UAE bank fraud: Criminals increasingly focusing on contactless transactions

Abu Dhabi resident Nadeen Awwad encountered a case of fraud involving her First Abu Dhabi Bank credit card on April 6.

Three unauthorised contactless payments totalling about Dh10,500 ($2,859) were made using her card in the span of two to three minutes.

She reported the fraud immediately to her bank and was told that these contactless transactions were being made in China.

Although the fraudsters attempted to make six transactions, the card was blocked after the third transaction.

Within the same hour that the fraud was committed, she filed a transaction dispute form and the bank said they would revert in about 120 days.

“I was worried that I’d be asked to pay this amount in my next credit card bill,” Ms Awwad says.

“A customer service agent said I could submit a chargeback request where the bank would return the amount charged on my card until the investigation is over. However, after providing my transaction dispute reference number, another call centre agent denied the bank would accept a chargeback request.”

By then, several days had passed since the fraud occurred. Later, she was told that FAB’s fraud investigation team had determined that the fraudster had hacked her online banking app and connected her credit card to their Apple Pay for the transactions.

The bank said it could not retrieve the funds due to the contactless nature of the payments, leaving Ms Awwad liable to pay the amount.

“I refused to accept this because I was not at fault and had not provided a one-time password for these transactions to go through,” she says.

“In my bank app, you can connect your card to Apple Pay without any verification. Usually, when you add a card to Apple Pay, there are three forms of verification: OTP by SMS, OTP by email or contact the bank.

“If someone logged into my app using a different device in a different country, the bank should notify you.”

Ms Awwad also noticed on her credit card statement that the amount incurred from the three fraud transactions was higher by Dh400.

The bank said it would refer her to the collections team if she refused to make the payment.

She then submitted a complaint with the Central Bank of the UAE and lodged an online report with the police.

A day before the fraud, she recalls receiving two messages listing her Apple Pay activation OTP. However, she ignored these messages since her credit card had already been connected to Apple Pay.

First Abu Dhabi Bank did not respond to questions until the time of publication.

The rise of fraud incidents involving contactless payments raises questions about consumer protection and security measures put in place by banks.

The UAE’s status as a regional business centre with a high concentration of wealth makes it a target of cyber criminals, according to personal finance experts.

Fraudsters are drawn to the Emirates due to its affluent population, high internet penetration rate and the perception that consumers may be less cautious when conducting online transactions, says Carol Glynn, founder of Conscious Finance Coaching.

Internet penetration in the UAE stands at more than 96 per cent, making it one of the world’s highest, she says.

How criminals use technology to defraud victims – in pictures

The use of technology in everyday lives has led to growth in scams and fraud. Reem Mohammed / The National

Phishing is one of the most common methods used by fraudsters and it involves sending an unsolicited email that appears to be from a financial institution or online retailer. The National

Smishing — the SMS equivalent of phishing — is where fraudsters falsify the telephone number so it appears to be a genuine text from a bank or well-known company. Chris Whiteoak / The National

Vishing is the telephone equivalent of phishing and smishing. Fraudsters may pose as bank staff, police or government officials. Getty Images

SIM swap involves fraudsters duplicating the SIM of your mobile number without your knowledge or authorisation, allowing them to conduct financial transactions with your bank. AP

Identity theft is where someone illegally obtains your confidential information, through various ways such as theft of your wallet, bank and utility bill statements, computer intrusion and social networks. Getty Images

Prize scams involve fraudsters claiming to represent well-known organisations. They contact victims to tell them they have won a cash prize and request them to share confidential banking details to transfer the prize money.

The tax authority said some bank customers in the UAE have received phishing emails impersonating financial institutions. EPA

Jenny Ross, Which? Money editor, says: ‘Scammers are relentless when it comes to wanting our personal information and ultimately our money.’ PA

Netflix’s The Tinder Swindler tells the story of three women who say they were conned out of $500. Photo: @simon_leviev_official via Instagram

According to a World Bank report, 9.82 million UAE residents made online purchases in 2023, a figure expected to reach 11.11 million by 2025.

“Additionally, the rapid growth of e-commerce in the UAE has led to an influx of new online shoppers who may be less aware of the risks associated with online transactions, making them more vulnerable to scams and fraud,” Ms Glynn says.

The UAE’s e-commerce sector has registered substantial growth in recent years, reaching a market value of $8.86 billion last year. It is projected to rise to $16.53 billion by the end of 2029, according to research by Mordor Intelligence.

This expansion can be attributed to factors such as widespread internet access, a young and tech-savvy population, and a strong infrastructure, Ms Glynn says.

“Financial crimes are increasing at an alarming rate worldwide. One major reason is the rapid advancement of technology, which has led to new forms of financial transactions and digital platforms. Criminals often exploit even the slightest vulnerabilities, often due to old and outdated set-ups,” she says.

