Scammers pretend to be sending messages from trusted sources to fool people. Image Credit: Supplied

It could happen to any one of us and that’s why it is so scary - a scam that stole Dh100,000 from Wael Behairy within a span of few minutes.

It all started in June this year when his work visa was renewed and Emirates ID updated accordingly. As per UAE rules, First Abu Dhabi Bank (FAB) with whom he banks, asked the Dubai-based Behairy to update his ID on the institution’s records.

“So towards the end of June I went to the bank to update my ID. I went to a smaller branch on Sheikh Zayed Road, but they said I had to go to the Deira branch, because I was using Islamic banking.”

He works in the beauty and perfume sector, with the office located in Jebel Ali. It was a distance to Deira.

“I didn’t go immediately. They said I had three months to update the information, but it was at the top of my mind.

“On July 24, it was a Wednesday… I remember, I received a phone call. The person, who introduced himself as Mohammad, said that he was calling from FAB. He knew my name, Emirates ID number, account number and said, ‘you just renewed your Emirates ID’. He asked me if I wanted to update the information on my account over the phone. I was relieved and thought it was a FAB service.

I received a phone call. The person, who introduced himself as Mohammad, said that he was calling from FAB. He knew my name, Emirates ID number, account number and said, ‘you just renewed your Emirates ID’. - Wael Behairy

“This was around 2pm. To start, he was going to send me a text message from Emirates ID to confirm that this was my actual ID. He said that before activating on the bank’s system, I would need to receive a confirmation message.”

Behairy immediately received an SMS from the number that looked like the Emirates ID number. It was the same number that he had earlier received a message from confirming that his ID was ready for collection post his visa renewal.

“I then received a confirmation message from my bank which read: ‘You have successfully registered to the FAB mobile services.’ Again, this SMS was from the same number that sends me monthly confirmation when my salary is credited. After this message, I felt that it was a legitimate process happening. Throughout he was on the line with me.”

You may not be able to tell right away if an incoming call is spoofed. Be extremely careful about responding to any request for personal identifying information. Image Credit: Supplied

Scammer narrows in

As Behairy’s guard dropped, the scamster honed in. He sensed the trust building.

“He sent me another message with a six-digit OTP or One Time Password and then said that he wanted the number to complete the process. Within seconds of doing that I got a message from FAB that Dh98,000 and Dh2,000 had been withdrawn from my account in two transactions! And it confirmed that the money had been transferred to another FAB account. I have the screenshots to prove it!

Within minutes Wael Behairy lost Dh100,000! Image Credit: Supplied

“I was stunned. He was still on call with me. I cut the call immediately rushed to the FAB branch in Jebel Ali, which is literally 5 minutes away from my office.”

He met with the bank manager and explained his predicament, all the while panicking because realisation set in that it was a scam. Behairy pleaded with them to freeze the second FAB account temporarily, so that the money would not be lost.

“I have multiple sclerosis. The money was for my treatment. Every six months, I need an injection that costs Dh60,000. It is a life-threatening condition. I was diagnosed about eight years ago. So, I was desperate to save this money.”

I have multiple sclerosis. The money was for my treatment. Every six months, I need an injection that costs Dh60,000. It is a life-threatening condition. I was diagnosed about eight years ago. So, I was desperate to save this money. - Wael Behairy

Last ditch effort to save the money

But, the branch manager refused to do so. “He insisted that I call the call center. He said that he could not do anything. They made me fill a dispute form. I know I made a grave mistake, but I think at that point there was still a chance to save the money if the bank had helped.”

The manager then advised Behairy to file a police complaint. Frustrated he left the bank and tried calling the customer service call center for FAB.

I know I made a grave mistake, but I think at that point there was still a chance to save the money if the bank had helped. - Wael Behairy

“I called them maybe 10 times, and they promised they would have someone from the Fraud Department call me, but that never happened. Nobody reverted. Again, that wasted time.

“Finally, I went to the police station in Jebel Ali. They said that they needed proof to file the complaint, such as a bank statement. By then the Jebel Ali FAB branch was closed. So, I went to the branch in Mall of Emirates. It was 6pm. Four hours had passed.”

The manager at the branch was helpful. He checked for Behairy on the system and informed him that unfortunately the money had been transferred out of the second FAB account, too. Additionally, he could not give a bank statement because it was an Islamic account.

Filing a police case in Jebel Ali

The 30-year-old Egyptian national was completely disheartened by now. It was late. So, he waited till next morning and went to the main branch on Sheikh Zayed Road. Here, too, the bank manager was helpful and connected him to the Fraud Department. But, the money was already out of the FAB network. But, the manager advised him to come back with whatever document that would be issued by the police. So, Behairy took the bank statement and went back to the Jebel Ali police station and filed a case. Following that he went back to the Sheikh Zayed Road branch with the documentation received at the station.

