Sri Lanka has encountered an increasing number of cases of cyber fraud lately, with many financial bodies releasing public statements focusing on digital financial literacy. It is evident that alongside digital transformation, the country faces an alarming rise in cybercrime as well. 

Some of the most common cybercrimes involving finances include phishing, identity theft, intrusion/hacking, and cryptocurrency scams, most of which lead to a breach in sensitive personal information. 

Ranking 83rd in the Global Cybersecurity Index (GCI), Sri Lanka’s digital landscape is growing increasingly vulnerable. This surge indicates a critical need for not just urgent action against cyber threats but also increased public awareness.

Rise in financial cybercrimes

Police Spokesman DIG Nihal Thalduwa told The Sunday Morning Business that there was an increasing number of cybercrime cases, specifically involving pyramid schemes and scams. “We are awaiting records from the Criminal Investigation Department (CID) regarding arrests, but there is an upward trend.”

Speaking to The Sunday Morning Business, Sri Lanka Computer Emergency Readiness Team (SLCERT) Lead Information Security Engineer Charuka Damunupola underscored the serious threats posed by cybercrimes to both personal data security and the economy at large. 

“There is a significant risk of leakages and data breaches, especially concerning finances, due to online scams. These crimes not only affect individual finances but also have a broader impact on future developments in digitisation,” he said.

One pressing concern is the rise in investment scams, particularly involving cryptocurrency. Damunupola noted: “People invest in virtual assets thinking they are legitimate, but many scammers use cryptocurrency platforms to deceive customers. They believe they are investing but are instead falling into pyramid schemes. This is a considerable risk, especially for the banking sector, where these funds are being invested in fraudulent schemes.”

According to Damunupola, so far this year, nearly 1,100 internet scam-related incidents have been reported, with a sharp increase in financial scams over recent months. A major cause of these incidents is the unauthorised sharing of personal information, such as One-Time Passwords (OTPs), with third parties. Damunupola added that identity theft was also on the rise, with many individuals unknowingly providing sensitive information on unsecured websites.

“This lack of awareness leads to a mistrust in online banking. People should be more cautious when accessing their accounts, especially since many are unaware of the legitimacy of the websites they use. The increase in cyber scams can also be linked to international scamming operations, with recent arrests of foreign nationals concerning the use of Sri Lankan registered numbers and local IP addresses to commit identity theft and other fraud.”

Damunupola emphasised the importance of financial literacy in combating these crimes. “Raising public awareness is crucial, especially since these scams primarily target those lacking in digital financial literacy. We need to establish a cybersecurity regulatory body to overcome these technical challenges.”

He stressed that citizens needed to understand what constituted Personally Identifiable Information (PII). “Many users don’t realise that details like their National Identity Card (NIC) number, date of birth, and even their full name and address can be used for identity theft. Disclosing this information to unsecured websites can lead to illegal bank accounts being opened in their names.

“When engaging in online banking, people should always ensure they are accessing the correct URL and use only the mobile applications recommended by their banks. This simple step can go a long way in protecting one’s banking information.”

Urgent need for increased public awareness

Speaking to The Sunday Morning Business, Federation of Information Technology Industry Sri Lanka (FITIS) Chairman Indika De Zoysa highlighted similar concerns. 

“When people perceive a risk, they naturally hesitate. The rise in news about cybersecurity threats such as hacked bank accounts and the misuse of OTPs impacts digital banking,” he explained.

He stressed that awareness was tied to the increasing adoption of digital services. “As digital banking continues to grow, awareness about digital safety must grow alongside it. Without proper precautions, there could be a significant setback in adaptation, leaving a gap in the digital economy,” he said.

De Zoysa highlighted the importance of cybersecurity in national policy, noting: “One of the six pillars in the proposed National Digital Economy Strategy is cybersecurity, safety, and privacy, which underscores the need for public awareness and necessary policy changes to scale up protection in the digital landscape.”

While Sri Lankan banks and financial institutions are incorporating technological solutions to address cybersecurity concerns, De Zoysa pointed out that digital financial literacy remained a key challenge. “Creating awareness is critical, and it will be an ongoing process as more people engage in the digital economy,” he pointed out.

Progressive reliance on digital financial services

The global trend of widespread adoption of Bring-Your-Own-Device (BYOD) policies leaves corporate networks vulnerable. Phishing and impersonation remain common in the banking sector, prompting calls for stricter Know-Your-Customer (KYC) protocols and enhanced protocols. 

Moreover, financial scams have risen amid economic instability, with the Central Bank of Sri Lanka (CBSL) reporting numerous cases of scammers impersonating legitimate institutions to steal sensitive information. Recently, two Ukrainian nationals were arrested for defrauding over Rs. 10 million by tricking victims into sharing OTPs.

