Cyber scams on Google, SMS, and Instagram targeting Sri Lankan victims

From New Zealand to the United States, people are losing their life savings to cyber-scams. RNZ recently reported the tragic case of a pensioner who lost hundreds of thousands of dollars to a scam built around a deepfake of New Zealand's Prime Minister. This is not an exception: losses are likely far higher, given the scale of the operations targeting the vulnerable in that country alone. The New York Times reports that (gift link),

Americans lost an estimated $12.5 billion to online criminals in 2023, according to the Federal Bureau of Investigation’s Internet Crime Complaint Center, including $652 million in losses tied to romance and confidence scams. Many more go unreported. Technology has put just about everyone in scammers’ cross hairs, but older Americans are disproportionately targeted for some of the costliest cons, often because they are perceived to have more money, to have less familiarity with technology and to be potentially experiencing cognitive decline. Still, fully competent people fall for scams, too.

In Sri Lanka, if the SMSs sent to me every week, the targeted ads in my Instagram newsfeed, and the sponsored ads in my Google search results are anything to go by, similar phishing, crypto, financial-fraud, and cyber-scam operations are going from bad to worse at pace.

Unprecedented level of cyber-scams

I've already written about this at some length twice this year. In Phishing attempts over Instagram and email targeting Sri Lanka I flagged how phishing attempts in 2024 showcased, as never before, localisation: Sinhala-language text, domestic public figures, the names of officials, and local institutions. Trace data indicated a coordinated set of accounts with links to, or locations in, Russia, Ukraine, the US, and elsewhere. Clearly, some of these operations are transnational, and target Sri Lankan victims.

In Phishing campaigns: A looming crisis for Sri Lanka's banking, and financial sector, I looked at how Sri Lanka's financial institutions were being targeted, and especially customers of Sampath Bank. Yet again, there were clear data signals that the phishing accounts, and related websites, were foreign, and transnational in nature. In that article I noted,

The volume, sophistication, targeted nature, and localisation of the material targeting Sampath Bank customers in particular, but also Nations Trust Bank, and other FIs was unlike anything I've seen on Instagram. I approached what I saw on my newsfeed from my own subject-domain expertise in influence operations, and information integrity. The production, and promotion of phishing ads, and fraudulent financial campaigns are no different to the malevolent, insidious content, and commentary I study on social media, designed to perniciously shape public perceptions, behaviours, and responses.
This is clearly a systemic, and structural issue in Sri Lanka, showcasing cascading failures from the Central Bank downwards or outwards, including oversight mechanisms at Meta. Responses by respective banks are reactive, and show significant variance, suggesting either a complete ignorance of threats, and risks or siloed approaches between marketing, social media, IT, and cybersecurity teams. FIs in Sri Lanka do not demonstrate any fit-for-purpose incident response planning in the face of heightened phishing, and other harmful campaigns over social media vectors.

Even more worryingly, and for the first time, some of the phishing sites I've encountered since writing that post feature valid TLS certificates (issued by Let's Encrypt). A certificate from a public CA proves only that whoever requested it controls the domain shown in the address bar; it says nothing about whether that domain belongs to a bank, and a scammer can obtain one for a lookalike domain in minutes, at no cost. These sites not only look indistinguishable from the official websites of financial institutions, but also seamlessly connect to them: when some links are clicked, the victim is taken to the actual bank website, establishing visual markers of trust that are then used to promote fraudulent products, schemes, and phishing attempts.

Advice to potential victims to double-check that a website is "secure" (the padlock, the https:// prefix) goes out the window. The padlock confirms an encrypted connection to the domain shown, not that the domain is the bank's. The only check that still holds is whether the domain itself is one the bank actually owns.
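What that domain check looks like in practice, as an added example that is not code from the original post: the script below takes links as they arrive in an SMS body or an ad, reduces each to its registrable domain (so that a legitimate bank name used as a subdomain of a scam site is not mistaken for the bank), converts Unicode hostnames to punycode so homoglyph lookalikes surface, and flags typosquats within two edits of the bank's name. The bank domain, the abbreviated public-suffix table, and the sample messages are all constructed for illustration; a real deployment would load the institution's published domain list and the full Public Suffix List. Only the Python standard library is used.

```python
"""Link triage for phishing SMS and ads: does the link's domain really belong to the bank?

Added example, not code from the original post. LEGIT_DOMAINS, PUBLIC_SUFFIXES and
SAMPLE_MESSAGES are constructed for illustration.
"""
import re
from urllib.parse import urlsplit

# Constructed allowlist of registrable domains the institution actually owns.
# Real deployments must take this from the bank's published list, never guess it.
LEGIT_DOMAINS = {"examplebank.lk"}

# Tiny stand-in for the Public Suffix List. Production code should load the real
# list (e.g. the `publicsuffix2` package) so that eTLD+1 is computed correctly.
PUBLIC_SUFFIXES = {"com", "net", "org", "lk", "com.lk", "org.lk", "co.uk"}

URL_RE = re.compile(r"(?:https?://|www\.)[^\s<>\"'()]+", re.IGNORECASE)


def extract_urls(text: str) -> list[str]:
    """Pull http(s) and www. links out of free text such as an SMS body."""
    urls = []
    for m in URL_RE.finditer(text):
        u = m.group(0).rstrip(".,;:!?")        # drop sentence punctuation glued on
        if not u.lower().startswith("http"):
            u = "http://" + u                  # urlsplit needs a scheme to see a host
        urls.append(u)
    return urls


def normalise_host(url: str) -> str:
    """Lower-case, strip the trailing dot, and convert Unicode labels to punycode.

    IDNA encoding turns a homoglyph host such as 'examplebаnk.lk' (Cyrillic а)
    into an xn-- label, so it can no longer be confused with the Latin original.
    """
    host = (urlsplit(url).hostname or "").rstrip(".")
    return host.encode("idna").decode("ascii").lower()


def registrable_domain(host: str) -> str:
    """Return eTLD+1: 'login.examplebank.lk' -> 'examplebank.lk'."""
    labels = host.split(".")
    for i in range(len(labels)):               # longest candidate suffix first
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES and i > 0:
            return ".".join(labels[i - 1:])
    return ".".join(labels[-2:])               # unknown suffix: fall back to last two labels


def levenshtein(a: str, b: str) -> int:
    """Edit distance; a small value between brand labels signals typosquatting."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_url(url: str) -> dict:
    """Decide whether a link points at the bank, regardless of its padlock.

    A valid TLS certificate only proves control of the domain in the URL; the
    question that matters is whether that domain is one the bank owns.
    """
    host = normalise_host(url)
    reg = registrable_domain(host)
    if reg in LEGIT_DOMAINS:
        return {"url": url, "host": host, "domain": reg, "verdict": "legitimate", "reasons": []}
    reasons = []
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("internationalised (punycode) label: possible homoglyph")
    reg_label = reg.split(".")[0]
    for brand in {d.split(".")[0] for d in LEGIT_DOMAINS}:
        if brand in host and reg_label != brand:
            reasons.append(f"brand '{brand}' appears in host but the domain is '{reg}'")
        elif 0 < levenshtein(reg_label, brand) <= 2:
            reasons.append(f"domain label '{reg_label}' is within 2 edits of '{brand}'")
    verdict = "lookalike" if reasons else "unknown"
    return {"url": url, "host": host, "domain": reg, "verdict": verdict, "reasons": reasons}


def triage_messages(messages: list[str]) -> list[dict]:
    """Run every link found in the messages through classify_url."""
    return [classify_url(u) for msg in messages for u in extract_urls(msg)]


# Constructed messages in the style of the SMSs and ads described in the post.
SAMPLE_MESSAGES = [
    "ExampleBank: your account is restricted. Verify at www.examplebank.lk/verify now.",
    "Urgent! Confirm card at https://examplebank.lk.secure-verify.com/login",
    "Bonus waiting: https://examp1ebank.lk/claim",
    "5 minute loan approved: https://examplebank-loans.com/apply",
    "ExampleBank login https://examplebаnk.lk/",   # Cyrillic 'а' homoglyph
    "Fast cash today https://fastloan-approval.com/apply",
]

if __name__ == "__main__":
    for r in triage_messages(SAMPLE_MESSAGES):
        print(f"{r['verdict']:<10} {r['host']:<40} {'; '.join(r['reasons'])}")
```

Run stand-alone, the script prints a verdict per link: the first is legitimate, the next four are lookalikes (brand-as-subdomain, one-character typosquat, brand-plus-suffix, and a punycode homoglyph), and the generic loan site is merely unknown, which is the right answer, since nothing in the URL alone can show whether such a lender is registered with the Central Bank.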

In the same article I shared a link to a Google Photos folder I created, and continue to actively curate with the ads that appear on my Instagram newsfeed. These ads continue to appear.

Fake loan, lotteries, and cash withdrawal schemes on Instagram, and Google

The Sunday Times of 3 November reported that "...5-minute loans and lotteries have also been promoted on websites as well as WhatsApp groups. “These must be immediately reported to us.” The FinCSIRT Chief said that despite popular belief, most who get caught are from the rural areas, engineers, bankers and many upper middle-class gullible consumers have also been defrauded."

On Monday, I shared a post on LinkedIn with screenshots of Instagram ads for quick loans, cash withdrawals, and lotteries. On Tuesday I followed up with another post noting, "Tsunami of ads on Instagram claiming 5 minute/quick loan approvals, linked to dubious websites, and now featuring actors, and video continues on my newsfeed. This is the second day I've been inundated with these ads."

I've now created a separate Google Photos album to capture these ads.

When I search for "quick loans sri lanka", the sponsored results I get on the first results page are inundated with fraudulent websites, some of which mirror the accounts sending ads on Instagram.

It's entirely unclear how many (if any) of these platforms, websites, and services are registered with the Central Bank of Sri Lanka. Screenshots of these websites are also in the Google Photos album.

Phishing over SMS

Additionally, I've been inundated with phishing attempts over SMS, and my mobile provider, Dialog Axiata PLC, seems unable or unwilling to do anything about it. Parenthetically, if these and other unsolicited spam SMSs continue, I intend to take Dialog Axiata to court once the Personal Data Protection Act (PDPA) comes fully into effect in March 2025, and I recently tweeted that I strongly suspect I won't be the only one.

Who is sending these? How are numbers harvested? At what scale are they sent out? The localisation, and framing (in Singlish or in Sinhala script) suggest the involvement of a domestic actor, though generative AI capabilities, growing in sophistication at pace, will make even this harder to infer.

I've not had the time to forensically study these links in a sandboxed environment, but the Sunday Times article linked to above also noted,

[FinCSIRT] also warned against fake sites being downloaded with malware on the phones. “These can control your phone from elsewhere, so much so that they can even dim the lights or the screen in the phone.” He advised to never download an app on the phone except from a reputable App Store.

It's highly likely that some of these links lead to malware, and spyware. In my LinkedIn post yesterday I noted, "I've never seen this level of cyber-scams, phishing attempts, fraudulent financial services, and highly sophisticated fake websites (which now include SSL certificates too) all coming at the same time on a single vector (i.e., my Instagram newsfeed). One can only imagine the scale of this, when considering other product, and platform surfaces this content is delivered on, including WhatsApp, Facebook, and even SMS."

Given the scale of losses in the US, New Zealand, and elsewhere in the world, and in the absence of laws or regulations requiring financial institutions or banks to disclose the impact these malevolent schemes, and scams have on their customer base, it's unclear how much of an impact they are having in Sri Lanka, though it is bound to be very significant.

Thousands are already falling prey. Thousands more will, given how the country is also now a hub for cyber-criminals to conduct their operations.

Responses, or lack thereof

Responses by Sri Lankan banks have mirrored those in other countries, which is to say they have placed the burden of reporting on customers, and have washed their hands of whatever losses are incurred by those who fall victim to scams. Some banks in the country are better than others, and use push notifications in their apps to alert customers to potential fraud. But alerts sent over SMS confuse more than they educate: they arrive on the same channel, and in the same format, as the phishing messages they warn about, and a customer has no way to tell the two apart.

FinCSIRT wants those in Sri Lanka to report potentially fraudulent websites, scams, phishing attempts, etc. The issue is, how? This is FinCSIRT's Contact Us page on its website. It's designed with someone like Asela Waidyalankara, or a comparable cybersecurity professional, in mind. The majority in Sri Lanka won't comprehend what on earth FinCSIRT is talking about here.

There's no WhatsApp, Facebook, Instagram DM, or SMS reporting pathway, which means FinCSIRT is not present on, and provides no reporting mechanism on, the platform, and product surfaces where the most sustained, and significant cyber scams, and phishing attempts are actively taking place, and growing at pace, in Sri Lanka.

Given the rate at which former MPs are falling prey to scams, policymakers are also victims, and, moreover, clearly terrible at their own cyber-hygiene.

Fundamentally, what is clearly a structural, and systemic issue impacting millions of Sri Lankans, requiring a concerted, fit-for-purpose, and iterative industry-wide response led by the Central Bank of Sri Lanka, is instead presented as, and responded to in, a haphazard, un-coordinated, piecemeal manner. Those at risk are told to report what they may not know or recognise as risks or threats, turning a systemic issue into something individuals have to be mindful of. This is also in a context where reporting pathways are grossly deficient, convoluted, confusing, or simply non-existent.

Things are going to get worse, and Sri Lanka's banking, and financial sector doesn't seem to have a coherent response.

On a hunch, as a fitting end to this post, I opened up my Instagram, and scrolled through my newsfeed. Within seconds, I was presented with an ad for a fast loan. When will Sri Lanka's authorities, and industry step up to meaningfully address what's clearly a growing threat that none of us are safe from?


Banner photo courtesy Pakistan's Dawn newspaper.

Even more worryingly, there appear to be cyber-scams, and phishing attempts aimed at hijacking PayPal account credentials.


Have now captured around 150 screenshots of ads served mainly on Instagram, and also Google search results, websites, and Facebook. No signs of this tsunami abating. Accounts are highly localised, with provenance unclear or often foreign. Impossible to determine the legality of any service advertised. This wave has now overtaken the previous wave targeting customers of specific Sri Lankan banks, and financial institutions.
