In light of the energy supply disruptions caused by the escalating conflict in the Middle East, the Sri Lankan government re-implemented the National Fuel Pass (QR) system on March 15, 2026. Following this, several fraudulent websites claiming to be official registration portals have begun circulating on social media to steal citizens’ personal data.

The Claim
Viral posts on WhatsApp and Facebook claim that the government has launched a new system to issue fuel permits and provide links such as register-fuelpass-online or other third-party URLs, urging users to “register here” to obtain their QR code.

The Investigation
FactSeeker conducted a verification of these claims and found the following:

Official Directives: According to the special announcement issued by the Ministry of Energy on March 14, 2026, the only authorized website for the National Fuel Pass is http://fuelpass.gov.lk. The links currently circulating on social media are not mentioned in any official government documentation.

Cybersecurity Expert Warning: Expert Asela Waidyalankara issued a public alert via X (formerly Twitter), identifying these viral links as phishing scams. He warned the public not to enter personal information, such as NIC or vehicle details, on these unauthorized platforms.

https://x.com/aselawaid/status/2033408423619178652?s=20

Official Denial: The Managing Director of the Ceylon Petroleum Corporation (CPC), Mr. Mayura Netthikumara, confirmed in a media briefing that fraudulent accounts have been created by malicious actors to harvest personal data. He emphasized that citizens should not share data with any third-party websites.

SL-CERT Official Advisory (March 17, 2026): In a formal notice published in today’s newspapers, SL-CERT warns that scammers are using look-alike URLs with slightly altered characters (e.g., using fuelpass-gov.pro instead of .gov.lk) to deceive users.

System Restoration: While the official fuelpass.gov.lk portal experienced temporary technical glitches during the initial rollout on March 15, the Ministry of Energy has confirmed that the authorized system is now fully restored and operational.

Conclusion
The investigation confirms that the website links circulating on social media are FAKE. They are phishing platforms designed for identity theft and financial fraud. Citizens are strongly advised to use only the official government portal.

Awareness on “Quishing” (QR Phishing)
As the Fuel Pass system relies heavily on QR technology, attackers are increasingly using a tactic known as “Quishing.” It is vital for both the public and fuel station operators to remain vigilant.

How it Works: Attackers create malicious QR codes that redirect users to fraudulent sites. These can be shared digitally via messaging apps or physically by placing fake QR stickers over legitimate ones at fuel stations.

The Risk: Scanning a fake code can lead to the loss of sensitive data, including NIC numbers, mobile numbers, and vehicle details, which can be used to hijack your fuel quota or access financial accounts.

To Stay Secure:

Scan Only Trusted Sources: Only scan QR codes found on the official government app or verified signage within fuel stations.

Verify the URL: Before submitting any information, check your mobile browser’s address bar to ensure the domain is exactly fuelpass.gov.lk.

Report Suspicious Activity: If you notice a QR code that looks like a sticker placed over another, report it to the fuel station management immediately.