Emile Abou Saleh, Regional Director, MEA at Proofpoint, says AI-powered tools like Lovable are enabling cybercriminals to scale phishing attacks to new heights. He urges Middle East enterprises to adopt a human-centric security approach to mitigate these evolving risks.
How is the emergence of AI-powered website builders like Lovable changing the threat landscape in the Middle East compared to traditional phishing methods?
Our latest research shows that AI-powered website builders are drastically lowering the barrier for cybercriminals to launch phishing, fraud, and malware campaigns. These tools allow threat actors to scale more quickly and convincingly than ever before.
Historically, it would take time and knowledge about website development to create believable landing pages. While it has always been possible to clone the HTML and CSS of existing websites, typically creating something new to either impersonate a known brand or masquerade as a legitimate business took time and effort from the adversary. With automatic web creation tools, threat actors can spend more time on the attack chain and tooling capabilities and incorporate AI-generated social engineering into their toolkit.
Cybercriminals have used Lovable to target MFA tokens, cryptocurrency wallets, and HR/email communications. Which attack vectors are most concerning for Middle Eastern enterprises?
For Middle Eastern enterprises, the most concerning attack vectors are those targeting MFA tokens and HR/email communications. Attacks on MFA tokens are particularly dangerous because they bypass a critical layer of security, allowing criminals to gain access to corporate networks and data.
Similarly, phishing campaigns impersonating HR departments are a significant threat, as they leverage internal trust to trick employees into revealing sensitive information or downloading malware, which can lead to widespread data breaches. HR-related email scams are a common tactic within Business Email Compromise (BEC) and phishing attacks, which often leverage tactics like display name spoofing, lookalike domains, and malicious attachments to trick recipients into sending money, submitting personal data, or clicking harmful links.
Many AI tools lower the barrier to entry for attackers. What proactive steps can Middle Eastern businesses take to mitigate the risks of AI-generated phishing attacks?
Middle Eastern businesses can proactively mitigate the risks by focusing on a human-centric security approach. This involves a combination of technology and training.
They can do this by investing in advanced email security solutions that can detect and block malicious URLs in real time and by implementing robust security awareness training for all employees, teaching them how to recognize sophisticated phishing attempts, including those with realistic design elements. They should also consider enforcing allow-listing policies to control access to frequently abused platforms and consider using multi-layered authentication for all critical systems. These steps empower employees and leverage technology to create a strong defense against AI-driven social engineering.
Given the rapid rise of AI-enabled attacks, what role should governments and regulators in the Middle East play in mandating safeguards or responsible AI usage?
Governments and regulators in the Middle East should play a proactive role in mandating safeguards for AI tools to prevent their malicious use. They should work with AI developers to enforce security standards, requiring platforms to implement guardrails that prevent the generation of fraudulent content and the cloning of websites. Regulations could also require companies to build in accountability mechanisms to trace the origin of malicious content. By creating clear legal and ethical frameworks, regulators can hold AI providers accountable for the misuse of their platforms, ensuring that these powerful tools are developed and deployed responsibly, thereby protecting both citizens and businesses from emerging threats.
Beyond website builders like Lovable, which emerging AI technologies or platforms do you see as potential vectors for large-scale fraud and social engineering attacks in the near future?
As generative AI tools become more accessible, language and culture are no longer the deterrents they once were for cybercriminals. Threat actors are now able to create personalized phishing and impersonation scams in multiple languages, including Arabic.
A recent study revealed that this shift is already being felt in the region. 85% of organizations in the UAE were targeted by Business Email Compromise (BEC) attacks last year, up from 66% the year before. While global reports of email fraud dropped, the UAE saw a 29% rise in attack volume. One reason for this could be that attackers are now utilising AI to overcome the language and cultural barriers that may have previously hindered them.
How can organizations leverage Proofpoint’s intelligence to detect and block malicious AI-generated websites before they compromise credentials or sensitive data?
While AI-generated websites have lowered the bar for cybercriminals to create believable websites, it doesn’t change how threats get detected. We protect against malicious URLs regardless of whether they’re created using GenAI or not. We do this in a number of ways. Our Core Email Protection solution leverages threat intelligence and sandboxing to detect malicious URLs delivered via email. It also rewrites URLs in messages to provide click-time protection for URLs that are poisoned after delivery. If the URL is shared through other collaboration and messaging channels (e.g., Teams, Slack, WhatsApp), Collab Protection provides real-time URL reputation inspection and blocks malicious URLs in real time.
Are organizations in the Middle East seeing similar spikes, and which sectors are most at risk?
While formal “spike” numbers for the Middle East aren’t detailed, recent Proofpoint research highlights that security leaders across the region are facing heightened risks and are actively investing in AI-powered defenses. In the UAE, a staggering 77% of CISOs reported that their organization experienced a material data loss in the past year (up from 45% in 2024), and 58% are exploring AI-powered defenses. In Saudi Arabia, 61% experienced a material data loss in the past year (up from 31% in 2024) and 61% are investing in AI-led defenses.