The UAE Cybersecurity Council Warning Enterprises Cannot Afford to Ignore

Vijayant Mehra

Business Development Manager

Between 500,000 and 800,000 cyberattack attempts hit UAE infrastructure every single day, a figure that has tripled since regional tensions escalated earlier this year. Most of those attacks, over 70% by official estimates, are state-sponsored. The sectors at the top of the target list are government administration, financial services, and banking, which are precisely the environments where most enterprise IT operations in this country sit.

What makes the current period different from previous threat cycles is not just the volume. The methods have shifted in a way that changes how defenders need to think. Artificial intelligence has moved from being a future concern discussed at conferences into an active component of live attack operations. The Abu Dhabi Emergency, Crisis and Disaster Management Centre (ADCMC) recently published its Cybersecurity Awareness Guide During Crises, and the six threat categories it identifies as most prevalent during emergencies read less like an abstract risk list and more like a description of what is happening right now across UAE networks.

The Attack Kit Has an AI Upgrade

For years, phishing emails were easy to spot if you knew what to look for: the odd grammar, the slightly off sender domain, the urgency that felt performative. Security awareness training was built around that recognition. The training still matters, but the rulebook for spotting a suspicious message has become significantly harder to apply when the message was composed by a language model that writes more convincingly than most humans.

State-linked threat actors are now using tools like ChatGPT and WormGPT to write phishing content, generate malicious code, scan for vulnerabilities, and automate reconnaissance at a scale that would previously have required substantial human effort. An IBM research experiment demonstrated the pace of this shift: AI needed five prompts and five minutes to build a phishing campaign as effective as one that took human security experts sixteen hours to construct. The attackers know this. They are using it.

Beyond phishing, the more disorienting development is the weaponisation of deepfakes. Voice cloning, fabricated video messages, and AI-generated content from what appear to be trusted officials or executives are now being used not just to defraud individuals but to erode institutional trust during moments of heightened public anxiety. IRONSCALES research found that 85% of organisations experienced at least one deepfake-related incident in the past twelve months, and 61% of those that lost money reported losses above $100,000. One high-profile case involving a finance officer authorising a $25 million transfer after a deepfake video call with what appeared to be a company CFO became a landmark example of how far this has progressed.

During a crisis, the attack surface for this kind of manipulation widens considerably. People are seeking information from multiple sources, verification habits loosen under pressure, and emotional responses override the deliberate thinking that security awareness training is designed to encourage. The UAE guide is explicit about this dynamic: cyberattacks tend to escalate during emergencies precisely because fear and confusion make individuals more susceptible, rushed digital decisions bypass normal verification, and unofficial channels fill the gaps left by overwhelmed official communications.

Why Crises Create a Different Threat Window

There is something important in how the ADCMC framed its guidance, and it is worth taking seriously at an enterprise level rather than treating it as public-facing awareness material that does not apply to a corporate security programme.

When a major event creates sustained public anxiety, whether geopolitical, environmental, or economic, the psychological conditions that allow social engineering to succeed become widespread simultaneously across an entire population. An attacker who times a spear-phishing campaign to coincide with a period when employees are distracted, consuming news from personal devices, and sharing information through informal channels is exploiting a timing advantage that conventional security controls do not address. Multi-factor authentication does not compensate for a finance team member who verifies a payment request over WhatsApp because a deepfake audio message convinced them it came from their CFO.

This is also the environment in which disinformation becomes a direct business risk. Fabricated content targeting specific organisations, fake announcements attributed to official figures, and coordinated narratives designed to damage institutional reputation can cause significant operational disruption without a single system being breached. The UAE Cybersecurity Council has confirmed that fabricated videos impersonating public figures are already in circulation and that financial and banking sectors are being specifically targeted through this vector.

The guidance from the ADCMC identifies several indicators of fraud attempts that are worth translating into enterprise security awareness training: urgent requests for personal information or verification codes, unexpected requests for money transfers, messages from unfamiliar devices triggering login alerts, and communications with either an unusually casual tone or one that is excessively formal in a way that feels scripted. Those signals apply as much to business email compromise targeting a finance team as they do to an individual receiving a suspicious text message.

What a Proper Defensive Posture Looks Like Right Now

The UAE Cybersecurity Council’s response to the current threat environment has centred on the National Cybersecurity Operations Centre, a zero-trust architecture framework, real-time threat intelligence sharing across government and private sector entities, and AI-based detection systems that counter AI-generated threats. The Council issues more than 200 threat intelligence bulletins daily to government and private sector entities. That infrastructure reflects the scale of investment required at a national level, and it sets a useful reference point for what enterprise environments need to do proportionally.

For most organisations, the immediate priority is identity. Credential compromise remains the most common initial access vector across UAE incidents, and multi-factor authentication remains the single most effective control at the entry point. This is not a novel recommendation, but the enforcement is patchy across many enterprise environments, particularly for legacy applications, privileged service accounts, and third-party vendor access. In a threat environment where AI is accelerating credential stuffing and phishing success rates, gaps in MFA coverage are not edge cases anymore.

Endpoint visibility matters more in this environment than it did when threats moved more slowly. EDR tools that flag unusual behaviour rather than just known signatures are significantly better suited to detecting AI-assisted attacks, which are increasingly designed to evade pattern-based detection by varying their signatures and timing. The 44% of organisations in IBM’s 2024 research that had deployed XDR solutions were able to detect and contain breaches roughly a month faster than those that had not, reducing exposure time in an environment where every day of dwell time has a measurable cost.

The human element cannot be patched. The ADCMC’s guidance closes with a line from H.E. Mohammed Al Kuwaiti, the UAE Government Cybersecurity Council head, that cuts through the technical complexity: in times of tension, awareness must be faster than phishing, calmer than rumours, and more accurate than fabricated content. That is not a platitude about user training. It is a description of the cognitive state that social engineering is specifically designed to disrupt. Security awareness programmes that focus only on recognising suspicious links are not equipped for an environment where the threat arrives as a convincing video call or a voice message from what sounds exactly like a colleague.

Establishing clear out-of-band verification protocols for financial transactions, sensitive data requests, and any communication that carries urgency is an operational control, not a training exercise. If someone calls your treasury team claiming to be the CFO and requests an urgent transfer, the policy should require a physical or pre-agreed secondary verification regardless of how convincing the voice sounds. That protocol needs to exist, be documented, and be practised before the moment of pressure arrives.
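The release rule described above can be written down as a check that a payment workflow enforces. The sketch below is an added example, not code from the ADCMC guide or from iConnect. The directory, channel names and phone numbers are constructed placeholders, and the rule that a check on the request's own channel does not count is an assumption about what "out-of-band" should mean in practice.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed directory of pre-agreed callback numbers, maintained before any
# request arrives. Numbers are placeholders, not real contacts.
DIRECTORY = {"cfo": "+971-00-000-0001"}

@dataclass
class Verification:
    method: str                          # "callback" or "in_person"
    channel: str                         # channel used to verify, e.g. "phone"
    number_dialled: Optional[str] = None

@dataclass
class Request:
    claimed_sender: str                  # who the message says it is from
    channel: str                         # channel the request arrived on
    verifications: List[Verification] = field(default_factory=list)

def release_decision(req: Request) -> Tuple[bool, List[str]]:
    """Allow release only after a physical or pre-agreed secondary check.

    How convincing or urgent the request was is deliberately not an input.
    """
    registered = DIRECTORY.get(req.claimed_sender)
    rejected: List[str] = []
    for v in req.verifications:
        if v.method == "in_person":
            return True, rejected
        if v.method != "callback":
            rejected.append(f"unknown method {v.method!r}")
        elif v.channel == req.channel:
            rejected.append("verified on the same channel the request used")
        elif registered is None or v.number_dialled != registered:
            rejected.append("callback number is not the pre-agreed one")
        else:
            return True, rejected
    if not req.verifications:
        rejected.append("no out-of-band verification recorded")
    return False, rejected

# Constructed cases: a voice note on WhatsApp asking for an urgent transfer.
replied_in_chat = Request("cfo", "whatsapp",
                          [Verification("callback", "whatsapp", "+971-00-000-0001")])
number_from_message = Request("cfo", "whatsapp",
                              [Verification("callback", "phone", "+971-00-000-0999")])
proper_callback = Request("cfo", "whatsapp",
                          [Verification("callback", "phone", "+971-00-000-0001")])
```

The two rejected cases are the ones that fail under pressure: confirming inside the same chat, and dialling a number that came with the request instead of the one agreed in advance.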

The Regulatory Context Is Not Standing Still

The UAE’s national cybersecurity strategy covering 2025 to 2031 was approved in February of last year and represents a comprehensive legislative and technical roadmap. DFSA-regulated entities in DIFC are operating under a Cyber Threat Intelligence Platform that explicitly aims to shift financial services firms from reactive to intelligence-sharing postures. ADGM has published detailed data protection guidance and self-assessment tools. The Central Bank of the UAE has cybersecurity requirements built into its operational risk frameworks for financial institutions. Across all of these, the direction is consistent: continuous monitoring, identity-centric controls, documented incident response capability, and supply chain security.

Organisations that have not yet formalised their incident response playbooks face a particular exposure. Ransomware attacks in the UAE increased 32% in 2024 year-on-year according to the UAE Cyber Security Council, and the attack groups are diversifying, with RansomHub, Qilin, and DarkVault all establishing presence in the region alongside the longer-established players. Incident response that depends on ad-hoc decisions made under pressure is consistently more expensive than incident response built on documented, tested procedures.

The broader point is that compliance with UAE regulatory frameworks and robust security posture are largely pointing in the same direction. The investment case for identity hardening, endpoint visibility, network segmentation, and SOC capability is simultaneously a risk reduction case and a regulatory readiness case.

The threat environment in the UAE right now is measurably more complex than it was twelve months ago, and the use of AI by attackers is not a projected future risk but a documented present reality. Organisations that want to understand where their exposure sits, whether in identity controls, detection capability, endpoint coverage, or human-layer vulnerabilities, are the ones that are better positioned when the next wave arrives. iConnect’s cybersecurity team works with enterprises across the UAE on exactly that kind of assessment, from ZTNA architecture and SOC deployment to staff awareness programmes built for the regional threat context. If the current environment has surfaced questions about your security posture, it is worth working through them now rather than under pressure.
