Online Scams in Sri Lanka

Sri Lanka is experiencing an unprecedented rise in online scams and cybercrime. Sri Lanka CERT recorded more than 12,650 cybersecurity complaints in 2025 alone (a sharp increase from prior years) with fake accounts, financial scams, and digital fraud dominating the reports. Sri Lanka Police logged nearly 2,000 cybercrimes in 2025 and made 318 arrests. Cybercriminals are exploiting social media platforms including Facebook, WhatsApp, Telegram, and Instagram to target victims across all demographics; from first-time internet users and the elderly to engineers and banking professionals.

Summary Statistics Table

The 9 Scam Types (January 2026)

Sri Lanka Police officially listed nine categories of prevalent online financial fraud in January 2026:

Detailed 5W Analysis by Scam Category

Crypto & Forex Investment Scams

WHAT: Fraudulent investment platforms advertised on Facebook, Instagram, and Telegram, promising extraordinary daily returns (e.g., 580,000–880,000 LKR daily on an initial 73,000 LKR investment). Scammers use deepfake videos and AI-generated content featuring prominent public figures to appear legitimate.
WHO:

• Victims: Middle-class individuals, working professionals, and social media users seeking supplementary income.
• Perpetrators: Transnational criminal networks; accounts traced to Lithuania, Russia, Ukraine, and other countries.

WHERE: Primarily on Facebook and Instagram; promoted through sponsored ads and Telegram investment groups.
WHEN: Ongoing since at least 2024; intensifying through 2025–2026. A notable crypto fraud arrest occurred in April 2025.
WHY: Sri Lanka’s economic pressures, high unemployment, and increasing digital penetration create a vulnerable population desperate for additional income. The country’s delayed cybersecurity legislation and fragmented law enforcement response allow criminals to operate with relative impunity.
Notable Case: Rs. 230 Million Crypto Fraud (April 2025): The CID’s Cyber Crimes Division arrested a 40-year-old male and a 35-year-old female from the Pannipitiya area on 1 April 2025. They are accused of illegally collecting Bitcoin and Ethereum worth approximately Rs. 230 million via social media platforms. Both were released on bail of Rs. 5 million each with a travel ban imposed.
Notable Case: Deepfake CBSL Governor Scam (March 2025): AI-generated deepfake videos falsely depicted Central Bank Governor Nandalal Weerasinghe endorsing a high-risk financial scheme. CBSL issued an urgent warning and confirmed it has no involvement in any investment scheme. Similar scams used deepfakes of Prime Minister Dr. Harini Amarasuriya and Foreign Minister Vijitha Herath, with the fraudulent ad accounts traced to Lithuania.

Phishing Attacks on Banks & Financial Institutions

WHAT: Criminals create fake websites and social media pages that closely mimic legitimate Sri Lankan banks — particularly Sampath Bank and Nations Trust Bank — to steal login credentials, OTPs, and card details. Some fake sites now feature valid SSL certificates, making them visually indistinguishable from official bank websites.
WHO:

• Victims: Bank customers across all demographics; rural residents, engineers, and upper-middle-class consumers have all been defrauded.
• Perpetrators: Foreign and transnational actors; accounts with links to Russia, Ukraine, Pakistan, and broader South Asia.

WHERE: Instagram and Facebook (sponsored ads), WhatsApp, SMS messages. Over 9,218 financial phishing incidents were detected in Sri Lanka in 2024 alone.
WHEN: 2024 saw an unprecedented escalation; 8.6 million web-based threats and 12.5 million local malware incidents were recorded that year.
WHY: Sri Lanka’s financial institutions lack coordinated incident response planning. The Central Bank only mandated two-hour breach reporting to licensed banks in May 2025 — several years after the threat became acute. Banks place the reporting burden on customers without providing accessible reporting channels.
Notable Case: Cargills Bank Cyberattack (March 2025): The ransomware group Hunters International conducted a cyberattack on Cargills Bank in March 2025, exfiltrating approximately 1.9 terabytes of data across over 1.1 million files. The stolen data includes NIC numbers, passport details, specimen staff signatures, and personal information of job applicants from as far back as 2015. Cargills Bank filed legal action at the Chief Magistrate’s Court of Colombo on April 4, 2025, under the Online Safety Act No. 9 of 2024.

Online Job Scams & Task-Based Fraud

WHAT: Victims are recruited via WhatsApp or Telegram groups with promises of easy income for simple tasks such as rating videos, writing IMDB reviews, or taking screenshots. Initial small payments (400–2,000 LKR) are made to build trust, after which victims are pressured to deposit large sums (often in the hundreds of thousands of rupees) for “advanced tasks” or “commissions.” Once money is transferred, the scammers disappear.
WHO:

• Victims: Youth, unemployed graduates, homemakers, and anyone seeking supplementary income.
• Perpetrators: Organized criminal syndicates, often with foreign involvement. The Negombo ring involved nationals from Pakistan, India, Bangladesh, and Indonesia.

