Dealing with authorised push payment (APP) fraud in the UAE
This type of fraud is becoming increasingly prevalent and more sophisticated.
Potential victims are not limited to private individuals. Businesses of all sizes, and even governments, are frequently among the victims.
A common method of carrying out APP fraud is via compromised company email accounts: the fraudster intercepts a legitimate email chain between business-to-business parties and requests that the payer use the payee’s updated bank account details for an upcoming (legitimate) payment. In this instance, the fraudster communicates via an email address that appears to be a genuine email address of the payee, but with a very minor difference that goes undetected by the payer. In one recent case in the context of a construction project, we have seen this method become more elaborate: the fraudster also arranged for a (forged) signed and stamped copy of the notice of changed bank account details to be delivered by an unknown person to the payer’s site office.
Other common examples of APP fraud include a fraudster pretending to be the CEO or high-level management of a company, a bank representative, or an investment advisor, and persuading a victim to transfer funds under an apparently legitimate and usually urgent pretext. Fraudulent websites selling non-existent goods and services are also used.
APP fraud in the UAE
The UAE has long grappled with an array of financial crimes and scams, from investment schemes to gold trading and cryptocurrency scams. APP fraud is simply one of the latest iterations and is perhaps more efficient and more difficult to trace.
Attacks seeking to compromise business email correspondence saw a jump of 29% in the UAE, according to the 2024 State of the Phish report by Proofpoint.
It was reported in 2023 that 86% of the UAE organisations targeted in phishing attacks had fallen prey to at least one of the attempts. Nearly half of these attacks caused direct financial loss, according to the same report. Government agencies are also becoming increasingly targeted by cyber criminals. Mohamed Al Kuwaiti, Head of Cybersecurity for the UAE Government, said in June 2023 at a conference in Tel Aviv that the UAE was thwarting 50,000 cyberattacks a day, from ransomware to cyberterrorism.
What steps should victims take?
While the UAE is not alone in the battle to combat this type of scam, it should not be assumed that the steps to be taken and tools available for seeking recovery are the same as in other jurisdictions. Indeed, there are a number of nuances. Certain protections for consumers and other victims of financial crime which are available in the UK and Europe do not exist in the UAE. At the same time, law enforcement authorities and court procedures can be remarkably efficient and effective, which can be an advantage over other jurisdictions.
If the payer has become a victim of APP fraud, they should take the following steps as soon as possible.
Authors: Josh Kemp, Abdulla Al Roken and Arthur Dedels
- Phone the paying bank to notify it of the fraud and request reversal of the transfer instruction. If possible, contact a specific individual within the bank (e.g. anti-fraud unit, branch manager, or relationship manager).
- Phone the receiving bank to notify it of the fraud, request rejection of the transfer and blocking of the receiver’s account.
- Immediately send written confirmation of these requests to the paying and receiving banks.
- Lodge a criminal complaint. If in the emirate of Dubai, the complaint should be lodged online via the e-crime unit of the Dubai Police. If the receiving bank is outside the UAE, phone the police of that jurisdiction to report the fraud and request to open a criminal file.