Financial Phishing in the Middle East Has Shifted — E-Commerce Is Now the Primary Target
Kaspersky's 2025 Financial Threat Report reveals 85.8% of Middle East financial phishing now targets e-commerce platforms — as infostealer detections in the region surged 26% year-on-year.

Cybercriminal targeting online shoppers through fake e-commerce phishing platforms in the Middle East, illustrated by data streams and a glowing mobile screen
Financial Phishing in the Middle East Has Shifted — E-Commerce Is Now the Primary Target
The profile of financial cybercrime in the Middle East is changing. According to Kaspersky's 2025 Financial Threat Report, the dominant target for phishing attacks in the region is no longer the bank login page — it's the online shopping cart. An overwhelming 85.8 per cent of financial phishing activity across the Middle East is now concentrated on fake e-commerce platforms, a figure that significantly outpaces the global average and signals a deliberate strategic shift by cybercriminal networks.
For enterprise security teams, fraud prevention leads, and CISOs operating across GCC markets, this data demands a recalibration of where financial fraud risk is being managed — and where defences may have gaps.
From Banking Malware to Shopping Scams
Globally, phishing pages mimicking online stores accounted for 48.5 per cent of all financial phishing attacks in 2025, an increase of 10.3 percentage points from the prior year. Meanwhile, phishing pages impersonating banks fell to just 26.1 per cent of global cases — a clear inversion of the traditional threat model that most financial crime controls were built to address.
The message is unambiguous: attackers are following the money, and the money is increasingly moving through e-commerce and digital payment channels rather than traditional banking portals. In the GCC, where e-commerce adoption has accelerated sharply over the past three years — driven by high smartphone penetration, government-backed digital economy initiatives, and post-pandemic shifts in consumer behaviour — this trend is particularly acute.
The UAE market exemplifies the exposure. With one of the highest e-commerce penetration rates in the region and a rapidly maturing digital payments ecosystem, UAE consumers and the platforms serving them represent a concentrated and high-value target for credential harvesting operations.
The Infostealer Surge: A 26% Rise in the Middle East
Alongside the phishing shift, Kaspersky's report documents a significant escalation in infostealer malware — malicious software engineered to harvest passwords, banking credentials, payment card data, and cryptocurrency wallet information from infected devices.
Globally, infostealer detections rose by 59 per cent between 2024 and 2025. In the Middle East specifically, that figure stands at 26 per cent — still a substantial year-on-year increase that reflects a region increasingly within scope for credential-focused threat actors.
The scale of downstream impact is considerable. Kaspersky's Digital Footprint Intelligence unit identified that more than one million online banking accounts from the world's 100 largest banks were compromised by infostealers in 2025. Critically, 74 per cent of compromised payment cards identified on underground platforms as of March 2026 were still valid — meaning that stolen data harvested months earlier continues to represent active fraud risk.
This extended validity window is a defining characteristic of infostealer-driven fraud: the attack and the financial crime it enables are often separated by significant time, making attribution and incident response considerably more complex.
The Dark Web as a Self-Sustaining Fraud Ecosystem
A key insight from the Kaspersky report is how the dark web has matured into a structured financial crime marketplace — one that lowers the barrier to entry for less sophisticated threat actors while scaling the reach of established criminal operations.
Stolen credentials and payment card data harvested by infostealers are aggregated, categorised, and sold on underground platforms alongside ready-to-use phishing kits targeting users of specific financial products and regional e-commerce platforms. This infrastructure means that fraud-as-a-service is now accessible to actors with minimal technical capability — provided they have access to the right marketplaces.
For enterprise fraud and security teams, this has a direct operational implication: compromised credentials may enter circulation and be exploited by multiple actors across different timeframes, long after the original breach. Continuous monitoring of dark web exposure for organisational and customer credentials is no longer optional for financial institutions operating at scale in the GCC.
Mobile: The Rising Attack Surface
As Gulf consumers increasingly manage their finances through mobile devices, the threat landscape is adapting in parallel. Mobile banking malware attacks rose by 1.5 times in 2025, even as traditional PC-based financial malware continued its multi-year decline.
This shift requires enterprise security strategies to extend beyond endpoint and network perimeters to encompass mobile application security, device posture assessment, and the integrity of the mobile payment stack — particularly as GCC governments and financial regulators accelerate the rollout of national digital payment infrastructure.
GCC financial institutions and retailers building out their digital channels should be evaluating their exposure against this evolving mobile threat profile as a core component of their security architecture reviews.
What GCC Security Teams Should Be Doing Now
The Kaspersky findings reinforce several priorities for enterprise security and fraud prevention functions across the region:
Expand phishing monitoring beyond banking. If threat intelligence feeds and phishing detection tools are calibrated primarily around bank impersonation, they are now misaligned with where the volume of attacks is concentrated. E-commerce brand monitoring and fake storefront detection should be integrated into digital risk protection programmes.
Treat infostealer exposure as an ongoing risk, not a one-time event. Credential compromise via infostealer may not surface immediately. Organisations should implement continuous dark web monitoring for employee and customer credentials, and build response workflows that account for delayed exploitation patterns.
Reassess mobile threat models. As mobile banking malware grows, mobile application security testing, runtime application self-protection (RASP), and mobile fraud analytics warrant higher prioritisation in 2026 security roadmaps.
Omar Al-Hakeem
Senior Cyber Threat Analyst | MENA RegionOmar Al-Hakeem is a cybersecurity researcher specializing in threat intelligence, ransomware trends, and nation-state activity across the Middle East and North Africa. With over 12 years of experience in SOC operations and incident response, he provides deep technical breakdowns of emerging attacks and regional cyber risks. At MENA Cyber Wire, Omar focuses on real-world threat analysis and actionable defense strategies for enterprises and startups.