- Explores proactive countermeasures in place of traditional reactive responses
- Transnational jurisdictional challenges plague quick legal action
- Experts call for awareness building
Online scams are surging across Sri Lanka at an alarming pace, pushing the Government to roll out a controversial new malware and threat hunting unit in a bid to curb the growing wave of digital fraud.
As many fall victim to increasingly sophisticated schemes, authorities say the unit will serve as a proactive defence system. However, industry experts warn it could also open the door to expanded State monitoring under the guise of cybersecurity.
Govt. approach
Speaking to The Sunday Morning, Ministry of Digital Economy Acting Secretary Waruna Sri Dhanapala said that the Government recognised the severity of the threat landscape and was taking steps to safeguard the public.
“We will soon be establishing a malware and threat hunting unit. This represents a proactive engagement to counter all kinds of cyberthreats,” he said.
The unit will function as an early warning mechanism, actively scanning for emerging malicious activity rather than responding only after victims come forward.
The ministry is also pushing for wider adoption of the National Cyber Security Operations Centre (NCSOC), which was opened in September.
According to Dhanapala, more Government agencies will be encouraged to join the platform to ensure a coordinated national response to digital threats.
These moves come against the backdrop of a surge in online scams that have victimised thousands of Sri Lankans over the past year. Authorities have issued multiple public notices warning that cybercriminals are exploiting economic hardship, low digital awareness, and trust in official-looking messages to steal personal data, hijack accounts, and drain bank funds.
Dhanapala acknowledged that calls for stronger Government intervention had intensified in recent months.
“The Government has issued public notices to raise awareness and warn people not to fall for these scams,” he said, noting that the Central Bank of Sri Lanka (CBSL) had also started discussions with commercial banks after receiving reports of emails and SMS messages impersonating major State banks.
“I myself received a fraudulent email impersonating the Bank of Ceylon, so I know firsthand how convincing these attempts can appear,” he added.
Tech alone won’t solve problem
Yet, despite repeated advisories, citizens continue to fall victim.
When asked what additional measures the ministry could take, Dhanapala said that Sri Lanka was committed to deploying all necessary mechanisms. “For all online-related matters, Sri Lanka has asserted its commitment to deploying suitable systems and protections. We have instructed the relevant authorities to do so.”
However, he stressed that technological solutions alone could not solve the problem. “These scams evolve very quickly. While machine security is important, human behaviour is also responsible,” he said. “People are simply not guided well enough either by their organisations or on their own.”
In order to address this, the ministry is consulting local experts to design systems that would alert the public when suspicious activity is detected.
One of the biggest obstacles, Dhanapala noted, was that many operators behind these scams were based overseas. “International cybercrime requires a long legal process to apprehend offenders,” he said.
Jurisdictional and technical barriers
While Sri Lankan law enforcement works closely with foreign agencies, when possible, jurisdictional and technical barriers slow down investigations.
The ratification of the United Nations (UN) Convention against Cybercrime is expected to improve international cooperation. Sri Lanka signed the Convention on 25 October, during the official signing ceremony in Hanoi, Vietnam, making it one of the initial 72 signatory states.
According to Dhanapala, the convention will take effect in local law within 90 days of signing. “This will give us diplomatic support across the world,” he said. “It will allow us to professionally engage with major players, platforms, and service providers who will be obligated to comply with Government alerts and investigations.”
Dhanapala believes this will significantly improve cross-border enforcement related to cyber fraud, although challenges involving unregulated cryptocurrency networks remain.
“Cryptocurrency networks are not currently regulated,” he noted. While fraudulent transfers connected to the banking system are detected through existing surveillance, he said that matters relating to crypto fell primarily within the CBSL’s oversight.
Tackling the daily wave
As the ministry focuses on national-level policy, frontline cybersecurity experts at the Sri Lanka Computer Emergency Readiness Team (Sri Lanka CERT) have been tackling the daily wave of complaints from citizens.
According to Sri Lanka CERT Lead Information Security Engineer Charuka Damunupola, the scams currently circulating in Sri Lanka are becoming increasingly deceptive and technically advanced.
“These operations come in many forms, but the goal behind almost all of them is the same. They aim to steal personal information or financial credentials that can be used for identity theft or unauthorised transactions,” he said.
Sri Lanka CERT has recorded a marked rise in scams involving identity theft, fraudulent payment links, phishing messages, and WhatsApp account hijacking. Many of these scams imitate Government agencies, banks, courier companies, and employers, exploiting the trust people place in familiar institutions.
One of the most common scams reported this year involves fraudulent job offers sent through WhatsApp and other messaging apps.
Damunupola explained that these messages promised high-paying online jobs, often in foreign countries, and directed victims to professional-looking websites.
“Victims are asked to upload their NIC, passport, or birth certificate as part of the application. People think they are applying for a real job, but what actually happens is that their identity is stolen,” he said.
Criminals then use the stolen documents to create bank accounts, acquire SIM cards, or register services that can later be used for money laundering or digital fraud.
