In January 2026, a Dubai-based company lost AED 2.3 million to a business email compromise attack. The finance manager processed a wire transfer to an account provided in what appeared to be a direct instruction from the CEO. By the time the fraud was identified, the funds had already cleared and were moving through the banking chain.
There’s no malware in a BEC attack. No suspicious attachment, no link to click, nothing for endpoint security to flag. It arrives as an email that appears to come from someone the recipient trusts, asking them to do something routine. Pay a supplier. Update bank details. Approve a transfer. The only thing wrong is the sender.
The attacker in the Dubai case registered a domain, wrote a convincing email, and waited. The cost to run the attack was a few dollars. The return was AED 2.3 million.
Business email compromise is the highest-value cybercrime category in the world by dollar loss. The FBI’s Internet Crime Complaint Center recorded $3.05 billion in global BEC losses in 2025. The UAE is a documented target in this pattern. The Cyber Security Council reported over 200,000 breach attempts against UAE organisations every day in 2025, rising to between 600,000 and 800,000 per day in early 2026. More than 75% of breaches originate from phishing or fraudulent messages. BEC is the financially motivated version of that ecosystem: simple execution, high return.
Dubai’s transaction volume, cross-border payments, and fast-moving finance processes make it a strong target environment. Attackers design campaigns around that speed.
The AED 2.3 million was gone. What followed cost considerably more.
How this class of attack works
BEC attacks begin long before the email is sent.
Attackers map the organisation using public data. LinkedIn reveals finance roles and reporting lines. Company websites expose executive names and email formats. Press releases expose transactions, acquisitions, or payment cycles that can be used to create believable urgency.
They then register a domain that closely resembles the real one. The email is sent from that domain, with the executive’s name shown as the sender. On mobile devices, the actual address is often hidden unless explicitly expanded.
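A defender-side check for the pattern just described, added here as an illustration and not part of the original article: it flags inbound mail whose display name matches a protected executive while the address sits on an external or lookalike domain. The organisation domain, the executive names and the two-edit threshold are constructed assumptions.

```python
import re
from email.utils import parseaddr

# Constructed assumptions: the organisation's domain and the names worth protecting.
ORG_DOMAIN = "example-trading.ae"
PROTECTED_NAMES = {"sara al mansoori", "omar haddad"}

# Characters commonly swapped to make a domain look identical at a glance.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

def skeleton(domain):
    """Collapse look-alike characters so visually similar domains compare equal."""
    d = domain.lower().translate(HOMOGLYPHS)
    return d.replace("rn", "m").replace("vv", "w")

def edit_distance(a, b):
    """Levenshtein distance using two-row dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def assess_sender(from_header):
    """Return reasons to hold the message for out-of-band verification (empty list = none)."""
    display, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    if domain == ORG_DOMAIN:
        return []  # exact-domain spoofing is handled by DMARC, not by this check
    reasons = []
    name = re.sub(r"\s+", " ", display).strip().lower()
    if name in PROTECTED_NAMES:
        reasons.append("executive display name on external domain")
    if skeleton(domain) == skeleton(ORG_DOMAIN):
        reasons.append("homoglyph lookalike of organisation domain")
    elif edit_distance(domain, ORG_DOMAIN) <= 2:
        reasons.append("domain within 2 edits of organisation domain")
    return reasons
```

Because mobile clients often hide the address, the reasons returned here are most useful when surfaced as a banner on the message or used to route payment requests to a callback step.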
Timing is deliberate. Messages arrive when verification is least likely. The content creates urgency, references real context, and often includes confidentiality pressure to reduce the chance of verification.
What makes this effective is the economics. Setup costs are minimal, but a single successful payment can return millions. That imbalance is what keeps BEC at the top of global cybercrime losses by reported value.
What the AED 2.3 million figure doesn’t include
The transfer amount is only the visible loss.
After an incident is confirmed, organisations typically bring in external incident response teams to determine how the email chain was compromised, how long attackers may have had access, and whether other accounts were affected. That process pulls in internal IT, finance, and legal teams for weeks.
If personal data was exposed, UAE PDPL obligations may require reporting to regulators, adding legal exposure beyond the fraud itself.
Recovery is time-sensitive. Once funds move through multiple banks and jurisdictions, retrieval becomes unlikely. Early intervention can sometimes freeze transfers, but after the initial window, outcomes are usually limited to legal escalation.
Broader cost research reflects this. IBM’s 2025 report places average breach costs in the Middle East at $7.29 million once investigation, response, compliance, and internal disruption are included.
The largest documented UAE-related case reached AED 185 million over several years, showing how sustained access combined with email impersonation can escalate far beyond a single transaction.
Why UAE businesses are a specific target
The UAE environment matches the conditions BEC relies on: high-value cross-border payments, international counterparties, and fast execution cycles in finance teams.
This is reflected in real campaigns. Research has documented attackers targeting UAE-linked energy supply chains by registering lookalike domains tied to contractors and waiting for invoice cycles to trigger payments.
Real estate introduces another layer of exposure. High-value transactions move quickly, and payment instructions are expected near completion, creating ideal conditions for impersonation of agents, developers, or legal intermediaries.
Global fraud routing patterns identified by the FBI IC3 show fraudulent wire transfers frequently passing through jurisdictions with high international payment volume, including the UAE.
What DMARC at p=reject shuts down
One common BEC pattern is direct domain spoofing, where an attacker sends email pretending to be your exact domain using external infrastructure.
With DMARC set to p=reject, those messages fail authentication checks and are blocked before delivery.
Enforcing p=reject safely depends on correct SPF and DKIM alignment for all legitimate email sources. Without visibility into which services send mail as the domain, organisations often delay enforcement.
DMARC does not stop all BEC variants. Lookalike domains operate outside your domain entirely, while compromised mailboxes send authenticated email from real accounts. Both require separate controls.
What p=reject does eliminate is the cheapest version of impersonation: sending mail that appears to come from your domain without owning it.
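The receiver-side decision described in this section, worked through as an added example that is not part of the original article: a simplified DMARC evaluation applied to four constructed messages, showing which BEC variants p=reject stops and why an unaligned legitimate sender is rejected too. All domains are constructed, and organisational-domain matching uses the last two labels as a stated simplification.

```python
def parse_dmarc(record):
    """Parse a DMARC TXT record into tags, e.g. {'v': 'DMARC1', 'p': 'reject'}."""
    pairs = (part.partition("=") for part in record.split(";") if "=" in part)
    return {k.strip().lower(): v.strip() for k, _, v in pairs}

def org_domain(domain):
    # Simplification (assumption): last two labels; real receivers use the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    if mode == "s":  # strict alignment: exact domain match
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)  # relaxed (the default)

def dmarc_disposition(msg, records):
    """Return 'deliver', 'quarantine' or 'reject'. `records` stands in for DNS
    TXT lookups at _dmarc.<domain>; pct= and sp= tags are ignored for brevity."""
    frm = msg["from"]
    tags = parse_dmarc(records.get(frm) or records.get(org_domain(frm)) or "")
    if tags.get("v") != "DMARC1":
        return "deliver"  # no policy published, nothing for the receiver to enforce
    spf_ok = msg["spf"] == "pass" and aligned(msg["mail_from"], frm, tags.get("aspf", "r"))
    dkim_ok = msg["dkim"] == "pass" and aligned(msg["dkim_d"], frm, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "deliver"
    return tags.get("p") if tags.get("p") in ("quarantine", "reject") else "deliver"

# Constructed sample data: domains and results are illustrative, not from the incident.
ORG = "example-trading.ae"
RECORDS = {ORG: "v=DMARC1; p=reject; rua=mailto:dmarc@example-trading.ae"}
MESSAGES = {
    # Exact-domain spoof from external infrastructure: SPF passes only for the sender's own domain.
    "direct_spoof": {"from": ORG, "spf": "pass", "mail_from": "bulk-host.example",
                     "dkim": "none", "dkim_d": ""},
    # Lookalike domain: fully authenticated for a domain the attacker owns.
    "lookalike": {"from": "examp1e-trading.ae", "spf": "pass", "mail_from": "examp1e-trading.ae",
                  "dkim": "pass", "dkim_d": "examp1e-trading.ae"},
    # Compromised mailbox: real account, real infrastructure, aligned SPF and DKIM.
    "compromised_mailbox": {"from": ORG, "spf": "pass", "mail_from": ORG,
                            "dkim": "pass", "dkim_d": ORG},
    # Legitimate invoicing service never added to SPF/DKIM: rejected alongside the spoof.
    "unaligned_vendor": {"from": ORG, "spf": "pass", "mail_from": "mailer.vendor.example",
                         "dkim": "none", "dkim_d": ""},
}

def evaluate_all(records=RECORDS):
    return {name: dmarc_disposition(m, records) for name, m in MESSAGES.items()}
```

The `unaligned_vendor` result is the reason to work through aggregate reports (the `rua` address) and fix alignment for every sending service before moving the policy to p=reject.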