Your CFO Just Got a Call From the CEO Asking for an Urgent Transfer. It Wasn’t the CEO


The voice sounds right. The tone, the slight impatience, the way the CEO always says ‘just sort it quickly’ before hanging up, all of it is there. The request is reasonable on its face, an urgent payment to a supplier ahead of a deal closing, something that has happened before, something that feels routine. Your finance manager makes the transfer.

The CEO never made that call. Nobody at your company did. A handful of seconds of the real CEO’s voice, pulled from a conference recording, an earnings call, a podcast appearance, was enough to build a convincing clone. This is no longer a hypothetical for UAE businesses. It is a documented, growing pattern, and small and mid-sized businesses are now squarely in the crosshairs.

VERDICT: This is now a real, measured risk for UAE SMEs, and the fix is mostly process, not software. One in five UAE organizations experienced an AI-linked cyber incident in the past 12 months, and AI-powered phishing now accounts for more than 90% of digital breaches in the country. The attacks getting through are not the obvious ones. They look like normal business activity. The good news: the single most effective defense costs nothing and takes ten minutes to put in place across your whole team.

Why this is hitting UAE businesses specifically

A 2026 global study by insurer QBE found that 21% of UAE organizations experienced an AI-linked cyber incident over the past 12 months. That is lower than the 29% global average, which sounds reassuring until you read the rest of the picture. According to cybersecurity firm Illumio, AI-powered phishing now accounts for more than 90% of digital breaches in the UAE specifically, and phishing incidents increased by 32% in the first quarter of 2026 alone.

Sam Tayan, Illumio’s regional vice president for the Middle East, Turkey and Africa, put the core problem plainly: these attacks are getting harder for businesses in the region to spot because they no longer look like scams. The old tells, broken English, an unfamiliar sender, a slightly wrong logo, have mostly disappeared. What is left is a message, a voice, or a video call that is functionally indistinguishable from the real thing until the money is already gone.

The three attack patterns actually hitting SMEs right now

Business email compromise is the most financially damaging of the three. A criminal impersonates a supplier, a partner, or an executive, usually by compromising or closely spoofing a real email account, and requests a payment or sensitive information. AI has made these messages, and the invoices and supporting documents attached to them, considerably more convincing. A fake invoice generated with AI assistance can replicate a real supplier’s formatting, tone, and even past correspondence style closely enough that a busy finance team approves it without a second look.

Deepfake voice and video impersonation is the newer and faster-growing pattern. Criminals use AI-generated voices to impersonate company executives over the phone or in voice notes, typically requesting an urgent transfer or a change to payment details. The defining feature of this attack is urgency combined with authority, exactly the combination that bypasses normal scepticism in a busy workday.

AI-personalised phishing is the volume play. Generative tools now let scammers craft messages tailored to a specific employee’s role, recent activity, or known relationships, at a scale that was not previously possible by hand. A finance team member receives something that references a real recent project or a real colleague’s name, which is enough to lower their guard before they notice anything is wrong.

The one rule that stops almost all of it

Across every documented case of executive impersonation fraud, one defence works consistently: a callback verification rule, applied without exception, for any payment request or change to payment details that arrives by phone, voice note, or video call.

The rule is simple to state and the discipline is in applying it every single time, including when it feels awkward to question someone senior. Any request for a payment, a change to bank details, or an urgent transfer that arrives via phone, voice message, or video call must be verified by calling the requester back on a number already on file, never a number provided in the request itself, before any action is taken. This single habit defeats voice cloning completely, because a cloned voice cannot answer a call placed to the real person’s real number.

This needs to be a written policy, communicated to every employee who can authorise a payment, not an unwritten expectation. Put it in the employee handbook. Say it out loud in a team meeting. Make it clear that no one, including the actual CEO, will ever be offended by a callback to confirm an unusual request. The moment a senior executive demonstrably supports being double-checked, the policy actually sticks.

Five other checks worth doing this week

Verify any change to a supplier’s bank details by phone, using a number from a previous invoice or your existing records, never a number included in the email requesting the change.

Treat any request that emphasises urgency or secrecy, especially one discouraging you from checking with a colleague, as a reason to slow down rather than speed up. Genuine urgent business requests rarely come with an instruction to keep them quiet.

Enable multi-factor authentication on every email account with payment authority, not just admin accounts. Compromised email credentials are the starting point for most business email compromise.

Run a short, no-blame training session with your finance and admin team specifically on what a deepfake voice call sounds and feels like, since recognising the texture of the attack matters more than memorising a checklist.

Review who actually has authority to approve a payment without a second sign-off. If one person can approve a large transfer alone, that is the single point of failure these attacks are designed to find.

What this is not

This is not a reason to distrust every phone call from a colleague or to slow your business down with unnecessary friction. The vast majority of calls, emails, and requests your team receives are exactly what they appear to be. The point of a callback rule is that it costs almost nothing for legitimate requests and catches the fraudulent ones completely. It is not paranoia. It is the modern equivalent of checking a cheque has cleared before you ship the goods.

The businesses that get hurt by this category of fraud are rarely the ones that were careless across the board. They are usually the ones that had no written rule for this specific scenario, so when an urgent, authoritative-sounding request arrived at the wrong moment, on a busy day, with no policy to fall back on, someone made a reasonable-seeming decision that turned out to be exactly what the attacker was counting on.

Robius.news — Dubai, UAE — 2026 | Built to be first. Built to be trusted.
