Sri Lanka’s December has its own tempo: faster shopping, transfers, approvals and replies. The glow of a phone screen becomes a kind of seasonal background light — used to pay bills, confirm deliveries, send money to relatives and keep families connected across distances. Convenience feels like progress, right up to the moment that it becomes a trap.
That trap rarely looks like a cyberattack. It looks like an email that appears to be from a bank, a courier, a telecommunications company or a platform that you already trust. It sounds professional. It carries urgency like a public service: Unusual access detected — verify within 24 hours. And, it arrives when attention is already diluted by work deadlines, school holidays, travel planning and year-end fatigue. The scam is not the link; the scam is the hurry.
Sri Lanka’s risk is not merely anecdotal. At an Asian Development Bank (ADB) Serendipity Knowledge Program event in Colombo in October, ADB Digital Sector Office Director Antonio Zaballos was reported as estimating that the annual cost of cybercrime to Sri Lanka could range between US$ 450 million and US$ 1 billion — using a rough estimate of about 0.5% to 1% of the gross domestic product as a reference point. Even treated strictly as an estimate rather than an audited national total, the signal is unmistakable: Cybercrime has become a national economic leak that begins with individual moments of trust.
And, the public picture is almost certainly incomplete. When people don’t report fraud and cyber incidents, official numbers inevitably understate what families actually endure, and that silence makes it easier for criminals to repeat the same scripts on the next household. Shame is understandable — but, it’s also expensive, because it turns a personal loss into a reusable business model for someone else.
The mechanics of deception are predictable, which is exactly why they work. One scam sells aspiration: a side income promise supported by screenshots, dashboards and friendly coaching, until escalating fees drain savings and the page disappears. Another borrows institutional authority: Banks and service providers are impersonated to harvest passwords and one-time codes, turning security features into a scripted handover. A third recruits ordinary people as infrastructure by offering commissions to route funds through personal accounts — an arrangement that can carry serious legal consequences even when the intent was innocent. A fourth takes advantage of seasonal e-commerce with lookalike pages and fake storefronts promoted through ads and urgency, where the loss may be the payment, the card data or both.
Behind all of it sits the accelerant that makes fraud feel personal: leaked or overshared identity information that helps criminals craft messages that sound written specifically for you. When an attacker knows a name, a number, a recent purchase or a familiar service provider, the lie no longer feels like a lie. It feels like routine.
The protective pathway is neither exotic nor expensive — but, it must be deliberate. Enable two-factor authentication on banking, email and social media accounts. Use passwords at least 12 characters long, completely different for each account, and store them in a reputable password manager. Before any online financial transaction, verify legitimacy through an independent call using contact details from official materials, never using numbers provided in messages.
When shopping online, look for HTTPS (HyperText Transfer Protocol Secure) in the site address, examine seller histories and use cash-on-delivery when possible. Most effectively, create a family norm that asking a second person before sending money is not paranoid behaviour; it is responsible behaviour. Many successful scams depend on speed and isolation, and a 30-second pause is often enough to break the script.
If something goes wrong, speed matters — and so does reporting. The Sri Lanka Computer Emergency Readiness Team (CERT) publishes official reporting channels including hotline 101 and incident reporting via incidents@cert.gov.lk, with social-media-related complaints via report@cert.gov.lk, alongside an online reporting portal. The Telecommunications Regulatory Commission’s short code list also assigns 101 to CERT as the emergency cybersecurity coordination centre for cyber incidents reported by the public. These pathways exist. They function. But they only protect families at scale if victims report.
Before reporting, do one small thing that makes a big difference: Preserve evidence before it disappears. Take screenshots of the message, the number or account name, the web link and any transaction reference, and write down the time that it happened — because the first hours are often the most recoverable.
The Police also provide a digital complaint channel through the Tell the Inspector General of Police service at https://telligp.police.lk via the Police e-services portal. If a complaint lodged at a Police station is not being properly investigated, Police note that it can be forwarded through this service. This channel exists around the clock, but it becomes meaningful only when people use it.
Victims will only report if communities create environments where reporting feels safe, supported and consequential rather than shameful. That cultural shift is as important as any technical control.
For Government authorities and regulators, this season should sharpen a simple truth: Cybersecurity is not optional; it is national risk management. Sri Lanka’s national incident response capacity and public trust depend on clear policy, capable enforcement and coordination that match the pace of digitisation. For financial institutions, the responsibility is even more direct: They hold personal data and financial access for millions of families, and security failures are breaches of public trust. For business leaders, the message is the same: The data collected and systems operated are national assets held in private custody, and treating security as a cost to minimise eventually forces a response far more expensive than doing it right now.
Yet, at the heart of this conversation, especially at Christmas, are not systems and strategies, but people — parents who want to send money safely to children abroad, young adults building their first savings and seniors navigating unfamiliar alerts. The most meaningful gift that we can offer each other this season is permission to talk openly about digital risk without blame, to ask “Does this look right to you?” before acting, and to seek help quickly when something feels wrong.
Awareness is not a guarantee that nothing bad will ever happen. It is a way of shifting probability in favour of families rather than criminals. If this holiday season ends with more Sri Lankans pausing before they click, more victims reporting without shame and more institutions treating cyber risk as a present-tense priority rather than a future project, then, something profound will have been achieved. In a year when so much of life flows through screens, the gift of awareness may be one of the most valuable presents that Sri Lanka can give itself.
The writer is a Cybersecurity Advisor, Partner – Technology Advisory and Chief Information Officer at HLB Lanka