Business Email Compromise (BEC) is one of the most financially devastating cybercrimes targeting UAE businesses. Unlike malware or ransomware, BEC doesn't require technical hacking skills — it exploits human trust and business processes. In a BEC attack, criminals either hack a legitimate email account or create a convincing fake email to impersonate a trusted person (CEO, finance director, supplier, or attorney) and manipulate employees into making fraudulent bank transfers, sharing sensitive data, or purchasing gift cards.
The UAE has seen significant BEC losses across all industries. Construction companies have lost millions when attackers intercepted supplier payment communications and substituted fraudulent bank account details. Trading companies have been defrauded through fake CEO payment instructions. The FBI's Internet Crime Complaint Center consistently lists BEC as the costliest type of cybercrime globally — and the UAE is no exception.
CEO/Executive fraud: An employee in finance receives an urgent email apparently from the CEO or a senior executive asking for a wire transfer to a new account for a "confidential acquisition" or "urgent payment". The email instructs the employee not to call to verify — "just process it quickly". This is a classic BEC red flag.
Supplier invoice fraud: Attackers compromise a supplier's email account (or spoof it convincingly) and send a notice that their bank account details have changed. The next payment goes to the attacker's account. This is particularly common in UAE construction and trading sectors where large supplier payments are routine.
Attorney/legal impersonation: Fraudsters impersonate law firms handling business transactions — particularly real estate deals which are common in Dubai — claiming that a payment must be made immediately to complete a legal matter.
Payroll diversion: An email to HR or payroll claiming to be from an employee asks to change their salary account to a new bank account. The fraudster collects the next payroll payment.
Verify all payment changes by phone: Any request to change a bank account number, make an unusual transfer, or process an urgent payment must be verified by calling the requestor directly using a known phone number — not a number provided in the suspect email. This single control prevents most BEC attacks.
Implement dual authorisation for payments: Require two authorised signatories for all payments above a threshold. This prevents a single employee from making fraudulent transfers regardless of how convincing the request appears.
Enable email authentication (DMARC, DKIM, SPF): These email security standards prevent attackers from spoofing your domain to impersonate your company when targeting your clients and suppliers. Al Aida IT configures DMARC, DKIM, and SPF as part of our IT AMC email security service for clients in Dubai and across the UAE.
Train your finance and HR teams: Regular security awareness training focused on BEC scenarios is essential. Finance teams need to be empowered to say "I need to verify this" without fear of repercussions for questioning executive instructions.
Enable Microsoft 365 Defender: Microsoft 365 Defender includes anti-phishing policies, impersonation protection, and suspicious activity alerts that can detect and block many BEC attempts before they reach an employee's inbox.
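To make the email authentication step above concrete, here is an added example (not Al Aida IT's tooling) that audits the text of a domain's published SPF and DMARC records for settings that still allow spoofing. The records are constructed samples for the placeholder domain example.com, and the function names are hypothetical.

```python
LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists")  # RFC 7208 DNS-lookup mechanisms

def audit_dmarc(record):
    """Return weaknesses in a DMARC TXT record string (RFC 7489 tags)."""
    if not record or not record.strip().lower().startswith("v=dmarc1"):
        return ["DMARC: no valid record, receivers apply no policy"]
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        findings.append(f"DMARC: p={policy or 'missing'} is monitor-only")
    if tags.get("sp", "").lower() == "none":
        findings.append("DMARC: sp=none leaves subdomains unprotected")
    if "rua" not in tags:
        findings.append("DMARC: no rua address, aggregate reports are not collected")
    return findings

def audit_spf(record):
    """Return weaknesses in an SPF TXT record string (RFC 7208)."""
    if not record or not record.strip().lower().startswith("v=spf1"):
        return ["SPF: no valid record"]
    terms = record.lower().split()[1:]
    findings = []
    names = [t.lstrip("+-~?").split(":")[0].split("/")[0] for t in terms]
    if "all" in names:
        term = terms[names.index("all")]
        qualifier = term[0] if term[0] in "+-~?" else "+"  # bare "all" means +all
        if qualifier in "+?":
            findings.append(f"SPF: {qualifier}all does not reject unauthorised senders")
    elif not any(t.startswith("redirect=") for t in terms):
        findings.append("SPF: no 'all' mechanism, unlisted senders get a neutral result")
    # Counts top-level terms only; lookups inside included records also count.
    lookups = sum(n in LOOKUP_TERMS or n.startswith("redirect=") for n in names)
    if lookups > 10:
        findings.append(f"SPF: {lookups} DNS-lookup terms exceed the limit of 10")
    return findings

# Constructed sample records (SPF, DMARC) for a placeholder domain.
WEAK = ("v=spf1 include:_spf.example.com +all", "v=DMARC1; p=none")
STRONG = ("v=spf1 include:_spf.example.com -all",
          "v=DMARC1; p=reject; rua=mailto:dmarc@example.com")

def audit(spf, dmarc):
    """Combine both audits; an empty list means no weakness was found."""
    return audit_spf(spf) + audit_dmarc(dmarc)
```

Calling `audit(*WEAK)` returns three findings and `audit(*STRONG)` returns none. A clean result covers exact-domain spoofing only, so the phone verification and dual authorisation controls above still apply.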
If your business needs help protecting against Business Email Compromise in the UAE, our team at Al Aida IT Technology LLC provides expert email security, managed IT support, and IT Annual Maintenance Contracts (AMCs) across Dubai, Abu Dhabi, Sharjah, and the wider GCC region.