Cybercrime is a serious problem in Costa Rica. The number of victims is rapidly growing and so are the different techniques used by criminals to commit them. Behind the epidemic of cyberbanking fraud hitting Costa Rica are not independent criminals, but rather complex structures that function as criminal enterprises.
The Cybercrime Prosecutor’s Office revealed that organizations have access to technological and economic resources that allow them to “operate on a large scale” in a business that has become very lucrative.
“We have managed to detect that they are coordinated structures. In many of these cases, they operate as organized crime groups, that is, a coordinated structure with leaders, middle managers, and rank-and-file members or low-level figures,” authorities said.
Authorities have detected that many ordinary criminals have been migrating to this modality because it is easier to operate and less dangerous for them. The prosecutor indicated that during 2024, nearly ₡4.5 billion (approx. $8.3 million USD) was stolen from victims’ bank accounts. Meanwhile, the OIJ announced that in just the first half of 2025, Costa Ricans’ losses exceeded ₡2.6 billion (approx. $4.8 million USD).
This multimillion-dollar illicit business has strongly infiltrated Costa Rica, but its structures transcend national borders. For Esteban Jiménez, a cybersecurity expert, the cyberattacks carried out against the country’s public institutions by the cybercriminal groups Maze (2020) and Conti (2022) put national vulnerabilities on the attackers’ radar.
With the rise of artificial intelligence (AI), scams have become more sophisticated, and it is increasingly difficult to detect when something is fake. Criminals are capable of cloning voices and images, impersonating people, and even hacking devices such as WhatsApp, which makes it difficult for many people to distinguish whether they are really talking to a friend or family member or a criminal.
Another method is the collection of sensitive data through fake websites (even with security certificates), which is one of the methods most commonly used by cybercriminals to defraud people. However, there is a wide range of this type of fraud, according to Yorkssan Carvajal, head of the OIJ’s Specialized Section Against Computer Fraud.
The investigator pointed out that criminals also make calls to their victims, posing as municipal officials, bank employees, or representatives of any other institution, under the pretext that they want to help with a procedure or the management of a service.
To do this, cybercriminals have access to large databases of personal information on customers of financial institutions. These records contain information such as full name, ID number, date of birth, physical address (including street address), occupation, employer, and up to six phone numbers per person, among other details.
Scammers also take advantage of people who are selling or renting property. The criminals pretend to be interested in purchasing whatever is being sold, and lead owners to believe that a down payment is on its way, and send a fraudulent link as proof of the transaction.
“The victim clicks on the link, and obviously, the first thing it will ask for is sensitive information such as username and password, dynamic key or token, and the victim’s email address, and that’s how they lose control of their bank account,” said the police.
Although reports of computer fraud are skyrocketing, the same cannot be said for the statistics on legal proceedings and convictions for this type of crime. According to data provided by the judiciary, in 2024 there were only 85 trials, in which 44 people were acquitted and 41 received sentences, most of them suspended, although seven people were also sentenced to between five and fifteen years in prison.
