A about a Dubai-based surgeon whose credit card was misused while she was in the operating room has opened the floodgates.

Since the article was published, dozens of UAE residents have come forward with similar stories: Credit cards used without consent, , and little to no help from their banks. Several say they were left not only footing the bill but also facing legal notices, mounting debt, and relentless recovery calls.

One teacher lost Dh35,000 while driving. A cybersecurity consultant was defrauded. A housewife was charged for transactions even after blocking her card. Many victims insist they never clicked suspicious links or shared personal information yet still found themselves defrauded.

‘I don’t know how my family will eat’

Daniel, a schoolteacher, was commuting from Abu Dhabi to Dubai on March 19 when his credit card was hacked. “My son was five days old. I had Dh500 left to my name, and I didn’t know how my family would eat in the next few days. I hadn’t shared anything or clicked any links, but my card kept getting charged,” he told Khaleej Times. “I had to request the bank to block it.”

Cybersecurity consultant Mohammad Asif Batkali said he was tricked by what looked like a routine grocery promotion on Facebook. “The fraudster used what looked like a government payment gateway to defraud me out of Dh18,230. Even after I reported it, the payment went through. The (bogus) site is still active.”

Another resident, Murali, said four back-to-back charges worth Dh41,320 were made through the same gateway on March 14 without a single OTP required. “The bank later claimed the payments were made via Apple Pay. But I never enabled that service.”

In another case, Jayesh Vanza, a technical head at a private firm, lost over Dh18,000 last month while his phone was unattended. “They told me to convert the charges into a 12-month installment plan. I refused. Then they closed the file and passed it to cybercrime.”

‘I’ve never registered for it’

The KT article that sparked this wave of complaints featured Dr Anita Singh (name changed), a Dubai-based surgeon whose credit card was used for 14 transactions worth over Dh120,000 while she was performing surgery. The card never left her possession.

“The bank flagged the second transaction but didn’t block the card or alert me,” she said.

“Later, they claimed the charges were made through Apple Pay. But I’ve never registered for it. Apple confirmed my card was never linked.”

She said she repeatedly tried to escalate the matter but heard nothing back until she posted about it on social media.

‘I was served a legal notice’

For many victims, the financial loss is just the beginning of a long and distressing ordeal.

Ayesha Naseem, a Dubai-based professional, said her credit card was used in Qatar, despite never having left the UAE. “The original amount was Dh15,597. With late fees, interest, and penalties, it’s now around Dh23,000. I’ve been served a legal notice.”

In another case, Indian expat Ajoy Joseph discovered that three credit cards had been fraudulently issued in his name using a forged Emirates ID photocopy, each card maxed out to Dh30,000. Dubai driver Abdul Kader said his bank account was emptied without any OTP or verification process.

“If frauds keep happening, something’s broken,” said one victim.

Cybersecurity experts agreed. “If cards can be charged without OTPs, if banks detect fraud but don’t act, and if recovery agents go after victims instead of fraudsters then who’s protecting the customer?” said Batkali, who works in tech and experienced a fraudulent transaction himself.

Another cybersecurity specialist added: “If our financial institutions are so confident in their anti-fraud systems, then how do you explain the sheer volume of successful attacks?”

The burden of proof, victims say, is often unfairly placed on the customer.

‘I never received any OTP’

M. Singh, a Dubai resident, said his credit card was used for an unauthorised transaction worth Dh17,980 while he was on his way to pick up his son from school. The bank told him the card had been added to Apple Pay a day earlier, something he said he never did. A second transaction worth Dh11,000 was also attempted and blocked.

“I never received any OTP, nor did I approve the transaction. But the bank told me it was done in a ‘secured environment’ and that I was liable,” he said. Despite filing an appeal and submitting a police report, he was told the same thing again or pay Dh500 to escalate the case further.

He said delays in receiving his credit card statement meant he couldn’t file a complete police report until nearly a month later. “I followed every process they asked. But I’m still left with the full amount on my card and no resolution.”

Binoy Abraham, who works for a local airline, shared a similar experience. He said Dh55,500 was wiped from his credit card within seconds while he was on a night shift earlier this year.

“I started getting SMS alerts one after the other. My wallet was with me, and the card was inside. The area is under CCTV. I didn’t touch my card,” he said.

