A sophisticated phishing campaign impersonating the Saudi Central Bank (SAMA) has successfully compromised thousands of banking customers across the Kingdom, marking one of the most significant financial cyber threats detected in the region this quarter. The attackers are leveraging advanced social engineering techniques combined with near-perfect replicas of official SAMA communications to harvest credentials and conduct unauthorized transactions.

Key Details

The phishing operation, first detected by the National Cybersecurity Authority (NCA) in collaboration with major Saudi banks, utilizes SMS messages and emails that appear to originate from SAMA's official channels. The fraudulent messages warn recipients of "suspicious activity" on their accounts and direct them to fake banking portals that capture login credentials, one-time passwords (OTPs), and personal identification information.

Security analysts have identified that the campaign employs domain names closely resembling those of legitimate Saudi banking institutions, with subtle character substitutions that are difficult to spot on mobile devices. The attackers have also registered domains mimicking SAMA's official website, complete with valid SSL/TLS certificates so that browsers display the padlock icon; because the padlock attests only that the connection to the displayed domain is encrypted, not that the domain is genuine, this creates a false sense of security.

According to incident response teams, the threat actors are operating during peak banking hours (10 AM - 2 PM Saudi time) to maximize the likelihood of immediate victim response. Once credentials are captured, unauthorized transactions are initiated within minutes, often transferring funds to cryptocurrency exchanges or international money mule networks before detection systems can intervene.

"This campaign demonstrates a concerning evolution in threat actor capabilities targeting the Saudi financial sector. The level of sophistication in replicating official communications and the speed of fund extraction indicate a well-resourced operation with specific knowledge of Saudi banking procedures." — Chief Information Security Officer, Major Saudi Bank

Impact on Saudi Organizations

The campaign has affected customers across at least eight major Saudi financial institutions, including retail banks, Islamic banks, and digital payment providers. Financial losses are estimated to exceed SAR 45 million, with individual victims losing between SAR 5,000 and SAR 250,000. Beyond direct financial impact, affected institutions face potential regulatory scrutiny under SAMA's Cyber Security Framework, particularly regarding customer authentication controls and incident response procedures outlined in Domain 5 (Cyber Security Operations Management).

The incident has prompted emergency meetings between SAMA, NCA, and banking sector CISOs to coordinate response efforts and implement enhanced detection mechanisms. Several banks have temporarily suspended SMS-based authentication for high-value transactions and are accelerating the deployment of biometric authentication solutions. The Saudi Banks Media and Awareness Committee has launched an intensive public awareness campaign across social media platforms and traditional media channels.

This attack underscores vulnerabilities in customer education and multi-factor authentication implementations, areas specifically addressed in SAMA CSF's Domain 2 (Cyber Security Defense) and Domain 3 (Third Party and Cloud Computing Cyber Security). Financial institutions that have not fully implemented the framework's requirements for customer authentication and transaction monitoring are experiencing higher compromise rates.

Relevant Frameworks: SAMA CSF, NCA ECC, PDPL, ISO 27001

Recommendations

  • Implement advanced email and SMS filtering solutions that can detect domain spoofing and suspicious sender patterns, aligning with SAMA CSF Domain 5.1 (Cyber Security Event Management)
  • Deploy real-time transaction monitoring systems with behavioral analytics to identify unusual patterns immediately after credential compromise, as required by SAMA CSF Domain 2.7 (Cyber Security Monitoring)
  • Accelerate migration to phishing-resistant multi-factor authentication methods such as FIDO2 hardware tokens or biometric authentication, moving beyond SMS-based OTPs
  • Conduct mandatory quarterly security awareness training for all customers, with specific modules on identifying phishing attempts and verifying official communications
  • Establish direct communication channels with SAMA and NCA for immediate threat intelligence sharing and coordinated incident response
  • Review and enhance customer authentication procedures to ensure compliance with SAMA CSF Domain 2.3 (Identity and Access Management) requirements
  • Implement DMARC, SPF, and DKIM email authentication protocols to prevent spoofing of institutional email domains; note that these controls cover only the institution's own sending domains, not the look-alike domains attackers register, which must be handled by the filtering measures above
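The look-alike domain pattern described above (subtle character substitutions, the real brand used as a subdomain of an attacker-controlled domain, and single-character typos) can be flagged by a filter that compares each sender or link domain against a list of legitimate domains, as the first recommendation calls for. The following is an added example, not code from the report or from any bank; the legitimate domains and the sample sender list are constructed placeholders.

```python
import unicodedata

# Constructed legitimate domains for this example (not real bank or SAMA domains).
LEGIT_DOMAINS = {"examplebank.com.sa", "sama-example.gov.sa"}
# Characters that pass for one another on a phone screen: digits for letters,
# plus Cyrillic letters that render identically to Latin ones.
CONFUSABLES = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",  # Cyrillic а е о р
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i",  # Cyrillic с у х і
})

def skeleton(domain: str) -> str:
    """Collapse a domain to a canonical form so look-alike spellings compare equal."""
    if "xn--" in domain:  # punycode label -> Unicode before mapping confusables
        domain = domain.encode("ascii").decode("idna")
    return unicodedata.normalize("NFKC", domain).lower().translate(CONFUSABLES)

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch single-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(domain: str, legit=LEGIT_DOMAINS):
    """Return (verdict, matched legitimate domain or None) for a sender/link domain."""
    d = domain.lower().rstrip(".")
    for l in sorted(legit):
        if d == l or d.endswith("." + l):  # the real domain or a genuine subdomain of it
            return "legit", l
    sk = skeleton(d)
    for l in sorted(legit):
        lsk = skeleton(l)
        if sk == lsk:                    # same skeleton: digit or Cyrillic substitution
            return "homoglyph", l
        if lsk + "." in sk:              # real brand as a subdomain of the attacker's domain
            return "brand-subdomain", l
        if edit_distance(sk, lsk) <= 1:  # one character added, dropped or changed
            return "typosquat", l
    return "unknown", None

# Constructed sender domains, as extracted from SMS links or email From: headers.
SAMPLE_SENDERS = ["examplebank.com.sa", "examp1ebank.com.sa", "ex\u0430mplebank.com.sa",
                  "examplebank.com.sa.secure-login.example", "examplebnk.com.sa", "news.example"]
print(*(f"{s:45} -> {classify(s)}" for s in SAMPLE_SENDERS), sep="\n")
```

A production filter would also decode the link target inside the SMS body and check the registrable domain rather than only the host shown, since the brand-as-subdomain case relies on users reading just the first labels.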