At a mid-sized Costa Rican software studio with around 50 employees, the chief financial officer (CFO) receives a WhatsApp voice note at 7:45 a.m. before the office opens. The voice is unmistakably that of the CEO, who is traveling to a trade fair in Miami. The message is brief and urgent: a supplier in Panama needs a same-day wire of $12,000 to close a contract before a competitor does. The CEO asks for discretion: “Don’t copy anyone; I’ll explain when I land.”
The CFO, conditioned to respond to executive requests and with no written policy requiring dual authorization below $20,000, executes the transfer within the hour. The CEO lands, checks in, and knows nothing, but by then, the money is gone.
This may seem like a hypothetical scenario, but it isn’t. Corporate identity theft incidents have surged manifold in Costa Rica in recent years, with AI amplifying the problem, especially across small and mid-size companies (SMEs) and family businesses. Overall cyberattacks are up five times this year, with over 33,300 attacks recorded between January and April, as per a new report by Kaspersky.

Social engineering has become a key concern in such companies, where the budget is often tight for mandatory compliance training, and internal governance runs on personal trust and informal hierarchy. “In that culture, questioning a request from the owner or the CEO is not just unusual; it feels disloyal. Attackers know this. They exploit it deliberately,” Mauricio París, a leading expert in arbitration and digital law in Costa Rica and partner at ECIJA, one of the largest law firms in Spain, told Nearshore Americas.
Questioning a request from the owner or the CEO is not just unusual; it feels disloyal. Attackers know this. They exploit it deliberately. — Mauricio París, Managing Partner, ECIJA
Public-sector companies and startups come next in the target list, but for different reasons. “(In such companies) Procurement and payment processes are bureaucratically rigid on paper but operationally chaotic in practice. There are many actors, unclear chains of command, and political pressure to move fast. That combination is ideal for social engineering,” says París. As for startups, they get exposed by speed because they pride themselves on cutting controls.
The common thread across all types of vishing (voice phishing) cyberattacks is the same: the more an organization runs on personal authority rather than documented process, the more vulnerable it is to an attack. With AI voice cloning capable of reproducing exact expressions, including intonation, accent, and speech patterns, it is now nearly impossible to detect impersonation at first glance.
Company or Client: Who’s Responsible?
Under Costa Rican law, liability in such cases is genuinely unsettled. The legal gap is specific: there is no regulatory standard that mandates what a voice-verification protocol must look like for financial transactions. The attacker is obviously liable criminally, but they are rarely identified because they often operate from other jurisdictions.
So, says París, the real legal fight is between the employee and the employer. “Labor courts will look at two things: whether the employee acted with gross negligence, and whether the company had adequate control systems in place. If it had no written protocol for authorizing transfers, no dual-approval policy, and no cybersecurity training on record, courts tend to protect the employee.”
The Costa Rican labor law, like most systems in the region, enshrines the indubio pro operario principle: where doubt exists about the facts or their interpretation, the benefit of that doubt goes to the worker, not the employer. “In a vishing case where the fraud was sophisticated, the instruction appeared legitimate, and the company never defined what “proper authorization” looks like, it can’t fire someone for failing to follow a rule that was never written, and under indubio pro operario, the ambiguity itself becomes the employee’s shield,” París maintains.
Conversely, if the company had clear procedures and the employee bypassed them, even under pressure or good faith, the calculus shifts.
If a vendor and a client are at the center of a similar fraud – and they have an ironclad master service agreement (MSA) – the responsibility gets shared, Ross Lazerowitz, CEO & Co-founder at San Francisco-based computer and network security company Mirage Security, tells Nearshore Americas. “Both parties end up holding the bag, because the customer doesn’t care whose logo is on the contract. Look at Clorox suing Cognizant for roughly $380 million after attackers posing as employees talked the outsourced help desk into handing over credentials.”
If you’re a BPO and the client hands you procedures you believe are insecure, push back in writing. And test your help desk against the procedures you’ve documented. — Ross Lazerowitz, CEO and Co-founder, Mirage Security

Lazerowitz draws two lessons from such cases: “If you’re a BPO and the client hands you procedures you believe are insecure, push back in writing. And test your help desk against the procedures you’ve documented.” In some instances, despite having the process in place, it is never followed. Ross says a procedure nobody follows is worse than no procedure. “It gives everyone false confidence.”
What Can Companies Do Beyond Training
Training is necessary, but establishing a verbal-confirmation ban for financial instructions is the first line of defence against such frauds. “No transfer above a defined threshold — say, $5,000 — should be authorized based solely on a phone call or voice message, regardless of who is calling. This single rule eliminates most vishing attacks. It costs nothing,” says París.
Out-of-band verification, behavioral anomaly detection on payment systems, and internal red-team exercises are other measures companies can implement to protect themselves, suggests París. “If a request arrives by phone, it must happen through a separate channel. A pre-registered callback number, a secure messaging app, or a physical confirmation…most banking platforms offer rule-based alerts for transactions outside “normal” patterns — unusual amounts, new beneficiaries, off-hours timing. Many companies never activate them…(a company can) hire someone to vish CFO. The results are usually sobering.”
He explains that not many companies in Costa Rica have such controls in place, especially outside the regulated financial sector, where entities have baseline requirements. “Everyone else is largely on their own. There is no mandatory cybersecurity standard for non-financial corporations, no reporting obligation when a fraud of this type occurs, and no public registry of incidents.”
With few government regulations in place, the question arises: how should the BPO industry move toward common standards? Lazerowitz suggests that regulators in developed markets like the US should serve as benchmarks. The New York Department of Financial Services, for example, has 23 NYCRR Part 500 cybersecurity regulation that requires financial institutions to develop and maintain a robust cybersecurity program against AI-enabled social engineering.
Lazerowitz suggests rebuilding custom reporting and response workflows to detect, predict, and present security breaches. Attackers, he says, have moved past email to target individual employees directly, and it applies well beyond BPOs.





Add comment