Threat Intelligence · Phishing · Social Engineering
Quick Answer
The four most prevalent phishing attack types targeting Saudi employees are: fake Absher / government portal credential harvesting, Business Email Compromise (BEC) targeting finance teams with fraudulent wire transfer requests, GOSI / HRDF smishing stealing banking details via SMS, and AI voice cloning (vishing) using synthetic executive voices.
All four rely on urgency, authority impersonation, and Saudi-specific context to bypass employee skepticism. The single most effective defense is a culture of verification — always confirm out-of-process requests through a known, independent channel.
Phishing remains the most common initial access vector for cyberattacks in Saudi Arabia. Threat actors have moved well beyond generic "reset your password" emails — today's campaigns are Arabic-language, deeply contextual, and Saudi-specific, referencing real government portals, legitimate business events, and local compliance deadlines.
The following attack patterns are based on campaign activity observed across the Saudi private and public sector. Specific names and organizations are anonymized, but the techniques are real and active.
⚠ Spear Phishing · Government Portal Impersonation
Employees receive an email in Arabic claiming their Absher account has been flagged for unusual activity and must be verified within 48 hours. The link leads to a pixel-perfect clone of the Absher login page hosted on a domain such as absher-verify[.]sa or absher-secure[.]net. Harvested credentials are used to access government services and enable corporate account takeover.
🚩 Red flags: Non-.gov.sa domain, artificial urgency, generic salutation, no official reference number
⚠ Business Email Compromise (BEC) · Finance Targeting
An email appearing to come from the CEO's personal Gmail or a spoofed corporate domain asks the finance team to process an urgent, confidential wire transfer — often timed to coincide with real M&A activity, Ramadan, or end-of-quarter periods. The attacker has researched the company via LinkedIn and public announcements to craft a convincing, contextually plausible message. BEC fraud costs Saudi organizations hundreds of millions of riyals annually.
🚩 Red flags: Personal email for internal corporate requests, demands for secrecy, bypassing normal approval channels, unusual payment destination
⚠ Smishing · HR & Payroll Impersonation
SMS messages claiming to be from GOSI, HRDF, or the Ministry of Human Resources instruct employees to update banking details or lose their social insurance benefits. The link leads to a spoofed portal designed to collect national ID numbers, IBAN details, and passwords. Campaigns spike during salary cycles, Eid periods, and benefit renewal deadlines — when employees are most likely to act quickly.
🚩 Red flags: SMS from unknown short code or mobile number, link to non-official domain, requests for IBAN or national ID via mobile link
⚠ Vishing · AI Voice Synthesis
Attackers scrape audio from public interviews, investor calls, or YouTube videos and use AI voice synthesis tools to clone an executive's voice. The synthetic voice calls an employee directly, instructing them to share a one-time password, purchase gift cards, or disable a security control. This technique is increasingly accessible, difficult to detect aurally, and growing in Saudi Arabia's executive-heavy corporate culture.
🚩 Red flags: Unexpected call requesting out-of-process actions, refusal to use official channels, subtle robotic pauses, urgency preventing callback
Saudi Aramco <noreply@aramco-verify[.]com> is not Saudi Aramco. Display names are trivial to spoof.
⚠ Critical Reminder for Saudi Employees
Absher, GOSI, HRDF, and all Saudi government services will never ask you to verify credentials or update banking details via an email or SMS link. When in doubt, open a new browser window and navigate directly to the official portal at its known .gov.sa address.
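The display-name and non-official-domain red flags above can be checked mechanically at the mail gateway or in a report-phishing triage script. The following is an added example, not code from the original page: the `OFFICIAL` allowlist, the `FREE_MAIL` set and all function names are assumptions, and the government entries simply encode the page's ".gov.sa" rule, so confirm each value against the organisation's published domains before use.

```python
import re
from email.utils import parseaddr

# Assumption: brand keyword -> domain suffixes that brand legitimately uses.
# Government entries follow the page's ".gov.sa" rule; confirm every value
# against the organisation's published domains before relying on it.
OFFICIAL = {
    "absher": {"gov.sa"},
    "gosi": {"gov.sa"},
    "hrdf": {"gov.sa"},
    "aramco": {"aramco.com"},
}
FREE_MAIL = {"gmail.com"}  # the page cites personal Gmail as a BEC red flag

def refang(text):
    """Undo the [.] defanging used in reports so values can be parsed."""
    return text.replace("[.]", ".")

def under(host, suffix):
    """True only on a label boundary: 'x.gov.sa' yes, 'absher-verify.sa' no."""
    return host == suffix or host.endswith("." + suffix)

def brand_flags(text, host):
    """Flag brands named in `text` whose official suffixes do not cover `host`."""
    return [f"{brand}: {host} is not an official domain"
            for brand, suffixes in OFFICIAL.items()
            if brand in text.lower() and not any(under(host, s) for s in suffixes)]

def check_sender(from_header):
    """Compare what the display name claims with the real address domain."""
    name, addr = parseaddr(refang(from_header))
    host = addr.rpartition("@")[2].lower()
    flags = brand_flags(name + " " + host, host)
    if host in FREE_MAIL:
        flags.append(f"free webmail sender: {host}")
    return flags

def check_links(body):
    """Check each URL host in a message body against the brand allowlist."""
    flags = []
    for host in re.findall(r"https?://([^/\s:]+)", refang(body)):
        flags += brand_flags(host, host.lower())
    return flags

# Constructed inputs built from the defanged indicators quoted on this page.
if __name__ == "__main__":
    print(check_sender("Saudi Aramco <noreply@aramco-verify[.]com>"))
    print(check_links("Verify at https://absher-verify[.]sa/login today"))
```

Matching on a label boundary rather than a plain substring is what catches hosts that merely contain an official-looking string, such as a brand name followed by a hyphen or an official suffix used as a subdomain of an unrelated domain.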
A layered technical and human defense is the only reliable protection against phishing campaigns:
GHS runs Arabic-language phishing simulations using Saudi-specific lures — government portal spoofs, BEC scenarios, and GOSI smishing — to benchmark and improve your human firewall.