
Banking Fraud in Costa Rica: 668% Growth, 38 Victims Per Day, and What Your Business Can Do About It

Published by The Digital Bite ~11 min read

The Velocity

One victim every 38 minutes. That's the current rate of electronic banking fraud in Costa Rica — 24 hours a day, every day of the year.

In 2020, the OIJ received 942 complaints for estafa informatica — electronic fraud. By 2024, that number was 7,235. In 2025, it exceeded 10,000. The growth rate over four years: 668%.

The financial damage in 2025 alone: approximately ₡6 billion — roughly $12 million USD — in confirmed stolen funds. And that's only what was reported. The actual figure is almost certainly higher, because many victims — particularly businesses — never file complaints.

On March 5, 2026, Costa Rica's Asamblea Legislativa passed a law that fundamentally changes who bears the cost. For the first time, banks will be required to reimburse victims of electronic fraud unless they can prove their own cybersecurity systems met regulatory standards. The burden of proof has shifted.

The Numbers in Context

The OIJ's fraud statistics tell a story of exponential acceleration:

  • 2019: 639 estafa informatica complaints
  • 2020: 942 — a moderate increase, partly driven by pandemic-era digital adoption
  • 2021: Roughly 930, holding steady
  • 2022: Approximately 3,136 — the curve breaks upward
  • 2023: 3,262
  • 2024: 7,235 — more than doubling in a single year
  • 2025: Over 10,000 estafa informatica complaints, plus 7,483 additional general fraud complaints

The OIJ's Specialized Fraud Section chief has stated publicly that 98% of electronic fraud cases involve organized crime. Approximately 90% of fraud operations originate from inside La Reforma prison, where inmates use contraband phones and Wi-Fi signals from nearby homes to run sophisticated call-center-style operations.

The criminal justice system cannot keep pace. In 2024, 7,235 fraud complaints were filed. Only 85 cases went to trial. Of those, 44 ended in acquittal. Average time from complaint to trial: more than four years.

How the Fraud Actually Works — The Six Dominant Modalities

The OIJ identified six primary fraud techniques operating in Costa Rica in 2025. Understanding the mechanics matters more than generic warnings about "staying safe online."

1. Fake bank websites (Pagina falsa)

The victim searches for their bank on Google. The top result, sometimes even a sponsored result, is a cloned website. It looks identical to the real bank and often carries a perfectly valid TLS certificate: the padlock only proves that the connection to the criminal's server is encrypted, not who runs it. The victim enters their username, password, and one-time token. The criminal replays those credentials on the real bank site within seconds, while the one-time token is still valid, and drains the account; a code that expires in a minute is no obstacle to an attacker who uses it in ten seconds. These sites are hosted on global cloud infrastructure, which makes takedowns difficult and time-consuming.

2. Fake municipal official calls (Falso funcionario municipal)

This is the most common modality overall. A criminal calls posing as a municipal official regarding a tax payment, permit, or utility service. They claim the victim needs to complete an administrative process and either request banking credentials directly or send a link to a phishing page. The caller knows the victim's name, cedula number, and address — because criminal organizations have access to large databases of personal information.

3. Fake bank official calls (Falso funcionario bancario)

The criminal calls pretending to be a bank employee, claiming there's a suspicious transaction or a required security update. They request account data, tokens, or passwords. In many cases, the caller ID is spoofed to display the bank's actual phone number. This modality primarily targets older adults.

4. Fake job offers from known companies

Criminals post job listings using the names of well-known companies. Victims submit their CVs. A supposed HR representative calls to say the victim has been selected but needs to "update their firma digital" — digital signature. They ask which bank it's linked to, request the authentication token and email password. This is particularly dangerous for businesses, because digital signatures are often linked to corporate bank accounts with much higher balances than personal accounts.

5. Vehicle and property sale scams

Criminals respond to online vehicle or property listings, often posing as English-speaking foreign buyers. They claim to send a deposit and provide a doctored payment receipt. When the seller says the money hasn't arrived, the "buyer" initiates a three-way call with a supposed bank official (an accomplice) who sends a link to "release the funds." The seller clicks, enters credentials, and their account is emptied.

6. SINPE Movil exploitation

Two vectors. First: criminals purchase prepaid SIM cards in bulk and test which phone numbers are still linked to active SINPE Movil accounts. When someone changes their phone number without unlinking SINPE Movil, the old number eventually gets recycled — and whoever holds that SIM can now transfer money out of the linked account. Second: phone theft. Criminals steal phones and immediately execute SINPE transfers before the victim can block their accounts. The Central Bank has since implemented a ₡100,000 daily limit on SMS-based SINPE transactions to reduce exposure, but app-based transactions remain at higher limits.

SIM Swapping — The Growing Threat

SIM swapping deserves separate attention because it defeats any control that trusts the phone number, above all SMS one-time codes, without touching the victim's device or their password.

The criminal obtains the victim's personal information — name, cedula, phone number, employer — from databases that are widely available in Costa Rica's criminal underground. They contact the victim's telecom provider (Kolbi/ICE, Claro, or Liberty), impersonate the victim, claim a lost phone, and obtain a new SIM card with the victim's number.

Now every SMS verification code — SINPE Movil OTPs, bank login codes, password resets — goes to the criminal. They access the victim's bank accounts, reset passwords to email and other services, and drain funds, usually before the victim realizes that their phone suddenly losing signal was the first symptom of the attack.

Attacks tend to peak around aguinaldo season (December-January), when account balances are highest.

The BCR Maze Breach — This Isn't New

The current fraud epidemic didn't start in 2022. In August 2019, the Maze ransomware group first gained access to BCR — Banco de Costa Rica, one of the country's largest state-owned banks. By Maze's own account, they chose not to encrypt the systems because the potential damage was too significant.

In February 2020, Maze returned to check whether security had improved. It hadn't. They exfiltrated data and claimed to possess 11 million credit card credentials — 4 million unique, with 140,000 allegedly belonging to US citizens. They released sample card numbers with expiration dates and CVV codes as proof.

In May 2020, Maze posted a 2 GB CSV file containing real Mastercard and Visa card details on their leak site. The Cyble Research Team verified the data contained real card information. BCR publicly denied any breach.

The BCR incident was a warning. Cybersecurity experts noted at the time that the Maze and subsequent Conti attacks effectively put Costa Rica's vulnerabilities on the radar of attackers globally — contributing directly to the fraud explosion that followed.

The Regulatory Response

SUGEF 10-07 (v5, effective June 1, 2025) establishes comprehensive security requirements for all supervised financial entities — banks, cooperatives, and all entities under SUGEF, SUGEVAL, SUPEN, and SUGESE. The regulation mandates:

  • Biometric identity verification for digital channels
  • Digital behavior analysis and real-time fraud detection
  • Multi-factor authentication with login attempt limits
  • Malware and tampering detection for mobile banking applications
  • Full audit logs of authentication events
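A minimal version of the real-time detection and login-attempt-limit logic the regulation asks for, applied to the SIM-swap and SINPE Movil patterns described in the modality and SIM-swapping sections above, as an added example. This is not code from the page, from SUGEF or from any bank. The event schema, the rule thresholds (24-hour SIM-change cooldown, five failures in fifteen minutes, three distinct destinations in ten minutes) and the sample event stream are assumptions constructed for the example; the ₡100,000 daily cap on SMS-channel transfers is the one the text cites. Each event gets the most severe decision any rule produces, and every alert is kept as an audit record.

```python
"""Rule-based, per-account fraud monitor over a constructed banking event stream."""
from __future__ import annotations

from collections import defaultdict, deque
from dataclasses import dataclass, field
from datetime import date, datetime, timedelta

# ASSUMED thresholds for illustration; SUGEF 10-07 requires attempt limits and
# real-time detection but does not dictate these numbers.
SIM_CHANGE_COOLDOWN = timedelta(hours=24)   # distrust OTP-bound actions after a SIM change
LOGIN_FAIL_LIMIT = 5
LOGIN_FAIL_WINDOW = timedelta(minutes=15)   # failures counted within this window; lockout length
SMS_DAILY_LIMIT_CRC = 100_000               # BCCR cap on SMS-channel SINPE transfers cited in the text
BURST_COUNT = 3
BURST_WINDOW = timedelta(minutes=10)        # distinct destinations inside this window = burst

SEVERITY = {"allow": 0, "step_up": 1, "block": 2}


@dataclass
class Alert:
    ts: datetime
    account: str
    rule: str
    action: str


@dataclass
class AccountState:
    last_sim_change: datetime | None = None
    failed_logins: deque = field(default_factory=deque)
    locked_until: datetime | None = None
    sms_spent: dict[date, int] = field(default_factory=dict)
    recent_transfers: deque = field(default_factory=deque)   # (ts, destination)
    known_devices: set[str] = field(default_factory=set)


class FraudMonitor:
    def __init__(self) -> None:
        self.state: dict[str, AccountState] = defaultdict(AccountState)
        self.alerts: list[Alert] = []

    def _raise(self, ts, account, rule, action, decision):
        self.alerts.append(Alert(ts, account, rule, action))
        return action if SEVERITY[action] > SEVERITY[decision] else decision

    def process(self, ev: dict) -> str:
        """Return 'allow', 'step_up' or 'block' for one event, updating account state."""
        ts, acct, kind = datetime.fromisoformat(ev["ts"]), ev["account"], ev["type"]
        s, decision = self.state[acct], "allow"
        if kind == "sim_change":            # telco-side signal: record it, nothing to decide yet
            s.last_sim_change = ts
            return decision
        if s.locked_until and ts < s.locked_until:
            decision = self._raise(ts, acct, "activity_during_lockout", "block", decision)
        if kind == "login_failed":
            s.failed_logins.append(ts)
            while ts - s.failed_logins[0] > LOGIN_FAIL_WINDOW:
                s.failed_logins.popleft()
            if len(s.failed_logins) >= LOGIN_FAIL_LIMIT:
                s.locked_until, decision = ts + LOGIN_FAIL_WINDOW, self._raise(
                    ts, acct, "login_attempt_limit", "block", decision)
                s.failed_logins.clear()
            return decision
        recent_sim_swap = s.last_sim_change is not None and ts - s.last_sim_change < SIM_CHANGE_COOLDOWN
        if kind == "login_ok":
            device = ev.get("device", "unknown")
            if device not in s.known_devices and recent_sim_swap:
                decision = self._raise(ts, acct, "new_device_after_sim_change", "step_up", decision)
            s.known_devices.add(device)
        if kind in ("password_reset", "transfer") and recent_sim_swap:
            decision = self._raise(ts, acct, "otp_action_in_sim_swap_window", "block", decision)
        if kind == "transfer":
            amount = int(ev["amount"])
            if ev.get("channel") == "sms":   # enforce the SMS-channel daily cap per calendar day
                spent = s.sms_spent.get(ts.date(), 0)
                if spent + amount > SMS_DAILY_LIMIT_CRC:
                    decision = self._raise(ts, acct, "sms_daily_limit", "block", decision)
                else:
                    s.sms_spent[ts.date()] = spent + amount
            s.recent_transfers.append((ts, ev["dest"]))   # attempts count toward velocity too
            while ts - s.recent_transfers[0][0] > BURST_WINDOW:
                s.recent_transfers.popleft()
            if len({d for _, d in s.recent_transfers}) >= BURST_COUNT:
                decision = self._raise(ts, acct, "transfer_burst", "step_up", decision)
        return decision


def ev(ts: str, account: str, kind: str, **extra) -> dict:
    return {"ts": ts, "account": account, "type": kind, **extra}


EVENTS = [  # CONSTRUCTED sample stream: three accounts, three attack patterns from the text
    # SIM swap: telco reports a SIM change, then a new device logs in and tries OTP-bound actions
    ev("2026-01-10T09:00:00", "victim-1", "sim_change"),
    ev("2026-01-10T09:20:00", "victim-1", "login_ok", device="phone-B"),
    ev("2026-01-10T09:25:00", "victim-1", "password_reset"),
    ev("2026-01-10T09:30:00", "victim-1", "transfer", amount=500_000, channel="app", dest="CR-x"),
    # credential guessing: five failures, a login inside the lockout, one after it expires
    *[ev(f"2026-01-10T10:0{i}:00", "victim-2", "login_failed") for i in range(5)],
    ev("2026-01-10T10:06:00", "victim-2", "login_ok", device="phone-C"),
    ev("2026-01-10T10:30:00", "victim-2", "login_ok", device="phone-C"),
    # stolen unlocked phone: rapid SMS-channel SINPE transfers to several new destinations
    ev("2026-01-10T11:00:00", "victim-3", "login_ok", device="phone-D"),
    ev("2026-01-10T11:01:00", "victim-3", "transfer", amount=40_000, channel="sms", dest="CR-a"),
    ev("2026-01-10T11:02:00", "victim-3", "transfer", amount=50_000, channel="sms", dest="CR-b"),
    ev("2026-01-10T11:03:00", "victim-3", "transfer", amount=20_000, channel="sms", dest="CR-c"),
    ev("2026-01-10T11:04:00", "victim-3", "transfer", amount=80_000, channel="app", dest="CR-d"),
]


def run(events: list[dict]) -> tuple[list[str], FraudMonitor]:
    monitor = FraudMonitor()
    return [monitor.process(e) for e in events], monitor


if __name__ == "__main__":
    decisions, mon = run(EVENTS)
    for e, d in zip(EVENTS, decisions):
        print(f"{e['ts']} {e['account']:9} {e['type']:15} -> {d}")
    for a in mon.alerts:
        print("ALERT", a.ts.time(), a.account, a.rule, a.action)
```

The point of keeping per-account state rather than scoring each transaction alone is that none of the three patterns is visible in a single event: a transfer from a new device is routine, a SIM change is routine, and only the combination within the cooldown window is the attack. The third scenario shows why a daily SMS cap on its own is weak: the cap blocks the third transfer, but the app channel is not capped, so the burst rule is what catches the fourth.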

CONASSIF 5-24 (effective August 5, 2024) adds an IT governance and risk management framework requiring financial institutions to demonstrate active board-level oversight of cybersecurity.

Both regulations are now critical because of what happened on March 5, 2026.

The Banking Fraud Law — A Fundamental Shift

On March 5, 2026, the Asamblea Legislativa approved Expediente 23.908 in second debate — the banking fraud law that had been debated for months. The law is pending presidential signature, but its passage was decisive.

The liability shift

Financial entities — both public and private — now carry strict joint liability (responsabilidad objetiva solidaria) for electronic theft of customer funds. The burden of proof inverts: instead of customers having to prove the bank failed, banks must prove they were diligent. If a bank cannot demonstrate compliance with SUGEF cybersecurity standards, it must reimburse the customer.

The claims process

A customer has 30 calendar days to file a fraud claim. The bank then has 30 days (with a possible 10-business-day extension) to investigate. If the claim is accepted, the bank must refund the stolen amount plus interest within 10 days. If the bank rejects the claim, it must provide a forensic analysis justifying the rejection and send copies to both the OIJ and SUGEF. SUGEF then has 10 business days to validate or reject the bank's decision. If SUGEF doesn't ratify the rejection, the bank must reimburse.

The exceptions

Banks are not liable in cases of self-fraud or intentional misconduct by the customer; transfers between the customer's own accounts; transfers to immediate family (spouse, partner, or relatives up to the second degree); or when the bank can demonstrate full compliance with applicable SUGEF cybersecurity regulations.

Criminal penalties for false claims

Filing a false fraud claim is itself a crime: 2 months to 3 years in prison when the amount is up to 10 times the base salary, and up to 10 years for larger amounts.

BCR, Banco Nacional, and Banco Popular all resigned from the Asociacion Bancaria Costarricense over this law. The banking association warned about Chile's experience — a similar 2020 reform initially led to increased fraud before being corrected in 2024.

The legal analysis from ECIJA frames the impact clearly: this law converts cybersecurity into the primary mechanism of legal defense for the financial system. Having policies on paper is no longer sufficient. Institutions must demonstrate compliance with robust and verifiable standards.

What This Means for Businesses

The Banking Fraud Law creates obligations and opportunities for every business that operates a bank account in Costa Rica.

If your business is a victim of electronic fraud, you now have a structured claims process with defined timelines. Document everything immediately: screenshots, timestamps, transaction records, notification timestamps, and, where a phishing link or a call was involved, the URL, the message and the caller's number. File your claim within 30 calendar days. If rejected, demand the forensic analysis and the SUGEF review.

If you're a financial institution or regulated entity, compliance with SUGEF 10-07 is now your legal shield. Under the law's own exception, an institution that can demonstrate full compliance (biometric verification, real-time fraud detection, multi-factor authentication with attempt limits, and the audit trail to prove it) can defeat a reimbursement claim. Those that cannot prove it will bear the cost.

For every business, the practical recommendations aren't generic password advice. They're specific to how fraud actually operates in Costa Rica:

Bookmark your bank's URL

Never search for your bank on Google. Cloned bank sites in search results, sometimes as paid placements, are one of the six dominant fraud modalities in Costa Rica. Type the URL directly or use a saved bookmark, and treat any bank link that arrives by phone call, SMS, or WhatsApp the same way: ignore it and go through the bookmark. Train every employee who accesses business banking to do the same.
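A concrete form of the bookmark rule, serving both the fake-bank-website modality above and this recommendation, as an added example rather than anything from the page or from any bank: a checker that accepts a URL only when its registrable domain is exactly on a bank allowlist, and otherwise separates lookalikes (brand name inside a foreign domain, hyphenated or typo variants, digit and Cyrillic homoglyphs, punycode) from plain unrelated sites. The bank domains, the brand names and the small public-suffix table are hypothetical placeholders; production code should use the Public Suffix List.

```python
"""Classify a URL as trusted, lookalike or untrusted against a bank domain allowlist."""
from __future__ import annotations

import unicodedata
from urllib.parse import urlsplit

# ASSUMPTION: hypothetical bank domains standing in for an organisation's real allowlist.
BANK_ALLOWLIST = {
    "bancoejemplo.fi.cr": "Banco Ejemplo",
    "ejemplobank.cr": "Ejemplo Bank",
}

# ASSUMPTION: tiny public-suffix table so that "fi.cr" counts as a suffix, not a domain.
# Real code should use the Public Suffix List (e.g. the tldextract package).
PUBLIC_SUFFIXES = {"cr", "co.cr", "fi.cr", "go.cr", "ac.cr", "com", "net", "org", "app", "online"}

# Characters attackers substitute for Latin letters: digits and Cyrillic homoglyphs.
CONFUSABLES = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c", "\u0443": "y",
})


def registrable_domain(host: str) -> str:
    """Return the label directly below the public suffix, e.g. 'bancoejemplo.fi.cr'."""
    labels = host.split(".")
    for n in (2, 1):   # try the two-label suffixes ("fi.cr") before the one-label ones ("cr")
        if len(labels) > n and ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return host


def normalize(label: str) -> str:
    """Fold a hostname label to the form a human eye reads it as."""
    folded = unicodedata.normalize("NFKC", label).lower().translate(CONFUSABLES)
    return folded.replace("-", "").replace("rn", "m").replace("vv", "w")


def levenshtein(a: str, b: str) -> int:
    """Edit distance; one edit away from a brand label is a typosquat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_url(url: str, allowlist: dict[str, str] = BANK_ALLOWLIST) -> tuple[str, str]:
    """Return (verdict, reason); verdict is 'trusted', 'lookalike' or 'untrusted'."""
    parts = urlsplit(url if "://" in url else "https://" + url)
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return "untrusted", "no hostname"
    domain = registrable_domain(host)
    if domain in allowlist:   # an exact registrable-domain match is the only way to be trusted
        if parts.scheme != "https":
            return "untrusted", f"{allowlist[domain]} reached over plain http"
        return "trusted", allowlist[domain]
    if not host.isascii() or any(lbl.startswith("xn--") for lbl in host.split(".")):
        return "lookalike", "internationalised hostname (homoglyph / punycode)"
    brands = {normalize(d.split(".")[0]): name for d, name in allowlist.items()}
    squashed = normalize(host.replace(".", ""))
    for brand, name in brands.items():
        if brand in squashed:   # brand used as a subdomain, a prefix, or with hyphens inserted
            return "lookalike", f"contains the {name} brand but is registered as {domain}"
        for label in host.split("."):
            if levenshtein(normalize(label), brand) <= 1:
                return "lookalike", f"one edit away from {name}"
    return "untrusted", f"not an allowlisted bank ({domain})"


if __name__ == "__main__":
    for u in ("https://www.bancoejemplo.fi.cr/login",
              "https://bancoejemplo.fi.cr.cuenta-verificar.net/",
              "https://bancoejempl0.fi.cr/", "https://www.example.org/"):
        print(u, "->", classify_url(u))
```

The ordering matters: the allowlist is checked on the registrable domain, never on a substring, so "bancoejemplo.fi.cr.cuenta-verificar.net" is a lookalike and not a match, and anything the eye would read as the brand but the registry does not know as the brand is flagged before the generic "untrusted" fallback.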

Migrate away from SMS-based SINPE Movil for business transactions

Use only authenticated banking apps or web platforms. Set SMS limits to the minimum. When employees change phone numbers, immediately verify that all SINPE Movil links are updated — old numbers get recycled to new SIM holders.

Move from physical coordinate cards to dynamic keys

BCR's Clave Virtual, Banco Nacional's digital token, BAC's soft token: these are harder to intercept than static coordinate cards, whose fixed values can be harvested once and reused indefinitely. Note the limit: a dynamic code is still phishable if the victim types it into a cloned site while it is valid, so this control complements the bookmark and call-verification rules rather than replacing them.

Implement a verification protocol for incoming calls

No bank will ever call you and request your password, token, or OTP, and the number on the display proves nothing, since caller ID can be spoofed to show the bank's real number. Train employees, especially those with access to corporate bank accounts, to hang up and call back on the number printed on their card or published on the bank's official site, never on a number the caller provides.

Know the claims process

Under the new law, you have 30 days to file. Don't wait. Document the incident the moment you discover it and file with both the bank and the OIJ.

Report fraud

File with the OIJ at any of their 35 delegations, through the 24/7 ORD in San Jose, or at oij_denuncias@poder-judicial.go.cr. Also report to CSIRT-CR at csirt@micitt.go.cr. Every unreported case makes the aggregate statistics less useful and makes it harder to justify resources for enforcement.

The Bigger Picture

Costa Rica's banking fraud crisis is not a technology problem. It's an ecosystem problem. Organized crime operating from inside prisons. Personal data readily available to criminals. A justice system that processes 85 trials per year against 7,235 complaints. A regulatory framework that is only now catching up. And a population that adopted digital banking faster than digital security literacy could follow — SINPE Movil now processes 359 million transfers per half-year, growing 20% annually.

The new Banking Fraud Law is a significant step. It aligns incentives correctly — the institutions best positioned to prevent fraud now bear the cost when they fail to do so. But legislation doesn't stop phishing emails. It doesn't stop criminals from buying SIM cards in bulk. It doesn't train your employees to recognize a spoofed phone number.

That part is your responsibility.

Is your business prepared for the new fraud landscape?

From SUGEF 10-07 compliance assessments to employee security awareness training and incident response planning, we help Costa Rican businesses build defenses against the fraud techniques actually operating in this market.
