Threat Intelligence Report · May–July 2026

UAE & India Scam
Threat Landscape

Real scams detected and reported by ScamCheck AI users across the GCC and South Asia.

70 Scams Detected
92.8% Avg Risk Score
94% High Risk
10 Brands Impersonated

Scams by the numbers

49
Message Scams
SMS, WhatsApp, iMessage
8
Phishing Emails
Fake IDs, spoofed senders
6
Scam Phone Calls
Reported by community
4
Malicious URLs
Scanned before clicking
3
APK Malware
Fake govt apps via WhatsApp

Most impersonated brands

Parkin
17
Salik / RTA
7
Dubai Customs
6
Govt of India / Tax
3
Emirates Post
2
India Post
2
ADCB Bank
2
Lulu Hypermarket
2

Top scam campaigns detected

01
Parkin Fake Parking Fine
Scammers impersonate Parkin — UAE's largest parking company — sending bilingual Arabic/English SMS demanding AED 4–6 in unpaid parking fees. Messages include fake reference numbers (AE-SAL-XXXXXX) and threaten AED 150–200 late fees. Links redirect to lookalike domains designed to harvest payment details.
pakin.aesrhi.top parkin.aesfi.top parkin.aerao.top parkin.aeeebr.top +3 more
17
Cases
02
Fake Toll & Traffic Fine Scam
Two overlapping campaigns: (1) Salik/RTA impersonation demanding AED 4 toll settlement with threats of AED 50 fine and vehicle registration restrictions; (2) Generic speeding fine notices using shortened lnk.ink URLs to evade detection. Both use urgent 24-hour deadlines.
salik.ae.tiicky.top salik.ae.tiicya.top lnk.ink dubaipoi.com
13
Cases
03
Dubai Customs & Delivery Phishing
Fake customs clearance notices impersonating Dubai Customs and Emirates Post. Messages claim shipments are held due to "incomplete address details" and direct victims to lookalike portals. Sent via iMessage and email from spoofed addresses, often filtered as spam by carriers.
dubai.custompho.top dubai.customga.top dubaicustomsxz.top emiratespost.tcrak.top
8
Cases
04
APK Malware via WhatsApp
A growing threat: scammers send APK files disguised as official government apps (mParivahan, VAHAN PARIVAHAN, RTO E-Challan) via WhatsApp, claiming traffic violations. Installing the APK grants attackers full device access. Primarily targeting Indian expats and residents.
VAHAN PARIVAHAN.apk mParivahan.apk RTO E-CHALLAN UPDATE.apk
3
Cases
05
Government Tax Impersonation
Emails pretending to be from the Government of India Ministry of Finance, sent from Yahoo.co.jp addresses to UAE-based Indian residents. Include PDF attachments and reference case numbers (TAX/PEN/2026-142). A separate UAE-targeted variant uses a fake corporate tax violation notice.
non1307_e233@yahoo.co.jp jiguang.lol
3
Cases

How scams reach victims

Delivery method
💬
SMS / WhatsApp / iMessage — 70%
📧
Email — 11%
📞
Phone Call — 9%
🔗
Malicious URL — 6%
📦
APK File (WhatsApp) — 4%
Scam tactics used
Urgency / deadline pressure
🏛️
Authority impersonation (govt/police)
💰
Small payment demands (AED 4–6)
🌐
Lookalike .top domains
🌍
Bilingual Arabic/English messages
📱
Fake APK apps with malware

Key findings

🚨
Parkin is the most impersonated brand in UAE — by far
24% of all scams detected impersonated Parkin, with at least 7 different lookalike domains registered by scammers. The pattern is identical across all variants: bilingual message, small AED 4–6 fee, fake reference number, threat of AED 150–200 penalty. The low demand amount is deliberate — it lowers victim suspicion.
⚠️
All scam domains use .top — a red flag to watch for
Every phishing domain detected used the .top TLD (pakin.aesrhi.top, dubai.custompho.top, salik.ae.tiicky.top). The .top extension costs less than $1/year, enabling scammers to spin up and discard domains rapidly. Any message containing a .top link should be treated as highly suspicious.
📱
APK malware via WhatsApp is an emerging and severe threat
Three separate APK-based attacks were detected, all targeting Indian expats with fake traffic challan notifications. Unlike phishing links that require credential entry, APK malware grants full device access upon installation. This vector is significantly more dangerous and remains underreported.
AI correctly distinguishes real from fake — even for edge cases
One Amazon delivery OTP message was correctly scored at 64% (medium risk) rather than flagged as high-risk — because the OTP delivery flow matched a legitimate Amazon pattern. This demonstrates that ScamCheck AI avoids false positives, an important trust factor for everyday users.

How to stay protected

For individuals
🔍
Always verify payment requests through official apps, never links
🚫
Never install APK files received via WhatsApp or SMS
Treat urgency as a red flag — scammers always rush you
🌐
Any link ending in .top is almost certainly fraudulent
🛡️
Use ScamCheck AI to scan suspicious messages before acting
For organizations
📢
Actively communicate your official domain to customers
🔐
Register defensive domains similar to your brand name
👁️
Monitor for lookalike domains impersonating your brand
📋
Partner with scam detection services for early warning
🤝
Report confirmed phishing domains to UAE Cybersecurity Council