Fighting fire with fire: How AI and Generative AI can defend South Asia against cybercrime

In March 2026, the national carrier, SriLankan Airlines, discovered that AED 974,000 — roughly Rs. 87 million — had been wired to a fraudulent bank account. The method was not a sophisticated hack. A Dubai-based supplier’s email account had been compromised, and the attackers simply altered the bank account details in what appeared to be a routine payment instruction. The airline processed the payment in good faith. The money vanished.

This was not an isolated case. In Sri lanka, over the same period, the Treasury lost $ 2.5 million 

 through an almost identical technique — a Business Email Compromise (BEC) attack that diverted five instalments of a bilateral debt repayment to Australia into a fraudulent account in Delaware. The Department of Posts reportedly lost $ 625,000 the same way. NDB Bank disclosed a Rs. 13.2 billion fraud exposure. People’s Bank flagged a Rs. 656 million remittance system error. The Aswesuma welfare programme issued Rs. 248.79 million in duplicate payments due to a system glitch.(Sources said : officials  media statement)

Sri Lanka is not uniquely vulnerable. It is simply the latest country in South Asia to illustrate, painfully and publicly, that the region’s rapid digital transformation has outpaced its digital defences. India recorded over 2.8 million cybercrime complaints in 2025, a 24% increase from the previous year, with total financial losses reaching Rs. 22,495 crore. Investment scams alone accounted for over 75% of those losses. Deepfake-based impersonation fraud in the Indian banking sector has surged by 550% since 2019, according to industry reports.

The question is no longer whether South Asia has a cybercrime problem. The question is whether the region can use the same technology — artificial intelligence (AI), 

 and specifically generative AI to fight back.

The anatomy of the threat

To understand how AI can help, one must first understand the nature of the attacks now targeting the region.

The most damaging incidents in South Asia in recent months have not involved firewalls being breached or servers being hacked. They have involved emails. Carefully written, patiently timed emails that exploit the gap between how institutions communicate and how they verify what they receive. The Sri Lankan Treasury hack is a textbook case: attackers infiltrated the email system of the External Resources Department and sent payment instructions that looked entirely legitimate, complete with authorised signatures that were later found to have been fraudulently generated. No malware was deployed. No password was cracked. The system trusted email more than it should have.

This pattern — Business Email Compromise (BEC) — is now the single most financially destructive category of cybercrime globally. And it is becoming far more dangerous because generative AI allows attackers to produce convincing correspondence in any language, mimic writing styles, clone voices for phone verification, and even generate synthetic video of executives authorising transactions. Scam centres in Southeast Asia are already deploying multilingual AI chatbots that allow a single operator to run dozens of scam conversations simultaneously, each tailored to the victim’s language and context.

Meanwhile, South Asia’s digital infrastructure remains largely undefended against these threats. Sri Lanka’s Computer Emergency Readiness Team handled over 12,650 cyber complaints in 2025, but the country’s outdated cybercrime laws do not effectively address modern fraud methods. India’s CERT-In requires cyber incidents to be reported within six hours, but enforcement remains inconsistent and conviction rates in many states remain below 20%.

AI as shield: Five practical solutions

The good news is that the same AI technologies being weaponised by criminals offer powerful defensive capabilities. Here are five concrete ways AI and generative AI can be deployed as solutions across South Asia.

Intelligent email and payment verification. The Business Email Compromise (BEC) attacks that devastated Sri Lanka’s Treasury and Sri Lankan Airlines shared a common vulnerability: payment instructions received via email were processed without independent AI-powered verification. Modern AI-driven email security systems use behavioural analysis to learn how an organisation normally communicates — who writes to whom, at what times, using what tone and vocabulary, requesting what types of transactions. 

When something deviates from the pattern — a supplier suddenly requesting a change of bank account, a payment instruction arriving from an unusual IP address, a writing style that subtly differs from the genuine sender — the system flags the anomaly in real time, before money moves. This is not hypothetical. Enterprise platforms using such behavioural AI are already securing over $ 200 billion in B2B payments globally. South Asian governments and state-owned enterprises should adopt these systems as standard infrastructure, not optional upgrades.

AI-powered transaction monitoring and anti-money laundering. Traditional rule-based systems for flagging suspicious transactions generate enormous volumes of false positives — sometimes over 95% — overwhelming compliance teams and allowing genuine fraud to slip through. Machine learning models trained on vast datasets of financial behaviour can detect complex patterns that manual methods would miss: unusual wire transfer sequences, accounts that suddenly begin receiving funds from multiple jurisdictions, transaction volumes that deviate from established customer behaviour. These systems continuously learn and adapt, evolving alongside new fraud tactics rather than relying on static rules written for yesterday’s threats. For South Asian central banks and financial regulators, AI-powered transaction monitoring represents perhaps the single most impactful investment in financial crime prevention.

