The growing threat of AI deepfake financial scams
The Sri Lanka Computer Emergency Readiness Team (Sri Lanka CERT) recently warned the public about a rise in Artificial Intelligence (AI)-generated deepfake videos being used to promote fraudulent investment schemes, with cyber-related financial fraud complaints reaching 360 so far this year.
The scams have involved fake videos featuring President Anura Kumara Dissanayake, Prime Minister Dr. Harini Amarasuriya, the Governor of the Central Bank of Sri Lanka, and other well-known public figures, with fraudsters using manipulated content to persuade victims to invest in schemes promising unrealistic returns.
The warning has drawn attention to a rapidly changing threat landscape in which AI-generated videos, images, and cloned voices are becoming increasingly difficult to distinguish from real content. While financial scams are not new, experts say the use of AI has changed how these schemes are carried out, creating new challenges for regulators, institutions, technology platforms, and the public.
According to Interpol’s March 2026 Global Financial Fraud Threat Assessment, impersonation fraud is one of the leading contributors to over $400 billion in global losses and is growing worldwide. Easily accessible AI deepfake technology is contributing heavily to this at present.
Speaking to The Sunday Morning Business, cybersecurity experts shared their views on how deepfake scams were being used in Sri Lanka and the practical steps individuals could take to protect themselves.
Growing use of deepfakes in financial scams
Sri Lanka CERT Lead Information Security Engineer Charuka Damunupola told The Sunday Morning Business that the organisation had identified several deepfake scams circulating on social media platforms.
According to Damunupola, Facebook remains the primary platform where such content is being detected, although some cases have also appeared on Instagram, where many of the videos impersonate celebrities and high-profile public figures.
“The main purpose of these videos is to encourage the public to invest in fraudulent investment schemes. Ultimately, these scams are intended to steal sensitive information and money from users,” he said.
Damunupola added that while AI may be involved in generating the content, online platforms generally treated such material as malicious content that violated existing community guidelines.
He explained that most deepfake scam videos fell under categories such as impersonation, misinformation, or disinformation, which already constitute violations of platform policies.
“In most cases, these videos involve impersonation or the spread of misinformation and disinformation. Therefore, they can be reported through the normal reporting mechanisms available on these platforms,” he said.
Damunupola noted that Sri Lanka CERT also addressed certain cases through dedicated communication channels where necessary.
Clarifying recent fraud figures, he said that the 360 complaints reported by Sri Lanka CERT this year represented a range of online scams rather than deepfake-related incidents alone.
“The total number of online scams comprises several types of scams, including romance scams, parcel scams, impersonation scams, and OTP scams,” he explained.
He emphasised that vigilance remained the most effective defence for the public. “If parties are sending a message or asking people to invest, they should verify the information through a trusted and verified source before sharing any sensitive information,” he added.
A financial security issue
Cybersecurity strategist Asela Waidyalankara said that AI deepfake investment scams worked by creating a false sense of trust.
According to him, scammers are increasingly using AI-generated videos, cloned voices, and manipulated images of political leaders, public officials, business figures, celebrities, and financial personalities to promote fake investment opportunities. Victims are then directed to websites, messaging groups, or supposed investment advisers who persuade them to deposit money into fraudulent platforms.
“The danger is that these scams do not look like the old, badly written fraud messages we were used to seeing. They are more polished, localised, emotionally persuasive, and sometimes use familiar Sri Lankan faces or institutions to appear credible.
“This is why public awareness alone is not enough. People should pause before investing, verify information only through official websites or verified channels, avoid clicking sponsored investment links on social media, and be especially suspicious of guaranteed returns, urgency, secrecy, or requests to transfer money quickly,” he said.
From a national perspective, Waidyalankara noted that Sri Lanka needed to treat this as a financial security issue, not merely a cyber awareness issue, adding that various institutions such as banks, fintech companies, telecom operators, social media platforms, regulators, law enforcement, and Sri Lanka CERT all needed stronger coordination.
He also noted the need for faster takedown mechanisms; better fraud reporting channels; stronger digital identity verification; transaction monitoring; public advisories in Sinhala, Tamil, and English; and a clearer framework for responding to AI-enabled fraud.
Responding to whether Sri Lanka had learnt from recent mistakes, he highlighted that the country was learning, although not fast enough. He explained that the threat had moved from basic phishing to highly targeted, AI-assisted social engineering.
“Our financial security frameworks must therefore evolve from compliance-focused controls to intelligence-led, real-time fraud prevention. This includes customer education, stronger incident reporting, better information sharing between institutions, and regular updates to cyber and financial risk frameworks,” he said.
According to Waidyalankara, the key message to the public is simple: do not trust a video, voice note, or online advertisement merely because it appears to feature a known person. In the age of AI, seeing is no longer believing. Always verify before you invest.
Verification as the first line of defence
Explaining how these scams were evolving, Digital Trust Alliance (DTA) President Lakmal Embuldeniya said that Sri Lanka had already witnessed several high-profile deepfake investment campaigns.
Although Sri Lanka has not yet reported many cases involving cloned voices or real-time impersonation, Embuldeniya said that the technology already existed and could be used to imitate friends, colleagues, or trusted contacts. He noted that the challenge was that deepfakes were becoming increasingly difficult to distinguish from genuine content.
“In order to prevent falling for these, the best option is to verify and validate. There is really no other reliable way to identify these deepfakes as they are becoming extremely close to reality. If you receive such communications, you should check whether the video, voice recording, or message is available through the original source. If it claims to come from the Central Bank, then verify it through the Central Bank’s website, official YouTube channel, or another official platform,” he said.
