Fighting Fire With Fire: How South Asia Can Use AI to Fight Cybercrime

The same generative AI that allows criminals to craft perfect phishing emails in Sinhala (or Hindi, Bangla and Urdu) or clone a Chief Financial Officer's voice from a YouTube clip, can also detect those emails before they reach an inbox and flag that voice as synthetic before a payment is authorised. The technology exists. The question is whether South Asia's institutions will deploy it in time.  

Dr Nalinda Somasiri Jun 02, 2026

In March, SriLankan Airlines discovered that UAE Dirham (AED) 974,000, roughly 87 million rupees, had been wired to a fraudulent bank account. The method was not a sophisticated hack. A Dubai-based supplier's email account had been compromised, and the attackers simply altered the bank account details in what appeared to be a routine payment instruction. The airline processed the payment in good faith. The money vanished.

This was not an isolated case. In Sri Lanka, over the same period, the Treasury lost US$2.5 million through an almost identical technique — a business email compromise (BEC) attack that diverted five instalments of a bilateral debt repayment to Australia into a fraudulent account in Delaware. The Posts Department reportedly lost $625,000 the same way. The National Development Bank disclosed a Rs 13.2 billion fraud exposure. The People's Bank flagged a Rs 656 million remittance system error. The Aswesuma welfare programme issued Rs 248.79 million in duplicate payments due to a system glitch.

Sri Lanka is not uniquely vulnerable. It is simply the latest country in South Asia to illustrate, painfully and publicly, that the region's rapid digital transformation has outpaced its digital defences. India recorded over 2.8 million cybercrime complaints last year (in 2025), a 24 per cent increase from the previous year (2024), with total financial losses reaching Rs 22,495 crore. Investment scams alone accounted for over 75 per cent of those losses. Deepfake-based impersonation fraud in the Indian banking sector has surged by 550 per cent since 2019, according to industry reports.

The question is no longer whether South Asia has a cybercrime problem. The question is whether the region can use the same technology — artificial intelligence (AI), and specifically generative AI — to fight back.

Anatomy of a Threat

To understand how AI can help, one must first understand the nature of the attacks now targeting the region.

The most damaging incidents in South Asia in recent months have not involved firewalls being breached or servers being hacked. They have involved emails. Carefully written, patiently timed emails that exploit the gap between how institutions communicate and how they verify what they receive. The Sri Lankan Treasury hack is a textbook case: attackers infiltrated the email system of the External Resources Department and sent payment instructions that looked entirely legitimate, complete with authorised signatures that were later found to have been fraudulently generated. No malware was deployed. No password was cracked. The system trusted email more than it should have.

This pattern — BEC — is now the single most financially destructive category of cybercrime globally. And it is becoming far more dangerous because generative AI allows attackers to produce convincing correspondence in any language, mimic writing styles, clone voices for phone verification, and even generate synthetic video of executives authorising transactions. Scam centres in South-East Asia are already deploying multilingual AI chatbots that allow a single operator to run dozens of scam conversations simultaneously, each tailored to the victim's language and context.

Meanwhile, South Asia's digital infrastructure remains largely undefended against these threats. Sri Lanka's Computer Emergency Readiness Team (CERT) handled over 12,650 cyber complaints in 2025, but the country's outdated cybercrime laws do not effectively address modern fraud methods. India's CERT-In requires cyber incidents to be reported within six hours, but enforcement remains inconsistent and conviction rates in many states remain below 20 per cent.

AI as a Shield: Five Practical Solutions

The good news is that the same AI technologies being weaponised by criminals offer powerful defensive capabilities. Here are five concrete ways that AI and generative AI can be deployed as solutions across South Asia.

Intelligent Email and Payment Verification

The BEC attacks that devastated Sri Lanka's Treasury and SriLankan Airlines shared a common vulnerability: payment instructions received via email were processed without independent AI-powered verification. Modern AI-driven email security systems use behavioural analysis to learn how an organisation normally communicates — who writes to whom, at what times, using what tone and vocabulary, requesting what types of transactions.

When something deviates from the pattern — a supplier suddenly requesting a change of bank account, a payment instruction arriving from an unusual internet protocol address, a writing style that subtly differs from the genuine sender — the system flags the anomaly in real time, before money moves. This is not hypothetical. Enterprise platforms using such behavioural AI are already securing over $200 billion in business-to-business payments globally. South Asian governments and state-owned enterprises should adopt these systems as standard infrastructure, not optional upgrades.
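The deviation checks described above can be shown in miniature. The following is an added example, not code from the article or from any vendor's product: it learns a per-supplier baseline from past verified mail and holds any payment instruction that names a beneficiary account never paid before. All names (`SupplierBaseline`, `review`, the message fields) are hypothetical, the sample messages are constructed, and it assumes IPv4 source addresses.

```python
import ipaddress
from dataclasses import dataclass, field

def net24(ip):
    """Collapse an IPv4 address to its /24 so nearby relays count as one source."""
    return ipaddress.ip_network(f"{ip}/24", strict=False)

@dataclass
class SupplierBaseline:
    accounts: set = field(default_factory=set)  # beneficiary accounts already paid
    networks: set = field(default_factory=set)  # /24 networks mail arrived from
    hours: set = field(default_factory=set)     # UTC hours mail was sent

    def learn(self, msg):
        self.accounts.add(msg["account"])
        self.networks.add(net24(msg["src_ip"]))
        self.hours.add(msg["hour_utc"])

def review(baseline, msg, hour_slack=2):
    """Return (decision, reasons) for one emailed payment instruction."""
    reasons = []
    new_account = msg["account"] not in baseline.accounts
    if new_account:
        reasons.append("beneficiary account not previously paid")
    if net24(msg["src_ip"]) not in baseline.networks:
        reasons.append("source network not seen for this supplier")
    h = msg["hour_utc"]
    # Circular distance on the 24-hour clock to every hour seen before.
    if all(min((h - k) % 24, (k - h) % 24) > hour_slack for k in baseline.hours):
        reasons.append("sent outside the supplier's usual hours")
    if new_account:
        return "HOLD", reasons  # no payment until independently verified
    return ("REVIEW" if reasons else "RELEASE"), reasons

# Constructed sample data; IP addresses are from documentation ranges.
HISTORY = [
    {"account": "ACCT-CONSTRUCTED-001", "src_ip": "192.0.2.10", "hour_utc": 6},
    {"account": "ACCT-CONSTRUCTED-001", "src_ip": "192.0.2.44", "hour_utc": 7},
    {"account": "ACCT-CONSTRUCTED-001", "src_ip": "192.0.2.10", "hour_utc": 8},
]
BASELINE = SupplierBaseline()
for past in HISTORY:
    BASELINE.learn(past)

ROUTINE = {"account": "ACCT-CONSTRUCTED-001", "src_ip": "192.0.2.77", "hour_utc": 9}
DIVERTED = {"account": "ACCT-CONSTRUCTED-999", "src_ip": "203.0.113.5", "hour_utc": 22}
NEW_ROUTE = {"account": "ACCT-CONSTRUCTED-001", "src_ip": "198.51.100.9", "hour_utc": 7}

if __name__ == "__main__":
    for name, msg in [("routine", ROUTINE), ("diverted", DIVERTED), ("new route", NEW_ROUTE)]:
        print(name, review(BASELINE, msg))
```

A changed account forces a hold regardless of the other signals, because a compromised supplier mailbox can reproduce the usual sender, network and timing.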

AI-Powered Transaction Monitoring and Anti-Money Laundering

Traditional rule-based systems for flagging suspicious transactions generate enormous volumes of false positives — sometimes over 95 per cent — overwhelming compliance teams and allowing genuine fraud to slip through. Machine learning models trained on vast datasets of financial behaviour can detect complex patterns that manual methods would miss: unusual wire transfer sequences, accounts that suddenly begin receiving funds from multiple jurisdictions, and transaction volumes that deviate from established customer behaviour. These systems continuously learn and adapt, evolving alongside new fraud tactics rather than relying on static rules written for yesterday's threats. For South Asian Central Banks and financial regulators, AI-powered transaction monitoring represents perhaps the single most impactful investment in financial crime prevention.

Deepfake Detection for Identity Verification

As banking and government services increasingly move online, the verification of identity through video and voice has become both essential and vulnerable. AI-generated deepfakes can now produce realistic facial movements synchronised to speech, clone voices from short audio samples, and create synthetic identities that combine real documents with fabricated biometric data. The defence must be equally sophisticated. 

Advanced AI liveness detection systems now analyse facial micro-signals, detect artefacts produced by generative adversarial networks, and verify that video feeds genuinely come from a device camera rather than a pre-rendered injection. Indian developers have already built platforms achieving 99 per cent accuracy in detecting synthetic media through heatmap analysis, metadata verification, and confidence scoring. These tools should be integrated into banking know-your-customer processes, government identity verification systems, and law enforcement workflows across the region.

Natural Language Processing for Scam Detection 

Generative AI can analyse the content of messages, social media posts, and online advertisements to identify scam patterns at a scale impossible for human reviewers. An AI system trained on the linguistic patterns of investment scams, romance frauds, "digital arrest" schemes, and phishing campaigns can scan millions of communications and flag likely fraudulent content before victims engage. This approach is particularly relevant for South Asia, where the explosion of vernacular-language internet use means scams now operate in dozens of languages and dialects. Large language models capable of understanding Sinhala, Tamil, Hindi, Bengali, and Urdu can extend protective coverage to populations that traditional English-centric security tools have left exposed.

Predictive Threat Intelligence and Network Analysis

AI excels at identifying connections across large datasets — tracing financial flows between seemingly unrelated accounts, mapping communication networks between suspected scam operators, and predicting likely targets based on emerging patterns. When Sri Lankan authorities raided scam centres across Colombo, Negombo, and other districts early this year (2026), they found operations run by nationals from China, Vietnam, Indonesia, Malaysia, Cambodia, India, and Taiwan. Mapping these transnational networks and predicting their next moves requires the kind of pattern recognition that AI performs far more effectively than manual investigation.

What South Asian Governments Should Do

Technology alone will not solve this problem. The region needs a coordinated approach combining AI deployment with institutional reform.

First, governments should mandate AI-powered payment verification for all state institutions processing international transfers. The fact that Sri Lanka's Treasury was processing multi-million-dollar payments based on email instructions without automated anomaly detection is an institutional failure, not merely a technological one.

Second, South Asian nations should establish a shared regional cybercrime intelligence platform, using AI to aggregate and analyse threat data across borders. Cybercriminals do not respect national boundaries. The scam centres discovered in Sri Lanka were staffed by nationals of seven different countries. India's I4C Coordination Centre offers a model that could be extended regionally.

Third, the region needs investment in AI literacy and cybersecurity training at every level — from government treasury officials to village-level digital service users. India's 1930 Cybercrime Helpline and the "Pause, Verify, Report" model promoted by some state police forces represent a start, but digital hygiene education must keep pace with digital adoption.

Fourth, regulatory frameworks must be updated to address AI-enabled crime specifically. Laws written for an era of simple phishing cannot adequately address deepfake impersonation, AI-generated synthetic identities, or autonomous attack campaigns.

The Race That Matters

Trend Micro has predicted that 2026 will mark the year that AI-powered cybercrime becomes fully autonomous — capable of independently conducting reconnaissance, discovering vulnerabilities, exploiting weaknesses, and monetising attacks without human intervention. If that prediction holds, the window for South Asia to build its AI defences is narrowing rapidly.

The incidents documented — the Sri Lankan Treasury heist, the SriLankan Airlines payment diversion, the explosion of scam centres, the surge in deepfake banking fraud across India — are not aberrations. They are the early symptoms of a systemic vulnerability that will only deepen as the region digitises further.

The same generative AI that allows criminals to craft perfect phishing emails in Sinhala (or Hindi, Bangla and Urdu) or clone a Chief Financial Officer's voice from a YouTube clip, can also detect those emails before they reach an inbox and flag that voice as synthetic before a payment is authorised. The technology exists. The question is whether South Asia's institutions will deploy it in time.

The race between an AI-powered attack and AI-powered defence is the defining cybersecurity challenge of our era. For South Asia, it is also an economic survival question. With over a billion people now transacting digitally across the region, getting this right is not optional. It is urgent.

(The writer is an Associate Professor in Generative AI and Machine Learning and the Leader of the AI for the Climate and Disaster Resilience Research Group at York St. John University, UK. Views expressed are personal. He can be reached at n.somasiri@yorksj.ac.uk)
