GCC Banks Lag On Fraud Defences As UAE Sets Security Benchmark

The UAE Central Bank's recent decision to phase out one-time passwords (OTPs) in favour of stronger authentication methods has underscored the Emirates' leadership in safeguarding bank customers at a time when many of its regional peers are falling behind.

Fresh research reveals that while UAE regulators are tightening digital security standards, banks across much of the GCC are showing worrying signs of complacency.

According to Proofpoint, a leading cybersecurity company, adoption of Domain-based Message Authentication, Reporting, and Conformance (DMARC) - the global email protocol designed to block phishing and spoofing - has slipped across the region. In 2024, 96 per cent of GCC banks had published DMARC records, but by 2025 that figure had dropped to just 77 per cent. Even more concerning, only 60 per cent of banks are enforcing the strictest“reject” policy that prevents fraudulent emails from reaching inboxes, compared with 71 per cent a year earlier.

These lapses matter because phishing remains the most common vector for fraud, particularly in financial services where customers rely on email for account alerts, password resets, and transaction notifications. Proofpoint's study found that nearly a quarter of top regional banks are taking no steps at all to prevent misuse of their domains. This exposes millions of customers to the risk of impersonation attacks - precisely the kind of vulnerabilities the Central Bank of the UAE (CBUAE) is moving decisively to close.

In July, the CBUAE instructed lenders in the Emirates to retire OTPs delivered by SMS or email, long regarded as a weak link in digital security. Instead, UAE banks are adopting biometric logins, app-based secure notifications, and token-driven multi-factor authentication. These measures align with global best practice in financial hubs such as Singapore and London, where regulators are also moving away from OTPs vulnerable to SIM-swapping, spoofing, and interception.

Cybersecurity specialists argue that this regulatory foresight is placing the UAE several steps ahead of its Gulf neighbours.“We are witnessing a worrying trend this year as the number of financial institutions in the GCC with a published DMARC record has decreased, potentially exposing vast amounts of sensitive personal and financial data to cybercriminals,” said Emile Abou Saleh, vice president for Northern Europe, the Middle East, Turkey, and Africa at Proofpoint.“However, it is never too late for banks to revisit security protocols and protect their email traffic against phishing and other fraudulent activity.”

Banking industry analysts said the contrast is stark.“While the UAE is tightening digital banking rules and pushing institutions towards more secure, customer-centric authentication, banks in other GCC states are struggling to maintain momentum.”

Proofpoint's analysis shows Oman, Bahrain, and Kuwait are among the weakest performers, with adoption rates well below the regional average. This creates a patchwork of protections across the Gulf, undermining customer confidence and exposing cross-border transactions to greater risks.

The timing could not be more critical. Digital payments are expanding rapidly across the region. In the UAE alone, the value of digital transactions surpassed Dh1.5 trillion in 2024, with mobile banking adoption at record highs. Similar growth patterns are seen in Saudi Arabia and Qatar as young, tech-savvy populations embrace cashless lifestyles. But without strong protocols such as DMARC and secure authentication replacing OTPs, these gains come with heightened exposure to fraud.

UAE regulators have also coupled their policy with consumer education campaigns, ensuring that residents understand the risks of phishing and the importance of multi-factor authentication. By contrast, analysts say that in several GCC markets, banks still rely heavily on OTPs and outdated fraud-prevention tools, leaving customers less protected and more likely to fall victim to scams.

The divergence also has reputational implications. As the Gulf competes for international investors, demonstrating strong digital infrastructure and resilient banking security has become critical. By moving proactively, the UAE is signalling that it can meet the highest standards of consumer protection, reinforcing its position as a global financial hub. For its neighbours, the message is clear: without accelerating adoption of advanced safeguards, regional banks risk not only greater exposure to cybercrime but also diminished investor confidence.

For customers in the UAE, the payoff is immediate. Phasing out OTPs means fewer risks of account takeovers, safer digital payments, and greater trust in online banking. For the banking sector, it provides a more resilient foundation as competition intensifies across the Gulf.

Analysts said the bigger picture is that the UAE is setting a benchmark for the region.“While Proofpoint's data highlights backsliding elsewhere in the GCC, the the UAE apex bank's initiatives show that strong regulatory leadership can pre-empt risks and drive higher standards. The question now is whether neighbouring financial markets will follow suit - or risk being left exposed as the digital banking revolution accelerates.”

MENAFN14092025000049011007ID1110059652