The Treasury is expected to soon submit to Parliament a report on the US$2.5 million Business Email Compromise (BEC) incident, also referred to as the Treasury heist, Finance Ministry officials said.
According to officials speaking to The Sunday Times Business, cybercriminals used methods such as creating look-alike domains and compromising internal email systems to intercept communications related to loan repayments. This enabled them to alter legitimate beneficiary bank details and redirect funds to accounts under their control. As a result, a total of US$2.5 million—part of a broader US$22.9 million bilateral loan repayment—was transferred in multiple tranches within a one-month period from December last year to January this year, to bank accounts in the United States, specifically in Delaware.
Digital Economy Deputy Minister Eranga Weeraratne stated that “a party impersonating a genuine organisation was sending emails and account details, getting the staff of the Treasury’s External Resources Department to transfer some funds to a bank account they had specified,” adding that investigations are currently ongoing.
He further noted that authorities are still not certain whether the incident involved a direct system hack. “How the impersonator obtained the details related to this organisation is still under discussion, including the extent of possible internal involvement and whether email addresses or formats were accessible. There are multiple possibilities. If there was access to the Treasury email server, information could have been obtained. Alternatively, if login credentials of the External Resources Department email accounts were leaked online, the impersonator could have gained access that way,” he explained.
He added that the impersonator may have obtained information locally or from overseas sources, and that the investigation to determine the exact method used is still ongoing. However, he emphasised that it is clear the transaction was carried out based on fraudulent instructions, with staff acting on impersonated communications.
He also confirmed that the Criminal Investigation Department (CID) is working with Interpol and other international agencies, including authorities in Australia, while standard financial recovery procedures are being followed.
As a precaution against future phishing and impersonation incidents, emergency control measures have already been introduced to reduce reliance on email-based instructions. Treasury and financial officials are now required to follow strict telephone callback verification procedures using official and verified communication channels to independently confirm all payment instructions with the originating source.
Courtesy: The Sunday Times Business






