Sunday Times (Sri Lanka)

Thousands fall prey to massive SMS fraud using Postal Dept. as a front

-

who had been expecting deliveries, including packages, national identity cards, or passports via post or police clearance reports. Some lost substantia­l sums of money from their bank accounts, the CCID said.

Based on the evidence of one victim who spoke to the Sunday Times, it appears that the scammers are also having a laugh. Speaking on condition of anonymity, he said he had been expecting a certificat­e that he had applied for online to arrive by post. On September 9, he received an SMS that his delivery address was incorrect.

Believing it to be genuine, he clicked a link, entered his details, and paid the required amount, giving out his card informatio­n and even receiving a one-time password. “Suddenly, the link directed me to the government's legitimate Postal Department website, where I read a notice warning us to be careful of this very scam,” he said.

When he checked his bank account, two unauthoris­ed withdrawal­s of Rs. 108,000 each (a total of Rs. 216,000) had been made before the bank froze his account.

As of Friday, the CCID had received around 60 complaints but warned that these were only from people who knew how to raise the issue with the authoritie­s. They suspect many more are affected.

The fraud was first reported to the CCIID in August 2023. An official said the links initially diverted to legitimate internatio­nal websites like AliExpress and AliPay before redirectin­g the user to the fake website.

The number of complaints dropped after police conducted an inquiry, but they’re seeing a spike again. This time, the gateway redirects the user to a foreign gaming site before reaching the fake postal website. These redirectio­ns are an obstacle to the CCID getting into direct contact with the scam artists.

The CCID contacted these global websites, including AliExpress. Apart from responses being tardy, miscommuni­cation issues have complicate­d the securing of informatio­n. Therefore, people who get caught to this fraud are advised to immediatel­y contact their banks in addition to lodging a complaint with the CCID.

Informatio­n was provided to the Sunday Times about two ongoing inquiries. One complaint was from a doctor in the Mahiyangan­a area. He was expecting his renewed passport by snail mail. As he was not home at the time he received the SMS, he made the payment of Rs. 99 and was scammed out of Rs. 40,000.

Another victim was a student who was due to sit for his O/Level examinatio­n and was expecting his national identity card. As he had received the message, he made the payment from his mother's debit card and was scammed 297 Euros (Rs. 95,722.50).

Deputy Postmaster General (Developmen­t) Thusitha Hulangamuw­a stressed that the Postal Department did not solicit such payments. “The current system is cash-on-delivery, where the package is delivered by the department or the customer may physically collect the package, which is the only time we require a fee.”

If an individual receives a suspicious message, Mr. Hulagamuwa directed him or her to lodge a complaint and to refrain from engaging in any manner. "The official website of Sri Lanka Post is www. slpost.gov.lk,” he said.

Around 200 to 250 complaints regarding online fraud are reported to them monthly, Sri Lanka Computer Emergency Readiness Team (SLCERT) Senior Informatio­n Security Engineer Charuka Damunupola said, adding that there has been a surge of postal scams in the past few months.

He referred to two incidents.

One was where a student fresh after his A/Level examinatio­n was awaiting a response from a university and received a message notifying him that his address was incorrect. He was asked to pay a postal fee of Rs. 99. Upon providing his informatio­n, he lost Rs. 80,000 from his bank account.

Another person engaging in an online revenue scheme received several one-time passwords (OTPs) and, upon suspicion, lodged a police complaint and also informed his bank. By the time his account was frozen, he had lost Rs. 10,000.

Mr. Damunupola added that SLCERT had so far taken down five domains in relation to postal scams. He also said they tracked the country of registrati­on and coordinate­d with CERTs abroad to take the domains down. "They keep changing the domain," he complained.

Around 60 percent of the victims were unaware of the security status of their phones and requested SLCERT to intervene, highlighti­ng the need to raise public awareness about the importance of and how to secure their devices.

"Even out of curiosity, don't click on such links, as malware and viruses get downloaded once they are opened," he said, warning that personal informatio­n gets stolen in this manner.

Complaints can be made to the following agencies:

Police cybercrime division: dir. cybercrime@police.gov.lk

CERT: hotline: 101 or email: report@cert.gov.lk

 ?? ??

Newspapers in English

Newspapers from Sri Lanka