Emirates NBD issues alert over WhatsApp Zero-Day voice call attack
Such breaches may give hackers access to photos, private chats and sensitive account data
Dubai: Banking customers in the UAE have been warned to be on high alert for a "zero-day" WhatsApp security breach that allows cybercriminals to compromise smartphones through a single voice call.
In an advisory issued by Emirates NBD, the UAE bank explained that the attack leverages an unidentified vulnerability, or "zero-day," to gain unauthorised access to devices. Unlike typical phishing scams, these attacks can be triggered by a single call from an unknown number—often requiring no interaction from the user to succeed.
Security officials have noted that the timing of the breach is particularly strategic, as the high volume of festive greetings and travel-related messages during the holiday season provides a natural cover for malicious activity.
What is a "Zero-Day" threat?
A zero-day vulnerability is a security flaw that is unknown to the software developer until an attack occurs. In this instance, hackers are using the WhatsApp call function as a gateway. According to the UAE Cybersecurity Council, such breaches can allow attackers to access personal photos, private conversations, and sensitive account data.
How to secure your device
Emirates NBD have outlined six essential steps to protect personal and financial data:
Update software immediately: Ensure both WhatsApp and your phone’s operating system (iOS or Android) are updated to the latest versions via official app stores. These updates often contain the "patches" needed to close security holes.
Enable two-step verification: Add an extra layer of security by setting up a mandatory PIN in WhatsApp settings. This prevents hackers from easily re-registering your account on another device.
Treat unknown calls with caution: Use the WhatsApp privacy setting to silence calls from unknown numbers.
Use official banking channels: Only conduct transactions through the bank’s verified app or website. Never share One-Time Passwords (OTPs), PINs, or login credentials.
Verify before clicking: Be wary of URLs with misspellings or extra characters (e.g., ".xyz" or ".kom" extensions). These are frequently used in "greeting scams" to install malware.
Report suspicious activity: If you suspect your account has been compromised, contact the bank immediately on 600 54 0000 or notify the relevant authorities.
Let's stay 'United Against Fraud'
The bank has reiterated that it will never request personal information, passwords, or authentication codes through messages or phone calls. "If something seems unusual, it possibly is," the advisory stated, urging residents to trust their instincts and remain "United Against Fraud."
Sign up for the Daily Briefing
Get the latest news and updates straight to your inbox
