Attack Methodology and Technical Details
The campaign operates through a multi-stage process that begins with reconnaissance on social media platforms. Attackers collect voice samples from victims' publicly available videos, then use AI voice synthesis tools to create convincing audio deepfakes. In the second phase, victims receive phone calls that appear to originate from legitimate bank numbers—achieved through caller ID spoofing—where the AI-generated voice warns of suspicious account activity.
The attackers demonstrate intimate knowledge of SAMA's authentication protocols, often referencing genuine security procedures to establish credibility. They guide victims through what appears to be a legitimate verification process but actually captures one-time passwords (OTPs) and authentication credentials. The operation shows clear understanding of Saudi banking systems, including Absher integration points and the SADAD payment infrastructure.
"This represents a quantum leap in social engineering sophistication. The voice cloning is so accurate that even family members have been fooled. We're seeing success rates above 40% when attackers reach their intended targets," warns Dr. Ahmed Al-Rashid, Chief Information Security Officer at a leading Saudi financial institution.
Impact on Saudi Organizations
The campaign has affected customers across all major Saudi banks, with particular concentration in the Riyadh, Jeddah, and Dammam metropolitan areas. Financial institutions are facing significant reputational damage alongside direct financial losses, as customer trust in phone-based authentication erodes. The Saudi Central Bank (SAMA) has issued emergency guidance to all licensed financial entities, mandating enhanced customer awareness programs and additional verification layers for high-value transactions.
Beyond immediate financial impact, this threat poses serious challenges to Vision 2030's digital transformation objectives. As Saudi Arabia accelerates its cashless society initiatives and fintech innovation, maintaining public confidence in digital banking security becomes paramount. The National Cybersecurity Authority (NCA) has elevated this threat to Priority Level 1, requiring all financial sector entities to implement countermeasures within 30 days.
Recommendations for Financial Institutions
- Implement Multi-Modal Authentication: Move beyond voice-only verification to include biometric, behavioral, and device-based authentication factors that cannot be easily replicated by AI systems.
- Deploy AI Detection Technologies: Invest in deepfake detection solutions that can identify synthetic voice patterns and anomalies in real-time during customer interactions.
- Establish Callback Protocols: Mandate that all high-risk transactions require bank-initiated callbacks to pre-registered numbers, with mandatory cooling-off periods for large transfers.
- Launch Targeted Awareness Campaigns: Develop Arabic-language educational materials specifically addressing AI-powered social engineering, distributed through SMS, mobile apps, and branch networks.
- Enhance Fraud Monitoring: Update transaction monitoring systems to flag patterns consistent with social engineering attacks, including rapid successive authentications and unusual beneficiary additions.
- Collaborate with NCA: Participate in the National Cybersecurity Authority's threat intelligence sharing program to receive real-time indicators of compromise and attack patterns.
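The fraud-monitoring and callback recommendations above can be expressed as a transaction rule. The following is an added example, not code from the article or from any bank or regulator: it reviews transfers in constructed event records and holds for a bank-initiated callback when a newly added beneficiary coincides with a burst of OTP validations or a high-value amount. The event names, thresholds and hold policy are all assumptions.

```python
from datetime import datetime, timedelta

# Assumed thresholds for illustration (not SAMA or NCA values).
AUTH_WINDOW = timedelta(minutes=10)   # window for "rapid successive" OTP validations
AUTH_BURST = 3                        # validations inside the window that count as a burst
COOLING_OFF = timedelta(hours=24)     # hold period for a newly added beneficiary
HIGH_VALUE = 20000                    # SAR, assumed high-value threshold

# Constructed sample events: (timestamp, account, event type, detail)
EVENTS = [
    ("2024-05-01T10:00:00", "A1", "otp_ok", None),
    ("2024-05-01T10:02:00", "A1", "otp_ok", None),
    ("2024-05-01T10:04:00", "A1", "otp_ok", None),
    ("2024-05-01T10:05:00", "A1", "beneficiary_add", "B9"),
    ("2024-05-01T10:07:00", "A1", "transfer", ("B9", 45000)),
    ("2024-05-01T09:00:00", "A2", "otp_ok", None),
    ("2024-05-01T09:30:00", "A2", "transfer", ("B2", 30000)),
    ("2024-04-20T09:00:00", "A3", "beneficiary_add", "B7"),
    ("2024-05-01T11:00:00", "A3", "otp_ok", None),
    ("2024-05-01T11:01:00", "A3", "transfer", ("B7", 50000)),
]

def review_transfers(events):
    """Return {(account, beneficiary): (action, reasons)} for each transfer."""
    otps, added, out = {}, {}, {}
    for ts, acct, kind, detail in sorted(events, key=lambda e: e[0]):
        t = datetime.fromisoformat(ts)
        if kind == "otp_ok":
            otps.setdefault(acct, []).append(t)
        elif kind == "beneficiary_add":
            added[(acct, detail)] = t
        elif kind == "transfer":
            ben, amount = detail
            reasons = []
            recent = [o for o in otps.get(acct, []) if t - o <= AUTH_WINDOW]
            if len(recent) >= AUTH_BURST:
                reasons.append("otp_burst")
            first_seen = added.get((acct, ben))
            if first_seen and t - first_seen < COOLING_OFF:
                reasons.append("new_beneficiary")
            if amount >= HIGH_VALUE:
                reasons.append("high_value")
            # Assumed policy: a new payee plus any other signal triggers a callback hold.
            hold = "new_beneficiary" in reasons and len(reasons) >= 2
            out[(acct, ben)] = ("hold_for_callback" if hold else "allow", reasons)
    return out
```

A transfer that is only high-value to an established payee is allowed here with its reason recorded; an institution applying additional verification to every high-value transaction would route that case to step-up instead.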