Philip Currie received a text message on May 7 about an outstanding bill from his telecom provider, du.
Mr Currie, 49, from Britain, decided to pay the bill through du Quick Pay, as he did every month.
On his phone, he typed du Quick Pay into the Google browser and search results came up. He clicked on what looked like a sponsored ad for the page.
“It looked exactly like the du website, had the same sort of web address. Even when you clicked on it, it looked like the mobile version of du. I clicked on the link and it went to a payment page which looked identical to du Quick Pay,” Mr Currie recalls.
“I proceeded and entered my details, just as I have done many times. I've been in Dubai for almost six years and I've paid my monthly bill this way all the time.”
Despite entering his HSBC credit card details the first time, he did not receive a one-time password. He tried resending it. A pop-up window opened on his phone and he copy pasted the OTP in the website.
As soon as he entered the OTP, he started receiving messages about different payments worth thousands of dirhams each.
“I felt sick to my stomach. In hindsight, I wish I'd gone through my SMS messages and seen what charges were coming through and what the OTP was for, but I didn't because I thought I was on the du website,” he says.
He was charged $4,080, €3,500 ($3,810), €1,000 and $1,530 in four transactions in the space of a few minutes. “I thought they were going to clean me out,” Mr Currie says.
The UAE’s financial sector has recorded a surge in financial fraud in recent years. Advances in technology and an increase in online banking make it easier for fraudsters to exploit weaknesses, cybersecurity experts say.
There has been an increase in the number of fake emails, bogus calls and text messages aimed at tricking people into sharing their personal details and stealing their money.
Despite more than half of respondents (61 per cent) in the UAE claiming to be savvy enough to sidestep online and phone fraud, the reality is that nine in 10 are likely to disregard the warning signs that suggest online criminal activity, according to Visa’s annual Stay Secure survey released in December.
About 54 per cent of people in the UAE have been a victim of fraud at least once, compared with the global average of 52 per cent, the study found.
Mr Currie called his bank and immediately blocked his credit card. HSBC said it managed to block all transactions, except the one for $4,080.
The criminals had made a fake website for du Quick Pay and taken out a sponsored Google ad. “I've never been scammed before. It didn't have a random weird domain. It looked all legit to the eye,” he says.
He raised a dispute with HSBC and reported the link to Google as a fraudulent website. Although Google took down the website, a few days later, another set of fraudulent websites appeared, but with dodgy domain names, he says.
On inspecting the payment that went through, Mr Currie realised the merchant was Raseed Invest, a trading platform for the US stock market.
He went to the merchant’s website and chatted with an agent. He asked them to trace the perpetrator of the crime using the last four digits of his credit card and the exact amount deducted.
They refused to give this information but said if either his bank or the police contacted them, they would co-operate.
“I called up Dubai Police’s cybercrime unit. They promised to investigate if I get an official letter from the bank. You have to physically go to a bank branch and get a stamped letter. It's a little bit of red tape because time is of the essence,” Mr Currie says.
How criminals use technology to scam victims – in pictures
“I called my bank a few times to get updates. I told them I had not knowingly authorised this payment. I've never traded with this merchant before or made a purchase of this value. If you check my bank records in the past six years, the biggest purchase was probably only 50 per cent of this amount.
“Why didn’t the bank immediately block my card on that basis? Surely the bank has algorithms to detect potential fraud.”
He says he rarely uses his HSBC Visa card to make any foreign transaction, relying instead on a UK-issued credit card.
Mr Currie says his Lloyds credit card, when he was in the UK, would get blocked on many occasions when he tried to make a foreign transaction. The fraud team would call him to confirm the payment and then unblock the card.
“The OTP system that was set up a few years ago as a security measure is now a vulnerability. It's so easy for criminals to get the OTP and intercept it. I'm scared to make any purchases or use my mobile now,” he says.
Mr Currie, who has had an account with HSBC for 40 years, says the bank's dispute team sent him a "very impersonal email saying they have conducted an investigation and because I had given the OTP, they are closing the case".
When contacted, HSBC said the OTP secure payment system is designed to protect customers by confirming their consent before processing a transaction.
The bank reminded its customers of the importance of reading all text message notifications and OTP messages carefully before authorising any transaction.
HSBC launched a free Fraud and Cyber Awareness app two years ago to help users protect themselves against cyber attacks. The app can be downloaded from the Google Play and Apple App stores in the UAE.
OTPs are one-time use, numeric codes which are used to confirm your identity or approve genuine transactions you have made.
If you unexpectedly receive a one-time pass code, it may mean a fraudster is trying to use your card or access your accounts, the app warns.
Anyone who calls and asks for this pass code, even if they claim to be from the bank, is trying to scam you.
Du also advises customers to make payments via its app and website directly rather than through search engines.
“Du is proactively addressing cyber security by implementing various comprehensive measures to protect customers from bogus websites and cyber threats. The telco conducts regular public awareness campaigns to educate users about online dangers and safe internet usage, helping them recognise phishing attacks and fraudulent websites,” it says.
The company also invests in security to monitor and block suspicious activities, it adds.
systems engineering manager, Netscout
People should use secure channels for financial transactions and enable multifactor authentication whenever possible, says Emad Fahmy, systems engineering manager at cybersecurity provider Netscout.
“They should also regularly monitor accounts for suspicious activity and be cautious of phishing attempts, which are on the rise in the region and worldwide,” he says.
People should also keep devices updated with security patches, "use strong, unique passwords" and consider a password manager. "By following these steps, individuals can significantly reduce their risk of financial fraud."
Banks should use advanced threat detection solutions and lean on artificial intelligence and machine learning to identify and mitigate sophisticated cyber threats in real time and safeguard customers, Mr Fahmy recommends.
Implementing stringent access controls, encrypting data both in transit and at rest, and regularly updating security policies are also vital.
“Banks should also provide ongoing security awareness training to employees and customers and adopt continuous monitoring solutions for prompt incident response,” he adds.
How to avoid financial fraud
- Read all SMS notifications and OTP messages carefully before authorising any transaction
- Never share your OTP with anyone
- If someone calls and asks for an OTP, hang up immediately
- Make telecom payments directly through the app or website
- Avoid search engines and use secure channels for secure financial transactions
- Enable multifactor authentication for transactions
- Keep devices updated with security patches
- Use strong, unique passwords and consider a password manager
