into at least 6 pieces
· keep sight of cards at all times while in public
· regularly monitor online banking, transaction alerts and monthly statements received from the bank