Roshan Chandraguptha, Senior Information Security Engineer at SLCERT, stated that the incidents occurred when two parties were corresponding by email about transactions of goods and the payment methods to be used.

“The two parties involved in the business exchange several details via email and the sellers would at one point instruct the buyer to deposit a certain amount of money to their bank account on a specific date,” he said.

“Just before the day, the buyer would receive a mail, stating that there is an audit going on in the company and therefore to deposit the money to a different account. This mail would be sent by the hacker through the official address of the seller,” Chandraguptha added.

He said that the buyer realizes something has gone wrong only when the goods do not arrive on time; the buyer then contacts the seller, who denies having sent any notification to deposit the money to a different account.

“In such instances, it is best that the buyer phones the relevant party and confirms whether they had requested that the money be deposited to a different account,” Chandraguptha added.

He further advised people not to fall prey to emails which state that their inboxes are reaching maximum capacity or which call for a change of usernames and passwords. “These mails are linked to the hacker. Even if you change the password later, the hacker would have made some adjustments to monitor your mail transactions,” he added. “Always change your password through the settings.”

Thilak Godamanna, President of the National Chamber of Commerce of Sri Lanka (NCCSL), told Nation that even though the NCCSL had not come across any issues pertaining to businesses being affected by online scams, he cautioned entrepreneurs to be vigilant when dealing with clients or partners via email.

“Those who indulge in business transactions online have to be very vigilant, especially when there is a lot of money involved. On the other hand, some people depend on the internet for every minute detail. What you see is not what you get in many cases,” he said.

The law
The basic legal enabling environment for general cybercrime-related business issues comprises the Computer Crimes Act, No. 24 of 2007, which contains provisions for procedural measures allowing the country to gather electronic evidence by working collaboratively with international law enforcement agencies through mutual legal assistance; sections of amendments to the Penal Code; and the Convention on Cybercrime (the Budapest Convention), the international treaty drafted by the Council of Europe that seeks to address internet and computer-related crime by harmonizing domestic laws, improving investigative techniques and facilitating and increasing cooperation among countries, which the Sri Lankan State, as a non-European Union member, has ratified and is a party to.

While acknowledging that these laws and procedures had evolved fairly substantially to deal comprehensively with the said matters, the Information and Communication Technology Agency of Sri Lanka (ICTA) nevertheless highlighted the need for periodic status checks on the laws and for continuous assessment of the online perimeter walls (what has happened to them, what the threats are, and what needs to be done in terms of safeguarding against potential threats, threat handling and resolution, and resilience measures).

Addressing the difficulty that law enforcement authorities, prosecutors and the courts face in obtaining and gathering electronic evidence, which he deemed a global problem, Director Legal at ICTA, Attorney-at-Law Jayantha Fernando, noted that States were increasingly turning to international treaty-based legal instruments to deal with the issue of collaboration.

The reasons for this include the fact that the stringent procedures adopted by judicial organizations, following fairly standard guidelines for gathering electronic evidence, made it difficult to go after the evidence, so that it was obtained only when it was too late; and the fact that, in relation to social media accounts, although the user, the tools and the primary server were in Sri Lanka, the secondary backup server was in a foreign country. For example, in an inquiry into a computer crime, if all emails in a Yahoo! Mail account (a web-based email service) have been deleted, the information about the deleted emails has to be obtained from the United States of America, where the service provider is based, and Yahoo! may or may not cooperate, as under US law it is encouraged but not legally bound to do so.

“This is the age of digitization. In order to maintain themselves, governments, organizations and corporates including companies introduce novel methods to market themselves effectively and efficiently, to provide services and to protect critical information infrastructure from aspects such as unauthorized access which damages systems. The laws in Sri Lanka allow for our country to have authority to tackle such irrespective of whether the offices of those who are involved in the offences are within the country or not,” he said.

“There are terms and conditions one agrees to when starting an email account. Multiple jurisdictions are involved in such crimes as evidence is in different places. We have to lawfully activate criminal justice. Things must be seen through a global lens. Under international law, one has to qualify to join the said Convention, and Sri Lanka qualified. Since then some improvements have been made. There are judicial precedents, for example in the US in cases such as the one involving the SpyEye malware creators and certain cases involving Microsoft, which can be used to further buttress methods of inquiry and how to gather evidence. Training is being conducted for the Police and judges, and they have specialized curricula and manuals. The Police and the judiciary must be on the same wavelength with regard to cybercrime-related matters of investigating and gathering electronic evidence. There is more structure and strategy now.”

More awareness needed
He highlighted the need for more education and awareness about the said matters, adding that the media needed to conduct training for journalists on balanced, objective reporting instead of resorting to sensationalizing.

There is also a trend of reluctance to use technology, he opined, observing that attempts to limit the use of technological tools were also due to the negative publicity surrounding them.

Options must be provided, he pointed out, also asking how technology and technological tools could be used better with precautions and care (sharing content only with close friends, immediate family or next of kin; what to look at and do when accepting friend requests; and how to categorize friends), such as through the specialized privacy tools embedded in mobile and web-based applications.

Companies which are telecommunications service providers, mobile network operators and mobile virtual network operators must provide safeguards and must work with law enforcement, Fernando emphasized.

The government alone cannot deal with this and the private sector has a huge role to play with regards to best practices, he outlined.

“Corporates and businesses must have proper internal policies. Corporate executives must be educated on what information to share, what kind of email one responds to, and simple things such as right clicking with the mouse on the head of any email to check if it corresponds to an actual source. If malware-checking tools are not up to date, the system may have been or may get infected. The corporate culture must change. There is an e-government policy which provides a checklist of baseline information security guidelines which need to be followed. There is a lot to be done. What is safe now is not safe tomorrow.”
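The header check Fernando describes, and the payment-redirection lure described earlier by Chandraguptha, can be automated for a mailbox or gateway. The script below is an added example written for this article, not code from SLCERT, ICTA or the newspaper; the sample message, the domain names and the keyword list are constructed for illustration. It flags a Reply-To or Return-Path domain that differs from the From domain, and flags wording that asks for payment to a different account. Note the caveat the article itself implies: when the attacker sends from the seller's real account, every header matches, so this check complements, and does not replace, the phone call to the seller.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed sample message (not taken from any real incident in the article).
SAMPLE = """From: "Acme Exports" <accounts@acme-exports.example>
Reply-To: accounts@acme-exports-audit.example
Return-Path: <bounce@mailer.example>
Subject: Updated bank details - audit in progress
To: buyer@buyer.example

Due to an internal audit, please deposit the payment to a different account. Details attached.
"""

# Phrases typical of the "deposit to a different account" lure; an assumed, constructed list.
PAYMENT_REDIRECT_TERMS = ("different account", "new bank", "updated bank", "audit")


def domain_of(header_value):
    """Return the lower-cased domain of an address header, or '' if there is no address."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyse(raw):
    """Parse a raw RFC 5322 message and return a list of human-readable warnings."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_dom = domain_of(msg["From"])
    findings = []
    # Header check: a reply or bounce address on another domain is a common tell.
    for hdr in ("Reply-To", "Return-Path"):
        dom = domain_of(msg[hdr])
        if dom and dom != from_dom:
            findings.append(f"{hdr} domain {dom!r} differs from From domain {from_dom!r}")
    # Content check: wording that asks to change where money is sent.
    body = msg.get_body(preferencelist=("plain",))
    text = (body.get_content() if body else "").lower()
    subject = (msg["Subject"] or "").lower()
    hits = [t for t in PAYMENT_REDIRECT_TERMS if t in text or t in subject]
    if hits:
        findings.append("payment-redirection wording: " + ", ".join(hits))
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE):
        print("WARNING:", finding)
```

A real gateway would also consult the SPF and DKIM authentication results recorded in the headers; those are omitted here to keep the example self-contained.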