WHERE: WhatsApp groups, Telegram channels, Facebook.
WHEN: Escalated sharply in 2024. In June 2024, a major scam compound was unearthed in Negombo.
WHY: The promise of quick money during an economic crisis with high cost-of-living pressures makes this scam extremely effective. Many victims do not report incidents due to embarrassment.
Notable Case: Negombo Scam Compound (June 2024): A Sri Lankan woman reported being lured into a WhatsApp group promising cash for simple tasks. She was eventually coerced into depositing Rs. 5.4 million. Police traced bank accounts to a father-son duo from Kandy, leading to the arrest of 33 suspects — including foreign nationals from Pakistan, India, Bangladesh, and Indonesia — at a luxury house in Negombo. Authorities seized 57 mobile phones, 13 computers, and 3 laptops. The operation had bases in Dubai and Afghanistan.
Notable Case: Kalpitiya Chinese Nationals (July 2024): Police arrested 54 Chinese nationals and 1 Japanese woman at a hotel in Kalpitiya, Puttalam, on suspicion of running online fraud operations. Over Rs. 10 million in cash and 98 mobile phones, 44 laptops, and numerous SIM cards were recovered.
Notable Case: STX Entertainment Telegram Scam: A Leo volunteer was recruited into a Telegram group under the brand “STX Entertainment.” After completing ticketing tasks and being paid Rs. 5,800, he was demanded Rs. 40,000 as a deposit to continue. When he refused, scammers threatened him in Sinhala using his real name.

Romance Scams & Human Trafficking for Online Fraud

WHAT: Scammers create fake social media profiles on Facebook, Instagram, WhatsApp, and dating apps (Hinge, Boo), cultivate romantic relationships over weeks or months, then request money for fabricated emergencies. A darker dimension involves Sri Lankans being physically trafficked to Southeast Asian scam compounds and forced to run romance scams under threat of violence.
WHO:

• Victims of the scam: Predominantly women, emotionally vulnerable individuals, and the elderly seeking companionship online.
• Forced perpetrators: Sri Lankan young men and graduates lured with fake job offers to Laos, Myanmar, Cambodia; their passports confiscated and forced to scam others.
• Criminal networks: Organized Southeast Asian criminal syndicates operating large-scale compounds.

WHERE: Facebook, Instagram, dating apps, Telegram; physical scam centres in Myanmar, Laos, Cambodia, and the Philippines.
WHEN: From at least 2022 onwards, with a major BBC investigation in April 2024. The UN Human Rights update in March 2026 confirmed Sri Lankan victims remained in these camps through 2025.
WHY: Sri Lanka’s economic crisis drove many young people to seek overseas work, making them easy targets for traffickers promising legitimate IT jobs or data entry positions abroad.
Notable Case: Sri Lankans Trapped in Myanmar (2024): A 24-year-old Sri Lankan was trafficked to Myanmar, stripped, and subjected to electric shocks for refusing to participate in romance scams. Sri Lankan authorities confirmed at least 56 citizens were trapped in four different locations in Myanmar. A 2026 UN OHCHR report confirmed a victim from Sri Lanka described being placed in “water prisons” (immersion in water containers for hours) for failing to meet scamming targets.
Notable Case: Sri Lankan Graduates Trafficked to Laos (2022–2023): A Sri Lankan graduate identified as “Jay” was lured to Bangkok by a friend (paid US$500 commission) and then transported to Laos. His passport was confiscated. He was given eight iPhones, SIM cards, and instructions to create fake profiles on Hinge and Boo to run romance scams targeting US victims via the TextMe app. Daily targets of five phone numbers were set; failure resulted in 20-hour workdays and physical punishment including electric shocks. The SLBFE arrested the main recruiter, who had allegedly defrauded victims of Rs. 1.9 million.

Government & Institutional Cyber Attacks

WHAT: Large-scale ransomware and data breach attacks targeting government infrastructure and state institutions, resulting in permanent loss of sensitive data and public-sector disruption.
WHO:

• Victims: Sri Lanka’s Government Cloud users (5,000 email accounts), Cabinet ministers, and public officials.
• Perpetrators: Unknown hacking group in the 2023 attack (exploited an unpatched Microsoft Exchange vulnerability); Hunters International in the Cargills Bank attack.

WHERE: Lanka Government Cloud (LGC) — gov.lk domain; Cargills Bank digital infrastructure.
WHEN: August–September 2023 (government cloud); March 2025 (Cargills Bank).
WHY: Outdated software (unpatched Microsoft Exchange), delayed upgrade plans due to budget constraints, and lack of daily offline backups allowed the 2023 attack to cause irreversible damage. Inadequate ISO 27001 compliance and insufficient incident response planning enabled the Cargills Bank breach.
Notable Case: Lanka Government Cloud Ransomware (August 2023): A ransomware attack encrypted the Lanka Government Cloud and its backups. All 5,000 gov.lk email accounts permanently lost four months of data (17 May to 26 August 2023). The attack likely began after a government employee clicked a malicious link. The Sri Lankan government refused to pay the ransom.

