Sunday Times (Sri Lanka)

Police special unit springs into action to curb rising cybercrimes amid multiple challenges

- By Tharushi Weerasinghe

Cybercrime is rising exponentially in Sri Lanka while internet usage and device accessibility are also rising disproportionately in relation to the growth in ICT literacy rate.

The number of Sri Lanka’s internet users increased by 800,000 between 2020 and 2021 while the country’s social media population increased by 1.5 million during the same period.

Since the Computer Crimes Investigation Division (CCID) was set up in March this year, it has received more than 2,900 complaints. A majority of the cases relate to financial frauds, hacking, defamation, and identity theft.

“Nothing compromises cyber security more than carelessness and ignorance,” noted cyber-security expert Rukmal Fernando.

He said modern applications invest heavily in privacy protection and therefore most breaches come from personal negligence due to something called “social engineering”.

Perpetrators target the user, the weakest link in cyberspace, and then manipulate emotional leverage and a sense of urgency to commit crimes, the expert said.

When a privacy breach happens the information is usually tricked out of the owners themselves, often through phishing emails and ‘trend creations’, said Mr. Fernando, urging internet users to practise caution and use common sense to stay safe. Misspelled domain names are the most common indicator of a fraudulent email. “If you get an email claiming that your social media has been compromised and the URL they provide for a password change is misspelled – chances are you have been targeted for phishing,” Mr. Fernando noted.

According to CCID Director Senior Superintendent Ashoka Dharmasena, a rising number of online financial scams have targeted mostly housewives through social engineering.

“The suspects we have arrested include several Nigerians who have made many women their victims.”

Explaining their modus operandi, the SSP said, “The fraudsters obtain the victim’s name and search for their likes and dislikes through their social media profile, and then manufacture a character that would appeal to the victim. Most claim to be from Europe. Once the relationship is formed, the perpetrator then informs the victim that they will be sending them valuable gifts from abroad and request that they merely handle the courier fare.

“A local courier company then calls the victim for the payment information. Once this payment is made the perpetrator then claims that the money they were sending was confiscated by customs officials and then suggests that a small fee, much less in value than the contents in the gifts, be paid to a particular official to ‘persuade’ them to release the goods.

“At this point, they even intimidate the victim with a risk of litigation since the sender is abroad claiming that this makes the receiver responsible.”

Of the 339 cases of online financial fraud, 150 were about the Nigerian scam.

Another local scam involved the misuse of online shopping platforms like ikman.lk. In this racket, scammers obtain payments for goods they never deliver. The complaints received so far indicate that the money the victims had lost amounts to as much as Rs 150 million. Investigations indicate that the victims are often the more affluent members of society. “The manipulation that takes place is such that even educated people such as doctors have become victims,” SSP Dharmasena said.

Blackmail and sexual coercion were also on the rise with virtual love affairs going wrong, as the pandemic pushed people indoors and further into their devices and the internet. A common tactic used was the screenshot option available on most devices.

During an intimate video call, the culprit will use the screenshot option to grab a shot and then weaponise the picture to obtain sexual favours or extort money, the senior police officer explained.

Another common cybercrime involves sharing of intimate images with an ex-partner’s new significant other and their family. In instances like this, perpetrators are arrested under the Obscene Publications Act and produced before a magistrate.

But if someone is arrested for a computer crime, there are multiple laws to deal with the culprit. For instance, the suspect can be charged under the Penal Code if the cybercrime involves blackmail.

“We handle cybercrime cases of sexual victimisation with the utmost respect to the victim’s privacy and confidentiality,” the CCID chief said. He, however, noted the rate of complaints in relation to sexual victimisation is low due to social stigma and taboos.

Social media platforms such as Facebook assist local law enforcement via a whitelist email which enables Sri Lanka Police to communicate directly with the social media companies and obtain their assistance.

The only other organisation in Sri Lanka with access to a whitelist email is the Telecommunication Regulatory Commission of Sri Lanka (TRCSL). “Their response obviously depends on the priority level of the request we make,” SSP Ashoka Dharmasena said.

If the request involves something like the removal of child pornography from a local page, Facebook will do so immediately.

The SSP said the CCID now has resources and authority to make arrests faster than before. However, most complaints relating to children are handled by the Bureau for the Prevention of Abuse against Women and Children.

There has been a spike in uploads of pornographic images, advertising the services of sex workers on multiple sites, the Director pointed out and added they recently arrested five people in connection with such postings. Most perpetrators come from an ICT background but repeat offenders were not common.

As regards the 2,900 cases recorded between March and September this year, seventy arrests have been made but no convictions have taken place yet as the cases are ongoing, the Sunday Times learns.

A serious issue the CCID faces is about recruitment of ICT professionals. “Most trained professionals don’t like to join the force because of poor salaries and the Police Department does not have enough money to pay those who conduct technical training and carry out upgrading,” the SSP said.

Software engineers and hackers earn more than a police cybercrime division officer earns. More foreign training is also necessary so that cybercrime detectives can meet cybercriminals at their level of expertise or beyond. Furthermore, the software required for investigative purposes such as phone analysis was extremely expensive.

“Some of these software programmes would allow us to find a cybercriminal’s real location with just some device information,” SSP Dharmasena said, adding that the lack of such resources undermined law enforcement capacity.

The lack of inter-governmental institutional coordination and cooperation also has severely slowed down investigative procedures. Ideally when the CCID obtains someone’s identity, its officers should be able to connect with institutions such as the Registrar of Persons Office and the Registrar of Motor Vehicles to obtain more details, the CCID Chief noted.

The CCID was set up in March 2021. Prior to this, all cybercrime investigations were carried out by a sub unit that operated under the Director of the Criminal Investigation Department. As most records were not digitised at the time, a web-based record-keeping system was created by the unit.

The system, which is protected and only permits authorised logins on internal servers, now allows the CCID to calibrate and analyse records faster.

The division receives about 50 complaints a day and victims of cybercrime can make their complaints via dir.ccid@police.lk or 011 581 1930.

CCID Chief SSP Ashoka Dharmasena
