To report security or privacy issues affecting The srilankan Group products or web servers, you can contact cybersecurity@srilankan.com. We will respond via this secure channel if we require additional information to investigate a security issue.

For the protection of our customers, The srilankan Group generally does not disclose, discuss, or confirm security issues until a full investigation has been completed and any necessary patches or fixes are available.

The srilankan Group handles government information requests in accordance with local laws within the countries in which it operates. You can contact privacy.office@srilankan.com if you are a law enforcement agency.

Journalists can contact our press office at media@srilankan.com, or visit the Srilankan Media Centre.

Use these tips to avoid scams and learn what to do if you think your FlySmiLes ID has been compromised.

If you receive an email or someone claiming to be from SriLankan, who calls and asks for your account name and password, then it’s likely you have been a target of a scam.

Scammers use any means to obtain your personal information including but not limited to fake emails, pop‑up ads, texts and instant messages, and even phone calls. They will try to trick you into sharing personal information, such as your FlySmiLes ID password or credit card information. Here are some helpful tips on how you can protect your account and avoid scams.

Protect your FlySmiLes ID

Never share your FlySmiLes ID, password with anyone. SriLankan will never ask you for this as part of our validation process or when providing support. If you believe that your FlySmiLes ID has been compromised, we encourage you to change your password immediately.

If you get a suspicious phone call or voicemail

Scammers also try to copy email and text messages including the unauthorized use of corporate logos and formats from legitimate companies in order to trick you into sharing your personal information and passwords. We recommend our customers do not follow links or open attachments in suspicious or unsolicited messages. If you need to change or update your personal information, contact us directly.

The following signs can help you to identify potential phishing scams:

• Sender’s email address or phone number does not match the name of the company that the sender is claiming to be from.
• Your email address or phone number is different from the one that you provided to the company.
• The message starts with a generic greeting, such as “Dear customer.” Most legitimate companies will include your name in their messages to you.
• A link appears to be legitimate but upon clicking takes you to a website URL which does not match the address of the company website.
• The message looks significantly different from other messages that you may have received from the company.
• The message requests personal information, such as credit card details or account password.
• The message is unsolicited and contains an attachment.

Report phishing attempts and other suspicious messages to Srilankan

To report a suspicious email claiming to be from Srilankan, you can forward the message to us at cybersecurity@srilankan.com. Please include complete header information. Whilst this email address is monitored by SriLankan, you may not receive an individual reply to your report beyond an auto‑acknowledgement.

Are you concerned that an unauthorized person might have access to your FlySmiLes ID? These steps can help you find out and regain control of your account.

Because our customers can use their FlySmiLes ID for SriLankan and its partner products and services, we encourage you to ensure that your FlySmiLes account is as secure as possible. We recommend that our customers do not share password information with anyone. If someone you don’t know or don’t trust can sign in with your FlySmiLes account, your account is not secure.

Here are some reasons why the FlySmiLes account you are using may not be secure:

• Someone else created a FlySmiLes account on your behalf, or you are using a FlySmiLes account provided to you by your travel agent.
• You are sharing a FlySmiLes account with family or friends. We remind our customers that your FlySmiLes account is your personal account.
• You do not recognize the FlySmiLes account that is signed in to The SriLankan App on your device.
• You may have shared your password with someone else intentionally or unintentionally. For example, someone else selected your password for you, you told someone your password, or you might have entered your password on a "phishing" site.
• You do not have control of the email address or phone number associated with your FlySmiLes account.
• Your password may be considered weak. Strong passwords include a combination of letters, numbers, Upper and lower cases, and symbols to form an unpredictable string of characters that doesn't resemble words or names

If any of the above sounds familiar, your account may be compromised, and we recommend you reset your password as soon as possible and review your account information.

Your FlySmiLes account might be compromised if you receive an account notification from SriLankan FlySmiLes for a change that you did not make, or if you do not recognize changes to account details. For example:

• You receive an email or notification stating that your FlySmiLes account was used to sign into a device which you do not recognize or did not sign in to recently (for example, "Your FlySmiLes account was used to sign in to SriLankan.com on an unknown PC or from an unknown location").
• You receive a confirmation email from SriLankan stating that your FlySmiLes account password was changed, or your account information was updated, but you do not recall making such changes.
• You see FlySmiLes miles deducted for purchases or redemptions that you did not make.
• Your password no longer works, or it might have been changed or locked.
• You do not recognize some or all of your account details.

If you believe that your FlySmiLes account has been compromised, you can use these steps to gain control of it and review your account information:

• Sign in to your FlySmiLes account page. If you are unable sign in or you receive a message that the account is locked when you try to sign in, try to reset or unlock your account. If you are still unable to sign in, you can contact the FlySmiLes team.
• Change your FlySmiLes account password and choose a strong password.
• Review all the personal and security related information in your account. Update any information that is incorrect or that you do not recognize, including:
  • Your name.
  • Your primary FlySmiLes account email address. If you need to change your email address you can do so by accessing your Personal Preferences.
  • All alternate email addresses, rescue email addresses, and phone numbers.
• Check with your email address provider to make sure that you control every email address associated with your FlySmiLes account. If you do not recognize and control the email addresses associated with the FlySmiLes account, we recommend that you should change the password for the email address or use a different email address.

If you have completed the steps above but still have reason to believe your account is still compromised, you can contact the SriLankan contact center.

Criminals use fake emails and fake websites.

They set them up to con people into giving away passwords and other sensitive details. The technical word for this is ‘phishing’.

For example, they might send you an email that looks like it comes from us and it might contain a link to a website that looks like this one. When you try to log on, they can steal your password. They could also ask you to make a phone call or reply by email.

They are good at making their emails and websites look realistic. But the fake ones often share some common characteristics:

• Strange looking email or web addresses
• Poor design, typos or bad spelling
• They ask you to do something unusual
• A site that requires you to log in but doesn't display the padlock symbol in the address bar when you do so

If in doubt, stop. Don’t click on any links. Don’t open any attachments. Just forward the email to cybersecurity@srilankan.com and we will investigate it.