Online Loan Scams

WHAT: Fraudulent loan advertisements promoted on Facebook, WhatsApp, Instagram, and Google promising “5-minute loans” or “no-repayment loans.” Victims are asked to pay an upfront “service fee” or “registration charge.” In some cases, a small loan is initially disbursed to establish credibility, followed by demands for excessive interest and harassment of the victim’s family.
WHO:

• Victims: Financially distressed individuals, small business owners, and those with limited access to formal banking.
• Perpetrators: Local and overseas criminal operators; SMS spam senders identified as EasyMoneyLK, GoLoanLK, LKR_Quick, Credit_LKR, and others.

WHERE: Facebook, Instagram, WhatsApp, Google Search sponsored results, and via SMS.
WHEN: Active since at least 2021 (CBSL warning issued January 2021); dramatically escalated through 2024–2025.
WHY: Sri Lanka’s post-economic-crisis environment left many citizens with urgent cash needs, while formal loan access remained difficult. Scammers exploit this vulnerability with sophisticated, localized advertising in Sinhala and Singlish.

Online Shopping Fraud

WHAT: Fake Facebook pages and groups advertise products (electronics, clothing, household goods, properties for rent) at attractive prices. Payment is collected via direct bank transfer or cash-on-delivery; products are never delivered. Sellers then block all communication.
WHO:
• Victims: Online shoppers, particularly those purchasing second-hand electronics or rental properties via Facebook Marketplace.
• Perpetrators: Local Sri Lankan sellers as well as organized groups.
WHERE: Facebook Marketplace, Facebook Groups, WhatsApp.
WHEN: Ongoing; widely reported and discussed throughout 2023–2025.
WHY: Lack of buyer protection mechanisms, seller verification, or recourse for victims on Facebook Marketplace enables fraudsters to operate repeatedly.

Foreign Job Scams

WHAT: Unlicensed recruitment agencies advertise fake overseas employment opportunities (factory assistant jobs in Dubai, driver positions in Japan) on Facebook. Victims pay fees, submit personal documents, and may receive forged certificates — but the promised jobs do not exist.
WHO:

• Victims: Job seekers, especially those targeting Middle Eastern and Asian employment markets.
• Perpetrators: Unlicensed agencies, sometimes aided by overseas contacts.

WHERE: Facebook advertisements; physical offices in Colombo suburbs (e.g., Boralesgamuwa).
WHEN: January 2026 arrests highlight continued activity; the problem has been documented for many years.
WHY: High demand for overseas employment combined with limited awareness of SLBFE licensing requirements creates a large pool of vulnerable job seekers.
Notable Case: Boralesgamuwa Raids (January 2026): The SLBFE Special Investigation Division arrested five individuals across two raids on January 8, 2026. “Order Solutions” advertised Dubai factory jobs on Facebook without an SLBFE license. “Samurai Japanese Language Center” advertised Japan driver jobs using forged school principal seals, government revenue officer seals, and fabricated O/L and A/L certificates.

Lottery & Prize Scams

WHAT: Victims receive WhatsApp messages or phone calls informing them they have won a large cash prize (often millions of rupees). To claim the prize, they are told to pay “tax” or “processing fees.” The promised prize never materializes.
WHO:

• Victims: Elderly individuals and those unfamiliar with online scam tactics.
• Perpetrators: Call-centre-style operations; some linked to overseas networks.

WHERE: WhatsApp, phone calls, SMS.
WHEN: Ongoing and reported consistently in police advisories through 2025–2026.
WHY: The promise of sudden wealth and the perceived legitimacy created by official-sounding “prize officers” exploit cognitive biases, particularly in less digitally literate demographics.

Master Scam Case Reference Table

2026 Scam Cases

Regulatory & Institutional Response

Sri Lanka’s response to cybercrime has been reactive and fragmented. Sri Lanka CERT (cert.gov.lk) handles reporting but lacks accessible pathways for ordinary users via WhatsApp, Facebook, or SMS; the very platforms where scams proliferate most. FinCSIRT is focused on hardware and infrastructure issues rather than phishing campaigns and social engineering fraud.
The Central Bank of Sri Lanka mandated that licensed banks report IT incidents, cybersecurity breaches, and online scams within two hours of detection — a directive issued in May 2025 following the Cargills Bank breach. The Online Safety Act No. 9 of 2024 has been invoked in legal proceedings, but comprehensive enforcement remains limited.
Sri Lanka Police’s CID Cyber Crimes Division (CCID) handles cybercrime investigations, with contact numbers: Deputy Director: 011-2300638; Officer in charge: 011-2381058.

Key Protective Measures

Sri Lanka Police advise the public as follows:

• Never share OTPs, passwords, PINs, or bank details with anyone under any circumstances
• Do not transfer money to unknown individuals based on social media promises
• Verify official pages for verified badges before engaging
• Avoid downloading apps or browser extensions from unknown sources
• Do not click on suspicious links received via SMS, Messenger, or WhatsApp
• For overseas job offers, verify agency licensing through SLBFE
• If you suspect fraud, immediately report to the CID Cyber Crimes Division