Scams and crime: Trust, vulnerabilities exploited by modern con artists


28 Jun 2026 | By Danara Kulathilaka and Kenolee Perera


  • 300–400 scam reports filed with Sri Lanka CERT each month 

In an era where economic recovery is on everyone’s mind, Sri Lankans are increasingly turning to digital solutions for banking, shopping, and alternative means of income.  

While ease of access and several other benefits are reaped from such services, this digital leap has come with a predatory shadow: online scams run rampant across the country, preying on citizens of all ages by adopting the likeness of reputable institutions.

A more recent scam is also sweeping Sri Lanka, with voice phishing (also known as ‘vishing’) scams pressuring victims into sending money under the guise of trusted personnel – all with the use of generative Artificial Intelligence (AI) technology.

 

The situation at present


According to the Information Communication Technology Agency (ICTA), voice phishing is a form of cyberattack leveraging voice and telephony technologies to deceive targeted individuals into disclosing sensitive information to unauthorised parties.

When contacted by The Sunday Morning, Sri Lanka Computer Emergency Readiness Team (Sri Lanka CERT) Lead Information Security Engineer Charuka Damunupola noted that several different internet-related scams had been reported over the past few months, averaging around 300–400 monthly. Such cases span a variety of categories, from parcel to One-Time Password (OTP) to phishing scams and more.

Damunupola explained: “The scams are relatively similar to previous years, but we see a number of different scams on the rise. They are mainly taking place through social media platforms like Facebook and Instagram, and messaging apps such as Messenger and WhatsApp as well.”

Criminal Investigation Department (CID) Computer Crime Investigation Division Woman Superintendent of Police (WSP) Chandima Arumaperuma stated that reports regarding online scams such as vishing were still being processed, with over 25 incidents having been reported within the past four to five months.

“By now, about 25 complaints have come to us. There must be several being filed at Police stations too. When financial scams involve relatively small amounts, we advise victims to report them to Police stations, and for larger amounts, to the Computer Crime Investigation Division,” she said, noting that several investigations and inquiries were being made into such complaints at present.

 

How scams operate

 

Although several different online scams have been identified, vishing thus far seems to follow a standard pattern: scammers impersonate official personnel, such as bank and Police officers, and intimidate or frighten victims into doing their bidding.

According to Damunupola, scammers have generally been targeting personally identifiable and sensitive information such as full names, dates of birth, National Identity Card (NIC) numbers, passport numbers, and more. Scammers also predominantly seek financial information, such as credit card or debit card details, and other details that allow them to look into an individual’s online banking accounts and steal money from them. “They are looking for crucial things, such as passwords and OTPs as well,” he said.

He added that different techniques were being used by such scammers, especially during significant events such as Independence Day or New Year’s celebrations.

“For instance, scammers circulate messages pretending to be different organisations, especially Government organisations, and state that the user or victim has violated traffic rules. The messages direct victims to pay the particular fine by navigating and logging into a website that has been created to resemble the official GovPay site,” Damunupola explained.

Another strategy implemented by such scammers has been to weaponise an individual’s psychology by introducing urgency into the scam; this is typically done either by pretending that an accident has happened to a loved one or by claiming that an unbelievable discount has been granted for an item or service.

Damunupola noted that such situations often exploited psychological factors, prompting victims to expose sensitive information without thinking clearly. “They might call and pretend to be your child’s teacher, saying that your child has been involved in an accident; they create an emergency situation in order to get you to act quickly.”

Digital Trust Alliance Founder Lakmal Embuldeniya noted: “Urgency is the most commonly used technique.” Fraudsters impose tight deadlines, using the high-pressure environment to strip their targets of their critical thinking, leaving them highly vulnerable to exploitation.

WSP Arumaperuma also explained that scammers had been appearing as Inspectors of Police (IPs) or Superintendents of Police (SPs) using generative AI.

“Uniforms, caps, etc. are created with AI. Even the Police environment is shown when video scam calls take place,” she said. “Fraudsters also initially present themselves as bank officers, telling victims that they have to make an overdue credit card payment or something similar. Thereafter they say that the matter has been referred to the Police as a case of financial fraud, money laundering, or links to organised crimes. Basically, they frighten them.”

Using fear as a tactic, such scammers also threaten victims into depositing money by using their assets and even family members as collateral.

 

Vulnerable groups

 

While most people are equally vulnerable to the schemes being conducted by online scammers, there are specific groups being targeted. Beyond data leaks, local vulnerability is heavily driven by consumer digital habits and a cultural desire for ‘free’ digital commodities. Many smartphone users routinely download unverified applications or casually click on pop-up ads, unknowingly granting intrusive permissions to their devices.

Damunupola noted that scammers used different tactics based on the types of accounts and audience. Strategies differ depending on whether they are targeting a bank account belonging to younger individuals or older citizens, with lures such as work-from-home opportunities or overseas employment frequently used.

“It is important that everyone is aware of these schemes, regardless of their profession, education levels, or age,” he stressed.

Embuldeniya also stressed the need for greater awareness on such topics, noting that a lack of knowledge on such dealings contributed to individuals being victimised by online scams. “One reason why phone scams are more prominent is that as soon as you receive a call, the scammer is using the urgency tactic; you have very little time to think,” he said.

 

Pensions Dept. data leak: Is there a connection?

