
It is a fact that some media groups spread false information or report real incidents in a misleading manner, with the aim of harming individual brands. In this regard, we are clarifying the facts about a misleading social media post concerning a fraud committed using a well-known brand that has been heavily discussed in society.
Social Media Posts:
A post was published saying, “CID investigating another theft through Commercial Bank!”

Below are some other posts published on this theme.


We investigated the claims made in these posts: whether fraud occurred because the digital system Commercial Bank uses to process financial transactions is insecure, and whether bank officials are being questioned as suspects.
Explainer:
In late 2025 and early 2026, customers’ money was stolen through fake websites designed to resemble the “ComBank Digital” system.
Although cybercriminals created fake pages that closely resembled the official website of the Commercial Bank and deceived customers, this was not a fraud perpetrated by the Commercial Bank system.
It worked like this: when a customer searched Google for “Commercial Bank login”, the fake site was displayed as an advertisement above the real site. SMS and WhatsApp messages saying “Your account has been suspended” or “Update information” were also sent with fake links, leading customers to the fake site.
As soon as you enter your user ID and password on the fake website, the information ends up in the hands of fraudsters.
The fake site then asks you for a one-time password (OTP). When you enter it, the scammers immediately log into the real banking system and transfer the money from your account to other accounts.
However, this is a scam carried out through a fake website and not an incident through the official Commercial Bank website.
Commercial Bank
The bank emphasizes that its internal systems are secure, and that this fraud occurred because customers unknowingly provided their confidential information to external parties. However, some media outlets continue to portray this as a fraud committed by Commercial Bank, stating that the Criminal Investigation Department is questioning bank officials about it, and are working to convince the public that the fraud was committed within the bank.
The bank also stated this on its official Facebook account, as follows.

As these scams were carried out by redirecting customers to malicious websites through fraudulent website advertisements posted on Google, the bank said it reduced the daily transaction limit to 100,000 as a precautionary measure. This reduction applied only to customers transacting via the Commercial Bank website and the ComBank Digital system, and did not affect mobile application (App) transaction limits.
Posing as the official Commercial Bank website, scammers accessed customers’ bank accounts by redirecting the user ID, password, and OTP entered by customers to the official ComBank Digital system.
The bank also said it took steps to recover as much money as possible for customers who fell victim to these scams, informed the public, notified the Criminal Investigation Department and the Computer Emergency Response Team, and worked to remove the fake website.
They emphasized that customers should always check the official URL when accessing the ComBank Digital system and ensure transactions are made through the mobile app.
Criminal Investigation Department
The Computer Crimes Investigation Division of the Criminal Investigation Department (CID) is conducting an extensive investigation into the matter, based on complaints from consumers who have lost millions of rupees.
Information has emerged about several organized groups involved in this racket, and several suspects have been remanded in custody. We also asked the Criminal Investigation Department about this, and a senior officer stated that the fraud had taken place through a fake website designed to resemble the official website of the Commercial Bank. The officer said this was not a fraud committed by hacking the bank’s official website. The officer also said that further investigations are being conducted, that bank officials have not been questioned as suspects, and that the Criminal Investigation Department has not uncovered any evidence that bank officials are involved.
How do you protect yourself from these fraudulent websites?
Check the URL: Always use only the official addresses https://www.combank.lk or https://www.combankdigital.com.
Use the Mobile App: It is safer to use the official ComBank Digital mobile application (App) than using websites.
OTP Confidentiality: Never give your OTP number to anyone in a phone call or text message. Bank officials will never ask you for your OTP number or password.
Suspicious links: Avoid clicking on suspicious links received via SMS.
If you feel you have been scammed: Immediately call the Commercial Bank hotline at +94 11 2353353 and take steps to freeze your accounts. Then file a complaint with the nearest police station or CID.
These are common steps that customers transacting online at any bank can follow.
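The “Check the URL” tip above, as an added example that is not part of the original article: a strict check that accepts a link only when its host exactly matches one of the two official addresses listed, which is what defeats lookalike hosts that merely contain the bank's name. The function name and the sample links are assumptions made for illustration; the sample hosts are constructed.

```python
from urllib.parse import urlsplit

# Official hosts exactly as listed in the article's "Check the URL" tip.
OFFICIAL_HOSTS = frozenset({"www.combank.lk", "www.combankdigital.com"})


def check_bank_url(url):
    """Return (ok, reason) for a link before credentials or an OTP are typed."""
    try:
        parts = urlsplit(url.strip())
        host, port = parts.hostname, parts.port  # .port raises on garbage
    except ValueError:
        return False, "malformed URL"
    if parts.scheme != "https":
        return False, "not https"
    if not host:
        return False, "no host"
    if parts.username is not None or parts.password is not None:
        # https://real-name@other-host/ shows the real name first.
        return False, "userinfo before host"
    if port not in (None, 443):
        return False, "unexpected port"
    host = host.rstrip(".")  # "www.combank.lk." is the same DNS name
    labels = host.split(".")
    if not host.isascii() or any(label.startswith("xn--") for label in labels):
        return False, "internationalized lookalike host"
    if host not in OFFICIAL_HOSTS:
        # Exact match only: substring or suffix tests accept lookalikes.
        return False, "host is not an official address"
    return True, "official host"


# Constructed sample links (reserved .example names, not real phishing sites).
SAMPLES = [
    "https://www.combankdigital.com/",
    "HTTPS://WWW.COMBANK.LK/personal",
    "http://www.combank.lk/",
    "https://www.combank.lk.account-update.example/login",
    "https://www.combankdigital.com@signin.example/",
    "https://www.comb\u0430nk.lk/",  # Cyrillic 'a' in place of Latin 'a'
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(check_bank_url(link), link)
```

Only the first two sample links pass; the other four are rejected with the reason that distinguishes them from the official addresses.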
Sri Lanka Emergency Response Computer Forum
They stated that caution should be exercised during the festive season regarding fake bank pages that resemble official bank pages.


