Inzamam Nizam
Jul 03, 2026
Executive impersonation, commonly referred to as CEO fraud, executive impersonation attack, or Business Email Compromise (BEC), has emerged as one of the fastest-growing cybercrime threats facing Gulf organisations. The pattern typically begins with a message that appears to come directly from a senior leader, often via WhatsApp, complete with a familiar profile photo and tone, requesting an urgent wire transfer or sensitive action from finance or HR staff.
This is no longer an isolated tactic. Across the UAE, Saudi Arabia, and Qatar, threat actors are combining social engineering with increasingly sophisticated technical methods to exploit the visibility and financial authority that come with senior executive roles in the region.
Gulf executives occupy a uniquely lucrative position for threat actors, sitting at the intersection of energy wealth, cross-border financial authority, and high political exposure. Sovereign wealth funds such as ADIA, Mubadala, and PIF operate across dozens of international markets, and the executives overseeing them routinely authorise large transactions while maintaining a visible public presence on platforms like LinkedIn.
This visibility attracts both financially motivated criminals and state-sponsored actors. Senior figures at government-linked entities and national oil companies are frequently targeted for espionage as much as fraud, illustrated by attempts to harvest executive credentials at Saudi Aramco using spear-phishing emails designed to closely mimic internal communications.
LinkedIn Impersonation: Attackers clone executive profiles, including photos, job history, and professional connections, to approach employees or vendors with fraudulent requests. The platform's trusted reputation makes it easier to bypass natural scepticism.
WhatsApp CEO Fraud: Because WhatsApp functions as a primary business communication channel across the Gulf, attackers clone or hijack executive accounts to send urgent, convincing requests to finance and HR teams who have little reason to question them.
Fake Domain Creation: Threat actors register lookalike domains using tweaked letters, swapped top-level domains, and added hyphens to spoof corporate email and portal infrastructure. Cyble tracked dozens of such domains targeting UAE and Saudi entities in 2025 alone, several timed deliberately to coincide with public company announcements.
Deepfake Fraud: Threat actors are increasingly experimenting with AI-generated voice and video content to impersonate senior executives during live financial approval workflows, adding a new layer of realism to traditional impersonation tactics.
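A defender-side check for the three lookalike patterns named under Fake Domain Creation (tweaked letters, swapped top-level domains, added hyphens), as an added example that is not part of the original article. The protected domain, the feed entries on reserved `.example`/`.test` TLDs, and the small substitution table are constructed assumptions.

```python
"""Flag lookalike domains: tweaked letters, swapped TLDs, added hyphens."""

# Visual substitutions folded to one form (assumed, deliberately small set).
_FOLD = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

def _skeleton(label: str) -> str:
    return label.translate(_FOLD).replace("rn", "m").replace("vv", "w")

def _edit_distance(a: str, b: str) -> int:
    # Levenshtein distance, computed one row at a time.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def _near(form: str, brand: str) -> bool:
    if _skeleton(form) == _skeleton(brand):
        return True
    # One-character edits only count for longer brands, to limit false positives.
    return len(brand) >= 5 and _edit_distance(form, brand) <= 1

def classify(candidate: str, protected: str) -> list[str]:
    """Return the lookalike techniques `candidate` uses against `protected`."""
    # Assumes registrable "label.tld" names and a hyphen-free protected label;
    # a production feed would split names with the Public Suffix List.
    c_label, _, c_tld = candidate.lower().rstrip(".").partition(".")
    p_label, _, p_tld = protected.lower().rstrip(".").partition(".")
    tokens = c_label.split("-")
    forms = set(tokens) | {"".join(tokens)}  # brand as one token or de-hyphenated
    exact = p_label in forms
    tweaked = not exact and any(_near(f, p_label) for f in forms)
    if not (exact or tweaked):
        return []
    reasons = ["tweaked-letters"] if tweaked else []
    if "-" in c_label:
        reasons.append("added-hyphen")
    if c_tld != p_tld:
        reasons.append("swapped-tld")
    return reasons

# Constructed feed of "newly observed" names on reserved TLDs; not real data.
PROTECTED = "gulfenergy.example"
FEED = ["gu1fenergy.example", "gulfenergy.test", "gulf-energy.example",
        "gulfenergy-payments.test", "gulfenerqy.test", "unrelated.example"]

def scan(feed: list[str], protected: str) -> dict[str, list[str]]:
    return {d: r for d in feed if (r := classify(d, protected))}
```

Calling `scan(FEED, PROTECTED)` returns only the names that match at least one pattern, each with the reasons it was flagged, which is the form an alerting rule or takedown queue needs.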
For organisations operating within Saudi Arabia's financial sector, the Saudi Arabian Monetary Authority (SAMA) Cybersecurity Framework sets clear expectations around executive-level risk. The framework requires organisations to implement identity and access management controls, establish threat intelligence programmes, and maintain incident detection and reporting capabilities that specifically address impersonation risks at the leadership level.
SAMA's controls require organisations to assess and manage risks associated with social engineering and targeted attacks against key personnel. This includes monitoring for unauthorised use of executive identities, maintaining awareness of digital exposure, and having documented response procedures in place when impersonation attempts are detected or confirmed.
Failure to meet these requirements carries regulatory consequences. More immediately, it leaves financial institutions exposed to the kind of BEC, whaling, and executive fraud schemes that have already cost Gulf organisations tens of millions of dollars in recent years.
The threat is not theoretical. Several high-profile incidents have put Gulf organisations on alert in recent years.
In Qatar, a state-linked organisation was targeted in 2022 as part of a broader campaign attributed to Iranian-nexus threat actors, with spear-phishing attempts specifically designed to harvest credentials from senior personnel. The incident underscored the political dimension of executive targeting in the region.
In Saudi Arabia, threat actors linked to the Lazarus Group, a North Korean state-sponsored actor, have been documented targeting financial institutions and energy sector executives through spear-phishing lures tailored to the Saudi business context, including fake recruitment offers and investment communications.
In the UAE, a 2023 incident involving a Dubai-based financial services firm saw attackers combine LinkedIn reconnaissance with WhatsApp impersonation in an attempted multi-stage BEC fraud.
Executive impersonation cannot be solved with technology alone. Organisations across the Gulf should verify high-value transaction requests through a secondary channel, restrict the amount of executive personal detail shared publicly, monitor for cloned profiles and lookalike domains, and train finance and HR staff to recognise urgency-based social engineering tactics. Documented, tested response procedures for confirmed impersonation attempts are essential, not optional, under frameworks like SAMA's. Organisations should also promote cybersecurity courses to train employees.
"This isn't a technology problem, it's a trust problem. Attackers aren't breaking into systems, they're impersonating the people those systems are built to trust. That shift is exactly what security awareness training and identity verification protocols are designed to close."
- Inzamam Nizam, Cyber Security & Security Engineer, Edoxi Training Institute
"The recent warning from the UAE Cyber Security Council that more than 60% of financial attacks begin with stolen login credentials should concern every boardroom in the country. Artificial intelligence has made credential theft easier than ever, allowing criminals to generate tailored, convincing messages that mimic the tone of senior executives in flawless English or Arabic."
- Danny Jenkins, Co-Founder and CEO, ThreatLocker
The techniques behind executive impersonation are not new, but their application across the Gulf's high-value financial and energy sectors has raised both the frequency and the cost of these attacks. Organisations increasingly need professionals who understand social engineering, identity verification, and regional threat intelligence, not just technical controls.
Edoxi's CEH Course covers the social engineering and reconnaissance techniques used in profile cloning and spear-phishing campaigns. The CISSP Course addresses the identity and access management principles central to SAMA's framework requirements.
The CND Course focuses on the network and communication security controls needed to detect spoofed domains and compromised channels. The CSA Course develops the SOC monitoring capabilities required to identify impersonation attempts as they happen. Professionals looking for a suitable starting point can browse the full range of cybersecurity courses.
Cyber Security & Security Engineer
Inzamam Nizam is a Cyber Security & Security Engineer with over six years of experience in offensive cybersecurity, vulnerability research, and application security. His expertise includes mobile (iOS/Android), web, and network penetration testing, secure code review, red teaming, exploit development, and secure architecture assessments. Recognised in the SynAck Hall of Fame for discovering critical security vulnerabilities, he is passionate about helping organisations strengthen their security posture through practical, research-driven approaches. Throughout his career, Inzamam has led security assessments, adversary emulation exercises, and secure development initiatives across diverse industries, including banking and enterprise environments. He has contributed to innovative cybersecurity projects such as SPELL-BOUND, an open-source adversary emulation framework, GHOSTWARE AI, an AI-powered security assessment platform, and KAEDAE, a behaviour-based keylogger detection solution. Through his writing, he shares practical insights, emerging attack techniques, and defensive strategies to help security professionals stay ahead of the evolving threat landscape.