C-Suite Impersonation in the Gulf How Threat Actors Are Targeting UAE & Saudi Executives in 2026
C-Suite Impersonation in the Gulf: How Threat Actors Are Targeting UAE & Saudi Executives in 2026
When a senior executive at a Dubai-based energy conglomerate receives a WhatsApp message that appears to come directly from their CEO – complete with the right profile photo, a familiar tone, and an urgent wire transfer request – this type of CEO fraud is becoming one of the most effective forms of financial cybercrime targeting Gulf organizations. 🚨
According to Cyble’s Middle East & Africa Threat Landscape Report: Q1 2026, executive impersonation has emerged as one of the most targeted and financially damaging attack vectors facing organizations in the UAE, Saudi Arabia, and Qatar in 2026. Gulf executives sit at a uniquely lucrative intersection for threat actors: energy wealth, cross-border financial authority, and high political exposure. The UAE and Saudi Arabia’s sovereign wealth funds – ADIA, Mubadala, PIF – operate across dozens of markets, and the executives overseeing them routinely authorize large international transactions while maintaining visible digital footprints on platforms like LinkedIn. This visibility draws both financially motivated attackers and state-sponsored actors.
For organizations operating in Saudi Arabia’s financial sector, the Saudi Arabian Monetary Authority (SAMA) Cybersecurity Framework sets direct expectations around executive-level risk. The framework mandates that organizations implement identity and access management controls, establish threat intelligence programs, and maintain incident detection and reporting capabilities – including those that address impersonation risks at the leadership level. 📊
Failure to meet these requirements carries regulatory consequences, but more immediately, it leaves financial institutions open to the kind of Business Email Compromise (BEC) CEO fraud, whaling attacks, and executive fraud schemes that have cost Gulf organizations tens of millions of dollars in recent years.
Attack Methods
Attack methods specific to this region include LinkedIn Impersonation, where attackers clone executive profiles on LinkedIn – photos, job history, connections – to approach employees or vendors with fraudulent requests, exploiting the platform’s trusted reputation to bypass skepticism. WhatsApp CEO Fraud is also used; because WhatsApp doubles as a primary business channel across the Gulf, attackers clone or hijack executive accounts to send urgent, convincing requests to finance and HR staff with little reason to question them.
Threat actors also engage in Fake Domain Creation, registering lookalike domains to spoof corporate email and portal infrastructure. Additionally, Deepfake Fraud involves threat actors experimenting with AI-generated voice and video content to impersonate senior executives during financial approval workflows.
Real Threats
The threat is not theoretical. Several high-profile incidents have put Gulf organizations on alert in recent years. In Qatar, a state-linked organization was targeted in 2022 as part of a broader campaign attributed to Iranian-nexus threat actors. In Saudi Arabia, threat actors linked to the Lazarus Group have been documented targeting financial institutions and energy sector executives through spear-phishing lures tailored to the Saudi business context.
Most executive impersonation attacks succeed not because defenses fail at the moment of attack, but because organizations have no visibility into the reconnaissance phase that precedes it. By the time a fraudulent LinkedIn profile is being used to approach employees, or a lookalike domain is sending phishing emails, the attacker has already completed weeks or months of preparation.