Q COSTARICA — Behind the banking cyberfraud epidemic hitting Costa Rica, there are no independent criminals, but rather complex structures that operate as criminal enterprises, according to various experts who spoke to SemanarioUniversidad.com.
“We have been able to detect that they are coordinated structures. In many of these cases, they operate under the modality of organized crime, that is, an articulated structure, with leaders, middle managers, and low-level individuals or figures,” said Melissa Quirós, coordinating prosecutor of the Prosecutor’s Office against Cybercrime.
The prosecutor revealed, in an interview with the media outlet, that these are organizations with access to technological and economic resources that allow them to “operate on a large scale” in a business that has become “very lucrative”; so much so that authorities have detected that many ordinary criminals have been migrating to this modality: “It’s simpler, less risky,” the expert explained.
This murky landscape in which cybercriminal groups operate has facilitated the growth of reports of banking cyberfraud—or electronic scams, as they are actually classified—by 668% between 2020 and 2024, from 942 to 7,235 cases, according to an analysis based on data provided by the Judicial Investigation Agency (OIJ).
In the first four months of 2025, Costa Rica’s judicial police, the Organismo de Investigación Judicial (OIJ), recorded 4,545 cases. Therefore, if the trend continues, the year will close with approximately 13,635 reports, almost double the number of 2024 and equivalent to one victim every 37.7 minutes.
Million-Dollar International Business
The prosecutor indicated that, during 2024, nearly ¢4.5 billion colones (US$8.75 million) were stolen from victims’ bank accounts, while the OIJ announced in a press conference that, for the first half of 2025, Costa Ricans’ losses exceeded ¢2.6 billion colones (US$5 million).
This multi-million-dollar illicit business has firmly established its tentacles in Costa Rica, but the structures transcend national borders. For Esteban Jiménez, a cybersecurity expert, the cyberattacks carried out against the country’s public institutions by the cybercriminal groups Maze (2020) and Conti (2022) put the country’s vulnerabilities on the radar of attackers.
Jiménez indicated, along the same lines as Quirós, that this isn’t just a “neighbor who’s connected to a computer with internet access,” but rather entire organizations, with an administrative structure and global deployments with affiliates: “In Costa Rica, there were no high-capacity local attack groups, that is, with financing or access to high-end technological resources. This developed as we observed this phenomenon of attack groups expanding their territories and seeking greater capitalization,” the specialist commented.
Just last May, the Cybercrime Prosecutor’s Office executed a series of simultaneous raids with Colombian authorities with the aim of dismantling an international cyber-fraud network that affected more than twenty clients of Banco de Costa Rica (BCR) following the cloning of the financial institution’s website.
A Wide Range of Scams
Gathering sensitive data through fake websites (even those with security certificates) is one of the methods cybercriminals are most frequently using to defraud people, but there is a wide range of this type of fraud, explained Yorkssan Carvajal, head of the OIJ’s Specialized Section Against Computer Fraud.
The investigator noted that criminals also make calls to their victims, posing as municipal, bank, or other institution officials, with the supposed claim that they are trying to help with a procedure or service.
To do this, cybercriminals have access to large personal databases of financial institution clients. The Semanario says it was able to review one of these files, which contained more than a thousand records containing information such as full name, ID, date of birth, physical address (Tico-style addresses), occupation, employer, and up to six phone numbers per person, among other elements.
Another type of scam Carvajal highlighted is when fraudsters take advantage of people who list items for sale, such as cars. The criminals pretend to be interested in purchasing the item, trick the victim into believing that a down payment (cash advance) is on the way, and send a fraudulent link as proof of the transaction: “The victim logs in, and obviously, the first thing the link will ask for is sensitive information such as a username and password, a dynamic key or token, and the victim’s email address, and that’s how they lose control of their bank account,” said the OIJ official.
Along the same lines, an additional form of electronic fraud highlighted by both the head of the Computer Fraud Section and the cybercrime prosecutor is the one that occurs through the money transfer service known as the Sistema Nacional de Pagos Electrónicos (SINPE) – National Electronic Payment System. Criminals take advantage of the situation when a bank account is linked to a phone number, but the victim changes numbers without unlinking the account:
“Criminals buy lines in bulk and begin testing all those SIMs to see which ones are still linked. When they find one that is linked, they manage to withdraw the money. We have cases, for example, where they have withdrawn millions of colones because a person didn’t realize (the scam) because they were using that line associated with a savings account and it wasn’t their primary line,” Quirós noted.
The media outlet was also able to verify how a criminal impersonated an engineer, taking control of his social media and messaging platforms. Through the victim’s own WhatsApp, the criminal offered contacts dollars at low prices, intending to scam them.
“We are in an era where seeing is believing is no longer enough. Even if you see and hear, you can no longer believe,” said Roberto Lemaitre, a cybersecurity lawyer, computer engineer, and professor at the University of Costa Rica (UCR).
Only a handful of convictions
Although reports of cyber fraud are growing rapidly, the same is not true for the statistics on legal proceedings and convictions for this type of crime.
According to data provided by the Judiciary, in 2024, there were only 85 trials, in which 44 people were acquitted and 41 received sentences, most of them suspended, although seven people also received prison sentences between five and fifteen years.
Although the figures are low, the number of trials has increased, going from just 20 in 2020 to 85 in 2024. The highest figure came in 2023, with 97 trials, of which 54 resulted in a conviction.
It should be noted that complaints filed in a given year do not reach trial within the same period. In fact, according to information provided to this weekly by the Judiciary, the average total time taken for all stages of a criminal process (preliminary, intermediate, and trial) for cyber fraud is 52 months and one week, or more than four years. In this regard, Lemaitre explained that the trial is the final stage of the criminal process, and not all cases reach this stage, as they can become trapped in the previous stages.
For the specialist, the disparity between the indicators for complaints and trials reflects that both the Cybercrime Prosecutor’s Office and other specialized areas need to be further strengthened in the investigation of these crimes, especially with more personnel.
This is because “the investigation of these types of cases is not as fast,” and criminals have realized that it is an effective criminal modality with a return on investment: “In the end, these are criminal enterprises, and the prosecution of these crimes is costing much more,” he insisted.
Translated and adapted from SemanarioUniversidad.com.