Sri Lanka CERT has issued repeated warnings about fraudulent parcel delivery messages that claim a delivery failed due to incorrect address information. Victims are instructed to follow a link and pay a small fee, sometimes as low as Rs. 99, to reattempt the delivery.
“The fake websites are extremely convincing and mimic legitimate postal portals,” Damunupola said.
“But once someone enters their credit card details, scammers use that information to carry out unauthorised major deductions. People do not realise they have been tricked until it is too late.”
Another widespread scheme involves messages impersonating Government ministries or major banks, offering financial assistance or rewards for completing a survey. These requests encourage users to fill out forms containing their name, NIC number, address, mobile phone number, and date of birth.
“What they are collecting is purely personally identifiable information,” he explained. “Once that data is handed over, victims can be impersonated or targeted for more complex fraud.”
Alarming trend
Perhaps the most alarming trend is the sharp rise in WhatsApp hijacking incidents. Scammers convince victims to share their six-digit One-Time Password (OTP) by posing as a friend, a company representative, or even WhatsApp itself.
“People do not understand the criticality of OTPs,” Damunupola said. “Banks and online services have strengthened their security, but if a user gives away their OTP, then it is like giving someone your ATM card and the PIN together.”
Once hijacked, the victim’s WhatsApp account is used to deceive their contacts, multiplying the number of victims.
Despite Government notices and Sri Lanka CERT’s frequent alerts, the number of victims continues to rise. Damunupola said this showed how quickly scammers were adapting.
“We receive a substantial number of scam-related complaints. I cannot disclose the financial losses due to ongoing investigations, but the volume alone shows the severity. Cybercriminals are adapting faster than the public can keep up,” he said.
Sri Lanka CERT conducts awareness programmes across schools, State institutions, the private sector, and law enforcement agencies. It also maintains a public resource portal, onlinesafety.lk, to help citizens identify suspicious activity and improve digital hygiene.
Damunupola emphasised that nearly every scam involved either a fraudulent mobile number or a bank account opened under a false identity. This makes tracking perpetrators extremely difficult.
“Strengthening the Know-Your-Customer (KYC) process for SIM registrations and bank accounts is essential. If we can prevent criminals from creating anonymous accounts, we can dismantle these networks more effectively,” he said.
In such a backdrop, as Sri Lanka prepares to ratify the UN Convention against Cybercrime and launch the malware and threat hunting unit, both the Ministry of Digital Economy and Sri Lanka CERT stress that cybersecurity requires coordinated efforts across institutions and vigilant behaviour from the public.
Urgent shift towards education needed
Sri Lanka’s battle against online scams requires an urgent shift towards education, community engagement, and targeted public awareness, according to Tech One Global Chief Operating Officer (COO) Wasantha Weerakoone, who warns that technology and law enforcement alone cannot stem the rising tide of digital fraud sweeping the country.
Speaking to The Sunday Morning on the surge of scams affecting thousands of Sri Lankans, Weerakoone said the nature of online deception had evolved beyond traditional cybersecurity solutions.
“The real danger lies in the more sophisticated scams. They mimic official emails or appear to come from someone you know, making them incredibly difficult to identify,” he said. “Cheating and stealing are not new. This is simply the new medium.”
Weerakoone described the rapid spread of smartphones as a double-edged sword. While digital connectivity has expanded across the island, user awareness has not kept pace.
“The only real solution is education,” he stressed. “Smartphone penetration has grown faster than our ability to educate users about risk. The scammers are not the problem. The problem is that we are not educating people at the same rate technology is spreading.”
The COO noted that the most vulnerable groups were older and middle-aged citizens who were less familiar with digital manipulation techniques and were more likely to fall for lucrative promises. Citing a recent example, he recalled how his wife had encountered an ‘investment scheme’ claiming to offer returns of Rs. 17,000 per day for a deposit of Rs. 75,000. “If it seems too good to be true, it is,” he said.
While Sri Lanka has recently signed the UN Convention against Cybercrime and established facilities such as the NCSOC, Weerakone argued that regulatory and legal instruments played only a reactive role in tackling cybercrime.
“Law is the last resort for fixing problems. It only comes into effect after a crime has occurred,” he said. “Enforcement is weak, and many victims receive little help. Prevention is far better than trying to handle the aftermath.”
He emphasised that today’s scams relied heavily on social engineering rather than technical exploitation. Scammers craft personalised messages, often using Artificial Intelligence (AI)-generated scripts, fake identities, or even impersonations of public figures to gain trust.
“The nature of the attack has changed. These are human-centric attacks. Technology cannot easily detect personalised conversations on platforms like Facebook or WhatsApp. You can’t read every message,” he said.
According to Weerakoone, empowering young people is a practical and cost-effective way to strengthen nationwide digital literacy. Many youth groups already engage in community-based CSR work, and he believes they can be enlisted to educate older citizens.
“Young, digitally-native people rarely fall for these scams. They can be powerful messengers,” he said. “We should create a campaign where youth tell their parents, aunts, and uncles, ‘This is a scam!’”
He compared this to the once-popular Maliban biscuit road safety advertisement, which became a cultural touchstone. “We need a similar widespread movement,” he said. “Somebody has to do this.”