Protecting yourself from online banking frauds in Sri Lanka

Monday, 25 May 2026 00:33

 


The use of digital banking services in Sri Lanka has increased rapidly over the past few years. Today, thousands of customers use mobile banking apps, internet banking platforms, QR payments, and online fund transfer facilities for their daily financial activities. While these services offer convenience and speed, there has also been a noticeable increase in online financial fraud targeting banking customers across the country.

It is important for the public to understand that, in most cases, these frauds do not occur because a bank’s system has been hacked. Instead, fraudsters succeed by deceiving customers into voluntarily providing confidential information such as usernames, passwords, PIN numbers, credit/debit card details, or One-Time Passwords (OTPs).

One of the most common scams currently seen in Sri Lanka involves fake SMS messages, WhatsApp messages, Facebook advertisements, emails, or phone calls claiming to be from a bank or financial institution. Customers are often informed that:

  • their account has been suspended,
  • a security update is required,
  • a refund or reward is pending,
  • their ATM card will be blocked, or
  • an urgent verification is needed.

These messages usually contain a link directing customers to a fraudulent website designed to closely resemble the official online banking page of a Sri Lankan bank. Once the customer enters their login credentials or OTP, fraudsters immediately gain access to the account and may transfer funds within minutes.

In some cases, fraudsters impersonate bank officers, Central Bank representatives, police officers, or even officials from government institutions. They attempt to create fear or urgency so that customers act without properly verifying the authenticity of the request.

Customers should remember one important fact: no bank in Sri Lanka will ask for your internet banking password, PIN number, CVV number, or OTP over the phone, through SMS, WhatsApp, email, or social media.

To reduce the risk of becoming a victim of fraud, customers are strongly advised to follow several important safety practices.

 

Use only official banking channels

Always access internet banking through the official mobile banking app of your bank or by manually typing the bank’s official website address into your browser. Avoid clicking on links received through SMS, email, WhatsApp, or social media advertisements.

Even when using search engines such as Google, customers should exercise caution, as fraudsters sometimes create fake advertisements or misleading links that appear above genuine search results.

 

Verify website addresses carefully

Before entering any banking credentials, carefully check the website address. Official banking websites usually begin with “https://” and display a secure padlock symbol in the browser. However, fraudulent websites can sometimes display these features too, so they are not proof that a site is genuine; customers should pay close attention to spelling variations and unusual website names.

 

Never share OTPs

One-Time Passwords (OTPs) are meant strictly for the account holder. Sharing an OTP with another person is effectively authorising a transaction. Fraudsters often call customers pretending to “assist” with a problem while requesting the OTP sent to the customer’s phone. Once disclosed, funds can be transferred immediately.

 

Protect your mobile device

Since many Sri Lankan customers now rely heavily on mobile banking apps, securing mobile devices is essential. Customers should:

  • keep phones updated with the latest software,
  • avoid downloading applications from unknown sources,
  • use screen locks and biometric security features,
  • avoid using public Wi-Fi for banking transactions, and
  • install trusted antivirus or security applications where possible.

 

Be careful on social media

Fraudsters increasingly use Facebook pages, Instagram advertisements, TikTok promotions, and WhatsApp groups to promote fake investment opportunities, loan schemes, or banking-related promotions. Customers should verify such offers directly with the relevant bank or financial institution before responding.

 

Immediate action can minimise losses

If you suspect that your banking credentials have been exposed or that unauthorised access has occurred, immediately:

  • contact your bank’s hotline,
  • request temporary blocking of online banking or cards if necessary,
  • change passwords immediately, and
  • report the incident to the relevant authorities.

Many Sri Lankan banks now operate 24-hour customer support lines specifically to handle urgent fraud-related matters.

Public awareness is the strongest defence

Banks in Sri Lanka continue to invest heavily in cybersecurity systems and fraud monitoring technologies. However, customer awareness remains the most effective protection against online financial fraud.

In today’s digital environment, cybercriminals rely more on human error than technological weakness. A few seconds of caution before clicking a link or sharing information can prevent severe financial loss and emotional distress.

As digital banking continues to grow in Sri Lanka, the responsibility for maintaining security must be shared by both banks and customers. Staying informed, alert, and cautious is the best defence against online fraud.


(The author is Past President and Advisory Council Member - Association of Professional Bankers Sri Lanka)