 

Embuldeniya also noted that while anyone could fall victim to these tactics when caught off guard, the sudden surge in successful scams targeting Sri Lanka’s elderly population was not accidental. According to him, it is directly linked to a dark underworld of historical data breaches, with one such major security failure having taken place more than a year ago, involving a massive leak from the Department of Pensions database.

He warned: “When it comes to any pensioners who are beyond the age of 65, the Pensions Department’s database that was leaked contained extensive information, including details of the pensioners, as well as their spouses and children. It also included bank details, phone numbers, and other contact details. This data is still available for access.”

By harvesting names, NIC details, and direct contact numbers from persistent data breaches, scammers are able to construct highly personalised, high-trust psychological traps. Embuldeniya emphasised that this created a compounding, dangerous ripple effect across the country. “These things don’t happen out of the blue. They happen because there was a leak previously, and using that leaked information, scammers access phones, contact lists, etc.”

The incident referred to by Embuldeniya, in which the Pensions Department experienced a ransomware attack on its computer system that compromised pensioner data, was first reported to Sri Lanka CERT in April 2025. The attack was later linked to Cloak Ransomware, a cybercrime group that first emerged in late 2022 and has since been linked to more than 100 attacks globally.

 

Improving cyber awareness  

 

Experts argue that Sri Lanka’s current approach to public cyber education is fundamentally flawed because it is reactive rather than continuous. State institutions and law enforcement routinely roll out warning campaigns only after a massive wave of fraud has already claimed victims and filled Police blotters.

Embuldeniya said: “It is only when the Police or relevant authorities step into the picture and talk about such things that they start receiving complaints. However, awareness is something that has to be ongoing.” 

According to him, the lack of consistent, daily engagement creates a dangerous vulnerability gap; when an engineered crisis hits a distracted consumer, even technical training offers little defence.

Embuldeniya noted that the situation extended directly into Sri Lankan households through unmonitored digital habits, where parents frequently handed smartphones to children who unknowingly granted system access to malicious applications by simply tapping brightly coloured, deceptive pop-up advertisements.

Damunupola emphasised that users must verify sources that offered services or items before engaging with them. “Whether they claim to be an organisation, whether Government or otherwise, you can contact them directly and verify the story behind a particular message,” he said. He stressed the importance of investigating links to any website sent by unknown numbers.

Damunupola also drew attention to the privacy and security settings available on social media apps that helped safeguard personal photos and information.

“Although people use smartphones and most of the population is on social media, the number of cases is rising. The main reason behind this is the lack of awareness, especially on online safety,” he noted. As such, online safety practices such as using strong passwords for online accounts, enabling two-step verification, and properly configuring privacy and security settings on social media are crucial in today’s digital context.

WSP Arumaperuma further advised the public to remain vigilant, urging citizens to treat all unsolicited digital banking communications with absolute scepticism. “Even if they claim that they are from the Police, do not be deceived. Go to the nearest Police station or law enforcement unit and make a complaint,” she said.

 

Box: 

A victim’s report  

Sriyani, 49, from Horana, described how she and her husband narrowly escaped being victims of an online scam involving a fraudulent traffic fine notification that appeared highly convincing due to the amount of personal information it contained.  

According to Sriyani, her husband had received a message stating that their car had been caught speeding in Colombo and that a fine of around Rs. 7,000 had to be paid within two days. The notice further stated that the fee would triple if payment was not made by the deadline.

“When we saw it, we honestly panicked. We thought we had to pay Rs. 7,000 within two days,” she said. 

However, Sriyani added that her son became suspicious and had begun to investigate further. “He checked the date mentioned in the message, and then we realised that we had not even been to Colombo on that date,” she said. 

“Otherwise, we honestly would have believed it was real. It had our phone number and vehicle registration number, and everything else matched up. We naturally thought, ‘Why wouldn’t it be real?’” Sriyani said. 

She stressed that the message appeared legitimate because it included detailed personal information such as the vehicle registration number, phone number, and name of the registered owner.

“It had everything, which is exactly why we thought it was real. That information is only with the Department of Motor Traffic. We didn’t think it could be fake,” she said.

She added that if they had actually travelled to Colombo on the date specified, they would undoubtedly have made the payment.

“If we had been to Colombo that day, we would have assumed that we had been driving too fast at some point and would have made the payment. It was only because we had not gone there that we became suspicious,” Sriyani said. 

Upon checking further, her son had discovered that the account to which the payment was to be made was linked to Morocco. “He was the one who figured out it was a scam. If we hadn’t had a child at home who knew how to check these things, we definitely would have paid the money,” she said. 

The family had also contacted a local Police officer attached to the traffic division for clarification.

“We called him and asked about it. He told us that, as far as he knew, there was no such system in place and that he would check. Then he confirmed that no such messaging system existed,” she said. 

Sriyani further noted that warnings about the same scam were broadcast on television the next day. 

“Later we saw the news advising people not to pay these fines. That is how we confirmed it was a scam. We received the message before it was even mentioned on the news,” she added.

She called for stronger safeguards for the public, particularly for older citizens who may be unfamiliar with online scams, warning that many others may easily fall prey to similar schemes.

“There must be so many others falling for this. We certainly would have fallen for it too if our son had not checked. There should be some kind of system in place to protect people like us from such things,” she said.


