Sri Lanka Police have arrested a 22-year-old man over a phishing fraud that drained Rs.408,000 from a victim’s bank account through a fake online sports-goods storefront.
The North Western Province Computer Crimes Unit said the suspect posed as a sports-goods sales company and persuaded the victim to place an order. The fraud chain involved a malicious banking Trojan application and a phishing link that, once installed and opened, gave the attacker remote access to the victim’s mobile phone — enough to authorise transfers from the linked bank account.
The arrested individual is a resident of Pallegama, Makkanigama. Police have not named the bank involved or disclosed how the victim was first contacted. Investigations are continuing.
The case fits a recurring pattern in 2026, with police now publicly tracking a growing range of mobile-side fraud techniques. The Sri Lanka Police repeated their standard advisory urging the public to remain vigilant when using the internet and to avoid clicking on suspicious links.
The arrest follows a series of similar enforcement actions. Police on Wednesday warned of a fake traffic-fine SMS scam routing victims to a counterfeit GovPay site, while in March they re-issued an alert over a fake SriLankan Airlines mobile app planted with a banking Trojan. Earlier this month, women’s organisations counted 4,742 AI-enabled cybercrime cases against women in 2025, underscoring the scale of the broader threat landscape.
Source: Newswire.
