Understanding What Is a Spoof Email

Email spoofing is when an attacker forges the “From” field of an email so it looks like it came from someone you trust, your bank, your boss, a supplier, even your own company’s domain. In the UAE, spoofed emails are behind the single largest category of digital fraud targeting businesses: Business Email Compromise (BEC), which has cost UAE companies hundreds of millions of dirhams in wrongly wired payments. This guide explains exactly what email spoofing is in plain language, shows you real UAE-relevant examples, walks through the five main types of spoofing attacks, teaches you how to spot fake emails, and covers exactly how to protect your own company’s domain from being used to scam your clients.

What Is Email Spoofing, in Plain Language

The email protocol (SMTP) was designed in the 1980s, long before anyone thought about fraud. It was built to move messages, not to verify senders. By default, anyone with a mail server can put whatever they want in the “From” field, the same way you can put any return address on a paper envelope. The post office does not check whether the sender on the back of the envelope is really you, and neither does email.

This design flaw is what attackers exploit. A spoofed email arrives in your inbox with a “From” line that says ceo@yourcompany.ae, but the actual sending server is somewhere in Eastern Europe or West Africa, operated by someone who has never worked for your company. Everything visible in the email, the sender name, the domain, sometimes even the signature, can be fake.

The good news: modern email authentication standards (SPF, DKIM, and DMARC) were invented specifically to close this hole. The bad news: only a minority of UAE businesses have actually set them up properly, which is why spoofing attacks keep working.

Email Spoofing vs Phishing vs Impersonation: The Terms Explained

These three words get mixed up constantly, even in the press. They are not the same thing.

A typical UAE attack uses all three: impersonation of a CEO (Mr Al Mansoori), through spoofing of his email address (ceo@yourcompany.ae), for the phishing purpose of redirecting a supplier payment to the attacker’s bank account.

The Five Types of Email Spoofing You Will Actually See

“Email spoofing” is an umbrella term. In practice, UAE businesses get hit by five distinct attack styles. Knowing the difference helps you know what to look for.

Type 1: Display Name Spoofing (the easiest, most common)

The attacker sets the display name (the human-friendly name you see in your inbox preview) to something legitimate like “Ahmed Al Mansoori”, but the actual email address underneath is something like random-scam-address@gmail.com. On mobile phones, many email apps only show the display name, never the address, which is why this attack works so often.

Real-world UAE example: “Ahmed Al Mansoori <ahmed.mansoori.9284@gmail.com>” emails your accountant saying “I’m in a meeting, please urgently wire AED 45,000 to this supplier for a new contract.” The display name is right. The email address is completely fake. On a mobile preview, only the name shows.

How to catch it: Tap or hover on the sender’s name to see the actual email address. If the display name is a known colleague but the email is a random free-mail service, it is a spoof.

Type 2: Cousin Domain / Lookalike Domain Spoofing

The attacker registers a domain that looks almost identical to yours but has a subtle difference: a character swap (rn instead of m), an added hyphen, a different TLD, or a Cyrillic letter that looks like Latin. Then they send from that domain.

Real-world UAE examples:

• Your real domain: arabianholdings.ae
• Cousin domain: arabian-holdings.ae (added hyphen)
• Cousin domain: arabianholdings.co (different TLD)
• Cousin domain: arabianhold1ngs.ae (number 1 instead of letter i)
• Cousin domain: arabianholdings-uae.com (added suffix)

When an email arrives from finance@arabian-holdings.ae, most readers do not notice the hyphen, and a skilled attacker mirrors the real company’s email signature perfectly.

How to catch it: When an email involves money, payment changes, or anything urgent, copy the sender’s domain and paste it into WHOIS to see the real registration date. If it was registered three weeks ago, it is almost certainly a scam domain. Our WHOIS lookup tool makes this check instant. Also use our find a domain owner guide for deeper investigation.

Type 3: Exact Domain Spoofing (what DMARC stops)

This is the most dangerous type and also the one email authentication actually prevents. The attacker sends an email with the “From” address set to exactly your real domain, for example ceo@yourcompany.ae, from a server that has nothing to do with your company. If your domain has no SPF, DKIM, or DMARC records set up, the mail server receiving the message has no way to tell it is fake, and many will deliver it straight to the inbox.

Real-world UAE example: Your customer receives an invoice from billing@yourcompany.ae saying “We have updated our bank details, please send future payments to the following IBAN”. The email looks perfect. It is from your exact domain. But your company never sent it, and the new IBAN is a mule account.

