The Shocking Heist: How Scammers Stole Millions from an Costa Rican Academic Institution in Just Two Hours

The High-Stakes Cyber Theft at an Academic Company

In a brazen act of cybercrime, a group of scammers siphoned off approximately ¢93 million (Costa Rican Colón) from the bank accounts of an academic training company within a mere two-hour window. This sophisticated heist, occurring on October 14, 2021, has led to a contentious legal battle, with the company suing Banco Nacional for an alleged security breach.

The Deceptive Trap: A Phone Call Leads to Financial Catastrophe

The scam unfolded as one of the company’s account administrators received multiple calls from a number mirroring that of Banco Nacional. The caller, feigning concern, warned about unauthorized credit card transactions and requested sensitive information, including the card number. Following this interaction, a flurry of unauthorized bank transfers drained the company’s funds.

A Multi-Million Scandal: Unauthorized Transfers and Bank’s Alleged Security Flaws

In an alarming sequence of events, the fraudsters transferred funds from the organization’s dollar account to its colón account, subsequently dispersing ¢52 million across various private accounts. An additional $77,110 (over ¢41 million) was siphoned off in ten separate transactions. The rapidity of these transfers, completed in about two hours, raises serious questions about the bank’s security protocols.

The company representative argued that the standard security measures employed by Banco Nacional would typically require a more extended period between account registration and activation, a safeguard that was conspicuously absent in this incident.

Legal Battle Ensues: Company Vs. Banco Nacional

Following the incident, the victimized company initiated legal proceedings against Banco Nacional at the Administrative Tribunal, alleging significant security lapses in the bank’s system. The complaint detailed how an individual, identified only by the surname Romero, was illicitly added as an administrator on the bank account, bypassing standard authorization procedures.

Banco Nacional’s stance, as per their Operations Sub-Manager Jaime Murillo, was to reject the request for reimbursement, attributing the loss to the legal account administrator’s negligence in safeguarding sensitive information.

The Bank’s Stance and the Legal Impasse

In response to appeals from the affected company, Banco Nacional maintained its position, attributing the fault to the client for a grave oversight in protecting their account details. The bank’s legal department further confirmed that an additional person had been added to the account, modifying security settings to prevent alert notifications for the transactions.

A Precedent for Security: Comparisons with Past Banking Practices

The organization supporting its claim with an example from 2019 highlighted the rigorous procedures previously employed by Banco Nacional for opening bank accounts. The detailed requirements then starkly contrast with the ease with which the scammers manipulated the account, pointing to a severe lapse in the bank’s online security system.

A Pending Judicial Review

The case is currently under review by the Administrative and Civil Court of the Treasury, with a preliminary hearing scheduled for April 2024. The company’s lawyer, Lucrecia Brenes, awaits the trial, while Banco Nacional has refrained from commenting further due to the ongoing legal process.

This incident is not just a cautionary tale about cybersecurity and financial vigilance but also poses critical questions about the responsibilities of financial institutions in safeguarding their clients’ assets.