By Dwayne Ferreira
SriLankan Airlines has been cleared in a UAE cyber fraud case, but questions remain over the supplier, recovery and missing AED 974,000.
SriLankan Airlines may have escaped blame in the UAE cyber fraud case, but one crucial question still has no public answer.
Who got the money?
The question now sits at the centre of a case involving a hacked email account, a Dubai-based service provider, a payment of AED 974,000, and a national carrier that says criminals tricked it into sending funds after altering bank account details through what looked like official communication channels.
Deputy Minister of Ports and Aviation Janitha Kodituwakku has said investigators cleared the airline of wrongdoing. According to him, SriLankan Airlines successfully remitted the payment from its side, while the cyber attack took place on the recipient’s side.
On that basis, officials treated the matter as a cleared payment.
This explanation answers one part of the story. It does not answer the rest.
SriLankan Airlines And The UAE Payment Dispute
SriLankan Airlines earlier said a Dubai-based service provider had informed the airline that it had not received the AED 974,000 payment. The airline then checked the matter and found that a third party had allegedly compromised the service provider’s email account.
After that breach, the third party changed the bank account details and sent supporting documents through the same official communication channels. Because of that, the airline believed it was still dealing with the legitimate supplier.
In simple terms, SriLankan says it paid. The supplier said it did not receive the money. The airline says the supplier’s email system was compromised. The Government now says the airline was not at fault.
Yet the public still does not know who the Dubai-based service provider was, who controlled the account that received the money, whether authorities froze the funds, whether investigators recovered them, or what action UAE authorities have taken.
That is why this story goes far beyond a cleared payment.
The Missing Money Trail
SriLankan Airlines has said it reported the incident to authorities in the UAE and to the Criminal Investigation Department in Sri Lanka. It also said investigations were continuing in both countries.
However, no public statement from UAE authorities has identified the account holder, confirmed whether officials froze an account, announced arrests, or explained whether they traced the diverted money after it entered the wrong account.
Earlier reporting said the payment, linked to Dubai-related operations, went to an account at Abu Dhabi Islamic Bank. The same reporting said the legitimate supplier account was different.
Even so, that still does not answer the central question. A bank account is only the first stop in a fraud trail. In cyber-enabled payment diversion cases, criminals often move money quickly through multiple accounts. They can then withdraw it, convert it, or layer it through other financial channels.
So the public question remains simple.
Where did the AED 974,000 finally go?
SriLankan’s position is also clear. The airline says it made the payment based on established email instructions and supporting documents carrying authorised signatures.
Later, it discovered that those instructions and documents had come fraudulently from the compromised supplier account. The airline has also denied liability to the service provider for the non-receipt of funds. It says the compromise took place inside the supplier’s email system and outside the airline’s control.
That may protect SriLankan Airlines from a direct liability claim. It may also explain why the Deputy Minister says authorities cleared the payment from the airline’s side.
However, that does not clear the wider system from scrutiny.
How This Fraud Works
This case appears to follow a classic business email compromise pattern. In such frauds, criminals do not always need to hack the payer.
Instead, they compromise a supplier’s email account, watch genuine correspondence, wait for a payment discussion, and then insert altered bank details at the right moment.
To the payer, the request can look real. The email thread looks familiar. The documents appear official. The signatures seem valid. Even the tone may match earlier communication.
That is exactly why organisations can no longer treat email alone as a safe approval channel for high-value payments.
For a state-owned national carrier, the real test is not whether the email looked genuine. The real test is whether the airline independently verified the change in supplier bank details outside the email chain.
Was the supplier contacted through a previously verified telephone number?
Could the change have been confirmed through a secure vendor portal?
Did compliance or internal audit give a second approval?
Were the new account details compared with the supplier’s historical payment records?
Should officials have imposed a waiting period before releasing payment to a new foreign bank account?
Did the payment system flag the change in beneficiary account?
These are not small administrative questions. They sit at the heart of public financial governance.
Why Clearance Is Not The End
The Deputy Minister’s explanation focuses on where the cyber attack took place. According to him, the attack happened at the recipient’s end, not inside SriLankan Airlines.
That may be factually correct. Yet public accountability cannot end with the question of whose email got hacked.
A fraud can happen outside an institution’s server and still expose a weakness in that institution’s payment process. Likewise, a payment can be marked as cleared and still show that verification controls relied too heavily on trust.
In the same way, a company can avoid recording a final loss and still owe the public a full explanation about what changed after the incident.
SriLankan Airlines is not an ordinary private company. It is a national carrier with a long history of public scrutiny, financial pressure, restructuring debate, and taxpayer exposure.
Any payment involving nearly a million dirhams deserves a fuller explanation than a brief statement saying the airline has been cleared.
The public deserves to know whether the supplier absorbed the loss, whether SriLankan adjusted the amount in its payable account, whether authorities recovered the money itself, and whether investigators blocked the suspect account in the UAE in time.
There is a major difference between recovering money and removing liability from the books.
That distinction matters.
Recovery And Accounting Are Not The Same
If the supplier agreed to adjust the amount because the breach took place on its side, that may stop SriLankan from carrying the loss. Even then, that does not prove that investigators froze the fraudster’s account, traced the money, or recovered the funds.
In public money cases, accounting treatment and criminal recovery are not the same thing.
If authorities recovered the funds, the public should be told. When the money remains unrecovered but the supplier accepted the loss, officials should make that clear too.
UAE authorities may still be tracing the funds. If so, the public should know. If the investigation has ended, the outcome should be explained.
Right now, the public record still contains too many gaps.
The supplier remains unnamed. The holder of the recipient account remains unidentified. UAE authorities have not publicly explained what action they took.
The recovery status remains unclear. SriLankan Airlines has also not publicly detailed the procedural reforms it introduced after the incident.
These missing answers are not only about blame. They are also about prevention.
A Warning For The Public Sector
Every ministry, department, corporation, authority, and state-owned enterprise that makes supplier payments faces the same risk.
Public institutions often attract criminals because they deal with repeat vendors, predictable payment cycles, and bureaucratic approval systems. Once criminals understand the communication pattern, they can exploit it.
For that reason, the SriLankan Airlines case should serve as a warning to the entire public sector.
Supplier bank details should never change through email alone. A large foreign payment should not go to a newly introduced account without independent verification. Finance teams should not accept supporting documents simply because they arrive through a familiar email chain. Vendor master files should not change without a documented compliance check.
If the airline has already strengthened these controls, the Ministry should say so. When officials introduce new rules after such an incident, the public should know what they are.
Other state-owned enterprises may also need to review their payment verification systems. If the Government has issued such advice, it should make that public.
That matters because the real danger is not only that one payment went to the wrong account. The real danger is that the next payment may follow the same path.
The Question Still Remains
SriLankan Airlines may now be cleared of wrongdoing. But the fraud trail is still far from clear.
A hacked supplier email may explain how the incident happened. A ministerial statement may explain why the airline is not being blamed.
An accounting adjustment may explain why the loss does not appear in the airline’s books.
Yet none of those explanations answers the question at the centre of the case.
Who got the money?
#SriLankanAirlines #SriLankaNews #CyberFraud #UAE #Dubai #BusinessEmailCompromise #PublicMoney #PaymentControls #CID #AviationNews #TheMorningTelegraph
