
Eid Al Fitr and Eid Al Adha are among the most significant occasions in the UAE's cultural and religious calendar. They are also, consistently, among the most active periods for cybercriminal activity targeting UAE residents, employees, and organizations. The pattern is not coincidental.
Festive seasons create a perfect storm of conditions that sophisticated attackers actively exploit: heightened online spending, increased charitable giving, organizational skeleton crews during the holiday period, emotionally driven decision-making, and employees who are distracted, busy, and less likely to pause and verify before clicking. UAE organizations that fail to prepare their employees for Eid-specific cyber threats leave a significant and predictable vulnerability open every year.
Why Eid Creates Elevated Cyber Risk in the UAE
The UAE Cyber Security Council and the country's Computer Emergency Response Team (aeCERT) have repeatedly warned residents about seasonal spikes in cyber fraud around major holidays. Understanding the specific risk factors helps security teams design targeted training and controls.
Reduced staffing and oversight. Both Eid Al Fitr and Eid Al Adha are accompanied by multi-day public holidays in the UAE. Many organizations operate with skeleton crews during these periods, with senior staff unavailable and approval chains compressed or bypassed. This is precisely the scenario that business email compromise attackers target — the window when a finance manager might authorize an unusual payment without being able to reach their supervisor.
Surge in online transactions. UAE consumers dramatically increase their online shopping activity in the weeks surrounding Eid, purchasing gifts, clothing, food, and electronics. Counterfeit brand websites, fake delivery notifications, and fraudulent e-commerce platforms proliferate to intercept this payment traffic.
Increased charitable giving. Zakat Al Fitr during Eid Al Fitr and the tradition of charitable giving during Eid Al Adha create fertile ground for fake charity scams. Criminals create convincing fake donation platforms, WhatsApp charity appeals, and fraudulent links claiming to collect for humanitarian causes.
Travel and movement. Many UAE residents travel during Eid — both internationally and within the GCC. This increases exposure to rogue Wi-Fi networks, cross-border payment fraud, and travel-themed phishing.
Emotional and time pressure. The festive atmosphere, combined with last-minute preparations, creates conditions where people are less likely to slow down and verify before acting. Attackers use this urgency deliberately.
Common Eid-Specific Cyber Attack Types in the UAE
Fake e-commerce sites and counterfeit brand stores. In the weeks before Eid, attackers register domain names that closely mimic well-known UAE retailers, including Noon, Amazon.ae, Sharaf DG, and high-end fashion brands that see Eid gift purchasing spikes. These sites accept payment, deliver nothing, and harvest card details for onward fraud.
Eid greeting card phishing. Attackers send messages — via WhatsApp, SMS, or email — containing what appear to be digital Eid greeting cards. The links redirect to credential harvesting pages or malware download sites. These campaigns are particularly effective because recipients genuinely expect digital greetings from contacts during Eid.
Fake charity and Zakat appeals. Fraudulent charity appeals targeting UAE Muslims seeking to fulfill religious obligations during Eid have become increasingly sophisticated. These appeals appear via WhatsApp broadcasts, social media, and email — often using the names and visual branding of legitimate UAE charities and humanitarian organizations.
Gift card scams targeting businesses. The tradition of Eid gifting creates a vector for gift card fraud. Attackers impersonating senior executives or HR departments send internal emails requesting employees purchase gift cards for "Eid employee appreciation" with the promise of reimbursement.
Fake delivery notification attacks. The surge in Eid online shopping means employees receive large numbers of delivery notifications from Emirates Post, Aramex, DHL, and other carriers. Attackers inject fake delivery notifications into this flow, directing recipients to fake tracking pages that harvest credentials or install malware.
Travel booking fraud. Attackers create fake hotel booking sites and airline ticket platforms targeting UAE residents booking Eid travel. These sites mimic legitimate booking platforms and harvest both payment data and passport information.
WhatsApp Eid offer scams. "Eid special" offers circulate extensively on WhatsApp during the festive season — fake competitions, prize draws, exclusive discounts from major brands, and free gift promotions — all designed to harvest personal information or redirect to payment fraud pages. Smishing and messaging-app fraud follow patterns we cover in detail in our guide to vishing and smishing simulation training.
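For the lookalike retailer domains described under fake e-commerce sites above, a security team can screen newly observed domains (from proxy logs, mail gateways, or a registration feed) against the brands employees shop with. The sketch below is an added example, not part of the original article; the allowlist, the character-folding table, and the sample domains are assumptions constructed for illustration.

```python
import re

# Real domains of retailers the article names; the allowlist itself is an
# assumption and should be extended with your own brand and supplier domains.
BRANDS = {"noon": "noon.com", "amazon": "amazon.ae", "sharafdg": "sharafdg.com"}
# Fold common digit-for-letter swaps before comparing.
FOLD = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(domain: str):
    """Return (brand, reason) for a suspected lookalike, else None."""
    d = domain.lower().rstrip(".")
    legit = BRANDS.values()
    if any(d == good or d.endswith("." + good) for good in legit):
        return None  # the real site or one of its subdomains
    for label in d.split(".")[:-1]:          # every label except the TLD
        folded = label.translate(FOLD)
        candidates = set(re.split(r"[-_]", folded)) | {folded.replace("-", "")}
        for brand in BRANDS:
            for cand in candidates:
                if cand == brand:
                    return (brand, "brand name in a non-allowlisted domain")
                # Short names such as "noon" sit one edit from ordinary words,
                # so the near-miss check only applies to longer names.
                if len(brand) >= 6 and edit_distance(cand, brand) == 1:
                    return (brand, "one character away from brand name")
    return None

# Constructed sample of newly observed domains (.example is reserved).
SAMPLE = ["noon.com", "www.amazon.ae", "n00n-eid-sale.example",
          "amaz0n.ae.eid-gifts.example", "sharafdq.example",
          "sharaf-dg.example", "afternoon-tea.example"]

if __name__ == "__main__":
    for name in SAMPLE:
        print(f"{name:32} {classify(name)}")
```

Hits are leads for review or blocking, not verdicts: a legitimate domain missing from the allowlist will also be flagged.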
The Reduced-Staffing BEC Window: A Critical Organizational Risk
Business email compromise attacks timed to Eid holidays deserve specific attention from UAE security teams. The pattern is well established: attackers monitor an organization's communication patterns, identify when senior staff are on leave, and time fraudulent payment authorization requests to coincide with their absence. The financial scale of these attacks — captured in our BEC attack success rate benchmarks by industry — makes the Eid window one of the highest-risk periods of the year.
A typical Eid-timed BEC scenario works like this. An attacker who has previously compromised or spoofed a senior executive's email account — a tactic detailed in our CEO fraud and whaling attack prevention guide — sends a payment instruction to the finance team shortly before the holiday begins. The message explains that the CEO or CFO is traveling for Eid, has limited availability, and needs an urgent payment processed before the holiday. The recipient, knowing that senior staff are indeed unavailable and feeling pressure to accommodate a pre-holiday request, processes the payment without the usual verification steps.
Organizations should implement specific controls around this window:
- Mandatory dual authorization for all payments above threshold, regardless of requester seniority
- Pre-Eid communication to finance teams explicitly warning about BEC timing attacks
- Emergency contact protocols that work even when staff are on holiday
- Payment holds on any new payee or changed banking details submitted within 5 business days of the Eid holiday period
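The dual-authorization and payee-hold controls above can be enforced as a release check in the payment workflow rather than left to judgment under pressure. The sketch below is an added example, not code from the original article; the threshold amount, the Saturday-Sunday weekend, the rule that approvals must come from two people other than the requester, the reading of "within 5 business days" as five business days either side of the holiday, and the dates are all assumptions.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Assumed values for illustration; take the real ones from your finance policy.
DUAL_AUTH_THRESHOLD_AED = 50_000   # hypothetical "threshold" from the first control
HOLD_BUSINESS_DAYS = 5             # from the payee-hold control
WEEKEND = {5, 6}                   # Saturday, Sunday (Python weekday numbers)

@dataclass
class Payment:
    amount_aed: float
    requester: str
    approvers: set = field(default_factory=set)
    payee_changed_on: Optional[date] = None  # payee created or bank details changed

def shift_business_days(day: date, n: int) -> date:
    """Move n business days forward (n > 0) or back (n < 0), skipping weekends."""
    step = 1 if n > 0 else -1
    for _ in range(abs(n)):
        day += timedelta(days=step)
        while day.weekday() in WEEKEND:
            day += timedelta(days=step)
    return day

def hold_window(holiday_start: date, holiday_end: date):
    """Hold runs from 5 business days before the holiday to 5 after it."""
    return (shift_business_days(holiday_start, -HOLD_BUSINESS_DAYS),
            shift_business_days(holiday_end, HOLD_BUSINESS_DAYS))

def release_blockers(p: Payment, holiday_start: date, holiday_end: date) -> list:
    """Return the reasons a payment must not be released; empty list means release."""
    blockers = []
    # The requester's own approval never counts, whatever their seniority.
    independent = p.approvers - {p.requester}
    if p.amount_aed > DUAL_AUTH_THRESHOLD_AED and len(independent) < 2:
        blockers.append("needs two approvers other than the requester")
    start, end = hold_window(holiday_start, holiday_end)
    if p.payee_changed_on and start <= p.payee_changed_on <= end:
        blockers.append("payee new or changed inside the Eid hold window")
    return blockers

if __name__ == "__main__":
    # Constructed dates, not a real Eid calendar.
    rushed = Payment(200_000, "cfo", {"cfo", "finance.manager"}, date(2024, 1, 8))
    print(release_blockers(rushed, date(2024, 1, 10), date(2024, 1, 12)))
```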
Building Eid-Specific Security Awareness Training
General security awareness training is necessary but not sufficient. Employees need training that is timely — delivered 2 to 3 weeks before Eid — and contextually specific to the festive season threats they will actually encounter.
Timing matters. Security awareness communications about Eid threats should go out before the rush of pre-Eid activity begins. By the time the holiday is a week away, employees are already distracted. Training delivered three weeks before Eid, when employees are still in their normal work rhythm, is significantly more effective. For broader guidance on cadence, see our analysis of how often to run phishing simulations.
Use culturally resonant examples. Security awareness content that references actual UAE brands, actual UAE charity names, and actual scenarios that match the UAE Eid experience will be absorbed more effectively than generic phishing examples. Employees recognize themselves and their colleagues in scenarios that reflect their real environment.
Address WhatsApp explicitly. Generic email phishing training does not prepare UAE employees for WhatsApp-delivered Eid scams. Training must explicitly address the messaging platforms that UAE residents actually use to communicate during the festive season.
Include personal as well as professional scenarios. Eid scams target employees both in their professional capacity and as private individuals. Training that acknowledges this — that employees' families may receive fake charity appeals or that they personally may encounter counterfeit Eid shopping sites — builds broader vigilance that benefits the organization.
Practical Guidance for Employees: Before, During, and After Eid
Before Eid:
- Verify all charity donation links through official UAE charity websites before donating — check with the Community Development Authority (CDA) for registered charities
- Set up pre-departure security measures if traveling — enable two-factor authentication, download authenticator apps, and ensure you have backup access to critical accounts without relying on UAE SIM cards
- Complete any sensitive work tasks before leaving rather than handling them remotely on holiday
During Eid:
- Treat any urgent payment requests received during the holiday with heightened skepticism — verify by calling the requester on a known number, not replying to the message
- Avoid conducting financial transactions on public Wi-Fi at hotels, airports, or malls
- Do not click on links in Eid greeting messages from unknown or unexpected senders
After Eid:
- Review account statements for any unauthorized transactions that occurred during the holiday period
- Check whether any automated systems or email forwarding rules were modified during the period you were away
- Report any suspicious messages received during Eid to your IT security team — even if you didn't click
SOC Coverage and Incident Response During Eid
Security teams must plan for reduced SOC staffing during Eid holidays while maintaining adequate monitoring coverage. Key considerations include:
Pre-holiday configuration reviews. Ensure SIEM alert thresholds are calibrated for the reduced staffing period. Consider temporarily lowering thresholds for high-value transaction monitoring and privileged access activity.
On-call escalation clarity. Ensure all SOC staff and IT teams know exactly who to contact during the holiday for different categories of incident, with clear escalation paths that account for who is on leave.
Extended detection windows. Attackers know that response times are slower during holiday periods. Ensure logging retention is sufficient to support retrospective investigation of activity that occurs during Eid.
Employee reporting channels remain active. If employees are suspicious of something during the holiday, they should know how to report it. Ensure that phishing report mailboxes and security hotlines are monitored during the Eid period.
Key Takeaways
Eid is a predictable window of elevated cyber risk in the UAE, and predictable risk is manageable risk. Organizations that build Eid-specific security awareness training into their annual calendar — delivered before each festive season, updated with current threat scenarios, and tailored to UAE-specific brands and channels — will significantly reduce their exposure during this consistently exploited period.
The cost of prevention is a fraction of the cost of a successful BEC payment diversion or data breach timed to a holiday period when your defenses are at their lowest. Make Eid preparation a standing item in your security awareness calendar.