UAE cybercrime experts are warning residents not to fall prey to threats and demands from online fraudsters who are using increasingly elaborate schemes to blackmail their victims out of money.
In a recently released email sent to people in the UAE, which was shown to Al Arabiya English, blackmailers told the victims that they had accessed their work emails and personal data and that they would spread humiliating information about them to their family, friends and colleagues if they did not pay a ransom fee.
One email read: “Unfortunately I have some unpleasant news for you. About several months ago I managed to get full access to all the devices you use to browse on the Internet.
“A week after that, I proceeded to install a Trojan horse virus into the operating systems of all your devices, which you use to log into your email.
“With this software, I can access all your device controllers (such as your video camera, microphone, keyboard, etc.) and I can easily download all your data, photos, web browsing history and other information on my servers.”
The scammer went on to say that he had obtained “embarrassing” data which he would share publicly unless his victim paid thousands of dirhams via Bitcoin transfer, and warned against going to the authorities to report the email.
“Do not attempt to call the police as well as other security services,” the scammer wrote.
“Plus, don’t even think about sharing it with your friends. If I learn about this (based on my skills, it would be very easy, because I have all your systems under my control and constant monitoring) – your (information) will become public without delay.”
Experts from the United Arab Emirates have said that these cyber exploitation crimes are not new, but are on the rise.
Brian Chappell, chief security strategist at cybersecurity firm BeyondTrust, told Al Arabiya English: “It’s been a common scam for a very long time now and it’s not resurfacing, it’s never gone away.
“We are seeing changes in the types of phishing attacks as attackers seek out the most lucrative options and this can make attackers seem to have forgotten about you. You can be fairly certain that your details will come back to the top of their list at some point.
“Because scams are carefully crafted to push the right buttons and people, for all we’d like to think we’re above the animal kingdom, are still subject to the stimulus/response cycle and doubling down when they’re stressed.”
He said there are many different scams – often playing on a need for urgent action.
“Phishing attacks (a cybercrime in which crooks attempt to trick you into revealing sensitive information or data) will rely on the hierarchy of most organizations to attempt to get someone to act immediately by posing as their CEO or similar.
“They almost certainly have sample emails from your organization or similar organizations, they will have the wording of the emails to the point that it can be difficult to tell them apart from a real email being sent, in haste, from a cellphone, by your CEO.”
Chappell said there are basic security protocols to follow when receiving any type of email that looks suspicious.
“Don’t click on anything until you verify that it is a legitimate email. Even if you’re expecting an email or it seems relevant, misspellings, older logos, and poor formatting are commonly used to weed out the most knowledgeable recipients. It’s rarely an accident; the criminals at the end of the email are smart and don’t want to waste time with people who might be asking questions and wasting their time.
“Also ideally don’t have your email set up to automatically display images in the email as this can be used to verify that your email address is a legitimate address that has a person at the end – which alone has value for the sender as they can sell your email address as verified live.”
Sam Curry, chief security officer at Cybereason, said anyone who receives a suspicious email sent to their work account should immediately check with their IT or security department.
“There is normally a submission process to a team, sandbox or service. If you don’t have an IT team to contact, never open attachments in emails from people you don’t know, don’t visit questionable websites, and if you receive an offer for a product or an email service that sounds too good to be true, it probably is.”
There are several telltale signs of a phishing email, Curry said.
“They can vary wildly because ultimately a human being is actively crafting and tailoring the mail to fool you. However, you should never click on a link. Period.
“Nothing should ask for your approval, money, information, unless it’s part of an established process. For example, if you have an invoice approval app that regularly sends you reminders with a link, that’s fine but far from ideal. Best is to just warn you and let you access the website manually. Sore? Slightly. Safer? Absolutely.”
Curry believes cyber crimes and online blackmail scams are on the rise.
“Overall, it’s hard to gauge the rate, but all indications at the macro level are that they’re going up and the best of them are getting better,” he said.
“We are human beings: we want to help, we want to do our duty, we want to do the right thing, we want to do our job. In fact, these are wonderful imperatives; but they are also usable. Even security experts are exploited. No one is immune, but we can all improve and make systems and processes robust to minimize the risks and impact of email-based exploitation.”
Curry said that in work environments, employers should ensure their staff are trained to detect phishing emails.
“It may not seem obvious, but even seemingly innocuous interaction and information can actually cause harm, even if it’s just a matter of teaching the user to trust the source and style of Companies should aim for “zero click” emails in their business processes, so they can say “never click”.”
Bahaa Hudairi, regional sales manager for META at Lookout, a cloud security company, said this type of scam is both a growing problem and one for which many are unprepared.
“The potential harm to reputation, job prospects, standing in the community and family relationships further raises the stakes. However, if you are a victim of it, report it immediately to the relevant department in your organization.
“If you have received this on a personal level, report it to the police and regulatory authorities. Also report this to your internet service provider so that they can take action to prevent the person from contacting you further.
“Internet scams are becoming more and more common. No one is safe. The desire to explore and visit new websites, open emails from unknown sources and download things that are not legitimate often causes people to fall prey to such scams.”
The UAE takes crimes committed on the Internet very seriously. In 2012, Federal Decree No. 5 was issued to specifically combat cybercrime.
With regard to cases where an individual makes a threat for money, article 16 of Federal Decree No. 5 of 2012 stipulates that the extortionist “shall be punished with imprisonment for two years at most and a fine of at least 250,000 Dh and not exceeding 500,000 Dh, or one of these two penalties.”