Thu, Nov 21, 2024 | Jumada al-Awwal 20, 1446 | DXB ktweather icon0°C

Got UAE Pass OTP request? Scammers pose as officials to bully victims for info

The TDRA has confirmed the app is secure; however, scammers continue to use sophisticated tactics to try and con residents

Published: Fri 28 Jun 2024, 6:00 AM

Updated: Sat 13 Jul 2024, 10:36 AM

Top Stories

They say they're from the police, the Ministry of Interior, or your bank. Regardless, their modus operandi is the same: to trick residents into revealing sensitive and personal information by asking them to authorise UAE Pass requests.

The vishing (voice phishing) scam is the latest in a series of sophisticated fraudulent attempts faced by UAE residents, amid warnings by authorities to be vigilant against unscrupulous parties. In a WhatsApp poll conducted by Khaleej Times this week, more than 8,300 people said they had received phone calls or emails from scammers impersonating UAE authorities. Unfortunately, those who do fall for the scammers' tactics end up in personal and financial loss.

Dubai resident Brejesh Rajan is still baffled after a vishing attack during which a woman had all his official information. Speaking to Khaleej Times, the Indian expat said, "I had submitted my Emirates ID (EID) for renewal and, on May 13, I received a call from a lady who claimed to be from the UAE ICP. She said they were in the final stages of the renewal process.

Stay up to date with the latest news. Follow KT on WhatsApp Channels.

"She had all my details, including the ID number and the expiry date. She said they were updating the system to protect residents from scammers and, therefore, needed the data. How was I supposed to doubt her?"

Rajan then received codes from his UAE Pass app (even though he had not initiated them) and was asked to click on one of the two that flashed on his screen. He followed the instructions, and "they got access to my app, which opened up for me as well," he said.

The fraudsters then deployed sophisticated tactics to trick Rajan. He was sent three emails from the ICP's gov.ae domain (see screenshots below). The expat, who moved to the UAE three years ago, was further convinced this is the usual procedure for renewing his Emirates ID.

"Our conversation continued for more than 15 minutes, as she talked me through the 'process'. The emails asked me to complete legal services, provide all financial verification, and authorise the card with the officer on call.

"As soon as I provided my bank details and card number, I received a debit request from ICP for Dh1 with an OTP (one-time password). Then, she asked for my CVV number and the OTP I received. That was the first time I was alarmed."

When the Indian expat refused to comply, the caller became aggressive and threatened consequences. Rajan did not budge. The agitated caller disconnected the call, and Rajan's UAE Pass was blocked. He later reinstalled the app and regained access using his biometrics.

High-pressure tactics

Scammers using this particular tactic even target residents who have yet to install the UAE Pass app. Narrating what happened to her, Dubai resident Ann Mel said, "I was running late and rushing to an appointment when I got a call from an unknown mobile number. The person on the other end was brusque and said something about the UAE Pass. I was barely registering what was being said while navigating my route. The lady then said she needed to verify my Emirates ID, but when I asked her why, she started to yell."

The media industry executive realised it was a scammer. "I told her 'I don't have the time for this.' Her response was the best. She shouted back, 'You think I have the time? I'm working too!' I cut the call, and she didn't bother calling me back — but, ma'am? You're a scammer. What do you mean you're working too?"

The expat highlighted the aggressive pressure tactics used by the scammers. "These tactics force people to make decisions quickly. They scare people into compliance and prevent them from immediately registering those minor but important details — like how Emirates ID authorities would never call from a mobile number, to begin with."

Another resident, Muhammed (who did not wish to disclose his full name), 39, found himself in a similar position when he was asked to confirm an OTP on the app. "I did not because I found it strange, as I did not initiate anything to generate a code. Although the man said he was from the Ministry of Interior, I just hung up." His doubts were confirmed when he saw similar posts online.

Several residents are sharing their experiences on social media forums — along with scammers' mobile numbers — in a bid to help fellow users be more aware. Recounting his own episode, Rajan said, "I should have known when I received the call from a mobile number. I was initially convinced when she had all my EID details; how was that possible?"

UAE Pass 'secure'

Khaleej Times reached out to the Telecommunications and Digital Government Regulatory Authority (TDRA) for comment; at the time of publication, a response was still awaited.

