A large-scale scam campaign impersonating UAE law enforcement and exploiting citizen trust has been uncovered by security researchers.
The fraudulent scheme, which coincides with festive periods like the UAE National Day (Eid Al Etihad), involves cybercriminals deceiving victims into paying fake fines via targeted calls, emails and text messages.
Discovered by Resecurity, the scam exploits personal data to pose as Dubai Police and send fake payment requests for non-existent traffic violations, parking fines or license renewals. Victims are contacted through phone calls, often featuring scripted dialogues and background noise designed to mimic call centers.
In one instance, a fraudster, using an Indian accent, posed as an inspector and threatened a victim with vehicle seizure and license revocation unless a payment was made.
Key Tactics Used in the Campaign
“The malicious scenarios used were consistent in code with those observed in a similar campaign impersonating the UAE Federal Authority for Identity and Citizenship [...] last year,” Resecurity wrote.
“The tooling used by the Smishing Triad has been initially identified by Resecurity and is offered by a Chinese-speaking actor on Telegram. Notably, the group includes members from Indonesia, Vietnam and other countries involved in fraudulent activities.”
The tactics used by attackers in this campaign include:
-
Phishing and smishing: Fraudsters sent emails and text messages imitating Dubai Police branding, with links to fake payment pages
-
Vishing calls: Victims were pressured through calls, where scammers demanded sensitive information under the guise of investigations
-
Fake notifications: Messages mimicking legitimate UAE government systems like the UAE PASS platform led to theft of personal and financial data
The UAE Financial Intelligence Unit (UAEFIU) reported an alarming AED 1.2bn ($326m) in fraud-related losses from 2021 to 2023. Resecurity also identified more than 144 domains linked to the scam, many using inexpensive and poorly regulated generic top-level domains (gTLDs).
Fraud of this nature not only impacts victims financially but also aids money laundering activities. Cybercriminals, operating globally, have leveraged dark web-sourced databases containing phone numbers and other personal information. Experts estimate between 50,000 and 100,000 scam messages are sent daily.
Authorities are urging vigilance, reminding residents that official entities like Dubai Police never request personal or financial details over the phone. Victims can report scam attempts through designated hotlines and email services across the UAE.
Image credit: Edijs Volcjoks / Shutterstock.com