How to catch it: Exact domain spoofing is invisible to the recipient in most cases. The only defence is technical: SPF, DKIM, and DMARC on the sending domain. If you have not set those up on yourcompany.ae, your own domain is wide open for attackers to abuse. Covered in detail below.

Type 4: Compromised Account (real domain, real login)

The attacker actually gains access to a real email account (through phishing, malware, credential reuse, or a data breach), then sends fraudulent emails from the genuine account. This is technically not “spoofing” because the email really is from where it claims, but the effect is identical: the recipient trusts a message they should not.

Real-world UAE example: In a widely reported case, a Dubai exhibition company (Cheers Exhibition in Al Quoz) lost approximately AED 195,000 when their own email account was compromised. The attackers silently watched genuine business correspondence for weeks, then intervened at a payment moment by sending the client new bank details from a near-identical email address. The client wired payment to the attacker. By the time the company realised, the money was in a European mule account.

How to catch it: Compromised-account attacks are the hardest to detect because everything is technically legitimate. The only reliable defence is a policy of always verifying payment changes through a second channel, a phone call to a known number, not a number in the email. Multi-factor authentication on all email accounts prevents the initial compromise.

Type 5: Reply-To Manipulation

The “From” address looks legitimate, but the “Reply-To” is quietly set to a completely different address under the attacker’s control. When you hit reply, your response goes to the attacker, who then impersonates the original sender to continue the conversation.

Real-world UAE example: An email arrives from client@realcompany.com asking about an invoice. When you reply, the message silently goes to realcompany-accounts@gmail.com, the attacker. They respond pretending to be the client, ask you to change payment details, and the fraud proceeds.

How to catch it: Always expand the email headers when replying to anything financial. If the Reply-To address differs from the From address, stop and call the real sender.

Business Email Compromise: The UAE’s Favourite Scam

Business Email Compromise (BEC) is the category name for financial fraud that uses spoofed or compromised emails. Globally, the FBI estimates BEC attacks cause over USD 2.7 billion in annual losses. UAE-specific figures are harder to pin down because many incidents go unreported, but we know:

• A Comparitech study found cybercrime costs the UAE about USD 746 million per year, across more than 166,000 victims
• The UAE Public Prosecution regularly prosecutes BEC-related fraud under Federal Decree-Law No. 34 of 2021 on Combatting Rumours and Cybercrimes
• Notable international BEC operators (including the Hushpuppi case) used UAE bank accounts and UAE-based operations to launder proceeds of BEC fraud against companies worldwide, UAE banks have tightened account opening as a result
• The British Chamber of Commerce Dubai, and Dubai Chamber, both regularly issue BEC warnings to members

The Four Main BEC Patterns Hitting UAE Businesses

1. CEO Fraud / Wire Transfer Fraud. Attacker spoofs the CEO or Finance Director, emails the accountant directly, asks for an “urgent and confidential” wire transfer to close a deal. The email is carefully timed (often when the CEO is known to be travelling or in a board meeting) and pressures the accountant to act fast. Average loss per incident: tens of thousands of dirhams on the low end, millions on the high end.

2. Vendor / Invoice Fraud. Attacker compromises or spoofs a supplier’s email and sends the UAE company a “change of bank details” notice just before a legitimate payment. The UAE company updates its records and wires the next payment to the attacker. Often not detected for weeks, until the real supplier complains about non-payment.

3. Account Takeover / Conversation Hijacking. Attacker accesses a real email account in your company and silently reads conversations for weeks. At the right moment, they step in with forged instructions from inside the real conversation thread. Extremely hard to detect because everything is technically legitimate.

4. Attorney / Professional Services Impersonation. Attacker pretends to be a lawyer or advisor handling a confidential transaction, pressures the target to send funds for “closing costs” or “escrow”, using time pressure and confidentiality as leverage. Common in UAE real estate deals.

How to Spot a Spoofed Email: The UAE Red Flags Checklist

Most spoofed emails fail at least one of these checks. Train your team to pause when they see any of these signals, especially in emails that involve money or credentials.