“With easy access to AI tools, communications from fraudsters are becoming more sophisticated and harder for the average person to identify. Usage of tools such as ChatGPT means fraudulent emails are better written than before and the old telltale signs such as poor grammar and incorrect spelling are no longer so prevalent.”

Cyber security is developing rapidly in the Africa, Middle East and Turkey region.

There is a direct correlation between this development and the surge of cyber crime, which is also becoming more complex, according to Maher Yamout, lead security researcher in the global research and analysis team at Kaspersky.

A Kaspersky report found that the amount of mobile threats detected in the UAE increased by 74 per cent in 2023, compared with 2022.

“An increase at such an alarming rate is only possible as users become evermore reliant on their mobile devices,” he says.

“As a result, sensitive and personal data is being shared from mobile devices, particularly in the corporate industries.”

Attackers are monetising the increase in users sharing valuable data and connecting to public networks from their mobile devices, he says.

One of the most prevalent cyber threats detected on mobile devices in the Middle East is mobile banking Trojans, according to Kaspersky.

Trojans can steal data from victims’ devices, add unwanted subscriptions and appropriate money. A victim’s data or files will become encrypted and only made accessible in exchange for payment.

Kaspersky research also shows that targeted ransomware attacks, which are highly financially motivated, have increased by 70 per cent from 2022 to 2023, both regionally and globally.

“Unlike common, arbitrary ransomware attacks, targeted ransomware groups are much more selective in their approach,” Mr Yamout says.

The anonymity provided by contactless transactions can make it difficult to trace, which adds to the attractiveness for fraudsters

Carol Glynn, founder of Conscious Finance Coaching

“Attacking selective groups of people within an organisation or specific government bodies yields an easier, more guaranteed return on investment for criminals. Such a rise in targeted attacks makes it even more important to ensure that solid safety measures are employed.”

Another fraud tactic is where perpetrators trick account holders by using tactics such as pretending to be calling as Dubai Police or medical insurance providers to verify Emirates ID details, which catches a victim off guard, leading them to share bank account access information and OTPs, Abi-Gail Marshman, senior managing director at business advisory FTI Consulting, says.

“Irrespective of the fear and urgency the caller creates, tell them you will call the bank or authorities yourself to verify the request and drop the call,” she says.

“Report the telephone numbers to the police and perhaps block that caller from your phone.”

Also, criminals are using cloned bank card details to conduct fraudulent online purchases and transactions, Ms Marshman warns.

Cards can easily be cloned when handed over to a merchant in a store to make a point-of-sale payment, she says.

The card can be quickly swiped through a skimming machine to retrieve and copy all its details in order to make a replica, or use the card details for online purchases. This often happens when travelling to risky countries, she adds.

Contactless transactions have become a target by fraudsters due to the volume of customers using them.

Watch: UAE’s national fraud awareness campaign to curb email scams

It is easier for criminals to carry out fraudulent transactions without the need for physical cards or identification, according to Ms Glynn.

The anonymity provided by contactless transactions can make it difficult to trace, which adds to the attractiveness for fraudsters, she says.

Humans remain the weakest link in such crimes, with the uptake in digital wallets such as Samsung Pay, Apple Pay and Google Pay being widely recognised by cyber criminals and customers alike, Kaspersky’s Mr Yamout says.

“In particular, those with older devices are the most vulnerable to attacks involving contactless transactions. Outdated operating systems lack the security and protection present on newer systems,” he says.

“These vulnerabilities are identified in a user’s digital wallet and exploited by hackers who may interfere using radio equipment. Payments can then be made from the device, unbeknownst to the user.”

Besides the basic security recommendation to stay alert when conducting contactless transactions, it is crucial for customers to keep their operating systems up to date to prevent attackers from interfering with any potential vulnerabilities, he suggests.

To minimise further risk, passkeys should be enabled where possible, requiring either biometrics or two-factor Pin authentication to access a digital wallet, Mr Yamout recommends.

“Having a separate card dedicated to online payments, in which money can be transferred only when necessary, is another good way for customers to protect their finances,” he says.

“The multilayered approach to security ensures that contactless transactions are protected from the threat of malicious code.”

Security measures to avoid fraud in contactless transactions

• Always enable two-factor authentication for online and mobile banking services
• Do not share a one-time pin (OTP) with anyone
• Check the details of the transaction when the text message/email comes through with the OTP to ensure the transaction amount in the message matches your purchase amount
• Avoid storing sensitive information such as card details on devices or online platforms
• Reduce the transaction limits on your debit and credit card to limit your exposure. You can always increase them temporarily if you need to make larger payments
• Always analyse emails and be aware of phishing fraud and deceitful emails or text messages.
• Look out for unusual language or slightly distorted email addresses. If you are unsure, do not engage
• Set up transaction alerts so that if there is fraud on your account, you can quickly be made aware of it and take action to limit your exposure
• Never use a debit card for online purchases and keep only the minimum amount in your current account
• Keep excess cash in a separate account, without a debit or credit card attached and never make online payments from that account

Courtesy: Carol Glynn