2 days ago
AI is blurring language barriers in email fraud, and cybercriminals are expanding their targets
Looking back a few years ago, cultural or language barriers were enough to deter cybercriminals from targeting Arabic-speaking regions. But today, threat actors are now using AI to tailor attacks more effectively to local audiences.
According to the first volume of Proofpoint Inc's latest Human Factor 2025 report, language and culture are no longer the deterrent they once were for cybercriminals. As generative AI tools become more accessible, cybercriminals are now able to create personalised phishing and impersonation scams in multiple languages, including Arabic.
Proofpoint's research shows that while most tracked email fraud remains in English, there is a growing wave of non-English attempts. For example, a scammer known as TA2900 sends French-language emails on rental payment themes to targets in France and Canada. This trend raises an important question for regional organisations — does the Arabic language still offer a barrier for cybercriminals in today's AI-driven threat landscape?
What is enabling this shift is not just language flexibility, it is the fundamental transformation in how social engineering works. Artificial Intelligence is no longer just a tool; it has become the engine powering the next generation of cyber threats. Attackers can collect large volumes of conversation data from platforms like social media, messaging apps, and chat logs, and feeding it into natural language models. These models learn how to mimic tone and context, making the interaction feel even more human. The end goal is manipulation - convincing someone to make a call, click a link, or download a file without realising they have been targeted. And the more realistic the email, the higher the chance the victim will fall for it.
Middle East is firmly in the crosshairs of fast-evolving social engineering
A recent study revealed that this shift is already being felt in the region. 85 per cent of organisations in the UAE were targeted by Business Email Compromise (BEC) attacks, up from 66 per cent the year before. While global reports of email fraud dropped, the UAE saw a 29 per cent rise in attack volume. One reason for this could be that attackers are now using AI to overcome the language and cultural barriers that may have previously held them back.
The truth is that the broader landscape of social engineering is evolving. In the past, cybercriminals had to choose between sending generic mass phishing emails or spending time crafting highly targeted messages. With automation and AI, that trade-off no longer exists. Today, attackers can launch complex, convincing attacks at scale, making the threat harder to contain and easier to miss.
The tools used by cybercriminals are also now more varied. With many businesses using collaboration platforms like Microsoft Teams, Slack, and WhatsApp alongside email, attackers are using multiple entry points. They may start with an email and follow up with a message through another channel. This multichannel approach increases the likelihood of success, especially when an employee lets their guard down outside their inbox. Proofpoint's research found that 84 per cent of CISOs in Saudi Arabia now see human error as their biggest cybersecurity risk, up from 48 per cent in 2023.
Another growing tactic is the use of benign conversations to build trust. Attackers start with a friendly or neutral message, perhaps asking for a quote or following up on a simple task, to see if the target will respond. Once that trust is established, they introduce a malicious link or request. These softer tactics are harder to detect because they do not look dangerous at first glance, but over time, they open the door to more serious breaches.
A proactive approach to cyber resilience is now non-negotiable
Despite the challenges, there is strong momentum in the region when it comes to building cyber resilience. Both the UAE and Saudi Arabia are making visible investments in cybersecurity, smart infrastructure, and public education campaigns. These efforts are part of a broader push to futureproof digital ecosystems while continuing to drive digital transformation.
To stay ahead of these threats, organisations will need to build more layered strategies. Security systems that use behavioral analytics, machine learning, and AI can help detect unusual communication patterns and flag potential threats early. Technology like sender authentication can also play a key role, blocking attacks that rely on identity spoofing or lookalike domains.
But technology alone is not enough. Employees must also be part of the solution. Ongoing training and awareness initiatives will be crucial to help people recognise emerging threats and stay alert - not just on email, but across all the tools they use to communicate.
As generative AI becomes more embedded in the threat landscape, it is clear that no region or language is off-limits. For the Middle East, this means moving beyond the assumption that linguistic or cultural nuances are enough to keep cyber threats at bay. A more proactive, people-focused approach will be essential to stay protected in an increasingly intelligent and personalised threat environment.
