Got UAE Pass OTP request? Scammers pose as officials to bully victims for info

They say they're from the police, the Ministry of Interior, or your bank. Regardless, their modus operandi is the same: to trick residents into revealing sensitive and personal information by asking them to authorise UAE Pass requests.

The vishing (voice phishing) scam is the latest in a series of sophisticated fraudulent attempts faced by UAE residents, amid warnings by authorities to be vigilant against unscrupulous parties. In a WhatsApp poll conducted by Khaleej Times this week, more than 8,300 people said they had received phone calls or emails from scammers impersonating UAE authorities. Unfortunately, those who do fall for the scammers' tactics end up in personal and financial loss.

Dubai resident Brejesh Rajan is still baffled after a vishing attack during which a woman had all his official information. Speaking to Khaleej Times, the Indian expat said, "I had submitted my Emirates ID (EID) for renewal and, on May 13, I received a call from a lady who claimed to be from the UAE ICP. She said they were in the final stages of the renewal process.

Stay up to date with the latest news. Follow KT on WhatsApp Channels.

"She had all my details, including the ID number and the expiry date. She said they were updating the system to protect residents from scammers and, therefore, needed the data. How was I supposed to doubt her?"

Rajan then received codes from his UAE Pass app (even though he had not initiated them) and was asked to click on one of the two that flashed on his screen. He followed the instructions, and "they got access to my app, which opened up for me as well," he said.

The fraudsters then deployed sophisticated tactics to trick Rajan. He was sent three emails from the ICP's gov.ae domain (see screenshots below). The expat, who moved to the UAE three years ago, was further convinced this is the usual procedure for renewing his Emirates ID.

"Our conversation continued for more than 15 minutes, as she talked me through the 'process'. The emails asked me to complete legal services, provide all financial verification, and authorise the card with the officer on call.

"As soon as I provided my bank details and card number, I received a debit request from ICP for Dh1 with an OTP (one-time password). Then, she asked for my CVV number and the OTP I received. That was the first time I was alarmed."

When the Indian expat refused to comply, the caller became aggressive and threatened consequences. Rajan did not budge. The agitated caller disconnected the call, and Rajan's UAE Pass was blocked. He later reinstalled the app and regained access using his biometrics.

High-pressure tactics

Scammers using this particular tactic even target residents who have yet to install the UAE Pass app. Narrating what happened to her, Dubai resident Ann Mel said, "I was running late and rushing to an appointment when I got a call from an unknown mobile number. The person on the other end was brusque and said something about the UAE Pass. I was barely registering what was being said while navigating my route. The lady then said she needed to verify my Emirates ID, but when I asked her why, she started to yell."

The media industry executive realised it was a scammer. "I told her 'I don't have the time for this.' Her response was the best. She shouted back, 'You think I have the time? I'm working too!' I cut the call, and she didn't bother calling me back — but, ma'am? You're a scammer. What do you mean you're working too?"

The expat highlighted the aggressive pressure tactics used by the scammers. "These tactics force people to make decisions quickly. They scare people into compliance and prevent them from immediately registering those minor but important details — like how Emirates ID authorities would never call from a mobile number, to begin with."

Another resident, Muhammed (who did not wish to disclose his full name), 39, found himself in a similar position when he was asked to confirm an OTP on the app. "I did not because I found it strange, as I did not initiate anything to generate a code. Although the man said he was from the Ministry of Interior, I just hung up." His doubts were confirmed when he saw similar posts online.

Several residents are sharing their experiences on social media forums — along with scammers' mobile numbers — in a bid to help fellow users be more aware. Recounting his own episode, Rajan said, "I should have known when I received the call from a mobile number. I was initially convinced when she had all my EID details; how was that possible?"

UAE Pass 'secure'

Khaleej Times reached out to the Telecommunications and Digital Government Regulatory Authority (TDRA) for comment; at the time of publication, a response was still awaited.

In response to social media chatter about scam attempts involving UAE Pass, however, TDRA recently assured the public of the platform's high-security standards, calling it a secure digital identity solution for residents and citizens.

The authority stressed the importance of exercising caution when receiving OTP, notifications or login requests linked to UAE Pass. Users are urged not to share the details and meticulously verify any requests to avoid potential fraud attempts by individuals seeking unauthorised access to accounts.

On Friday, the Ministry of Human Resources and Emiratisation also put out an advisory warning customers against scammers impersonating authorities. "You may receive text messages claiming to be from official authorities, requesting data updates or one-time password. Official authorities will never send such requests through text messages or calls. Be cautious," it said.

Criminal minds

Detailing the possible ways through which organised criminals could source data, Rayad Kamal Ayub, managing director at technology firm Rayad Group, said, "Fraudsters can easily access personal information about individuals on the dark web with low effort and risk. They obtain private identity details from numerous sources, including databases compiled from data leaks or hacks of various service providers.

"Hackers have also started mining data from multiple databases containing user information (such as email or mobile numbers) to compile unique usernames and passwords based on commonly used combinations."

In cases like Rajan's, where hackers are seemingly able to trigger UAE Pass requests, he says they are likely using pirated software that can track portals visited by victims and steal credentials such as usernames and passwords. "With this, they are able to log in and send notifications to the UAE Pass app."

• UAE: How dating app founder almost lost $250,000 in European investment scam

• UAE
• Newsletters
• UAE