Do cybercriminals speak your language?

by Black Hat Middle East and Africa
on
Do cybercriminals speak your language?

Explore our weekly delivery of inspiration, insights, and exclusive interviews from the global BHMEA community of cybersecurity leaders.

Keep up with our weekly newsletters on LinkedIn — subscribe here. 


Build cyber resilience with the global Black Hat MEA community – in your inbox every week. 

This week we’re focused on…

When cybercrime goes local. 

Why? 

Because we’ve been looking into the latest Sniper Dz campaign targeting users across the Middle East and North Africa – and it’s part of a broader trend. 

Cybercriminals are moving beyond generic phishing tactics and investing in campaigns built around regional brands, local context and cultural familiarity.

Until recently, one of the clearest indicators of a phishing email was that it felt like it came from somewhere else – the language was awkward, the branding looked slightly wrong. Maybe the message referenced services that nobody in the region actually used. 

But recent reporting on the Sniper Dz campaign revealed a fraud operation targeting users across the Middle East and North Africa through fake websites, social engineering and credential theft. The campaign used fraudulent Facebook pages impersonating politicians, public figures and trusted organisations, while luring victims with offers such as free mobile internet packages, financial assistance and government subsidy programmes. 

One attack chain even impersonated Algérie Télécom to harvest payment card information and personal data.

And this localised approach isn’t unique. It’s happening across the cybercrime ecosystem. 

From translation to localisation

There is a significant difference between translating a scam and localising one.

Translation changes the language. Localisation changes the experience.

Researchers have been tracking this trend for several years. In 2023, Group-IB uncovered more than 2,400 fraudulent pages impersonating over 40 major enterprises across the Middle East and Africa. The operation used fake job advertisements and recruitment portals to target Arabic-speaking users across 13 countries, directing victims through a network of convincing websites designed to mimic legitimate employers. 

The objective was to appear familiar – and, as a result, more convincing. 

Rather than imitating global technology brands, many campaigns now impersonate local employers, telecom providers, banks and services that users interact with every day. The closer a scam resembles a genuine part of daily life, the harder it becomes to distinguish from legitimate activity.

Cybercriminals have learned the same lesson as marketers

The psychology behind this shift is widely known.

People are more likely to engage with messages that feel credible and relevant to their lives.

You know this – successful social engineering campaigns exploit authority, scarcity and social proof to influence behaviour and encourage action. 

And in many respects, cybercriminals are applying the same localisation principles used by marketers.

  • A fake login page carrying the branding of a familiar local service is more convincing than one impersonating an unfamiliar overseas company.
  • A recruitment scam referencing a regional employer is likely to attract more attention than a generic job offer.
  • Messages that reflect local language, expectations and behaviour create fewer warning signs for potential victims.

Attackers are investing more effort because localisation works.

Local events, local brands, local victims

The trend extends beyond phishing and credential theft.

Researchers at Zscaler observed threat actors exploiting Middle East geopolitical events through fake donation campaigns, fraudulent websites, fake news portals and malicious content designed to capitalise on regional news cycles and public sentiment. 

And Group-IB has documented ‘quick cash’ scams targeting users across Arab markets through fake remote-work opportunities and online earning schemes. According to the researchers, these campaigns were tailored to specific countries using local dialects, familiar terminology and regionally relevant messaging designed to maximise trust and engagement.

Localisation is the common thread that runs through these campaigns. 

The attackers understand which brands people trust, which stories dominate headlines and which economic pressures influence behaviour – and that understanding becomes part of the attack chain.

A regional challenge

You can see the scale of the problem by looking at recent law enforcement activity. 

Earlier this year, INTERPOL's Operation Ramz resulted in the arrest of 201 individuals across 13 countries in the Middle East and North Africa. The operation targeted phishing schemes, malware distribution and various forms of cyber-enabled fraud.

It also reinforced an important reality: cyber-enabled fraud is no longer simply a global problem affecting the region. Now, it’s a regional challenge requiring regional responses.

What does this mean for security teams? 

Traditional awareness programmes tend to focus on obvious warning signs – think poor spelling or suspicious services. 

But as cybercriminals invest in localised content, organisations need to make sure that awareness training reflects the threats employees actually encounter.

Brand monitoring, phishing simulations based on regional attack patterns, and local threat intelligence are becoming critical components of defence.

Because the most effective scams are the ones that look familiar.

Share your perspective 

Does localisation increase the risk of exploitation? Open this newsletter on LinkedIn and tell us what you think in the comments.

Share on

Join newsletter

Join the newsletter to receive the latest updates in your inbox.


Follow us


Topics

Sign up for more like this.

Join the newsletter to receive the latest updates in your inbox.

Related articles