BEWARE THE DIGITAL DECEIVERS: Staying safe from cyber scams in Sri Lanka


08 Jul 2025 | By Dulan Dissanayake


Have you ever received a strange text message from your bank or an urgent phone call about a problem with your account? In today’s connected world, many of us face cybersecurity threats that are as crafty as they are invisible.

These modern con artists lurk online, using emails, social media, and even artificial intelligence to trick people into giving away money or personal data. In 2023, a ransomware attack wiped out four months of government data because malicious links fooled officials, and there were no backups to restore the lost data.

From phishing emails to high-tech deepfake videos, the tactics are getting more sophisticated. The good news is that by understanding how these scams work, we can all learn to spot the red flags and protect ourselves.


Phishing: Don’t take the bait


One of the most common scams is phishing, which is like a digital con game. Scammers send you messages, often via email or SMS, that look like they’re from a trusted company or person, but they’re fakes.

The goal is to “hook” you into clicking a malicious link or giving away sensitive information. For example, you might get an email that appears to be from your bank asking you to “verify your password” or an SMS saying “your account will be closed unless you click the link immediately.”

These messages often create a sense of urgency or fear, so that you react without thinking. In reality, the link leads to a bogus website that steals your username, password, or credit card number.

Phishing is a global problem; hundreds of thousands of people worldwide fall victim each year, and it’s often the starting point for bigger attacks. The massive cyber-attack on Sri Lanka’s government cloud in 2023 began when attackers sent infected links to officials, leading to a major data breach. It shows that just one careless click can have huge consequences.

Modern phishing messages have become harder to spot. In the old days, you might notice poor grammar or strange email addresses and realise, “this looks suspicious.”

But now scammers can even use AI tools like ChatGPT to write scam emails that read perfectly. The language is so polished that it “may look very real”, eliminating the usual red flags of bad spelling or awkward phrasing.

This means we have to be extra vigilant. Whether it’s an email claiming you’ve won a prize or a text about a “problem” with your bank account, pause and inspect it closely.

Never click links or download attachments from unsolicited messages. If you think it might be genuine, contact the company directly using an official phone number or website (not the one in the message) to double-check. This simple step can save you from walking into a trap.

Phishing scams often use authentic-looking emails and login pages to lure people into entering their passwords or credit card numbers. Always be sceptical of unsolicited messages asking for personal information.

Phishing isn’t limited to email. Scammers also use voice calls (“vishing”) and text messages (“smishing”). You might get a call from someone pretending to be from your bank or a government office. They’ll sound professional and might even already know a bit about you.

The caller could say, “there’s a problem with your account. I need to verify your one-time password.” This is a huge warning sign - no legitimate bank or official will ever ask for your OTP (one-time password) over the phone.

Authorities have repeatedly warned the public not to share these banking verification codes with anyone. Why? Because once scammers have your password or OTP, they can log in to your accounts and drain your money.

Often, they try to log in while keeping you on the line; when the OTP is sent to your phone, they immediately ask you to read it out, claiming it’s needed to “fix” the issue. In reality, they are using it to break into your account.

As the Central Bank of Sri Lanka cautions, giving away such confidential details puts you in “grave financial peril”. The rule here is simple: if someone contacts you out of the blue and asks for passwords, PINs, or OTPs - don’t do it. Hang up and call the institution back on its official hotline to confirm.


Deepfakes and AI scams: When seeing (or hearing) is not believing


Imagine scrolling through Facebook and seeing a video of a well-known figure enthusiastically endorsing a get-rich-quick investment.

In March 2025, Sri Lankans experienced exactly that - a video spread on social media showing Central Bank Governor Nandalal Weerasinghe apparently promoting an “extraordinary” financial scheme. It looked authentic, but it was a lie.

The Central Bank soon warned that fraudsters had created AI-generated deepfake videos of the governor to dupe the public. In these fake clips, the governor’s likeness and voice were manipulated to make it seem like he was vouching for a bogus investment that promised unrealistically high returns.