“For a week after that I followed up, but didn’t receive any response from FAB.”

Then on August 4, he got a call from the bank informing him that the bank had concluded it was not a case of fraud as he had provided the OTP number to the caller. Behairy was devastated. He went to the Deira branch of FAB to persuade them to re-open the investigation, which they agreed to.

But, following that there has been no feedback or response. “It’s been complete neglect from them. I emailed and called several times.”

Don't answer calls from unknown numbers. If you answer such a call, cut the call immediately. Image Credit: Supplied

We decided to ask the bank for their perspective on the case

Why had they not paid heed at his initial request to freeze the second account? Could they have been more helpful?

And this what they had to say…

A First Abu Dhabi Bank (FAB) spokesperson said via email: “While we cannot comment on individual cases, we take protecting our customers extremely seriously. FAB ensures that it continuously raises awareness among customers on the risks of sharing personal information. We would like to remind our customers that FAB will never make unsolicited requests for banking or personal details, and we urge them to report such incidents immediately by contacting our helpline. FAB will continue taking action on all fronts to combat fraud, working closely with our partners in law enforcement to prevent such incidents.”

We then spoke to Dubai Police and they explained…

that they are investigating the complaint. An official letter from the police to the bank has asked FAB to provide details of the transaction and the details of the benefiter or any other details that would help the investigation.

Meanwhile, Major Rashid Al Ketbi, Acting director of Security Awareness Department at Dubai Police, urged the public not to share bank account information with an unverified source through email or phone.

“Banks won’t ask personal data from customers over the phone or through email. Only scammers do that. People should be careful not to share their user names, passwords or data with strangers over the phone or emails.”

Banks won’t ask personal data from customers over the phone or through email. Only scammers do that. People should be careful not to share their user names, passwords or data with strangers over the phone or emails. If you believe someone is trying to commit fraud by pretending to be your bank, notify the bank immediately and change your online banking password often and use strong alphanumeric passwords. - Major Rashid Al Ketbi, Acting director of Security Awareness Department at Dubai Police

He advised the victims to act quickly if he or she suspects fraud.

“If you believe someone is trying to commit fraud by pretending to be your bank, notify the bank immediately and change your online banking password often and use strong alphanumeric passwords,” he added.

He said that recently, Dubai Police had collaborated with a bank to launch a joint public campaign drive on the dangers of online conmen using a video, which was inspired by Jamaican singer Shaggy’s number It Wasn’t Me.

“Security Awareness Department is always looking for creative and innovative ideas in police campaigns to educate public about security matters,” Al Ketbi added.

Never give out personal information such as account numbers, mother's maiden names, passwords or other identifying information in response to unexpected calls or if you are at all suspicious Image Credit: Supplied

What exactly happened?

Behairy was essentially a victim of Caller ID Spoofing, wherein someone pretended to send him SMSes from trusted sources, thereby convincing him of their authenticity. This led to him giving away confidential information.

Spoofing is explained by the US Federal Communications Commission (FCC) as, “when a caller deliberately falsifies the information transmitted to your caller ID display to disguise their identity. Scammers often use something called neighbour spoofing, so it appears that an incoming call is coming from a local number, or spoof a number from a company or a government agency that you may already know and trust.”

The FCC give 9 key tips to protect yourself against spoofing:

You may not be able to tell right away if an incoming call is spoofed. Be extremely careful about responding to any request for personal identifying information. Don't answer calls from unknown numbers. If you answer such a call, cut the call immediately. If you answer the phone and the caller - or a recording - asks you to hit a button to stop getting the calls, you should just hang up. Scammers often use this trick to identify potential targets. Do not respond to any questions, especially those that can be answered with "Yes" or "No." Never give out personal information such as account numbers, mother's maiden names, passwords or other identifying information in response to unexpected calls or if you are at all suspicious. If you get an inquiry from someone who says they represent a company or a government agency, hang up and call the phone number on your account statement, in the phone book, or on the company's or government agency's website to verify the authenticity of the request. You will usually get a written statement in the mail before you get a phone call from a legitimate source, particularly if the caller is asking for a payment. Use caution if you are being pressured for information immediately. If you have a voice mail account with your phone service, be sure to set a password for it. Some voicemail services are preset to allow access if you call in from your own phone number. A hacker could spoof your home phone number and gain access to your voice mail if you do not set a password. Remember to check your voicemail periodically to make sure you aren't missing important calls and to clear out any spam calls that might fill your voicemail box to capacity.

- Dubai Police response was obtained by Ali Al Shouk, Gulf News Staff Reporter