Sampath Vishwa Scam SEP 2024
Kanishka Abeykoon
Security Practitioner | Co-Host Aprender Podcast | Specializing in Secure Software Design
During prep for the latest episode of the Aprender Podcast, I thought I should do some digging into the Sampath Vishwa scam that took place last month. Even though we assume the criminals behind this scam have been apprehended, they have NOT been; I’ll address this statement later. Most of the media talked about the ‘how’ behind this scam and the amount of money the criminals were able to get away with, which leads to increased awareness that these types of scams can be executed successfully without being noticed, and that the criminals can get away with a lot of money because we live among idiotic and greedy people who do not think twice when it comes to making money on too-good-to-be-true deals. So yeah, criminals will increase their ability to execute these types of activities successfully.
Let me address the WHY: why these scams are happening in Sri Lanka.
Skimpy awareness and superfluous greed.
The evidence below shows the reason why this so-called scam was a success: a lot of existing Sampath customers took the bait, hoping for a reward.
Additional protection means pain in the arse!
The common folks’ point of view stems from the extra effort they need to put in when typing a two-/multi-factor authentication code or a one-time password (OTP). Most of them are unaware of why this process is there in the first place, which leads to sharing that information with anyone. Confirmation bias at play.
Trust is crucial but only on Sundays.
There is a huge gap in trust in Sri Lanka. When an opportunity presents itself, they go for it without doing any due diligence. There must be a limit to that idiocy, but it reaches its extremes when someone deposits hundreds of thousands of hard-earned money with a stranger they have just met. WOW!
Oh we need your personal information, but don’t expect us to treat them that way!
I just don’t even want to get started with this. I have encountered, multiple times, marketing agencies reaching out to me via direct calls, text messages, and emails. I don’t even know where they got my contact information. Every time I asked, ‘Who gave you my number, and how do you know my name?’ all I got was a scripted answer (they have probably been trained): ‘We got it from a promotional campaign.’ I mean, what the heck is a promotional campaign? Nobody asks how someone got their contact information in a situation like this, and nobody cares who they’re sharing their information with. It might be signing up for a loyalty programme, participating in a survey, or filling out forms at your hospital or at work. Do not expect these organisations to protect your privacy and your information. Let’s see how the Sri Lankan government is going to enforce the PDPA in the coming years, and then I’ll revisit my comments and provide you with an update. Until then, data protection in Sri Lanka sucks, and it is one of the root causes of a lot of the scams taking place here.
Sri Lanka is a playground for cyber criminal activities!
Criminal opportunity is defined in one of two ways: “either as easy opportunities with low risk, or those that are created by motivated offenders.” As per Routine Activity Theory, a crime will only be committed if the following elements are present:
I don’t have to go into details on this one because there are offenders in Sri Lanka (either citizens or foreigners), a ton of suitable targets, and no capable guardians. In an environment of easy, low-risk opportunities, criminal behaviour can take place.
Conclusion
Revisiting my statement that the criminals have NOT been apprehended by the authorities: from what I gathered, whoever was arrested was not charged for these specific scams and thefts. And even if they were, without addressing the ‘why,’ these types of scams will happen again and again. This time it was Sampath Vishwa; next time it will be HSBC, HNB, BOC, or any other bank operating in Sri Lanka. It’s just a matter of time and a different tactic.
References
The Real Security Doctor - The Surgery: "Intro to Criminology"
Cohen and Felson (1979) - Routine Activity Theory
Digital Marketer | Co-Founder at Lankan League | Emcee, Shoutcaster and avid Gamer
1 month
A very insightful read. While this article is specific to the scam attacks on financial institutions, the threat of even data leaks feels far greater, especially with the implementation of the TIN. It felt rushed and unplanned, to the point that this didn't even have an SSL certificate. Yes, it does seem trivial, but it all starts with a tiny crack in the wall. We seem to be in a rush to "digitize" without informing the public on safe practices and only making it the problem of financial institutions (private sector) in this case to educate them. Very little public awareness was done by the government.