Abraham said he immediately alerted the bank, but while he was still on the call, two more transactions went through. “They said the transactions would be reversed within 60 to 90 days and I’d get a credit note,” he recalled. “But after that, I hit a wall. My emails were ignored, and I eventually got an SMS saying the dispute was rejected because the payments were made via Apple Pay.”

But Abraham doesn’t use Apple devices. “I told them my phone is Android and registered with the bank. They can see it’s not linked to Apple Pay. I never received an OTP either. The bank insists I did but hasn’t shown any proof.”

Frustrated, he filed a police complaint to contest the charges. “My dues have ballooned and now I’m receiving legal notices,” he said. “But I’ve put my foot down. I won’t pay for something I didn’t authorise.”

‘We are committed to protecting customers’

Khaleej Times reached out to the banks named in the complaints. The institutions said they take fraud concerns seriously, and are committed to protecting customers by conducting thorough investigations in line with due diligence procedures.

Banks added they cannot comment on individual cases due to customer confidentiality. They encouraged customers to remain vigilant with their accounts.

Some of the victims were offered installment plans for fraudulent charges. Others were told to file police complaints.

Legal experts weigh in

Khalifa Abdulla Bin Huwaidan Al Ketbi, a prominent Emirati lawyer, said banks are bound by law to protect consumer data and offer proper redress. “In an era where data privacy is of paramount importance, the protection of consumer data is a significant focus within banking regulations,” he said.

“Banks are required to implement stringent measures to safeguard personal and financial information against unauthorised access, theft, and misuse. This includes the use of advanced encryption technologies, secure communication channels, and regular audits.”

Khalifa Abdulla Bin Huwaidan Al Ketbi

He added the Central Bank of the UAE has laid out clear grievance redressal mechanisms under Federal Law No. 14 of 2018 that says: “If a consumer is not satisfied with the resolution provided by the bank, they can escalate the matter to the Central Bank, which has the authority to investigate complaints, penalise violations, and even order compensation.”

‘There are stringent laws’

Lawyer Mahra Belobaida from Al Rayyami Advocates urged caution against sweeping claims that the system is broken. “There are stringent laws and regulations for all credit and debit card transactions in the UAE. Banks cannot authorise withdrawals or purchases without OTPs, CVVs, and secure PINs. Payment apps require multiple authentication steps, including biometrics.”

Mahra Belobaida

However, she clarified that in cases where a fraudulent transaction occurs without customer consent, the law provides full protection. “If fraud is committed without the customer's knowledge or approval, they have every right to approach the bank and seek recovery.”

She also emphasised the role of technology. “Banks and government agencies have the tools to trace the devices or networks used in a fraudulent transaction. Voice recognition, IP tracking, and digital footprints help identify offenders quickly.”

While she acknowledged that customer education remains key, she added: “If the customer has not given consent, they are legally entitled to a full recovery.”

According to a report released in February by the UAE Cyber Security Council and CPX (an IT managed services provider), the financial sector was the second-most targeted industry in the region, accounting for 21 per cent of cybersecurity incidents.

Dr Mohammed Al Kuwaiti, head of cybersecurity for the UAE Government, recently revealed that the country faces . These include phishing emails, ransomware attacks, denial-of-service attempts, and scanning operations — many targeting interconnected networks of government and financial institutions.

‘Banks must act aggressively’

Rayad Kamal Ayub, cybersecurity expert and managing director of UAE-based Rayyad Group, said banks must overhaul their approach to fraud detection to keep pace with evolving threats.

“To combat the sheer volume, variety, and ferocity of fraud attempts, banks need intelligent AI/ML (artificial intelligence/ machine learning)systems that are regularly updated to validate vendors and flag unusual activity across payment gateways,” he said.

He stressed the importance of a layered framework, including rapid integration of data across adverse media, sanctions, and ownership databases; machine learning models trained on financial and behavioral risk data to detect over 50 fraud types; dynamic thresholds and graph-based analysis to uncover hidden fraud networks; and built-in explainability for compliance teams to swiftly justify alerts to regulators.

“The gap between what scammers can do and what banks are doing to stop them is widening,” he warned. “Without proactive investment and intelligent monitoring, financial institutions will always be playing catch-up.”

“As digital fraud becomes more sophisticated, experts say institutions must evolve not just in terms of technology, but also in customer care, transparency, and accountability.”