Every time your banking app asks for an OTP, every time you receive a suspicious SMS, every time your mom calls because “the bank” asked for her details — you are watching a silent war between financial institutions and criminals who have industrialized fraud. Mexico has one of the highest rates of attempted bank fraud per user in Latin America. Knowing the names of each technique is the best first defense.
This guide explains, in plain English, what phishing, smishing, vishing, pharming, SIM swapping and other common frauds are; what every user should do to stay safe; and what obligations a regulated fintech has to prevent them. If you work in a financial institution, this text should be part of your staff training and your user-education campaign.
Phishing: email fraud (and how to avoid it)
Phishing is the sending of fake emails that imitate your bank, fintech, e-commerce platform or digital service in order to make you click a malicious link or reply with your credentials. The name comes from fishing: they cast bait and wait for you to bite.
Modern phishing no longer looks like an email from a Nigerian prince with typos. Today the emails:
- Perfectly mimic the visual identity of the bank or fintech.
- Use almost-identical domains (banamex-mx.com instead of banamex.com).
- Are written with AI — no errors, convincing tone.
- Exploit urgency (“your account will be blocked in 24h”).
- Include logos, legal footers and disclaimers indistinguishable from the real ones.
How to protect yourself as a user:
- Verify the sender domain. Large institutions send from official domains (@banamex.com, not @banamex-mx.com). Look at the actual address, not the display name: the display name is free text chosen by whoever sent the message, and even the address can be forged if the institution does not enforce DMARC, so a matching domain is reassuring but not proof.
- Never click links inside the email. Open the official app or type the URL in your browser.
- Before clicking, check where a link really goes: hover over it on a desktop, or long-press it on a phone, and read the actual domain rather than the link text.
- If they ask for sensitive data (password, OTP, token), assume it's phishing. Regulated institutions don't request that by email.
What a regulated fintech should do: publicly publish its official domains, maintain a reporting channel (“phishing@…” email), actively monitor look-alike domains, take down fraudulent sites in coordination with CONDUSEF and authorities.
Smishing: phishing via SMS
Smishing (from SMS + phishing) is the text-message version. Messages with links to fake sites where they ask you to “verify” your account, “claim a prize” or “reject a suspicious charge”. It's one of the most effective because most people trust an SMS more than an email.
Typical smishing patterns in Mexico:
- “We detected a $4,500 charge on your card. If you don't recognize it, click here: bit.ly/…”
- “Your package could not be delivered. Update your address: …”
- “Congratulations, you won a prize. Claim it at: …”
- “SAT (tax authority): we detected inconsistencies in your filing. Verify: …”
Regulated financial institutions in Mexico do not send SMS links asking you to enter sensitive data. Period. If you receive one, it's fraud. If your app needs to verify you, it will do so through the app itself, not via an SMS link.
If you receive smishing: don't reply, don't click, report to your bank through the official channel (not by replying to the SMS) and delete the message. Reporting to CONDUSEF and PROFECO helps the entire ecosystem.
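The two checks above, sender domain and link domain, are the same check applied to email and SMS, so here is one added example (not code from the original guide) that does both: it pulls every URL out of a message body, reduces each host to its registered domain, and classifies it as official, shortener, look-alike or unknown, then does the same for the address in a From: header. The official-domain list, brand tokens, shortener list and sample messages are constructed for the example; the two-label-suffix handling is a simplification of the Public Suffix List.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Constructed data for this example: the domains an institution publishes as official,
# the brand tokens criminals imitate, and public URL shorteners that hide the real target.
OFFICIAL_DOMAINS = {"banamex.com", "bbva.mx"}
BRAND_TOKENS = {"banamex", "bbva"}
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "cutt.ly", "is.gd"}

# Matches http(s) URLs and the bare "host.tld/path" form common in SMS bodies.
URL_RE = re.compile(r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/[^\s<>\"']*)?", re.I)


def registrable_domain(host: str) -> str:
    """Reduce a hostname to the part that was actually registered.

    Simplified stand-in for the Public Suffix List: 'com.mx', 'gob.mx' and similar
    two-label suffixes are recognised, so 'login.banco.com.mx' -> 'banco.com.mx'.
    """
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and len(labels[-1]) == 2 and labels[-2] in {"com", "org", "net", "gob", "edu"}:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches one- or two-character typosquats such as bananex."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_host(host: str) -> str:
    """Return 'official', 'shortener', 'lookalike' or 'unknown' for a hostname."""
    host = host.lower()
    reg = registrable_domain(host)
    if reg in OFFICIAL_DOMAINS:
        return "official"      # covers legitimate subdomains such as www.bbva.mx
    if reg in SHORTENERS:
        return "shortener"     # real destination hidden; treat as suspicious
    # Brand name anywhere in a non-official host: banamex-mx.com, banamex.com.verify.net
    if any(tok in host for tok in BRAND_TOKENS):
        return "lookalike"
    # Typosquats of the registered label itself: bananex.com, bvba.mx
    first = reg.split(".")[0]
    if len(first) >= 4 and any(edit_distance(first, tok) <= 2 for tok in BRAND_TOKENS):
        return "lookalike"
    return "unknown"


def sender_domain(from_header: str) -> str:
    """Domain of the real address in a From: header, ignoring the display name.

    The display name is free text chosen by the sender. Even the address can be
    forged unless the institution enforces DMARC, so this is a first filter only.
    """
    m = re.search(r"<([^>]+)>", from_header)
    addr = (m.group(1) if m else from_header).strip()
    return registrable_domain(addr.rsplit("@", 1)[-1])


def classify_sender(from_header: str) -> str:
    return classify_host(sender_domain(from_header))


def links_in(text: str) -> List[Tuple[str, str]]:
    """Every URL found in a message body, paired with its verdict."""
    out = []
    for m in URL_RE.finditer(text):
        url = m.group(0)
        parsed = urlparse(url if url.lower().startswith("http") else "http://" + url)
        out.append((url, classify_host(parsed.hostname or "")))
    return out


def is_suspicious(from_header: Optional[str], text: str) -> bool:
    """Suspicious if the sender or any embedded link is not an official domain."""
    verdicts = [v for _, v in links_in(text)]
    if from_header is not None:
        verdicts.append(classify_sender(from_header))
    return any(v != "official" for v in verdicts)


# Constructed samples modelled on the smishing and phishing patterns described above.
SAMPLES = [
    (None, "We detected a $4,500 charge on your card. If you don't recognize it, click here: bit.ly/3abcXYZ"),
    (None, "Your package could not be delivered. Update your address: https://banamex.com.verify-delivery.net/u"),
    ('"Banamex Alertas" <alertas@banamex-mx.com>', "Your account will be blocked in 24h. Confirm your data in the attached form."),
    ("noreply@banamex.com", "Your statement is available in the app at https://www.banamex.com"),
]

if __name__ == "__main__":
    for sender, body in SAMPLES:
        print(is_suspicious(sender, body), sender, links_in(body))
```

The order of the checks matters: the registered domain is compared first so that a legitimate subdomain is never flagged, and the brand-token check runs on the full hostname because "banamex.com.verify-delivery.net" has the brand in a subdomain, not in the registered part. A shortener is reported as its own category rather than "unknown" because the only safe handling is to expand it before anyone clicks.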
Vishing: the phone fraud that hits older adults hardest
Vishing (from voice + phishing) is probably the most dangerous because it combines social engineering with real-time psychological pressure. A criminal calls posing as bank or fintech personnel, claims an alarming situation (suspicious charge, attempted theft, detected fraud) and asks for data “to protect you.”
The typical vishing script:
- The criminal already knows your basic data (name, last digits of your card, bank) — obtained from earlier data breaches.
- They call presenting an urgency scenario: “there's a $15,000 charge from Singapore, is it yours?”
- When you deny it, they “transfer” you to the “security department”.
- They ask you to read out the OTP that will arrive on your phone “to verify your identity”.
- That OTP is to authorize a transfer they are making in real time.
One rule to protect yourself: if they call you, hang up and call the official number (the one on the back of your card or in the app). Financial institutions never ask you over the phone to read out an OTP, dictate your password, or perform actions in your app by verbal instruction.
Vishing disproportionately targets older adults. If you have parents or grandparents, the best gift of financial security is teaching them this rule.
Pharming: when you type the correct URL and still get caught
Pharming is more sophisticated: the criminal does not send you a fake link. Instead, they manipulate your device or your DNS so that when you type the real URL (bbva.mx, for example), the browser takes you to a fake site that looks identical to the real one. Once there, they capture your credentials without you suspecting anything.
Pharming can happen via:
- Malware installed on your computer or phone that modifies the hosts file.
- DNS settings changed in your home router (attackers go after routers that still have the default admin password or unpatched firmware).
- Connecting to public Wi-Fi networks controlled by attackers.
- Malicious browser extensions.
Practical defenses:
- Keep your operating system, browser and antivirus up to date.
- Change the default password on your home router.
- Avoid connecting to your bank from public Wi-Fi (cafes, airports).
- Don't treat the HTTPS lock as proof on its own: it only means the connection is encrypted to whoever controls the domain the browser connected to, and fraudulent sites obtain valid certificates too. It does help against DNS and hosts-file pharming, because the attacker cannot normally obtain a certificate for the real bank domain, so the redirect produces a certificate warning. Never click through a certificate warning on a banking site: either the site is not your bank, or malware has installed its own root certificate on your device.
- Consider mobile banking apps over the browser: a well-built app pins or otherwise validates the server's certificate itself, so a redirected connection fails instead of showing a convincing fake page.
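The first pharming vector above, a modified hosts file, is the one a user or a support desk can check locally. Here is an added example (not from the original guide) that parses hosts-file text and reports every entry that overrides a watched bank domain, distinguishing a redirect to an attacker server from a blackhole entry that blocks the real site. The watchlist and the sample hosts content are constructed; the file locations on Linux, macOS and Windows are real.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed watchlist: domains that should never be overridden on a customer's machine.
WATCHED_DOMAINS = ("bbva.mx", "banamex.com", "banorte.com")

# Where the file lives: /etc/hosts on Linux and macOS, drivers\etc\hosts on Windows.
HOSTS_PATHS = ("/etc/hosts", r"C:\Windows\System32\drivers\etc\hosts")


def parse_hosts(text: str) -> List[Tuple[str, str, int]]:
    """Return (ip, hostname, line_number) for every mapping in hosts-file text.

    Handles comments, blank lines, several names on one line, tabs and CRLF.
    Lines whose first field is not an IP address are skipped as malformed.
    """
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for name in fields[1:]:
            entries.append((str(ip), name.lower().rstrip("."), n))
    return entries


def is_watched(name: str) -> bool:
    """True for a watched domain or any of its subdomains (not for look-alikes)."""
    return any(name == d or name.endswith("." + d) for d in WATCHED_DOMAINS)


def hosts_overrides(text: str) -> List[Dict]:
    """Every hosts entry that redirects a watched domain.

    Any such entry is abnormal: a bank does not need a hosts mapping on a customer's
    device. A loopback or 0.0.0.0 target blackholes the site (used to block security
    updates or the bank's real page); anything else sends the browser to a server the
    attacker controls, which is classic pharming.
    """
    findings = []
    for ip, name, n in parse_hosts(text):
        if not is_watched(name):
            continue
        addr = ipaddress.ip_address(ip)
        kind = "blackhole" if (addr.is_loopback or addr.is_unspecified) else "redirect"
        findings.append({"line": n, "name": name, "ip": ip, "kind": kind})
    return findings


# Constructed sample: a hosts file after a pharming infection. 203.0.113.45 is a
# documentation address standing in for the attacker's server.
SAMPLE_HOSTS = """\
# hosts file (constructed sample)
127.0.0.1       localhost
::1             localhost
# 10.0.0.5 banamex.com   (commented out: must be ignored)
203.0.113.45    bbva.mx www.bbva.mx\t# "update"
0.0.0.0         www.banorte.com
0.0.0.0         telemetry.vendor.example
"""


def audit_file(path: str) -> List[Dict]:
    """Audit a real hosts file; returns [] if it does not exist or cannot be read."""
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            return hosts_overrides(fh.read())
    except OSError:
        return []


if __name__ == "__main__":
    for f in hosts_overrides(SAMPLE_HOSTS):
        print(f"sample line {f['line']}: {f['name']} -> {f['ip']} ({f['kind']})")
    for p in HOSTS_PATHS:
        for f in audit_file(p):
            print(f"{p} line {f['line']}: {f['name']} -> {f['ip']} ({f['kind']})")
```

Run as a script it audits the constructed sample and then whichever of the real hosts paths exists on the machine. A clean result here does not rule out pharming through the router's DNS or a malicious extension; it only closes the hosts-file vector.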
SIM swapping: the fraud that clones your number
SIM swapping is one of the most sophisticated and fastest-growing frauds. The criminal convinces your mobile carrier to transfer your number to a new SIM under their control. Once they control your number, they can receive all your SMS —including bank OTPs— and take over your accounts.
The typical process:
- The criminal collects your data (name, date of birth, RFC, address) — from leaks, social media or social engineering.
- They go to a carrier branch or call the call center and report “loss” of their SIM (with your data).
- If the carrier's controls are weak, it activates a new SIM with your number.
- Your original SIM goes inactive (your first signal: you lose service for no reason).
- The criminal logs into your banking app, requests password reset, receives the OTP, and transfers your money.
How to harden yourself:
- Enable authenticator-app MFA (Google Authenticator, Authy) instead of SMS, whenever your fintech allows it. An authenticator app does not transfer with the SIM. Also check that the account has no SMS fallback ("reset via text message"); if it does, the attacker simply uses that path instead.
- Set a PIN or password with your mobile carrier required for any SIM change.
- If you lose service for no reason and nobody else around you does, assume SIM swapping and contact your bank and carrier immediately.
- Limit personal information publicly visible on social media (birthdays, hometowns).
Other fraud schemes growing in Mexico
Beyond the big five, watch for these rising patterns:
Nigerian / inheritance fraud. Someone contacts you by email or social media saying you have inherited/won an amount and only need to pay “a fee”, “a deposit” or “legal expenses” to release it. No legitimate prize or inheritance ever requires you to pay up front.
Romance scam. A digital relationship of months where the other person, just when trust is built, “has an emergency” and needs a loan. The operators are professional networks running playbooks against multiple victims simultaneously.
Fraudulent QR codes. In parking lots, restaurants and street posters, QRs appear “to pay”, “to claim a coupon”, “to confirm a booking”. Some lead to fake sites. Always verify the URL before entering data.
OTP / incoming-payment fraud. The criminal says “I'm going to send you a test deposit; when you receive the code, read it to me to confirm”. That code actually authorizes an outgoing transfer, not an incoming one.
“Wrong number” or “boss on WhatsApp” fraud. A message supposedly from your boss asking you to buy gift cards, transfer to a vendor, or send information. Always verify through an alternate channel before acting.
For fintechs: how to prevent and report
As a regulated financial institution in Mexico, preventing fraud is not optional. CNBV, CONDUSEF and the UIF require evidence of robust anti-fraud programs. The minimum components:
- Reinforced authentication (MFA). Beyond SMS: authenticator apps, biometrics, trusted devices.
- Real-time transactional monitoring with alerts. Rules and AI models that detect unusual operations: geolocation changes, new devices, atypical amounts, structuring patterns.
- User education program. Periodic communication with practical tips, alerts about active scams, accessible guides.
- Reporting channel. Phone and email to report fraud, suspicious attempts, and brand-targeted phishing.
- Coordination with authorities. Report to UIF, collaborate with CONDUSEF, join sector intelligence networks.
- Traceability and forensics. Detailed logs of every operation to reconstruct incidents, identify responsible parties and, eventually, pursue legal action.
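The monitoring rules listed above (new device, geolocation change, atypical amount, structuring) are easier to reason about as a scoring engine run over a transaction stream. This is an added example, not code from the original guide or from any vendor: it keeps a per-user profile, scores each transaction against it, and returns allow / step-up / block. The reporting threshold, rule weights, score bands and the four-transaction scenario are constructed; the scenario mirrors the vishing script earlier on the page (two just-under-threshold transfers from a new device, then a charge from abroad).

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from statistics import median
from typing import Dict, List, Set

# Constructed parameters: a single-transfer reporting threshold and per-rule weights.
REPORTING_THRESHOLD = 10_000.0          # MXN; transfers at or above it are reported individually
WEIGHTS = {"new_device": 30, "geo_change": 35, "atypical_amount": 25, "structuring": 40}
STEP_UP_AT, BLOCK_AT = 30, 60           # allow < 30 <= step_up < 60 <= block


@dataclass
class Tx:
    user: str
    amount: float
    country: str
    device: str
    ts: datetime


@dataclass
class Profile:
    known_devices: Set[str]
    history: List[Tx] = field(default_factory=list)   # prior transactions, attempts included


def evaluate(tx: Tx, p: Profile) -> Dict:
    """Score one transaction against the user's profile and return the decision."""
    reasons = []
    if tx.device not in p.known_devices:
        reasons.append("new_device")
    if p.history:
        last = max(p.history, key=lambda h: h.ts)
        # Country changed with too little time in between (simplified impossible travel)
        if last.country != tx.country and tx.ts - last.ts < timedelta(hours=2):
            reasons.append("geo_change")
        typical = median(h.amount for h in p.history)
        if tx.amount > 3 * typical and tx.amount > 1_000:
            reasons.append("atypical_amount")
    # Structuring: several sub-threshold transfers within 24h that together exceed the threshold
    window = [h for h in p.history if timedelta(0) <= tx.ts - h.ts <= timedelta(hours=24)] + [tx]
    below = [h for h in window if h.amount < REPORTING_THRESHOLD]
    if len(below) >= 3 and sum(h.amount for h in below) >= REPORTING_THRESHOLD:
        reasons.append("structuring")
    score = sum(WEIGHTS[r] for r in reasons)
    action = "block" if score >= BLOCK_AT else "step_up" if score >= STEP_UP_AT else "allow"
    return {"score": score, "reasons": reasons, "action": action}


def process(stream: List[Tx], profiles: Dict[str, Profile]) -> List[Dict]:
    """Run a stream of transactions in order, updating each profile as it goes."""
    results = []
    for tx in stream:
        p = profiles.setdefault(tx.user, Profile(known_devices=set()))
        r = evaluate(tx, p)
        results.append(r)
        p.history.append(tx)                    # record attempts too: velocity counts blocked tries
        if r["action"] != "block":
            p.known_devices.add(tx.device)      # assume the step-up challenge was passed
    return results


def demo() -> List[Dict]:
    """Constructed scenario: a customer whose credentials and OTPs are being abused."""
    t0 = datetime(2024, 5, 6, 10, 0)
    baseline = [Tx("u1", a, "MX", "dev-A", t0 - timedelta(days=d))
                for d, a in enumerate([900, 1100, 1300, 750, 1000], start=1)]
    profiles = {"u1": Profile(known_devices={"dev-A"}, history=baseline)}
    stream = [
        Tx("u1", 1_200, "MX", "dev-A", t0),                                 # normal purchase
        Tx("u1", 9_500, "MX", "dev-B", t0 + timedelta(minutes=30)),         # new device, just under threshold
        Tx("u1", 9_800, "MX", "dev-B", t0 + timedelta(hours=1)),            # second sub-threshold transfer
        Tx("u1", 500, "SG", "dev-A", t0 + timedelta(hours=1, minutes=30)),  # "charge from Singapore"
    ]
    return process(stream, profiles)


if __name__ == "__main__":
    for r in demo():
        print(r)
```

Two design points worth keeping in a real engine: blocked attempts still go into the history, because velocity and structuring rules are about what was tried, not only what succeeded; and the device is trusted only after a non-blocked outcome, which is what makes the second transfer from the new device score on amount and structuring rather than on the device again. In production the weights and bands would be tuned against labelled fraud cases, and the rules would be configurable rather than constants.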
Fraud is dynamic: every new technique exploits a specific weakness in the sector. The only sustainable defense is adaptable technology infrastructure — configurable rules, retrainable models, integrations with external intelligence sources, and a team that can iterate as fast as the attackers.