The global transition to digital payments has redefined financial transactions, delivering speed and convenience. However, this shift has also created a fertile ground for cybercriminals exploiting digital infrastructure worldwide.
In 2024, phishing attacks on digital payment systems surged dramatically, impacting both institutions and individuals. While developed nations have deployed robust defences, countries like Sri Lanka face unique challenges in securing their financial systems.
This article explores the global rise in cyber threats, Sri Lanka’s vulnerabilities and key strategies to strengthen resilience.
Global phishing epidemic
Cybercriminals increasingly leverage artificial intelligence (AI) to launch sophisticated phishing attacks. In early 2024, phishing sites targeting financial platforms increased by 48.3 percent, enabled by AI tools that generate highly convincing scams. Since ChatGPT’s release in 2022, phishing attempts have grown over 4,000 percent, utilising fake websites, deepfake audio and grammatically flawless phishing emails that bypass traditional filters.
One alarming trend involves AI-generated voice deepfakes that imitate company executives to authorise fund transfers. As fraud evolves, the global cost of digital payment scams is expected to surpass US$40 billion annually by 2027, with developing economies hit hardest due to weaker defences.
Sri Lanka’s growing vulnerability
Sri Lanka’s rapid adoption of mobile banking and QR code payments has introduced new risks. In 2024, over 9,200 phishing cases were reported, many spreading via Facebook, WhatsApp and other social platforms. Fraudsters use these channels to distribute fake loan offers, bogus investment opportunities and urgent bank verification messages—often impersonating trusted financial institutions.
A notable case involved a fraudulent Facebook page mimicking a top bank, which scammed more than 1,200 small business owners. Despite awareness campaigns by banks and regulators, major knowledge gaps persist, especially around emerging threats like SIM-swapping and QR code manipulation.
AI’s double-edged sword
While AI empowers fraudsters, it also offers powerful defence mechanisms. Global players like Visa have invested billions in AI-driven security tools that scan the dark web, flag suspicious activity and detect fraudulent merchants. Machine learning systems can recognise anomalies—like sudden high-value transactions from unusual locations—allowing real-time intervention.
Advanced tools such as Microsoft’s Security Copilot help cybersecurity teams prioritise threats and document incidents more efficiently. For Sri Lanka, such tools could be transformative—but high costs and limited access to skilled personnel leave many institutions reliant on outdated, rule-based systems.
Gaps in cybersecurity: Sri Lanka vs. global best practices
A comparison with global standards highlights key shortcomings in Sri Lanka’s cybersecurity ecosystem:
1. Regulatory deficiencies:
In countries like Australia, banks are mandated to reimburse victims unless gross negligence is proven, encouraging proactive investment in fraud prevention. In contrast, Sri Lanka lacks consumer protection laws that require restitution, and the existing cybersecurity guidelines for fintechs are not legally enforceable.
2. Intelligence sharing:
The UK’s National Cyber Security Centre works closely with financial institutions to share real-time threat intelligence. Sri Lanka’s Financial Sector Computer Security Incident Response Team (FinCSIRT), though established in 2023, remains in early stages and lacks strong international partnerships.
3. Public awareness:
Singapore runs nationwide phishing simulations to educate citizens. While Sri Lanka has launched digital awareness campaigns, they often miss rural communities with low digital literacy.
Building resilience: Strategic recommendations
To protect its expanding digital finance ecosystem, Sri Lanka must adopt a multi-pronged cybersecurity strategy:
Invest in AI-based defences:
The government and Central Bank should support banks and fintechs, especially smaller players, in accessing AI-driven fraud detection tools through shared infrastructure or public-private partnerships.
Strengthen legal frameworks:
Introduce mandatory consumer protection laws requiring financial institutions to reimburse verified fraud victims. Enforce regular audits and impose penalties for non-compliance among fintech providers.
Expand grassroots education:
Use platforms like TikTok, local radio and community centres to deliver cybersecurity messages in local languages. Train ‘cyber ambassadors’ in schools and local governments to promote digital hygiene.
Enhance global collaboration:
Establish stronger links with ASEAN cybersecurity programmes and international crime-fighting bodies to access real-time threat intelligence and coordinate responses to cross-border attacks.
Launch rapid response units:
Set up a 24/7 national cyber hotline and deploy mobile response teams to investigate and mitigate fraud incidents promptly.
Conclusion: Securing the digital frontier
As digital threats escalate, Sri Lanka must treat cybersecurity as a national imperative. A significant breach could disrupt financial systems, erode public trust and stall economic growth. Learning from international success stories while tailoring solutions to local realities is key to building a secure, inclusive digital economy.
As echoed by leaders and experts alike, ‘Cybersecurity is no longer an IT issue; it’s a national priority.’ Securing digital payment networks is essential to protecting national progress, economic stability and public trust in the digital age.
(Rajkumar Kanagasingam is a founding member of Hong Kong-based International Digital Economies Association and founding President of the Fintech Association of Sri Lanka)