Sri Lankan authorities are investigating a sophisticated phishing scam targeting Commercial Bank customers through fake websites, not a security breach within the bank’s systems, officials confirmed this week.

The cybercriminals created convincing replicas of the “ComBank Digital” platform and used Google search advertisements to intercept customers attempting to log into their accounts. When users searched for “Commercial Bank login,” the fraudulent sites would appear as sponsored results above the legitimate bank website.

Victims were also targeted through SMS and WhatsApp messages warning that their “account has been suspended” or requesting them to “update information” via included links. Once customers entered their user IDs and passwords on these fake sites, the information was captured by scammers who then requested one-time passwords (OTPs).

After obtaining the OTP, criminals gained immediate access to victims’ actual accounts through the legitimate banking system and transferred funds to other accounts. The Computer Crimes Investigation Division of the Criminal Investigation Department (CID) is leading the investigation after receiving complaints from customers who collectively lost millions of rupees.

“This was not a fraud committed by hacking the bank’s official website,” a senior CID officer clarified. “Our investigation has found no evidence implicating bank officials in this scheme.” Several suspects allegedly involved in the organized fraud ring have been remanded in custody as investigations continue.

The issue has gained significant public attention after misleading social media posts suggested that Commercial Bank itself was compromised or that bank officials were being questioned as suspects. Posts with titles like “CID investigating another theft through Commercial Bank!” have circulated widely online, creating confusion about the nature of the fraud.

Commercial Bank has responded decisively to the incidents, emphasizing that its internal systems remain secure. “This fraud occurred because customers unknowingly provided their confidential information to external parties,” the bank stated in an official notice. As a precautionary measure, Commercial Bank temporarily reduced daily transaction limits to 100,000 rupees for customers using the website and ComBank Digital system, though mobile app transaction limits remained unchanged.

The bank has also initiated recovery efforts for affected customers and is collaborating with the Criminal Investigation Department and the Computer Emergency Response Team to address the threat. Authorities successfully identified and worked to remove the fraudulent websites.

The Sri Lanka Emergency Response Computer Forum has issued special warnings for the festive season, noting an increase in sophisticated bank-related phishing attempts. They advised customers to exercise particular caution during holiday periods when transaction volumes typically increase.

To protect against such scams, security experts recommend several precautions. Customers should always verify they are using the official bank URLs (https://www.combank.lk or https://www.combankdigital.com) before entering credentials. The bank’s mobile app provides a more secure alternative to website banking. Customers are also advised never to share OTPs or passwords with anyone, including those claiming to be bank officials, and to avoid clicking links in suspicious text messages.
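The URL check recommended above, written out as an added example (not from the article or the bank): it accepts a link only when its host exactly matches one of the two official hosts the article lists. The function name and the sample links are constructed for illustration; the samples use reserved `.example` names.

```python
from urllib.parse import urlsplit

# The two official hosts named in the article. The bank may serve other
# hosts; anything not listed here is treated as untrusted (assumption).
OFFICIAL_HOSTS = {"www.combank.lk", "www.combankdigital.com"}


def check_bank_url(url: str) -> tuple[bool, str]:
    """Return (is_official, reason) for a link found in an ad, SMS or chat."""
    try:
        parts = urlsplit(url.strip())
        host, port = parts.hostname, parts.port  # .port raises on garbage
    except ValueError:
        return False, "malformed URL"
    if parts.scheme != "https":
        return False, "not HTTPS"
    if parts.username is not None or parts.password is not None:
        # Text before '@' is login info, not the site being contacted.
        return False, "userinfo before '@' hides the real host"
    if not host:
        return False, "no host"
    if port not in (None, 443):
        return False, "unexpected port"
    if not host.isascii():
        return False, "non-ASCII (look-alike character) host"
    # Exact match on the whole host: a name that merely contains the
    # official one as a prefix or label is a different site.
    if host.rstrip(".") not in OFFICIAL_HOSTS:
        return False, "host is not on the official list"
    return True, "official host"


# Constructed sample links (reserved .example names, not real sites).
SAMPLES = [
    "https://www.combankdigital.com/",
    "HTTPS://WWW.COMBANK.LK/",
    "http://www.combank.lk/",
    "https://www.combank.lk.login.example/",
    "https://www.combank.lk@login.example/",
    "https://combankdigital.com.example/",
    "https://www.comb\u0430nk.lk/",  # Cyrillic 'a' in place of Latin 'a'
]

if __name__ == "__main__":
    for link in SAMPLES:
        ok, reason = check_bank_url(link)
        print(f"{'OK    ' if ok else 'REJECT'} {link!r}: {reason}")
```
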

Anyone suspecting they’ve fallen victim to such scams should immediately contact Commercial Bank’s hotline (+94 11 2353353) to freeze their accounts and file a police report.

The incident highlights the growing sophistication of phishing attacks targeting financial institutions in Sri Lanka and the importance of customer vigilance in online banking security.

8 Comments

  1. Concerning to hear about this sophisticated phishing scam targeting ComBank customers. Cyber criminals are getting more and more creative in their attempts to steal sensitive information. Hope the CID investigation can get to the bottom of this and help prevent future incidents.

    • Robert Thomas on

      Agreed, these kinds of scams can be very damaging. Glad the authorities are taking it seriously and investigating thoroughly.

  2. This is a good reminder to be extra vigilant when banking online. Checking URLs carefully and enabling strong authentication measures like two-factor can help protect against such fraud attempts.

    • Liam Rodriguez on

      Absolutely. Customers should also report any suspicious activity to their banks immediately to help shut down these scams quickly.

  3. Jennifer Jones on

    It’s alarming how advanced phishing scams have become. The use of fake websites and ads to intercept customers is quite sophisticated. I hope the CID investigation can identify the perpetrators and put an end to this scam.

  4. James J. Martin on

    This is a timely warning about the dangers of phishing. I hope the CID probe can uncover the full scope of this scam and provide recommendations to improve online banking security in Sri Lanka.

  5. Robert Thomas on

    Kudos to the authorities for investigating this incident. Phishing remains a major threat, and it’s crucial for banks to stay on top of these evolving tactics to protect their customers.

    • Agreed. Ongoing cybersecurity education for customers is also key to helping them spot and avoid these kinds of scams.

© 2026 Disinformation Commission LLC. All rights reserved.