Deepfake and digital impersonation fraud is now a board-level risk for UAE businesses: criminals use AI-generated voice and video to impersonate executives, banks and suppliers, and the Central Bank of the UAE now requires licensed financial institutions to formally assess this exposure. The most effective defence is not detection technology but process — verify every request to move money or data through a separate, pre-agreed channel before you act.
Through 2025 and into 2026 the UAE became the region’s primary cyber target, with daily attack attempts surging into the hundreds of thousands during periods of geopolitical tension. What has changed is not just the volume but the nature of the deception. Generative AI has made it cheap and fast to clone a voice from a few seconds of audio, or to place a convincing synthetic face on a live video call. For a market where so much business is done over voice and video, telling a real colleague from a synthetic one has become both an operational and a legal problem.
The CBUAE digital impersonation mandate — and why it matters beyond banks
The Central Bank of the UAE (CBUAE) has issued mandatory guidance requiring every Licensed Financial Institution — retail banks, digital banks, payment service providers and card issuers — to strengthen defences against brand impersonation, phishing, fake advertisements and digital fraud campaigns aimed at their customers. Crucially, the framework explicitly names AI-generated impersonations, deepfake audio and video scams, and fraudulent customer-support handles as threats that must be monitored. The first digital impersonation risk assessment was due by 30 June 2026, and failure to comply can trigger supervisory action or administrative penalties.
Even if you are not a licensed bank, treat this as the direction of travel for the whole market. Regulators rarely mandate a control for one sector and stop there, and the underlying threat is sector-agnostic. Any organisation that authorises payments, changes vendor banking details, or trades on the trust of its brand is squarely in scope of the same risk.
How deepfake fraud actually works
Modern impersonation fraud is really “business email compromise 2.0” — a classic scam upgraded with AI. Attackers use generative tools to write flawless, personalised messages at scale, then reinforce them with cloned voice or video to push a target into an urgent, high-value action such as wiring funds or updating supplier bank details. The most cited example remains the engineering firm Arup, which lost roughly US$25 million after a finance employee joined a video meeting in which every other “participant” was AI-generated.
The pattern is consistent: a trusted-looking identity, manufactured urgency, a request to bypass the normal process, and pressure to keep it confidential. The technology is new, but the psychology is the same social engineering finance teams have faced for years — which is precisely why the defence is procedural rather than purely technical.
A practical defence playbook for UAE and GCC businesses
1. Make out-of-band verification mandatory for money and data
Any request to move funds, change payment details or release sensitive data should be confirmed through a second, independent channel before it is actioned — no exceptions for urgency or seniority. Call the person back on a number already stored in your directory, never a number supplied in the suspicious message. Pair large or unusual transfers with multi-person authorisation so no single employee can be socially engineered into releasing money alone.
2. Shrink your deepfake attack surface
Voice and video clones need source material. Reduce what is publicly available: limit the executive audio and video that can be scraped from public channels, and actively monitor for spoofed domains, fake social profiles and counterfeit app listings that impersonate your brand. This brand-protection monitoring is exactly what the CBUAE now expects of financial institutions, and it is sensible practice for any recognisable UAE business.
3. Train for the deepfake scenario, not generic phishing
Standard phishing awareness is no longer enough. Staff — especially finance, procurement and executive assistants — need training built around the specific deepfake attack pattern: how urgency and secrecy are used to bypass controls, and exactly which verification steps to follow when a “CEO” calls asking for an emergency transfer. The goal is a workforce that feels empowered to pause and verify an unexpected request even when it appears to come from the top.
4. Adopt a zero-trust posture: never trust, always authenticate
Re-engineer your payment and data processes to assume any request is fraudulent until proven otherwise through a pre-established authentication channel. Deepfake detection tools can help, but attackers iterate faster than detectors — so the durable control is a process that does not rely on a human spotting a fake in the moment. Continuous, adaptive verification, not one-time trust, is the model UAE and Saudi organisations are increasingly building into their infrastructure.
Where to start this quarter
- Document a single, mandatory verification workflow for all payments and vendor bank-detail changes.
- Run one deepfake-specific tabletop exercise with your finance team.
- Commission a brand-impersonation scan of the domains, social handles and app stores using your name.
Deepfake fraud rewards organisations that have decided, in advance, exactly how they verify a request — and punishes those that improvise under pressure. Explore our cybersecurity services to build these controls, or book a free consultation with our Dubai-based team to assess your exposure before an attacker does.