Oman is no longer a silent witness to global cybercrime; it is standing right in the center of it.
According to the Royal Oman Police (ROP), cybercrime and fraud incidents increased by 50% in the first half of 2025. Criminals are quick to adapt as digital payments increase and more companies operate online. Still, as more sophisticated, harder-to-track criminals emerge, they are much smarter than most organizations expect.
And most security attacks do not start with a compromise in your firewall. They start with a human. A rogue employee clicking on the wrong link, answering the wrong call, or trusting the wrong face on a video call will be the entry point for an entire breach. That is why most people focus on security as the most important layer for every organization in Oman.
Brig Jamal bin Habib Al Quraishi, Director-General of Inquiries and Criminal Investigation Police Department (ROP), attributed the increase to the rapid growth of digital portals and, not least, the fast skills of attackers. He pointed out the use of various Artificial Intelligence-aided tools, deepfake videos, and automation processes.
Banks, health care, energy, and government networks have all been attacked. Oman is a prime target for both profit-motivated criminal attacks and long-term state-sponsored operations due to its position in the Gulf oil and gas infrastructure.
Discover how Threatcop protects your workforce from modern cyber threats.
Understanding the most common types of cybercrime reported in Oman is the first step toward building defenses that actually work.
This is the largest-volume category in 2025. Con artists upload phony advertisements, sometimes featuring fake animals, on shopping sites, expecting buyers to pay a deposit or pay in full, and then abscond with the money. More sophisticated scams use deepfake videos to impersonate government workers, gain their targets’ trust, and obtain OTPs and account info before transferring the missive across tiered accounts into crypto.
Phishing remains the number one entry point for breaches in Oman and, indeed, anywhere else. The attacker will send a message claiming it is from the bank, government portal, or telecoms provider. The link takes you to a ‘clone’ site that harvests your login details and OTPs sent to your phone in real time.
AI has made it even harder to detect a phishing attack. Poor grammar was the giveaway previously. Now, threat actors are creating flowing text in both Arabic and English.
Threatcop’s phishing simulation platform launches live phishing campaigns against your employees to find out precisely who will be targeted by an actual adversary.
Criminals will call victims pretending to be a bank official, a tax official, or a government official, etc. They create a sense of urgency to ask for the OTP or account number before the victim can think. They use deepfake audio and video to make that call look and sound like someone the victim already knows.
Vishing simulation training from Threatcop tests employees’ responses and builds the reflex to verify before proceeding.
Takes the form of a text message purporting to be from a courier, bank, government agency, etc., asking them to click a link or call a number they didn’t previously have. When they do, their credentials or cash are on the line.
Threatcop’s Smishing Awareness Training develops the habit of questioning SMS links even when they purport to be from a trusted source.
The WhatsApp scams are a very specific, rapidly growing type of scam in the Gulf. Due to the high levels of trust most customers have in the system, attackers can exploit it to the fullest. Fake payment requests are sent, suppliers are impersonated, and impostors pose as HR and finance personnel to gain access to account details or initiate fraudulent transfers.
Threatcop’s WhatsApp phishing simulation tests how employees react and trains them to check before they act.
In accordance with the Oman cybercrime law, hacking is defined as intentional unauthorized access to any website, system, or network. The punishment is very harsh if cybercriminals crash systems, install malware, or attack banks or government institutions.
Two Omani energy companies were publicly named as victims in 2024. OQ, formerly Oman Oil Company, was named by the Termite ransomware group in November. Special Oilfield Services Co. LLC was named by the Meow group in August. Critical infrastructure is a current, not a future target.
Along comes ransomware-as-a-service, an attack is becoming easy and even affordable. Criminal gangs are now renting out pre-packaged solutions, encrypting data, and demanding ransom in cryptocurrencies. Oman-based companies dealing in healthcare, logistics, and energy are the most vulnerable. An incident on a critical system could take days to recover.
Threatcop’s Ransomware awareness and simulation measures how employees interact with real-time ransomware scenarios and guides them on identifying the signs.
QR codes are trusted by default. Attackers take advantage of this by embedding malicious QR codes in hard copies of materials, e-mails, or on black-hat websites. When the code is scanned, it directs the user to a malicious site designed to capture credentials or install malware.
Threatcop’s QR code phishing simulation mirrors real-world experience, preparing users to think twice before scanning.
Stolen information is used for identity theft well beyond the initial breach. A post on a criminal forum in August 2025 leaked an estimated 6.3 million records from multiple countries, including PII linked to Oman. Criminals use this information to target individuals and run tailored scams, often without the victim realizing until the scam is complete.
The main legislation is the Law on Combating Information Technology Crimes (Royal Decree No. 12/2011). The Oman cybercrime law covers hacking and unauthorized access, creating and spreading malware, phishing and online scams, cyberbullying and defamation, and privacy violations. Sentences range from one month to 15 years imprisonment.
A second layer is added by the Personal Data Protection Law (Royal Decree No. 6/2022), which came into force in February 2023. Organizations that fail to safeguard personal data face administrative fines up to OMR 2,000 per violation. Criminal fines rise to OMR 500,000 for unlawful data transfers outside Oman. Corporate liability can reach OMR 100,000 where a crime is committed in the organization’s name or with its approval.
Compliance is more than having good controls in place. It requires people who understand the threats and act on them.
Threatcop’s security awareness training platform, TSAT, conducts simulated real-world attack campaigns across eight vectors, including email phishing, vishing, smishing, WhatsApp phishing, QR code attacks, ransomware, and deepfakes. It assigns each employee their own risk score and starts an automated training program accordingly.
For organizations in Oman, the priority actions are:
The most reported forms of cybercrime in Oman range from straightforward marketplace phishing scams to large-scale attacks on a country’s infrastructure, and a 50% increase in H1 2025 suggests the threat is mounting.
Oman‘s cybercrime law certainly provides good enforcement powers. However, it‘s not the law that prevents the attack. Preparation does. Organizations with trained staff, established processes, and a platform to measure human risk will be less vulnerable and recover more quickly.
Take a look at how Threatcop‘s security awareness training is helping businesses in Oman to develop a workforce that simply can‘t be conned.
Call the Royal Oman Police toll-free on 80077444, visit the nearest police station, or use the ROP's official online channels. Save all screenshots, messages, and transaction records before reporting.
Yes. Phishing is a criminal offense under the Law on Combating Information Technology Crimes (Royal Decree No. 12/2011) and financial fraud provisions, carrying prison time and fines.
Train employees to recognize phishing, vishing, and social engineering attacks. Run regular simulations, enforce multi-factor authentication, and use a platform like Threatcop TSAT to measure and reduce human risk across all attack vectors.
Cybersecurity in Bahrain is no longer a secondary concern. Government systems, financial services, healthcare, and energy sectors are becoming...
The digital landscape in Oman is growing fast, but greater connectivity is also increasing cybersecurity risks. With the issuance...
Kuwait’s cloud computing market is growing rapidly, but the rules are also becoming stricter. The Communications and Information Technology...