The Cost of One Click
In February 2024, a finance team at Pepco Group (a retailer with 4,800 stores across 21 countries) received what looked like a routine internal email. The sender appeared legitimate, the request was familiar, and the instruction was one that landed in their inbox every day: process a payment. They processed it, and then another, and by the time the fraud was identified, €15.5 million had been wired to accounts controlled by attackers. Pepco confirmed publicly that recovery was unlikely.
No system was breached and no malware was deployed. An email arrived, it looked like business, and experienced professionals acted on it. This is the attack pattern now targeting enterprises across the UAE.
Speed Is the Vulnerability
The UAE's digital economy was built to move fast. Same-day decisions, rapid contract cycles, payments approved across time zones before the next meeting begins; friction is treated as a disadvantage here, and speed defines the competitive edge. That tempo is a genuine strength, and it is also what attackers are increasingly designing cyber attacks around.
The UAE Cyber Security Council reports blocking over 800,000 cyberattacks daily, and more than 75% of those begin with a phishing email or fraudulent message; not because email security is weak, but because speed makes people predictable. In an environment where acting quickly is a professional virtue, pausing to question feels like the opposite of efficient, and attackers have built their methods around that reality.
The era of obviously suspicious emails is largely over. An estimated 82% of phishing emails now contain AI-generated content; well-written, contextually accurate, that mirror the tone of genuine internal communications, timed to land when inboxes are full and decisions move fast. AI-enhanced phishing campaigns now achieve click-through rates of 54%, compared to 12% for conventional attempts, driven almost entirely by how well the message fits the moment it arrives in.
How €15.5 Million Disappeared
Someone outside Pepco sent emails that appeared to come from a trusted colleague inside the company; the right name, the right formatting, the kind of language the finance team saw every day. The emails asked for payments to be processed; the staff complied, and by the time anyone questioned the instructions, €15.5 million had left the business.
No passwords were stolen and no systems were broken into. The only thing that failed was the assumption that an email carrying a familiar name is genuinely from that person.
This is the exposure that most UAE enterprises are sitting with today. In a fast-moving environment, people act on instructions quickly, it is how business gets done here. Attackers rely on exactly that. They add a deadline, put a senior name on the sender line, and make the request feel like one of a hundred routine messages, knowing that in a busy inbox, most people will act before they stop to question.
The Fix Is a Habit, Not a Tool
Enterprise-grade security did not stop Pepco's loss because the exploit was procedural, not technical, and the defence works the same way.
Stop: Before acting on any email that requests a payment or access to a system, pause. The urgency in these messages: the bolded deadline, the senior name on the sender line; is engineered to make pausing feel like a mistake. It is not.
Verify: Confirm the request through a separate channel. Call the person on a number already in your contacts, message them through your internal platform, or if they are in the building, ask them directly. Do not use any contact details provided within the email itself. One call to the colleague whose name appeared on Pepco's fraudulent email would have stopped the fraud before a single payment was made.
Report: If something feels wrong, even after you have already acted, tell your IT or security team immediately. The sooner a suspicious instruction is flagged, the better the chance of limiting the damage.
The UAE Cybersecurity Council has made this a national priority, and forward-thinking organizations here are embedding Stop, Verify, Report into their workflows through training built around their own processes and communication patterns. In a high-speed economy where pressure to act fast is constant, these three steps are not friction. They are the human firewall.
