Thousands fall prey to massive SMS fraud using Postal Dept. as a front
By Dilushi Wijesinghe
A serious fraud using Sri Lanka’s Postal Department as a front is victimising unsuspecting people, with the Computer Crime Investigation Division (CCID) of the Criminal Investigation Department (CID) struggling to catch the masterminds behind the scam.
The scam is in the form of a general SMS sent to mobile phone owners, notifying them of “unpaid customs fees” or an “invalid delivery address” for a package that is meant for them. It contains a link which, when clicked, redirects them to a duplicate (identical) website of the government’s Department of Posts. They are then required to enter personal and credit or debit card details and to pay Rs. 99.
While the message is suspected to have gone out to thousands of people, a majority of those who got caught—and input their details—were those who had been expecting deliveries, including packages, national identity cards, or passports via post or police clearance reports. Some lost substantial sums of money from their bank accounts, the CCID said.
Based on the evidence of one victim who spoke to the Sunday Times, it appears that the scammers are also having a laugh. Speaking on condition of anonymity, he said he had been expecting a certificate that he had applied for online to arrive by post. On September 9, he received an SMS that his delivery address was incorrect.
Believing it to be genuine, he clicked a link, entered his details, and paid the required amount, giving out his card information and even receiving a one-time password. “Suddenly, the link directed me to the government’s legitimate Postal Department website, where I read a notice warning us to be careful of this very scam,” he said.
When he checked his bank account, two unauthorised withdrawals of Rs. 108,000 each (a total of Rs. 216,000) had been made before the bank froze his account.
As of Friday, the CCID had received around 60 complaints but warned that these were only from people who knew how to raise the issue with the authorities. They suspect many more are affected.
The fraud was first reported to the CCID in August 2023. An official said the links initially diverted to legitimate international websites like AliExpress and AliPay before redirecting the user to the fake website.
The number of complaints dropped after police conducted an inquiry, but they’re seeing a spike again. This time, the gateway redirects the user to a foreign gaming site before reaching the fake postal website. These redirections are an obstacle to the CCID getting into direct contact with the scam artists.
The CCID contacted these global websites, including AliExpress. Apart from responses being tardy, miscommunication issues have complicated the securing of information. Therefore, people who fall victim to this fraud are advised to immediately contact their banks in addition to lodging a complaint with the CCID.
Information was provided to the Sunday Times about two ongoing inquiries. One complaint was from a doctor in the Mahiyangana area. He was expecting his renewed passport by snail mail. As he was not home at the time he received the SMS, he made the payment of Rs. 99 and was scammed out of Rs. 40,000.
Another victim was a student who was due to sit for his O/Level examination and was expecting his national identity card. As he had received the message, he made the payment from his mother’s debit card and was scammed out of 297 euros (Rs. 95,722.50).
Deputy Postmaster General (Development) Thusitha Hulangamuwa stressed that the Postal Department did not solicit such payments. “The current system is cash-on-delivery, where the package is delivered by the department or the customer may physically collect the package, which is the only time we require a fee.”
Mr. Hulangamuwa advised anyone who receives a suspicious message to lodge a complaint and to refrain from engaging with it in any manner. “The official website of Sri Lanka Post is www.slpost.gov.lk,” he said.
Around 200 to 250 complaints regarding online fraud are reported to them monthly, Sri Lanka Computer Emergency Readiness Team (SLCERT) Senior Information Security Engineer Charuka Damunupola said, adding that there has been a surge of postal scams in the past few months.
He referred to two incidents. One was where a student fresh after his A/Level examination was awaiting a response from a university and received a message notifying him that his address was incorrect. He was asked to pay a postal fee of Rs. 99. Upon providing his information, he lost Rs. 80,000 from his bank account.
Another person engaging in an online revenue scheme received several one-time passwords (OTPs) and, upon suspicion, lodged a police complaint and also informed his bank. By the time his account was frozen, he had lost Rs. 10,000.
Mr. Damunupola added that SLCERT had so far taken down five domains in relation to postal scams. He also said they tracked the country of registration and coordinated with CERTs abroad to take the domains down. “They keep changing the domain,” he complained.
Around 60 percent of the victims were unaware of the security status of their phones and requested SLCERT to intervene, highlighting the need to raise public awareness about the importance of securing their devices and how to do so.
“Even out of curiosity, don’t click on such links, as malware and viruses get downloaded once they are opened,” he said, warning that personal information gets stolen in this manner.
Complaints can be made to the following agencies:
Police cybercrime division: dir.cybercrime@police.gov.lk
CERT: hotline: 101 or email: report@cert.gov.lk