The Sri Lanka Computer Emergency Readiness Team, known as Sri Lanka CERT, issued a public warning on 7th April 2026 regarding a significant and documented increase in online scams and financial fraud attempts circulating across social media platforms during the Sinhala and Tamil New Year festive period. The advisory reflects a pattern that Sri Lanka CERT has observed with growing concern: cybercriminals are not operating opportunistically, but strategically, timing their schemes to coincide with the moments when public trust is highest and vigilance is most likely to be lowered.
The festive season creates conditions that are, from a fraudster’s perspective, close to ideal. Online engagement surges as families connect, communities celebrate, and consumers seek out seasonal offers. It is precisely this environment, characterised by goodwill, urgency, and heightened digital interaction, that organised criminal actors have learned to exploit with increasing sophistication.
Impersonation at Scale
Among the most concerning trends identified in Sri Lanka CERT’s advisory is the deliberate impersonation of trusted institutions. Scammers have been found posing as government bodies, public service departments, well-known supermarket chains, and established business entities, using the credibility of these organisations to lend legitimacy to fraudulent promotions. Fake offers, fictitious discounts, fabricated financial rewards, and counterfeit prize giveaways are being circulated widely, each designed to create a sense of urgency that overrides the caution a recipient might otherwise exercise.
This form of impersonation is particularly damaging because it does not merely defraud individuals financially. It erodes public trust in legitimate institutions, making it harder for genuine communications from those organisations to be received with the confidence they deserve. When a government department or a reputable business must contend with the existence of convincing fraudulent imitations of its own identity, the reputational cost extends well beyond any single scam campaign.
The Avurudu Kumari Fraud and the Harvesting of Personal Data
Sri Lanka CERT has also drawn specific attention to a rise in scams connected to online Avurudu Kumari competitions and similar festive promotions. These schemes, which present themselves as seasonal celebrations of culture and community, are being used as vehicles for the collection of personal data, including photographs and other sensitive identifying information. The implications of this kind of data harvesting are serious and long-lasting. Information gathered through such schemes can be used for identity fraud, targeted phishing, or sold within criminal networks, exposing victims to consequences that extend far beyond the immediate interaction.
The calculated use of culturally meaningful occasions as cover for data extraction is a development that merits serious public attention. It reflects a growing sophistication in how online fraud is designed, moving beyond blunt financial theft toward the patient accumulation of personal information that can be monetised in multiple ways over time.
Financial Losses Already Being Reported
The advisory is not precautionary in the abstract. Sri Lanka CERT has confirmed that a growing number of complaints have been received involving direct financial harm. Victims who followed deceptive links, made payments to fraudulent platforms, or disclosed banking credentials and One-Time Passwords to unknown parties have reported unauthorised bank transactions and measurable financial losses. These are not near-misses. They are documented outcomes affecting real individuals and families.
Sri Lanka CERT’s guidance in response is clear and practical. The public is advised to avoid engaging with suspicious or unfamiliar links, regardless of how credible or attractive they appear. Personal information such as National Identity Card numbers and banking details should never be entered on unverified platforms. Banking credentials and One-Time Passwords must not be shared with any unknown individual or untrusted website under any circumstances.
Underpinning all of this guidance is a principle that Sri Lanka CERT has stated explicitly: legitimate government institutions and reputable organisations do not request sensitive personal or financial information through unsolicited messages, social media posts, or unknown links. If a communication arrives through those channels and asks for that kind of information, it should be treated as fraudulent until proven otherwise.
A Broader Lesson for Digital Sri Lanka
While the immediate trigger for this advisory is the festive season, the vulnerabilities it addresses are permanent features of the current digital environment. Social media platforms remain largely open channels through which criminal actors can reach millions of users with minimal friction. The festive period amplifies the risk, but the underlying conditions that enable these scams do not disappear when the celebrations end.
Sri Lanka CERT’s intervention is a reminder that cybersecurity awareness is not a specialist concern. It is a basic requirement of safe participation in digital life, and one that affects individuals, families, businesses, and public institutions alike. The tools available to scammers are becoming more convincing and more targeted. The most effective defence remains an informed and sceptical public that pauses before clicking, questions before sharing, and verifies before acting.
Any member of the public who encounters suspicious activity or believes they have been targeted is encouraged to report the matter to Sri Lanka CERT through official channels and to contact their financial institution immediately if banking credentials may have been compromised.
