In early 2024, phones across Sri Lanka started buzzing with the same message: a parcel was waiting, but there was a problem — an unpaid customs fee, or an invalid delivery address. A link offered to fix it.
The link led to a near-perfect copy of the Department of Posts website. Enter your card details to pay the "fee" — usually a small, believable amount — and the scammers had everything they needed to empty the card.
What actually happened
The Sunday Times reported that thousands fell prey to the SMS fraud using the Postal Department as a front. The Computer Crime Investigation Division had received around 60 formal complaints at the time — while acknowledging many victims likely never reported — against a baseline of 200 to 250 online-fraud complaints reaching the division every month.
The Department of Posts itself warned the public twice in the space of a month, after scammers operated under at least three names — "Sri Lanka Post", "Sri Lanka Postal Department" and "SL Post" — each linked to its own counterfeit website. Its statement is the only sentence you need to remember: Sri Lanka Post does not request bank card details via SMS.
Sri Lanka CERT eventually took down five fake postal websites in a single action, with 35 confirmed cases of monetary fraud already traced to them. Five sites, running simultaneously, for one scam.
Why this scam works so well
It attacks people who are expecting a parcel — which, if you shop on Instagram, Facebook or ikman, is most of the time. The message arrives mid-wait, names a plausible problem, and asks for a small amount. Nothing about it feels like the classic "you have won a prize" scam. That's the point.
And it hasn't stayed confined to the post office. ikman, Sri Lanka's biggest marketplace, now publishes a ten-category safety guide covering fake payment links dressed up as ikman itself, edited bank-transfer screenshots, QR-code tricks, and advance-payment demands — with its own version of the same rule: it will never ask for passwords, PINs or OTPs by phone, SMS, WhatsApp or social media.
The defence, in three habits
- Never tap payment links in SMS messages about deliveries. If a parcel genuinely has a fee, the courier or post office can take payment on delivery or at the counter. Go to the official site by typing the address yourself — for the post office, that's
slpost.gov.lk. - Treat "small fee to release your parcel" as the scam signature. The amount is kept small precisely so you'll pay without checking. The card details are the real prize.
- Know what real organisations never do. Sri Lanka Post says it doesn't request card details by SMS. ikman says it never asks for OTPs. Your bank says the same. Any message that breaks these rules has answered its own question.
Where TrustPay fits
A protected purchase removes the anxiety this scam feeds on. When you pay through TrustPay, there are no surprise fees mid-delivery — the price is agreed up front, the money is held until your order arrives as described, and nobody legitimate will ever SMS you asking for more. If something goes wrong with the delivery itself, the dispute process — not your bank card — is where it gets resolved. See how it works.