1. Unexpected urgency. “I need this wire sent in the next 30 minutes.” Real bosses do not usually work this way. Real suppliers do not usually need instant action.
2. Secrecy request. “Please do not discuss this with anyone until it’s done.” This is the classic CEO-fraud pattern, an attacker trying to bypass your verification policies.
3. Payment details change. Any email asking you to wire money to a new bank account, IBAN, or SWIFT code, especially “effective immediately”, needs to be verified by phone call to a known number.
4. Slightly-wrong domain. Read the sender’s full email address character by character. paypal-support.ae is not PayPal. yourc0mpany.ae (zero instead of O) is not your company.
5. Free-mail service pretending to be a company. Your CEO’s real email is not going to be ahmed.ceo@gmail.com or ahmed.boss@hotmail.com. If an email claims to be from a company executive but arrives from a free-mail provider, it is a spoof.
6. Display name right, email address wrong. On mobile especially, tap the sender name to reveal the real email address. This catches most display-name spoofing instantly.
7. Generic greeting. “Dear valued customer”, “Dear user” from a company that knows you. Legitimate emails from your bank or supplier usually greet you by name.
8. Spelling and grammar errors. Large companies proofread. A mail that has obvious typos, broken grammar, or weird punctuation is a warning sign, although modern AI-generated phishing is closing this gap.
9. Hover over links before clicking. The visible text can say www.mybank.ae but the actual href can go anywhere. On desktop, hover without clicking to see the real destination in the status bar.
10. Attachments you did not expect. Invoices, shipping documents, contracts, especially as .zip, .iso, or .html files, from unfamiliar senders are often malware delivery vehicles.
11. Reply-To differs from From. Expand the headers when anything feels off. If they do not match, it is a trap.
12. Odd timing or context. An email from “HR” about a salary change on a Friday evening, or from “the bank” outside business hours, is timed to exploit reduced vigilance.

How to Read Email Headers (the 2-Minute Forensics Skill)

Every email carries a full set of headers, metadata that most email clients hide by default but that contain the real story of who sent the message, from where, and whether authentication checks passed. Knowing how to read them is the single most powerful anti-spoofing skill.

How to Access Email Headers

• Gmail: Open the email, click the three-dot menu, choose “Show original”
• Outlook (web): Open the email, click “…” menu, choose “View”, then “View message source”
• Outlook desktop: Open the email, File > Properties, Internet headers
• Apple Mail: Open the email, View > Message > All Headers
• Yahoo Mail: Open the email, More > View raw message

What to Look For

In the headers, search for the authentication results. In Gmail’s “Show original” view, you will see a summary like this at the top:

SPF:       PASS with IP 192.0.2.1
DKIM:      'PASS' with domain yourcompany.ae
DMARC:     'PASS'

If all three say PASS, the email is very likely legitimate. If any say FAIL, SOFTFAIL, or NONE, treat the email with extreme caution, especially if it asks for money or credentials.

Deeper in the headers, the Received: lines show the actual server chain. If an email claims to be from yourcompany.ae but the first Received line shows a server in Nigeria or Russia with no relation to your UAE hosting, that is a smoking gun.

For detailed header analysis, paste the full headers into Google’s Message Header Analyzer or MXToolbox Email Header Analyzer, both free.

SPF, DKIM, DMARC: The Three Layers That Stop Spoofing

These three DNS-based standards are what stop exact-domain spoofing. Every UAE business with its own domain should have all three configured. Here is what each one does in plain language.

SPF (Sender Policy Framework): The “Authorised Senders” List

SPF is a DNS record that lists which mail servers are allowed to send email on behalf of your domain. When a receiving server gets a message claiming to be from yourcompany.ae, it looks up your SPF record and checks: is the sending server on this list? If yes, SPF passes. If no, SPF fails, and the receiving server has a strong signal the email might be spoofed.

Example SPF record for a UAE business using AEserver mail + Google Workspace:

v=spf1 include:_spf.aeserver.com include:_spf.google.com -all

This tells receivers: emails from AEserver’s mail servers and Google Workspace servers are authorised for this domain, anything else should be rejected (-all is hard fail).

Limitations: SPF alone can be bypassed by certain types of email forwarding, and it does not sign the message contents. It is necessary but not sufficient.

DKIM (DomainKeys Identified Mail): The Tamper-Proof Seal

DKIM adds a cryptographic signature to every email leaving your domain, using a private key that only your mail server has. The public key is published in your DNS, so any receiving server can verify that (a) the email really came from your authorised mail server, and (b) the content was not modified in transit.