Embuldeniya also expressed concern that misleading content in the media could sometimes gain further visibility when reproduced without proper verification. In his view, relying only on secondary sources may not always be sufficient.
“It is critical to trace the original source. Other than that, it is very difficult to identify a deepfake even for an expert,” he said.
The challenge of detection
When asked whether deepfake financial fraud could be effectively regulated or detected, Embuldeniya said the issue was becoming increasingly complex due to the rapid advancement of AI tools. He explained that while technology companies and industry groups were working on methods to identify AI-generated content, limitations remained.
One area receiving attention internationally is the use of metadata that can be embedded into AI-generated images, videos, and audio files.
“If content is created through recognised platforms, there is a possibility of attaching information such as certificates or other forms of verification. However, there is also a darker side since content created through unofficial or underground tools may not contain such markers,” he explained.
While such initiatives may improve transparency, he noted that they were not a complete solution.
AI lowers barriers to deception
Providing a research perspective, LIRNEasia Data Science Researcher Amanda Ariyaratne said that AI had fundamentally changed the scale of the deepfake problem. She explained that manipulated content had existed before the rise of generative AI, but producing convincing fakes had previously required specialised technical skills.
“Before AI, deepfakes were still possible, but creating them required a certain level of technical knowledge. People needed to know how to use specialised software and editing tools. Today, these generative AI models are widely available, and they are capable of producing highly realistic images, voices, and videos. That has made the problem significantly larger,” she said.
Ariyaratne noted that examples of fabricated investment videos in Sri Lanka tended to feature prominent individuals promoting investment schemes that never existed. At the same time, she outlined developments in many other countries where AI-generated impersonation was becoming increasingly sophisticated.
“In other countries, there have been cases where people receive video calls or participate in online meetings where the person appearing on screen is actually AI-generated in real time. They can respond to questions and interact naturally, making the deception much more convincing,” she said.
Usually, spotting AI deepfakes visually requires scanning for physical and digital inconsistencies such as mismatched lighting and shadows, unnatural blinking patterns, lip sync errors, and blurry or warped facial features.
However, according to Ariyaratne, much of the traditional advice about looking for visual inconsistencies may no longer be entirely sufficient since the technology is advancing rapidly. She said that while awareness remained important, people should also focus more on behavioural warning signs associated with scams.
“I think people need to be aware that these things are happening. Otherwise, when it happens to them, there will be no suspicion at all. In many of these scams, there is urgency, emotional pressure, secrecy, or requests to transfer money quickly. Paying attention to those warning signs can be more practical than trying to identify technical flaws in the content itself,” she said.
She also encouraged individuals to independently verify unusual requests. “A lot of these messages appear to come from people you know. That is why people trust them. If there is a request involving money or sensitive information, use another communication channel to verify it. Call the person directly and confirm whether the request is genuine,” she said.
Public awareness and institutional preparedness
Ariyaratne explained that there was currently no universal technical solution capable of detecting every deepfake across every platform. While social media companies are introducing detection tools, these systems are not instantaneous and may require time before suspicious content is identified and flagged. By that stage, substantial damage may already have occurred, making continuous awareness important.
She also noted that researchers globally were working on methods to improve the identification of AI-generated content, including the use of metadata attached to AI-generated images, videos, and audio files. However, adoption remains inconsistent.
According to her, there is no universal enforcement mechanism requiring all platforms to adopt the same standards, which makes automatic detection difficult.
As a result, Ariyaratne believes public awareness remains one of the most important measures available today.
“People need to know that these scams are taking place and understand the steps they can take to verify their suspicions when an unusual incident occurs,” she added.
A paradigm shift in cyber fraud
Cybersecurity adviser and HLB Lanka Partner and Chief Information Officer (CIO) Lahiru Livera noted that AI deepfake scams indicated a paradigm shift in cyber fraud, as they weaponised trust, not just technology.
“Sri Lanka must strengthen public awareness, but more critically, the Banking, Financial Services and Insurance (BFSI) sector must urgently modernise electronic Know Your Customer (eKYC) frameworks, online verification protocols, and fraud detection systems to counter AI-enabled impersonation at scale. These scams no longer look obviously fake and they can use AI-generated videos or cloned voices of trusted public figures to make fraudulent investment schemes look legitimate,” he said.
Livera opined that deepfakes were turning trust itself into the attack surface, especially given that when people recognised a face, voice, or brand, they lowered their guard. He noted that the public should never validate an investment through a video, social media post, or WhatsApp message alone. Verification must happen through official websites, licensed institutions, and direct callbacks to known numbers.
For the BFSI sector, he explained that this was also a serious eKYC and online verification challenge, because AI could be used to spoof facial biometrics, voice checks, and parts of the liveness process used in digital onboarding.
“Have we learnt from recent mistakes? Not enough. My concern is that many controls are still reactive, while fraudsters are moving faster with AI-enabled impersonation and social engineering. Our financial security frameworks need to move beyond phishing-era thinking. Banks and finance companies need layered identity verification, device and behavioural analytics, stronger fraud monitoring, and governance models that are updated continuously, not just reviewed once a year,” he added.
According to him, digital convenience cannot come at the cost of digital trust. He highlighted the urgent need to modernise verification and fraud controls, without which deepfake-led financial crime will scale faster than public awareness.