Sri Lanka is increasingly vulnerable to online scams and identity theft, with more citizens using digital services. Last week, concerns were growing about a ‘phishing campaign’ targeting customers of several Sri Lankan banks via social media posts and ads.
The risk of a focused campaign against Sri Lanka’s banking sector cannot be understated. The risk to personal wealth and financial stability of the victims can also leave them in a dire situation. As such, the Sri Lankan State, the banking sector and public are well to recognise the growing threat and act on it now.
Over the last few weeks, several Sri Lankan banks have been targeted with phishing attack campaigns, and many have reportedly lost millions of rupees, as a result. However, the banks are yet to acknowledge the scale and seriousness of the issue, issuing only warnings regarding access control discipline for its customers.
A phishing attack is an illegal practice of sending fraudulent communications that appear to come from a legitimate and reputable source, usually through email and text messaging. The attacker's goal is to steal money, gain access to sensitive data and login information, or to install malware on the victim's device. This is done to make the would-be victim inadvertently handover their financial information, account details and secret data used to authenticate the account holder to cyber criminals, who then move to rob you of your life savings in a matter of minutes. This could be done remotely, from another country or even on the other side of the world, with little possibility of remedy.
Over the last few weeks, cyber criminals have been posting advertisements on social media platforms such as Facebook and Instagram posing as various reward schemes or lotteries linked to several local private banks, trying to lure unsuspecting customers of the banks to ‘give up’ their financial information and access information through the fraudulent scheme. One such advertisement enticed customers of one bank to join an ‘online survey’ which was designed to steal the username, password of the account holder, and also to record the security feature known as the ‘One Time Password’ commonly referred to as the OTP which the bank dispatched to the customer as a unique authentication number when you access your account or make a bank transfer. Such occurrences in the recent past prompted some banks and local law enforcement authorities to issue warnings about not sharing OTP details with anyone.
Such incidents, many of which likely go unreported, points to a weak approach to the risk that such cyber activities pose in Sri Lanka. Sri Lanka is vulnerable to such cybercrime for multiple reasons; firstly, there is a significant lack of awareness about cybercrime, scams and identity theft in the digital domain, secondly Sri Lankan authorities still do not view cybercrime and cyber security as ‘credible’ and serious threats. This is evident in the appalling manner State institutions, even State financial, law enforcement and security agencies maintain and operate their digital spaces and communications. Lastly, Sri Lanka is yet to formulate, and equip with effective personnel and resources a high-level working group to address such cybercrimes and coordinate effectively with regional and international partners, who can help Sri Lanka in such matters. This, despite successive governments and political will to transform Sri Lanka to a ‘digital economy’ and ‘digitise the State services’. It is indeed a shame, that even though Sri Lanka became a signatory to the 2001 Budapest Cybercrime Convention and ratified in May 2015, our nation still has not got our act together, even nearly after the convention entered our legal system.
It is prudent for Sri Lanka to move quickly to establish well-resourced anti-cyber-crime and cyber security apparatus, as the island nation moves ahead with our digitisation.
Meanwhile, the State must commit to a robust and enduring programme to build awareness about such crimes and information security discipline, especially while in the ‘online’ or digital domain for its citizenry. Such critical matters are taught in school curriculum in many countries, which also includes awareness drives for senior citizens and State sector and bank employees. It is high time that Sri Lanka took the threat seriously.