With the age of the “factura electrónica” – electronic invoicing or digital invoice –  in Costa Rica, it has giving rise to a niche in electronic fraud.

“Hola. Este pago fue aprobado y enviado esta mañana, por favor confirme los detalles del beneficiario y firme. Gracias”, reads the text of the fraudulent email with an attachment to a “factura electrónica”.

Although targeting mainly accounting and human resources departments of business, whose employees would proceed normally to open the attachment to verify the payment. However, it is not exclusive to the business world and anyone, even you, can be victim.

So, be careful in opening it. Know the source first. Did you really make the purchase? Why are you getting a bill for it? For example, it could be a receipt for your cellular phone. Or is it one the mass emails making its way around the web containing a malicious program that will infect your computer and steal sensitive information an/or demand a ransom for its return.

Once the attachment is clicked on, there is no turning back.

Criminals take advantage of the lack of knowledge that still exists in relation to electronic invoicing and with the help of “phishing” – a social engineering technique – the victim is tricked into revealing personal and/or company information.

Data from the Organismo de Investigación Judicial (OIJ) reveals that in 2017, 1,042 complaints were filed and in 2018 the number increase, 1,286 up to November 28.

The most common complaints filed with the OIJ are scams involving credit or debit cards and its use online, fraud with a card without consent and computer scams.

Now with the use of electronic invoicing, the risks increase.

“At the beginning of last year we began to see the impact of a combination of low education (of cybercrime) of users, a population that was not prepared to start in electronic invoicing, even many did not what one looked like, nor did they know the process of creating an account … All this giving rise to a niche in electronic fraud,” explained Esteban Jiménez, founder of ATTI CyberLabs told El Financiero.

How can you detect that you are facing an electronic invoice scam?

Either by telephone or email, there are five main scams to be aware of:

  1. Falsification: The fraudster sends an email asking the victim to fill out a form in order to complete the invoices. The data is then used to send to others invoices that seem official, making it more credible and expand their contact base.
  2. Ransomware: The attachment to the emails activates malicious code that, when opened, allows the fraudsters to demand payment in exchange to get back information.
  3. Verification of accounts: The victim receives a phone call from a supposed official of the Ministry of Finance (with respect to the electronic invoice) and asks for personal and/or corporate and banking information to “help” the taxpayer to enter their account and verify the status of “connection” with the Treasury system to consult the amounts of the payment of taxes.
  4. Install a program: The scammer asks the victim to install software as a requirement for the tax system to work properly and can issue invoices.
  5. Counseling: The taxpayer is contacted by the fraudster who poses as an official of the Ministry of Finance and offers to be an “adviser” to configure the electronic invoice appropriately. The criminal requests an electronic payment for such help, which is never given.

The main recommendation is to learn to recognize fake emails (or phone calls) and knowing who is the invoice provider.

Opening an email from a provider you have not done business with or not known to you could be a signal.

Take great care of your data

For the consumer there is another risk, businesses are taking advantage of the electronic invoicing, asking their buyers more information that actually needed to generate the digital document.

It could be as innocent as a check out at the local supermarket, the checkout clerk asking if you want your name of the ‘factura’ to asking all types of information that the retailer can now use, with your permission, for marketing purposes. Or by scammers.

The Law for the Protection of the Person against the Processing of Personal Data (Ley de Protección de la Persona Frente al Tratamiento de sus Datos Personales) establishes that the merchant can request from the client only their identification number (cedula or passport for example), their name and email address.

To date, the Agency for the Protection of Data of Inhabitants – Agencia de Protección de Datos de los Habitantes (Prodhab) – says it has not received complaints regarding the bad treatment of data in relation to electronic invoicing, according to Ana Karen Cortés, director of the agency.

However, Prodhab recommends that it is important that, when you must provide your data with respect to the electronic invoice, provide only the necessary (ID number, name, and email).

Telephone numbers, addresses, date of birth, financial or other data that serve as marketing tools have to be requested by the merchants and it is your right to refuse to give it.

In case of receiving suspicious calls or if you are a victim of fraud, the Ministry of Finance has enabled the Denounce Ya form on their website.

One of the keys to suspecting a scam is the sense of urgency that the criminal has. Phrases like “if you do not give me the information you will be fined” is one of the main signs.

What has been your experience with the “factura electrónica”? Have you received suspected emails or been asked for more that the required information when making a purchase? Post your comments below or to our official Facebook page.


Stay up to date with the latest stories by signing up to our newsletter, or following us on Facebook.