According to DataReportal – Global Digital Insights, there were 12.34 million internet users in Sri Lanka at the start of 2024, at an internet penetration level of 56.3%. Kepios analysis notes that internet users in Sri Lanka increased by 460,000 (+3.9%) between January 2023 and January 2024, and this number continues to increase. There was a rise in digital banking and payments as well, with credit and debit card transactions growing by 42.1% and 67.4%, respectively, in 2022. 

These data indicate the progressive reliance on digital financial services and online platforms. However, recent news reported that by October, more than 7,000 complaints related to online scams had been filed up until September, 20% involving financial fraud. 

This highlights the need for stronger security measures and increased digital literacy to safeguard against the growing threat of cybercrime.

Addressing cybercrime

Moreover, the country is facing a significant rise in cybercrime targeting individuals. 

Speaking to The Sunday Morning Business, Circulo de CISO Director and cybersecurity practitioner Sujit Christy highlighted that as Sri Lanka accelerated its digital transformation, with widespread adoption of digital payments, e-commerce, and mobile banking, the country was also witnessing a concerning rise in cybercrime targeting individuals. 

From social media scams to banking fraud, cybercriminals are exploiting the gaps in digital literacy across Sri Lanka’s population.

“From identity theft and phishing to ransomware, these crimes not only cause financial loss but also affect the trust in the digital systems essential to our modern lives,” Christy said. 

He highlighted how the consequences of cybercrime in Sri Lanka’s growing digital economy moved beyond their economic impact. He added that there was a psychological impact as victims experienced emotional distress and loss of trust in online platforms, since damaged credit scores could limit life opportunities for many.

Christy also pointed out social consequences that consisted of a growing digital divide, with people avoiding online services due to a fear of scams. Moreover, vulnerable populations, such as the elderly and the less tech-savvy, are especially at risk, with law enforcement and consumer protection agencies facing increased strain to combat these crimes.

“To ensure the nation can thrive in the digital era, a focus on digital and financial literacy is critical. Citizens must be made aware of the risks and equipped with the knowledge to protect themselves. 

“Basic cybersecurity practices, such as recognising phishing emails, safeguarding personal information, and using multi-factor authentication are vital for individual protection. Equally important is financial literacy, which empowers individuals to understand how digital transactions work, recognise fraud, and act quickly if they fall victim to scams,” he said.

Christy highlighted the need for a comprehensive response to address this growing issue. Government agencies, educational institutions, and private sector organisations must work together to promote awareness and education to navigate the digital economy safely, ensuring both personal and national resilience against cyber threats.

“What we are seeing are targets on individuals. It is not a mainstream conversation – we are talking in pockets. For cybersecurity, we can’t just let banks handle this issue; it has to come from every corner,” he stressed.

Christy noted that the current situation was such that it had moved from cybersecurity to cyber safety, with life savings of individuals taken away, and with these crimes becoming a question of survival. He therefore highlighted the need to address this matter beyond individuals.

“Tackling cybercrime requires not just stronger security measures but widespread education on digital and financial safety as well. By equipping individuals with the right knowledge, Sri Lanka can build trust and safeguard its digital future,” he concluded.

Digital trust

Meanwhile, Information Systems Audit and Control Association (ISACA) Sri Lanka Chapter President Lakmal Embuldeniya emphasised the critical role of digital trust in cybersecurity. 

“Digital trust isn’t just about technology; it involves people, processes, technologies, supply chain management, transparency, and customer care. Ultimately, it’s about the relationship with the customer and understanding their needs,” he explained.

Embuldeniya stated that the rise in financial fraud, particularly against banks, was not necessarily due to a lack of technological solutions but rather the absence of sufficient governance over IT-related matters. He pointed out that many recent cases, such as phishing attacks through fake SMS, had happened because customers lacked awareness and financial institutions had not been quick enough in responding to security breaches.

He further stressed the impact on the digital economy, noting that breaches affected digital trust. “If you’re banking with an institution that has been hacked, your first instinct may be to switch to another bank as a matter of trust in the digital infrastructure,” he said.

Embuldeniya highlighted that phishing and social engineering attacks had become more sophisticated, often targeting individuals based on publicly available information from social media and manipulating people in a manner in which even experts could fall victim to such attacks.

Moreover, while precise figures for losses due to cyberattacks are hard to access, as attacks happen off the record unless users complain to the institutions, Embuldeniya noted that such losses could amount to billions of rupees as people often did not even realise they had been hacked until it was too late. 

“The recent global malware attack on Android devices took out nearly Rs. 1.2 billion within about three days, basically converting the industry into crypto,” he said. 

To address this crisis, Embuldeniya outlined two steps. “Firstly, banks must communicate quickly with their customers when a threat is identified. Secondly, from the user’s perspective, it’s essential to implement multiple security layers, such as OTPs and two-factor authentication.”