This is a new breed of scam: Criminals use artificial intelligence to create deepfakes - hyper-realistic fake videos or audio - to impersonate trusted individuals. It’s like a hi-tech puppet show where someone wears a digital mask of another person.

Deepfakes are not just a problem for public figures; they can be used to target regular people like us too. Scammers have started using AI to clone voices and create fake phone calls.

A shocking example from the United States shows how frightening this can be: An Arizona mother received a call and heard her teenage daughter’s voice sobbing that she’d been kidnapped and needed ransom money.

It was every parent’s worst nightmare - except it wasn’t real. In minutes, she confirmed her daughter was safe and realised the kidnappers had used an AI voice generator to mimic her child’s voice. With just a short recording (maybe from a social media video or a voicemail), today’s technology can produce a voice copy that fools even a parent.

Experts warn that “anyone with the right software can clone voices in just a matter of seconds”. So if you get an alarming call from a loved one that doesn’t quite make sense, be cautious - it could be a high-tech hoax.

Businesses aren’t immune either. In 2024, an employee at a company in Hong Kong got a video call that seemed to be from a Senior Officer, instructing her to urgently transfer funds. The video showed the boss’s face and even had his voice- nothing unusual for a company video conference.

Trusting what she saw, she followed the orders and wired 200 million Hong Kong dollars (about $25 million) to various accounts. Only after the call did she realise something was off: The real Senior Officer had never made that call.

It turned out to be a deepfake video conference scam, where fraudsters used AI to impersonate the Senior Officer in a live call. Hong Kong police noted that the scammers even populated the fake meeting with multiple familiar faces to make it believable.

This international case shows the lengths to which criminals will go - and how convincing AI fakes can be. The lesson for all of us, whether at home or work, is “don’t trust your eyes and ears alone.” If an unexpected request comes, even in a video meeting, double-check through other channels.


Mobile banking scams and identity theft: Guarding your personal data


With nearly everyone using smartphone applications for banking and payments, mobile banking scams have become rampant. Many of us in Sri Lanka rely on mobile applications or online banking for convenience.

Cybercriminals know this and try to exploit any opportunity. Apart from the OTP tricks we discussed, they set up fake banking applications or websites that look identical to the real ones.

For instance, you might search for your banking application and accidentally download a counterfeit version that secretly steals your login details. Or you might get a text saying “Your account has a security issue, tap this link to secure it”, which leads to a fake login page. Once you enter your username and password, the scammers have it - and they may use it along with an OTP (if they trick you into giving that as well) to rob your account.

Always make sure you download banking applications from official app stores and verify the publisher, and never install applications sent by random links or WhatsApp messages.

Another big risk is identity theft - when criminals steal your personal information and use it to impersonate you. In the digital age, our personal data (name, National ID number, date of birth, phone numbers, and more) is stored in many places, from government databases to bank records and even on our own phones.

If that data gets exposed, scammers can do serious damage. A recent example in Sri Lanka was the massive data breach at a private bank in early 2025. Hackers broke into Cargills Bank’s systems and stole about 1.9 terabytes of data, including sensitive customer information - National Identity Card numbers, passport details, even copies of signatures.

It was one of the largest data breaches in Sri Lankan history, and the stolen files were published online for other criminals to exploit. Think about what someone could do with those details: Open credit lines in your name, take over your accounts, or create very convincing scams targeted at you.

When such breaches happen, experts advise affected people to immediately change their passwords, watch their bank statements, and be extra alert for any unusual activity.

Even if you weren’t part of a breach, it’s wise to assume that some of your personal data might already be floating around the dark web due to past leaks somewhere.

Stolen personal data also fuels social engineering attacks - that is, cons where the scammer knows enough about you to gain your trust. They might call citing your NIC number or mention your utility bill details (possibly leaked from a hacked system) to sound legitimate, then trick you into revealing more info or making a payment.

In one common ploy, fraudsters call people and pretend to be from the electricity board or water board, claiming you’re overdue on payments and that your service will be cut off in an hour unless you pay immediately via an online method.

