Fake bank pages and stolen OTPs: how accounts get drained in minutes

In April 2026, something unusual happened: several of Sri Lanka's biggest banks — HNB, Standard Chartered, PanAsia and DFCC among them — issued public warnings at the same time about fake versions of their own websites. Coordinated alerts like that don't happen for small problems.

The attack, step by step

The mechanics were reported in detail: scammers clone a bank's login portal under a near-identical domain and lure customers in by email or SMS. You type your username and password into the fake page. Behind the scenes, the attackers feed those details into the real bank site — which dutifully sends a genuine OTP to your phone. You type that OTP into the fake page too. Now the attackers are inside your real account, and transfers start moving.

The cruel part: every signal you've been taught to trust is present. The page looks right. The OTP really did come from your bank. Nothing feels wrong until the balance is gone.

A documented case shows how victims arrive at these pages: an analysis of a fake Commercial Bank portal found the scammers had bought Google ads on searches like "ComBank login", so the counterfeit site appeared above the real bank in search results. Googling your own bank is no longer a safe way to reach it.

It doesn't even need a website

Sometimes the "fake page" is just a voice. In one widely reported 2024 case, ten Buddhist monks in Ratnapura lost money after sharing OTPs over the phone with callers posing as bank staff. The Central Bank Governor's diagnosis was blunt: most incidents come down to customers sharing the OTP, usually over the telephone. The same article notes the countermeasures that followed — transaction-based OTPs for transfers above Rs. 10,000, and a financial-sector incident response team (FinCSIRT) to coordinate between banks.
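As an added illustration (not from the article or any bank's system) of why the transaction-based OTPs mentioned above blunt the relay described earlier: a login OTP is bound to nothing but the session, so a relayed copy approves whatever the attacker does next, while a transaction OTP is derived from the amount and destination, cannot approve a different transfer, and its SMS text repeats the details the customer is actually approving. The secret, account numbers and amounts are constructed.

```python
import hashlib
import hmac

# Constructed demo secret standing in for the per-customer key a bank holds server-side.
BANK_SECRET = b"constructed-demo-secret-not-a-real-key"


def _truncate(digest: bytes, digits: int = 6) -> str:
    """HOTP-style dynamic truncation (RFC 4226 section 5.3) of an HMAC digest."""
    offset = digest[-1] & 0x0F
    code = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def login_otp(secret: bytes, account: str, counter: int) -> str:
    """Session OTP: tied only to the account and a counter, not to any action.
    Whoever types it in approves whatever the session does next, which is why
    a relayed login OTP lets the attacker into the real account."""
    msg = f"login|{account}|{counter}".encode()
    return _truncate(hmac.new(secret, msg, hashlib.sha256).digest())


def transaction_otp(secret: bytes, account: str, counter: int,
                    amount: int, dest: str) -> tuple[str, str]:
    """Transaction OTP: the code is derived from the transfer details, and the
    SMS text repeats them so the customer sees exactly what they are approving."""
    msg = f"txn|{account}|{counter}|{amount}|{dest}".encode()
    code = _truncate(hmac.new(secret, msg, hashlib.sha256).digest())
    sms = f"OTP {code} approves Rs. {amount:,} to {dest}. Never share it."
    return code, sms


def verify_transaction_otp(secret: bytes, account: str, counter: int,
                           amount: int, dest: str, code: str) -> bool:
    """Server-side check: recompute the code for the transfer actually submitted."""
    expected, _ = transaction_otp(secret, account, counter, amount, dest)
    return hmac.compare_digest(expected, code)


def relay_scenario() -> dict:
    """Constructed scenario: the customer means to send Rs. 5,000 to a known
    payee; an attacker who obtains that OTP submits Rs. 250,000 to a mule."""
    acct, counter = "1234567890", 7
    code, sms = transaction_otp(BANK_SECRET, acct, counter, 5000, "0011223344")
    return {
        "sms_names_amount_and_payee": "5,000" in sms and "0011223344" in sms,
        "approves_intended_transfer": verify_transaction_otp(
            BANK_SECRET, acct, counter, 5000, "0011223344", code),
        "approves_mule_transfer": verify_transaction_otp(
            BANK_SECRET, acct, counter, 250000, "9988776655", code),
    }
```

The binding only helps if the SMS text is read before the code is typed, which is exactly the habit the advice below asks for.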

The scale is not small. By late 2024, reporting put online scam complaints at 7,210 for the year through September, with multiple banks reporting phishing losses running into millions of rupees.

The habits that beat it

  • Type your bank's address yourself, every time. HNB's own advice during the April alert was exactly this. Bookmark it. Never arrive at a bank login from a search ad, an SMS, or an email link.
  • The OTP rule has no exceptions. As the CID's Computer Crimes Deputy Director put it: the OTP is only for you — not for bank staff, not for police, not for anyone, "not even people you trust the most." A real bank never needs you to read one out.
  • Slow down on "urgent" anything. Account suspended, password expiring, parcel waiting — urgency is the common ingredient. Real institutions give you time.
  • If it happens, call the bank's hotline immediately — speed is the only thing that occasionally claws money back, and the receiving accounts can be flagged.

The bigger lesson for shoppers

Bank phishing and shopping scams share one root: an irreversible transfer, sent under pressure, to someone who isn't who they claim to be. You can't always control phishing — but for buying things online, you can simply refuse to play. Pay through TrustPay and there's no transfer to a stranger at all: the money sits in the middle, the seller ships knowing it's secured, and it moves only when you confirm delivery. See how it works.
