Phishing Case Surge in Mexico, Prompting Calls for Regulation

Mexico shows a significant increase in phishing incidents, recording 6 million cases during 2024, which represents a 40% rise compared to 2018. This phenomenon affects both individual users and micro, small, and medium-sized enterprises (MSMEs), underscoring the need to implement preventive and regulatory measures, reports The Competitive Intelligence Unit (The CIU).

The rise in cyberattacks, particularly phishing, “underscores the urgency of implementing legislative measures against it,” reads The CIU’s Phishing in Mexico Analysis. The report emphasizes the critical need for a regulatory framework to contain the spread of these types of fraud, which compromise data integrity and financial assets for both individuals and corporations.

Phishing, a form of social engineering used to steal information or digital identity, allows attackers to impersonate legitimate entities to obtain confidential data, such as passwords or banking credentials. This method is primarily executed through SMS, instant messaging, or email, using links that redirect users to fraudulent websites mimicking official platforms. A common example involves receiving a text message, allegedly from a financial institution, notifying of an unrecognized charge and requesting account verification via a link. Entering credentials on the fake site enables cybercriminals to capture the information, resulting in unauthorized access or fraudulent transactions.

According to The CIU, in 2024, cyberfraud cases reached 6 million, compared to 2.2 million traditional fraud cases. The average cost per cyberfraud was estimated at about MX$3,525 (US$185), a significant amount considering that the minimum salary per day in Mexico is about MX$278.80 (US$14.64). Of all fraud cases, seven out of 10 occurred online, encompassing e-commerce, online banking, internet operations, and mobile payments. The total amount claimed exceeded MX$20 billion (US$1.052 billion).

Study Main Findings

Phishing also affects business. Dark Reading reports that SMEs in Latin America have been 40% more affected by cyberfraud than those in other countries. Mexico ranks as the second most targeted country in the region, behind Brazil, with over 119 million blocked attack attempts. These figures highlight the increasing sophistication of cybercrime and the vulnerability of organizations to social engineering tactics aimed at acquiring personal and financial information.

The National Commission for the Protection and Defense of Financial Services Users (CONDUSEF) reports that 76.9% of reported frauds concentrate on three main strategies: fraudulent phone calls posing as banks, SMS or instant messages requesting information under the pretense of suspicious charges, and fake websites replicating the interface of financial institutions. The prevalence of these techniques underscores the need for organizations to strengthen their security protocols and train employees to identify and mitigate such threats, according to The CIU.

The CIU study adds that 34% of internet users have received suspicious messages requesting personal data, and one in three internet users knows someone who has been a victim of such scams. About 13.5% of all internet users, equivalent to 13.5 million people in the country, have fallen victim to phishing. Among those affected, 61.5% lost passwords, and 38.5% lost personal data such as addresses, photos, or phone numbers. Around 23.1% reported monetary loss, and 15.4% lost access to their bank accounts. The average economic loss per victim was MX$8,750.

Many are actively trying to protect themselves from this practice, with 45.6% of internet users reportedly avoiding clicking on suspicious links, 34.4% verifying the authenticity of the contact’s email or phone number, 32.6% using strong passwords, and 31.2% avoiding opening attachments. However, only 18.6% use antivirus or security software and 17.7% admitted not taking specific precautions. However, one in three internet users feels limited in their ability to recognize and avoid phishing attempts, representing more than 30 million vulnerable individuals.

Mexico also lacks a specific and robust regulatory framework to comprehensively address phishing, reports The CIU. Authorities are urged to develop legislation that includes cybercrime of this nature. Senator Liliana Rivera, for example, noted in a previous law proposal that defining a regulatory framework would enable not only the classification and sanctioning of phishing, but also the establishment of prevention and education programs.