Under pressure, some victims rush to comply, not realising it’s fake. Always remember, official agencies don’t threaten instant disconnection over the phone and demand instant online payment - those are tell-tale signs of a scam.

Take a moment to breathe, look up the official customer service line, and verify the story. Nine times out of ten, you’ll find there is no such emergency.

Finally, be cautious on social media. Many of us love sharing updates, but oversharing can expose you to fraud. Posting your birthday, your new phone number, or your mother’s maiden name might seem harmless - until you realise those are common security verification questions.

Scammers also create fake profiles to befriend people and extract personal info over time (a practice called “social phishing” or even romance scams in some cases).


Tips to stay safe online


It can feel overwhelming to face these digital dangers, but a few practical habits will go a long way in keeping you safe. Here are some simple steps to make yourself a harder target for cyber scams:

  • Think before you click: Treat any unsolicited email, message, or call with caution. If a message creates panic or urgency, that can be a red flag. Verify through official channels instead of clicking links or calling back numbers provided in the message.
  • Protect your login info: Never share passwords or OTPs with anyone. Banks, government offices, and reputable companies will never ask for your full password or an OTP over the phone or via email. If someone does, it can be a scam - no matter how convincing their story is.
  • Use strong passwords and 2FA: Use unique, hard-to-guess passwords for each account (or a reputable password manager to help you). Enable two-factor authentication (2FA) wherever possible - this adds an extra layer of security by requiring a code sent to your phone or email.
  • Update and secure your devices: Keep your smartphone and computer updated with the latest software patches. Updates often fix security issues that hackers exploit. Also, install a trusted antivirus app on your devices and only download applications from official app stores.
  • Limit personal data sharing: Be mindful of what personal details you share on social media or public forums. The less you reveal publicly, the less fuel you provide for identity thieves. And remember to review privacy settings on your social profiles so strangers can’t see sensitive info.
  • Stay informed and teach others: Cyber threats evolve, so staying informed is key. Keep an eye on news about new scams targeting Sri Lankans. Share what you learn with your family, friends, and colleagues - you might save someone from falling victim. Even a quick chat with your parents or children about a new scam can make a big difference.


Staying vigilant in a digital world


In Sri Lanka’s fast-paced society, it’s easy to get caught up in work and family responsibilities and assume that cybercrime is something that happens to “other people.” But as we’ve seen, anyone with a phone or internet connection can be targeted - from a young adult banking through a mobile app to a retired senior scrolling Facebook.

The key defence is awareness. By knowing how phishing works or recognising that a “too-good-to-be-true” investment video is likely a deepfake, you empower yourself to slam the door in scammers’ faces. It’s a bit like learning to drive defensively on chaotic roads: you hope for the best but watch out for the unexpected.

Perhaps the most important advice is to trust your instincts. If something feels off or too perfect, take a moment to question it. That pause can prevent a costly mistake. Cyber criminals often prey on our autopilot reactions - clicking without thinking, rushing to resolve a fake crisis, or being too polite to hang up on a stranger.

Give yourself permission to slow down. It’s better to double-check and be safe than to be hurried into a scam. Remember, staying safe online doesn’t require technical expertise; it requires a bit of scepticism and a willingness to verify things. Just as you’d lock your front door at night, learn to lock down your digital life by staying alert.

In the end, combating these digital deceivers is a shared responsibility. Companies and authorities in Sri Lanka are stepping up cybersecurity, but each of us has a role to play by staying informed and cautious. By spreading the word and practicing these safety habits, we can build a community that’s one step ahead of the scammers.

In this digital age, awareness is our best armour - and it ensures that we can enjoy the benefits of technology without falling victim to its risks. Stay safe out there, and don’t let the cyber con artists win.

(The writer is a Software Architect with over 15 years of experience in software development (Sri Lanka, Singapore, and the UK).)

------------------------------

(The views and opinions expressed in this article are those of the author, and do not necessarily reflect those of this publication.)