DKIM records in DNS look like a long string of characters. Your mail provider (AEserver, Google Workspace, Microsoft 365) gives you the exact record to add:

default._domainkey.yourcompany.ae  TXT  "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC..."

How to verify DKIM is working: send an email to a Gmail account you control, click “Show original”, look for DKIM: 'PASS'.

DMARC (Domain-based Message Authentication, Reporting & Conformance): The Enforcer

DMARC is the critical third layer. It uses SPF and DKIM together, and tells receiving mail servers what to do when a message fails those checks. Without DMARC, a mail server might still deliver a failing email to the inbox. With DMARC, you can tell the world “if it fails, reject it”.

Example DMARC policy, from simplest to strictest:

_dmarc.yourcompany.ae  TXT  "v=DMARC1; p=none; rua=mailto:dmarc-reports@yourcompany.ae"

This starts in “monitor only” mode (p=none), which sends you reports about who is using your domain to send email, without blocking anything. Most businesses should start here for 2-4 weeks to collect data.

Then you step up to quarantine mode:

_dmarc.yourcompany.ae  TXT  "v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@yourcompany.ae; pct=100; aspf=s; adkim=s"

Failing emails now land in spam folders rather than the inbox.

Finally, full enforcement (reject all failing emails):

_dmarc.yourcompany.ae  TXT  "v=DMARC1; p=reject; rua=mailto:dmarc-reports@yourcompany.ae; pct=100; aspf=s; adkim=s"

This is the gold-standard protection. Any email forged to claim your domain will be rejected by Gmail, Yahoo, Outlook, and all major providers.

BIMI (Brand Indicators for Message Identification): The Logo Layer

BIMI is newer and optional, but worth knowing. Once you have DMARC at p=quarantine or p=reject, you can publish a BIMI record that shows your verified company logo next to every email you send, in Gmail, Apple Mail, Yahoo, and others. It is a visible trust signal that phishers cannot replicate without first bypassing DMARC.

default._bimi.yourcompany.ae  TXT  "v=BIMI1; l=https://yourcompany.ae/logo.svg; a=https://yourcompany.ae/bimi-cert.pem"

Gmail and Yahoo’s New Sender Requirements (Important for UAE Senders)

Starting February 2024, Gmail, Yahoo Mail, and later Microsoft Outlook (from May 2025) introduced strict new rules for any domain that sends more than 5,000 emails per day to their users. Many UAE marketing teams, WooCommerce stores, and B2B senders crossed this threshold without realising it.

What the new rules require:

1. SPF + DKIM both set up correctly (previously one was enough)
2. DMARC published with at least p=none (monitoring mode acceptable as baseline)
3. Alignment: the “From” domain must match either the SPF or DKIM domain
4. One-click unsubscribe via RFC 8058 List-Unsubscribe-Post header for all marketing emails
5. Spam complaint rate below 0.3% (Google recommends below 0.1% for inbox placement)
6. TLS encryption for all outbound email

Not meeting these requirements means Gmail and Yahoo will start rejecting your emails outright. Microsoft is following with similar enforcement. For a UAE e-commerce business or anyone running newsletters, this is existential: fail to comply, and your emails stop reaching customers.

Even if you send fewer than 5,000 emails per day, it is now best practice to have the same setup, because mailbox providers use these signals as inputs to deliverability decisions for smaller senders too.

How to Protect YOUR Company from Being Spoofed

This is the side most UAE businesses miss. Spoofing is not just something that happens to you in your inbox. If your own company’s domain is not protected, attackers can spoof you to scam your clients, suppliers, and partners. The damage to your brand reputation often exceeds the direct financial loss.

The checklist for domain owners:

1. Register defensive lookalike domains. If you own yourbrand.ae, also register yourbrand.com, your-brand.ae, and obvious typos. See our defensive domain portfolio guide.
2. Deploy SPF, DKIM, and DMARC on every domain you own, even ones you do not send email from (attackers love unused domains with no protection). AEserver’s DMARC Force service handles this for you.
3. Progress to p=reject. A domain with p=none is barely protected against spoofing, it only gives you visibility. Only full enforcement blocks forged mail.
4. Use a trustworthy business email provider. Our AEserver Business Email, Microsoft 365, and Google Workspace plans come with properly configured SPF/DKIM from day one.
5. Enforce MFA on every mailbox. Most compromised-account attacks start with a stolen password. MFA stops that dead.
6. Monitor DMARC aggregate reports weekly. The reports tell you who is sending email claiming to be your domain, both legitimate services you forgot about and actual spoofers.
7. Publish a clear “we never change bank details by email” policy to clients and suppliers. Visible on your website, on every invoice, and in email signatures.
8. Train staff on BEC red flags. Once a quarter, 30 minutes. Most BEC losses are human errors, not technical ones.
9. Add an external-email banner to inbound mail. Every email from outside your domain should be flagged visually. Google Workspace, Microsoft 365, and most email security gateways support this natively.
10. Deploy an email security gateway with behavioural analysis. Our Email Spam Protection service filters known threats before they reach the inbox.

