UAE bank SMS OTP scam
Your Bank Stopped Sending SMS Codes. So Anyone Asking You for One Is a Scammer
For years, the scam script was the same. Someone calls, says they are from your bank, and asks you to read out the code you just received.
That script is now broken. UAE banks have stopped sending one-time passwords by SMS and email. Your bank does not send those codes anymore.
Which hands you the simplest fraud rule you will ever need. If anyone asks you for an SMS code, they are not your bank.
| THE ROBIUS VERDICT: Your bank no longer sends SMS or email codes. So a request for one is not a warning sign. It is proof of a scam. Under a Central Bank of the UAE directive, licensed banks and financial institutions have phased out SMS and email one-time passwords, replacing them with in-app approvals, biometrics, and passkeys. Major banks switched off SMS codes for online card payments in January 2026. The rule now is absolute. No legitimate bank will ever ask you to read out a code, because it does not send one. |
What the Central Bank Actually Changed
The Central Bank of the UAE issued a directive, known as Notice 2025/3057, requiring licensed financial institutions to stop using SMS and email one-time passwords for customer transactions. The transition began in mid-2025 and was set to complete by 31 March 2026.
Banks moved even faster than required. Several of the country’s largest lenders told customers that from 6 January 2026 they would stop sending OTPs by SMS for online card purchases. Approvals now happen inside the bank’s own app instead.
The replacements are stronger by design. In-app push approvals, biometric checks like fingerprint or face recognition, and cryptographic passkeys. Instead of typing a code you received, you open your banking app, look at the transaction, and confirm it with your face, your fingerprint, or a PIN.
Why They Killed the Code
The SMS code was never as safe as it felt. Criminals learned to steal it in two main ways.
The first is SIM swapping. A fraudster convinces a telecom operator to move your mobile number to a SIM card they control. Your number, your messages, your codes. The second is phishing. A fake website or a convincing phone call persuades you to hand the code over yourself, in real time, while the criminal uses it to complete a transaction.
Both attacks depend on the same weak link. A code that travels to you, and can therefore be intercepted or talked out of you. Remove the code and you remove the attack.
The New Rule, and Why It Is So Powerful
This is the part worth committing to memory. Before, a caller asking for your OTP was suspicious, but you had to judge the situation. Maybe the bank really did need it. That hesitation is what scammers fed on.
Now there is nothing to judge. Your bank does not send SMS codes. So there is no legitimate reason for any person, on any call, in any message, to ask you for one. If they ask, they are a criminal. Full stop. Hang up.
Old Way vs New Way
| Old SMS OTP | New in-app approval | |
|---|---|---|
| How you approve | Type a code from a text | Confirm in your bank app |
| What proves it is you | Possession of the code | Your face, fingerprint, or PIN |
| Can a caller steal it | Yes, by asking or SIM swap | No, it never leaves your app |
| If someone asks for it | Suspicious | Definitely a scam |
Who This Covers, and Who It Does Not
The directive applies to institutions licensed by the Central Bank. That means banks, finance companies, exchange houses, insurers, and payment service providers. If it is a licensed financial institution, it should not be sending you SMS codes.
Not everything else has moved. Plenty of non-bank services still send SMS codes, from e-commerce checkouts to ride-hailing apps and some government portals. So the rule needs one word of precision. Your bank does not send codes. A shopping site still might.
That distinction matters, because scammers will try to blur it. A caller claiming to be from your bank, referencing a code you received from an online store, is stitching two things together to sound legitimate. Whatever code you received and from wherever, the answer is the same. You do not read it out to anyone.
What Scammers Will Try Instead
Criminals adapt. Expect the pressure to move to the app itself. The new script will be someone calling to “guide” you through approving something in your banking app, or asking you to confirm a push notification you did not expect.
So extend the rule. Never approve a payment in your app because a caller told you to. Read the transaction details on the screen before you confirm anything. If the amount or the merchant does not match something you are doing right now, deny it and call your bank on the number printed on your card.
Watch for the other angles too. Fake “update your banking app” links that install malware. Requests to install remote-access software so someone can “help” you. Messages saying your account will be blocked unless you re-verify immediately. Urgency is the tell, whatever the technology.
What to Do Right Now
- Install and activate your bank’s official app, and turn on push notifications so approvals reach you.
- Never read a code aloud to anyone, and never type one into a page you reached from a link.
- Never approve an in-app request you did not personally start.
- Check the amount and the merchant on the approval screen before confirming.
- If a caller pressures you about your bank account, hang up and call the number on your card.
- Report attempts through the Dubai Police eCrime platform at ecrime.ae, or call 901.
The Bottom Line
This is a rare case where a security upgrade also hands consumers a clean, memorable rule. The UAE is among the first countries to push banks off SMS codes entirely, and the benefit lands directly in your pocket.
Learn the one line and teach it to your family, especially anyone who might be talked into panicking. Your bank does not send SMS codes. So anyone asking you for one is a scammer.
Sources
- Gulf News: UAE banks to end SMS OTPs for online card payments from January 6 — https://gulfnews.com/business/banking/uae-banks-to-end-sms-otps-for-online-card-payments-from-january-6-1.500396452
- Biometric Update: CBUAE Notice 2025/3057, the March 2026 deadline, and the SIM-swap and phishing risks — https://www.biometricupdate.com/202601/biometrics-replacing-sms-otps-for-uae-online-transactions
- ID Tech Wire: Approved replacements: biometrics, FIDO2 passkeys, and in-app confirmation prompts — https://idtechwire.com/uae-to-end-sms-and-email-otps-for-digital-banking-by-march-2026-adopting-biometrics-and-passkeys/
- Central Bank of the UAE: Regulator for banks and financial institutions in the UAE — https://www.centralbank.ae/en/
Robius.news — Dubai, UAE — 2026 | Built to be first. Built to be trusted.





