Cyber Experts Warn Against New Phishing Wave Targeting Saudi "Nafadh" Platform via Government Impersonation
Cybersecurity specialists in the Kingdom of Saudi Arabia have issued urgent warnings over an escalating wave of sophisticated phone and electronic fraud. The new cyber campaign relies on voice phishing (vishing) tactics, where attackers impersonate government officials or official technical support teams to target users of the Nafadh national single sign-on platform, attempting to harvest their sensitive credentials.
These highly organized operations follow a calculated sequence, starting with an official-sounding phone call. The caller claims to be a government employee or an IT specialist tasked with system updates, security enhancement, or account reactivation for the Nafadh network. The fraudsters utilize formal vocabulary and a calm, authoritative tone to convince the victim that urgent action is required, implying that access to essential public services will be suspended if they fail to cooperate.
During the call, the interaction shifts toward demanding high-risk credentials—primarily One-Time Passwords (OTPs) or Nafadh login details—under the guise of executing a mandatory security patch or identity verification. This phase represents the most critical vulnerability; sharing these temporary verification codes instantly grants threat actors full administrative access to the user's unified digital identity.
The gravity of these breaches stems from Nafadh’s architecture as the centralized gateway for all governmental, financial, and corporate digital services in Saudi Arabia. Consequently, compromising a single user account unlocks extensive personal profiles and multiple services, enabling attackers to conduct fraudulent electronic transactions in the victim's name without their knowledge.
Threat actors leverage social engineering strategies that exploit human psychology through persuasion, psychological manipulation, and false trust-building, rather than targeting technical system flaws. These fraudulent calls are frequently fortified with public data or spoofing methods to simulate legitimate authority.
In response, Saudi cybersecurity and regulatory authorities have reiterated that no official entity will ever request confidential data—such as passwords or Nafadh OTPs—via phone calls or text messages, clarifying that all profile updates are processed strictly through authorized official applications. Experts emphasize that user awareness remains the primary line of defense against these schemes, urging individuals to terminate suspicious calls immediately, withhold all Nafadh credentials, and verify any request solely through official state channels.