Deepfake detection for identity verification. As banking and government services increasingly move online, the verification of identity through video and voice has become both essential and vulnerable. AI-generated deepfakes can now produce realistic facial movements synchronised to speech, clone voices from short audio samples, and create synthetic identities that combine real documents with fabricated biometric data. The defence must be equally sophisticated. 

Advanced AI liveness detection systems now analyse facial micro-signals, detect artefacts produced by generative adversarial networks (GANs), and verify that video feeds genuinely come from a device camera rather than a pre-rendered injection. Indian developers have already built platforms achieving 99% accuracy in detecting synthetic media through heatmap analysis, metadata verification, and confidence scoring. These tools should be integrated into banking KYC processes, government identity verification systems, and law enforcement workflows across the region.

Natural language processing for scam detection at scale. Generative AI can analyse the content of messages, social media posts, and online advertisements to identify scam patterns at a scale impossible for human reviewers. An AI system trained on the linguistic patterns of investment scams, romance frauds, “digital arrest” schemes, and phishing campaigns can scan millions of communications and flag likely fraudulent content before victims engage. This approach is particularly relevant for South Asia, where the explosion of vernacular-language internet use means scams now operate in dozens of languages and dialects. Large language models capable of understanding Sinhala, Tamil, Hindi, Bengali, and Urdu can extend protective coverage to populations that traditional English-centric security tools have left exposed.

Predictive threat intelligence and network analysis. AI excels at identifying connections across large datasets — tracing financial flows between seemingly unrelated accounts, mapping communication networks between suspected scam operators, and predicting likely targets based on emerging patterns. When Sri Lankan authorities raided scam centres across Colombo, Negombo, and other districts in early 2026, they found operations run by nationals from China, Vietnam, Indonesia, Malaysia, Cambodia, India, and Taiwan. Mapping these transnational networks and predicting their next moves requires the kind of pattern recognition that AI performs far more effectively than manual investigation.

What South Asian governments should do

Technology alone will not solve this problem. The region needs a coordinated approach combining AI deployment with institutional reform.

First, governments should mandate AI-powered payment verification for all state institutions processing international transfers. The fact that Sri Lanka’s Treasury was processing multi-million-dollar payments based on email instructions without automated anomaly detection is an institutional failure, not merely a technological one.

Second, South Asian nations should establish a shared regional cybercrime intelligence platform, using AI to aggregate and analyse threat data across borders. Cybercriminals do not respect national boundaries. The scam centres discovered in Sri Lanka were staffed by nationals of seven different countries. India’s I4C coordination centre offers a model that could be extended regionally.

Third, the region needs investment in AI literacy and cybersecurity training at every level — from government treasury officials to village-level digital service users. India’s 1930 cybercrime helpline and the “Pause, Verify, Report” model promoted by some state police forces represent a start, but digital hygiene education must keep pace with digital adoption.

Fourth, regulatory frameworks must be updated to address AI-enabled crime specifically. Laws written for an era of simple phishing cannot adequately address deepfake impersonation, AI-generated synthetic identities, or autonomous attack campaigns.

The race that matters

Trend Micro has predicted that 2026 will mark the year AI-powered cybercrime becomes fully autonomous — capable of independently conducting reconnaissance, discovering vulnerabilities, exploiting weaknesses, and monetising attacks without human intervention. If that prediction holds, the window for South Asia to build its AI defences is narrowing rapidly.

The incidents documented in this article — the Sri Lankan Treasury heist, the Sri Lankan Airlines payment diversion, the explosion of scam centres, the surge in deepfake banking fraud across India — are not aberrations. They are the early symptoms of a systemic vulnerability that will only deepen as the region digitises further.

The same generative AI that allows criminals to craft perfect phishing emails in Sinhala or clone a CFO’s voice from a YouTube clip can also detect those emails before they reach an inbox and flag that voice as synthetic before a payment is authorised. The technology exists. The question is whether South Asia’s institutions will deploy it in time.

The race between AI-powered attack and AI-powered defence is the defining cybersecurity challenge of our era. For South Asia, it is also an economic survival question. With over a billion people now transacting digitally across the region, getting this right is not optional. It is urgent.

(The author is an Associate Professor in Generative AI and Machine Learning and leader of the AI for Climate & Disaster Resilience Research Group (AICDRG) at York St John University, UK. He is at the forefront of South Asia’s regional transformation in AI research and application. The views expressed are personal).