How to Protect YOURSELF from Incoming Spoofs

On the receiving side, build habits that assume every email might be fake until proven otherwise.

1. Verify every payment request via a second channel. If a supplier emails a change of bank details, call them on the number you have on file (not the one in the email). This single habit stops 80% of BEC losses.
2. Enable MFA everywhere. Email, banking, accounting software, CRM, anywhere a compromised login could cause damage.
3. Use unique passwords with a password manager. 1Password, Bitwarden, Dashlane. Never reuse passwords across services.
4. Keep your operating system and browser up to date. Most malware delivered by phishing requires known unpatched vulnerabilities to succeed.
5. Be suspicious of any email demanding urgency, secrecy, or unusual payment methods.
6. Train your accountant and finance staff first. They are the highest-value targets.
7. Set up a reporting channel. Make it easy for staff to forward suspicious emails to IT for review, without fear of being blamed for being “paranoid”.

UAE Legal Context: What the Law Says

Email spoofing and BEC are explicitly criminal under UAE law. Federal Decree-Law No. 34 of 2021 on Combatting Rumours and Cybercrimes criminalises:

• Article 11: Online and email fraud, penalties include imprisonment and fines
• Article 14: Forgery of electronic documents
• Article 15: Fraud through compromising electronic payments
• Article 40: General cyber fraud via false name or impersonation through information networks, minimum one year imprisonment and/or a fine of at least AED 250,000

Penalties can reach 3,000,000 AED in fines and up to 10 years imprisonment depending on severity. Foreign offenders can be extradited through international cooperation agreements.

If your UAE business has been hit by spoofing, phishing, or BEC fraud, the reporting channels are:

• Dubai Police eCrime portal: ecrimehub.gov.ae
• Abu Dhabi Police cybercrime unit through Aman service (8002626)
• UAE federal reporting: Ministry of Interior portal
• Your bank’s fraud team immediately, they can sometimes freeze outbound transfers within minutes if you act fast

What If You (or Your Staff) Already Clicked a Suspicious Link

Speed matters. Every minute counts. Work through this checklist in order:

1. Disconnect the device from the internet. If the link triggered malware download, disconnecting stops any data exfiltration in progress.
2. Change your email password immediately from a different device. If you entered credentials on a phishing page, the attacker already has them.
3. Revoke active sessions on your email account (Gmail: Account Security; Microsoft 365: Sign in and security; AEserver Business Email: webmail settings). Kicks the attacker out of any active session.
4. Enable MFA immediately if you had not already.
5. Scan the device with updated antivirus/EDR. Windows Defender, Malwarebytes, Sophos, CrowdStrike depending on what you have.
6. Check the Sent folder and Rules for anything the attacker may have set up. Common attacker tactic: forwarding rules that send copies of your incoming email to their address, plus rules that auto-delete password reset notifications.
7. If financial information was entered: call your bank immediately. Banks in the UAE can sometimes freeze outgoing wire transfers within a short window. Emirates NBD, ADCB, Mashreq, FAB, and others have 24/7 fraud lines.
8. If company credentials were entered: inform IT immediately. Reset all potentially exposed passwords, review access logs, check for suspicious admin activity.
9. Report to Dubai Police eCrime or relevant authority. Include full email headers, screenshots, any transaction details. The sooner you report, the better the chance of recovery.
10. Notify clients/suppliers if the breach could affect them. A short professional note acknowledging the incident and warning about potential follow-on phishing is standard practice.
11. Document everything. Dates, times, actions taken, people contacted. You may need this for bank recovery claims, insurance, and regulatory reporting under PDPL.

Frequently Asked Questions

Why am I getting spam emails from my own email address?

