Sri Lankan citizens and our digital domain have increasingly become vulnerable and today pose a security risk. This week, the Sri Lanka Computer Emergency Readiness Team (CERT) and the Defence Cyber Command issued warnings about the surge in fake messages being disseminated via social media and communication platforms, particularly WhatsApp. Many Sri Lankans who use WhatsApp platform have become victims of online scams and identity theft. The growing trend, which has also seen fake tourists, who arrive in droves to Sri Lanka to target our vulnerable digital systems and exploit unaware users highlight the need for a consolidated national effort to build awareness, introduce sound regulation and resource law enforcement and state entities to enforce such laws to protect Sri Lankans.

This situation has been growing over the last few years. Last month, concerns were growing about a ‘phishing campaign’ targeting customers of several Sri Lankan banks via social media posts and ads. The risk of a focused campaign against Sri Lanka’s banking sector cannot be understated. The risk to personal wealth and financial stability of the victims can also leave them in a dire situation. As such, the Sri Lankan State, the banking sector and public are well to recognise the growing threat and act on it now. This followed several Sri Lankan banks being targeted with phishing attack campaigns in the last three months, and many have reportedly lost millions of rupees, as a result. While some banks are yet to acknowledge the scale and seriousness of the issue, issuing only warnings regarding access control discipline for its customers, it is heartening to see others have begun to take more long-term action.  

According to SL CERT’s, over 340 complaints involving financial scams have been received as of October, for the year 2024. “Up to September, we’ve received 7,210 complaints regarding online scams, with the majority of these linked to social media platforms. When we focus specifically on online-based fraud, around 20% of the complaints involve financial scams. This highlights a growing trend of internet fraud targeting online banking users,” a senior CERT official said, adding that many victims fall prey to scams due to a lack of attention to security measures, particularly with one-time passwords (OTPs). “Many users do not take proper care in safeguarding their OTPs or fail to recognise fraudulent websites. This often results in them being caught in these online banking scams,” he added.

Over the last few months, local authorities have arrested more than 200 Chinese nationals and dozens of other nationalities who they say overstayed their visit visas and engaged in large-scale financial scam operations targeting victims across Asia. Law enforcement authorities are of the view that they mainly target middle-age or elderly citizens. According to the United Nations Office of Drugs and Crime (UNODC) recent report,  "highly sophisticated" Asian crime syndicates ran large-scale scam operations to steal up to $ 37 billion in 2023 in the Asian region. One challenge which law enforcement officials face in combating the issue is that most incidents of such scams go unreported.

Sri Lanka is vulnerable to such cybercrime for multiple reasons. Firstly, there is a significant lack of awareness about cybercrime, scams and identity theft in the digital domain.  Secondly, Sri Lankan authorities did not view cybercrime and cyber security as ‘credible’ and serious threats, until recently and are desperately trying to catch up. This is evident in the appalling manner State institutions, even State financial and some law enforcement agencies operate their digital spaces, public services online and route their communications. More importantly, Sri Lanka is yet to formulate, and equip with effective personnel and resources a high-level working group to address such cybercrimes and coordinate effectively with regional and international partners, who can help Sri Lanka in such matters. This, despite successive governments and political will to transform Sri Lanka to a ‘digital economy’ and ‘digitise the State services’. It is indeed a shame, that even though Sri Lanka became a signatory to the 2001 Budapest Cybercrime Convention and ratified in May 2015, Sri Lanka still has not got our act together, even nearly after the convention entered our legal system. As such, it is prudent for the Government and private sector to move quickly to establish well-resourced anti-cyber-crime and cyber security apparatus, as the island nation moves ahead with our digitisation.  

Meanwhile, the State must commit to a robust and enduring programme to build awareness about such crimes and information security discipline, especially while in the ‘online’ or digital domain for its citizenry. Such critical matters are taught in school curriculum in many countries, which also includes awareness drives for senior citizens and State sector and bank employees. It is high time that Sri Lanka took the threat seriously.