In response to social media chatter about scam attempts involving UAE Pass, however, TDRA recently assured the public of the platform's high-security standards, calling it a secure digital identity solution for residents and citizens.

The authority stressed the importance of exercising caution when receiving OTP, notifications or login requests linked to UAE Pass. Users are urged not to share the details and meticulously verify any requests to avoid potential fraud attempts by individuals seeking unauthorised access to accounts.

On Friday, the Ministry of Human Resources and Emiratisation also put out an advisory warning customers against scammers impersonating authorities. "You may receive text messages claiming to be from official authorities, requesting data updates or one-time password. Official authorities will never send such requests through text messages or calls. Be cautious," it said.

Criminal minds

Detailing the possible ways through which organised criminals could source data, Rayad Kamal Ayub, managing director at technology firm Rayad Group, said, "Fraudsters can easily access personal information about individuals on the dark web with low effort and risk. They obtain private identity details from numerous sources, including databases compiled from data leaks or hacks of various service providers.

"Hackers have also started mining data from multiple databases containing user information (such as email or mobile numbers) to compile unique usernames and passwords based on commonly used combinations."

In cases like Rajan's, where hackers are seemingly able to trigger UAE Pass requests, he says they are likely using pirated software that can track portals visited by victims and steal credentials such as usernames and passwords. "With this, they are able to log in and send notifications to the UAE Pass app."

Khalifa bin Huwaidan Al Ketbi, Chairman of CAWCAB LLC, a UAE-based cyber security and technology enterprise, confirmed, "Fraudsters easily access data collected by credential stealers, a type of malware often embedded as a backdoor in widely used apps distributed through Play Stores."

Another method is for scammers to enter your mobile number into any UAE Pass-linked app. This would enable them to trigger an OTP request. If unknowing victims share this code, it would grant them login access.

As for how Rajan received an email similar to a government domain, Kamal Ayub explained, "Hackers constantly create seemingly similar domains that closely resemble legitimate ones. It is also relatively easy for hackers to clone a name in their server and send text messages that may seem genuine to the receiver. Since they already have all our information, they can also easily trigger a response from the website and send an email. These can be proactively tracked and removed by the government or organisations before they are used for cyber fraud."

Ayub said some fraudsters have even weaponised SEO and mobile ads to deceive innocent victims. "For instance, searching for the words 'refund for failed transaction' may display a scammer's website and contact details, which unsuspecting users click on and end up losing money. Governments should collaborate with digital advertising companies to enforce verification against financial fraudsters placing ads," he said.

Meanwhile, Al Ketbi highlighted the growing threat of identity cloning and 'digital arrest' scams these days. "With personal data gathered through various sources (as mentioned above), identity cloning has become much easier.

"There's also a new, dangerous trend where fraudsters use VOIP calls to threaten individuals with allegations of sexual harassment or illegal drug use and imminent arrest by law enforcement. The fear of arrest puts victims under stress, leading them to install more malicious software. This, in turn, gives hackers further access to personal information, which is then used to manipulate victims even more."

How to stay safe

Scammers are constantly changing their approach and employing dubious tactics to deceive victims. According to Ayub, it's important to remember a few basic tenets of cyber security:

1. Avoid installing common software from unknown sources and remove the software or app when there is no requirement. This will reduce the attack surface of the user.

2. Telltale signs are receiving calls from unknown numbers and unknown phishing emails constantly that some data has been leaked about you. Refusing to engage with unknown numbers and emails is very effective.

3. If scammers have access to your email and phone (through malicious mobile apps) and are able to retrieve the access codes, they can reset the account to threaten you. Follow digital security practices, including updating passwords regularly, enabling two-factor authentication, not sharing sensitive information (like banking details or OTPs), and being cautious of suspicious messages or links.

4. Once you share OTP, a transaction will be complete, but you can quickly contact the service provider to secure your account. Police can also help by creating a dedicated system for tackling identity theft cases with large service providers like Google, Meta, Microsoft and Amazon.

5. Stay up to date with advisories from the government, which is constantly tracking and monitoring cyberspace to alert users of malicious apps and to plug data leaks.

ALSO READ:



Next Story