This almost always means your domain has no DMARC enforcement, and an attacker is spoofing your own address to bypass spam filters (emails from “yourself” often get special inbox priority). Your actual account is usually not compromised. The fix is to deploy DMARC with p=reject on your domain.

How can I stop someone spoofing my company domain?

There is only one effective technical defence: SPF + DKIM + DMARC with p=reject deployed on your domain. Once those are in place, any spoofed email claiming to be from your domain will be rejected or junked by Gmail, Outlook, Yahoo, and all major mailbox providers worldwide.

Can my bank detect spoofed emails?

Banks detect many spoofs at their own incoming mail gateways, but they do not protect emails supposedly from them arriving at your inbox. Your bank cannot stop a spoof of customer-service@yourbank.ae arriving to you, only your own email provider can, through DMARC enforcement on the bank’s domain. All major UAE banks deploy DMARC, but many smaller UAE businesses do not.

Is it illegal to spoof an email in the UAE?

Yes. Federal Decree-Law No. 34 of 2021 criminalises electronic forgery, impersonation through information networks, and cyber fraud. Penalties range from substantial fines (AED 250,000+) to imprisonment (up to 10 years) depending on severity, plus deportation for non-citizens.

Does HTTPS on my website stop email spoofing?

No. HTTPS and SSL certificates protect website traffic, not email. Email has its own security standards: SPF, DKIM, DMARC, plus TLS for the mail-server-to-mail-server connection. See our SSL certificates guide for the website side, but understand it does not replace DMARC.

How long does it take to set up DMARC properly?

Technical deployment takes an hour. Progressing safely from p=none to p=reject without blocking your own legitimate emails takes 4-8 weeks of monitoring and tuning.

What is “email header analysis” and can non-technical staff do it?

Yes. Anyone can copy the raw headers from a suspicious email and paste them into Google’s free Message Header Analyzer or MXToolbox. The tool shows in plain English whether SPF, DKIM, and DMARC passed, and where the email actually came from. A 5-minute skill that catches most spoofs.

Is it safe to click on “unsubscribe” in a suspicious email?

No. Attackers use fake unsubscribe links to confirm your email address is active (and valuable to sell), or to deliver malware. For genuine unwanted mail from a known legitimate source, clicking unsubscribe is fine. For anything suspicious, mark it as spam in your mail client instead, that signals the provider and does not interact with the attacker.

We are a small UAE business, do we really need DMARC?

Yes, now more than ever. Small businesses are the favourite BEC target because they often have no protections. A single spoofing-based invoice fraud can wipe out months of profit. DMARC Force costs a fraction of one typical BEC incident.

Can AI-generated phishing bypass DMARC?

AI makes the content of phishing emails more convincing (better grammar, personalised details). It does not change the underlying infrastructure: the email still has to come from somewhere, still has to pass (or fail) SPF/DKIM, and DMARC still catches domain spoofing. Good-looking phishing on a random domain is easier to catch than bad-looking phishing from your own domain.

AEserver’s Verdict

Email spoofing is not going away. Attackers have industrialised it, automated it, and now equipped it with AI. UAE businesses are high-value targets because the region’s wire transfer culture, fast deal pace, and international supplier networks create exactly the conditions where BEC thrives.

The good news: the defences are proven, affordable, and under your control. For a typical UAE SME, the complete anti-spoofing playbook is:

1. Deploy SPF, DKIM, and DMARC with p=reject enforcement on every domain you own. Our DMARC Force service handles this end-to-end.
2. Use trustworthy business email hosting (Business Email, Microsoft 365, or Google Workspace) configured correctly from day one.
3. Add email security gateway filtering with AEserver Email Spam Protection.
4. Enforce MFA on every mailbox in your company.
5. Register defensive domains (see our multi-domain guide).
6. Train staff quarterly on BEC red flags and the “verify by phone” rule for payment changes.
7. Publish a clear policy that your company will never change bank details by email, and communicate it to all clients and suppliers.

Most BEC losses in the UAE come down to a single preventable moment: someone in finance trusted an urgent email and wired money without verifying. Technical controls stop the email from arriving. Human training stops the action from happening if one does slip through. You need both.

AEserver has been securing UAE businesses since 2008. If you want to stop being a target, start with DMARC, add spam protection, train your team, and keep your email on hosting that is configured correctly by default. When in doubt, call us, our UAE-based team has seen every flavour of spoofing attack, and we can walk you through the right response.

×