Cybercrime is rapidly emerging as a major threat in Sri Lanka, with over 5,400 incidents reported in 2025 so far, according to the Sri Lanka Computer Emergency Readiness Team (SLCERT).
Most cases involve social media platforms, particularly Facebook, which accounts for nearly 90% of reported complaints. Other platforms include WhatsApp, Instagram, Snapchat, and TikTok.
A growing number of cases involve misuse of artificial intelligence (AI), with tools being used to generate malware, phishing emails, and deepfake videos for harassment, extortion, and manipulation.
Common types of cybercrime include malware attacks, data theft, phishing scams, and online financial fraud, posing significant risks to Sri Lanka’s over seven million internet users—90% of whom are active on social media.
Recent months have seen a sharp increase in fake profiles, account hacking, and WhatsApp hijackings. Several high-profile cyberattacks have also targeted government institutions.
In June, the SMS gateway of the National Water Supply and Drainage Board (NWSDB) was hacked, resulting in ransom demands being sent to customers via the agency’s official messaging system.
In March, multiple banks were hit by ransomware attacks that leaked 1.9 terabytes of sensitive data, including NIC images, transaction records, and employee details.
There has also been a surge in Telegram and WhatsApp account takeovers using phishing techniques and intercepted OTPs, often leading to identity theft or financial fraud.
Beyond digital threats, cybercrime now includes human trafficking. Victims lured abroad with fake job offers are forced into scam operations involving online fraud and digital extortion.
According to the Sri Lanka Police, two main fraud methods are prevalent: fake investment/work-from-home scams, and fraudulent job offers used to launder stolen funds via victim bank accounts.
Authorities urge the public to avoid clicking suspicious links, never share OTPs or banking information, and activate two-factor authentication to enhance security.
The Criminal Investigation Department (CID) and SLCERT recommend verifying online requests—even from known contacts—and maintaining strict privacy settings on social media platforms.
